Auto Approve Roles without Role Approver

Hello GRC Team,

Warning: This is one of the frequently discussed threads. I went through the discussions as well as the SAP Notes but still couldn't get through the basic concepts. So please help me with more detail and, if possible, a screenshot or two.

Going through SAP Note 1709391: in order to provision roles without owners, in addition to the parameter 2038, set a detour for no role owners to a no-stage path.

I have two requirements to understand how this auto approval works.

Requirement No:1

There are 3 stages for the request to go through.

1) Manager and

2) Role Owner

3) Security

The request is approved at manager level, and in the second stage the Role Owner is not available, so it should automatically go to the Security stage.

Requirement No:2

There are 2 stages for the request to go through.

1) Manager and

2) Role Owner

The request is approved at manager level, and in the second stage the Role Owner is not available, so it should automatically get approved.

My understanding is: in Requirement No:1, I need to use BRF+, and in Requirement No:2, I can do it using MSMP.

Please throw some light on this. Also, let me know how and where to maintain "No stage" in MSMP.

Regards,

Deepak M


2 Answers

  • Best Answer
    Jun 17, 2015 at 03:00 PM

    Hi Deepak,

    Here are my thoughts:

    1. Requirement #1 - No BRF+ manipulation needed.  It appears that a pre-defined detour rule is available:

             

    • Use this rule in step 6 of MSMP "Maintain Route Mapping" and route FROM your existing path (with correct stage sequence) TO a new path, which could be called "No Role Owner Path":

                  

    • "No Role Owner Path" will have no stages assigned:

                 

    • Then, if the request contains a role that does not have an owner, this routing rule will kick in and the request will route to the "No Role Owner Path", where there is no approval required (no stages assigned).  Once the request makes it to this path, it will auto-approve and the access will be provisioned.

    *** HOWEVER, because I have not configured this, I am not sure if this rule "GRAC_MSMP_ROUTE_NO_ROLEOWN" will route the ENTIRE request (including the roles that DO have role owners) or if it will split the request and send only the roles without owners down this path.  I have a feeling it will route the entire request, but you may be able to change this within the User Provisioning settings of SPRO (Maintain Provisioning Settings--> Auto provision at end of each PATH rather than at end of Request).  But even if this works, the request will probably not make it BACK to the Security stage for Risk Analysis.

    The above *** note may indicate that you need to re-design your strategy altogether if the functionality does not work.  If this is the case, my recommendations on your new strategy would be as follows:

    1. Approval sequence should be 1.) Manager; 2.) Security; 3.) Role Owner.

              -With the approvals sequenced this way, you will be able to use the pre-defined routing rule GRAC_MSMP_ROUTE_NO_ROLEOWN at the end of the approval paths, which remediates the issue I mention above regarding the request not making it BACK to the Security stage after hitting the routing rule.

    If not all requests need to go to the Security Stage, then you would need to configure the standard routing rule "GRAC_MSMP_DETOUR_SODVIOL" and map it in step 6 of MSMP just as described above with the other rule.  Then, you would need to route to a new path for requests containing Risk Violations, and create the appropriate stages thereafter.

    Hope this gets you on the right track!  Let me know your difficulties and I can continue to help!

    -Ken



    • Yes this configuration should evaluate the request in path New_Account and look to see if there are any roles with no owners, and if so it should route to the No_Role_Owner_Path.

      However, I think it is unlikely that you will be able to route back to the original workflow path to be able to finish with the Security stage, so I recommend having your approval sequence like this:

      1. Manager

      2. Security (SOD analysis and assign Mitigating Controls - will help Role Owner make decision too)

      3. Role Owner (where the request can detour if no role owner is found.  All approvals are already captured, so the request will auto-approve and provision)

      Let me know if you have difficulty developing.

      -Ken
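
The stage-ordering point made in the answer above, as an added example that is not part of the original posts and is not SAP code. It is a simplified model that assumes the detour rule is evaluated after an approval at a routing-enabled stage, that the whole request is rerouted, and that it never returns to the original path; role names and owners are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: role -> owner (None = no role owner maintained).
ROLE_OWNERS = {"Z_FI_DISPLAY": "OWNER_A", "Z_MM_BUYER": None}

@dataclass
class Stage:
    name: str
    routing_enabled: bool = False  # assumption: detour rule runs after this stage approves

# The two stage sequences discussed in the thread.
ORIGINAL = [Stage("Manager", routing_enabled=True), Stage("Role Owner"), Stage("Security")]
REORDERED = [Stage("Manager"), Stage("Security", routing_enabled=True), Stage("Role Owner")]

def has_ownerless_role(roles, owners=ROLE_OWNERS):
    """True if any requested role has no owner maintained."""
    return any(owners.get(role) is None for role in roles)

def run_request(path, roles, owners=ROLE_OWNERS):
    """Walk a path; return (stages that approved, final outcome)."""
    approved = []
    for stage in path:
        approved.append(stage.name)  # assume each approver approves
        if stage.routing_enabled and has_ownerless_role(roles, owners):
            # The detour target has no stages, so the whole request
            # auto-approves and never returns to the original path.
            return approved, "auto-approved on No Role Owner Path"
    return approved, "approved on original path"

def skipped_stages(path, roles, owners=ROLE_OWNERS):
    """Stages of the original path that never saw the request."""
    approved, _ = run_request(path, roles, owners)
    return [s.name for s in path if s.name not in approved]

if __name__ == "__main__":
    request = ["Z_FI_DISPLAY", "Z_MM_BUYER"]
    for label, path in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, run_request(path, request), "skipped:", skipped_stages(path, request))
```

With the original order the Security stage is among the skipped stages; with the reordered path only the Role Owner stage is skipped.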

  • Jun 17, 2015 at 02:41 PM

    Hello Deepak,

    You need to enable routing at the stage before role owner.

    Did you get a chance to check the SAP Note below?

    1757735 - Auto Approve Roles or Systems without Approver



    Hope it helps you



    Regards

    Baithi
