Skip to Content
author's profile photo Former Member
Former Member

GRC AC 10.1 SP12 UAR : Issues in detour path in Workflow

Hi All,

I am configuring UAR in GRC AC 10.1 SP12. Below are my main configuration details.

Reviewer – Role Owner

Admin Review – No

Rejection option – Not used

Only options available for Role owner (Reviewer) – Approve & Remove

Requirement is to give option of “approve” or “remove” of role assignments to user. If role owner perform action “remove” for any user, it has to go to Security path (Detour). For approve action, no need of detour.

Used Standard Agent ID - GRAC_UAR_REVIEWER for Role owner agent

Used Standard routing rule - GRAC_MSMP_DETOUR_UAR_REV_ROLE for removal action

Used Custom Agent for security agent in Security path for role removal action (PFCG USER GROUPS based)

Assigned “SEC” user group to security people in logon data in SU01 in GRC

I have created some test roles and users in plug in system and ran all the required jobs.

Issue : Assume I have 4 roles and their user assignments as below.

User1 – Role1

User2 – Role1, Role2

User3 – Role1, Role2, Role3

User4 – Role1, Role2, Role3, Role4

I have generated UAR request based on below data.

Connector – ECCCLNT100

Role Name – Role1

Now the UAR request created and waiting for approval at role owner stage like below

1st Scenario:

Role1 Action

User1 - Approve

User2 - Approve

User3 - Approve

User4 - Approve

For the above request everything working fine and processed the request as expected.

2nd Scenario:

Role1 Action

User1 - Remove

User2 - Approve

User3 - Approve

User4 - Approve

For the above request the role owner processed the request as above and then as expected the line item “User1” for removal routed to “Secuirty” stage as per standard detour condition. Then security member process the request as it is and Role1 is removed from User1.

Note : After every request is processed, I am running the required sync jobs to enure I am using the correct data

3rd Scenario:

Role1 Action

User1 - Remove

User2 - Approve

User3 - Remove

User4 - Approve

Here also the request processed as expected. Role1 removed from User1 & User3 once the request detoured to security path

4th Scenario:

Role1 Action

User1 - Remove

User2 - Approve

User3 - Remove

User4 - Remove

Here also the request processed as expected by role owner & security team member.

5th Scenario:

Role1 Action

User1 - Approve

User2 - Remove

User3 - Approve

User4 - Approve

Here is the actual issue I am facing. Role1 removed from User2 without going to security path. Once the role owner processed the request as above Role1 removed from user2 and request closed

6th Scenario:

Role1 Action

User1 - Approve

User2 - Remove

User3 - Approve

User4 - Remove

Again same issue here also. Role1 removed from User2 & User4 without going to security path. Once the role owner processed the request as above Role1 removed from user2 & User4 and request closed

7th Scenario:

Role1 Action

User1 - Approve

User2 - Remove

User3 - Approve

User4 - Approve

Again not worked as expected. Role1 removed from user2 but with involving security stage in security path (Detour)

Like above I have processed many request but no request went to security stage but roles removed from users in 1st path only to whom the action is “Remove”. As per my analysis, if role owner did not select action as “Remove” for ATLEAST first user assignment(line item) of particular role, it is not going to detour path and role is getting removed from 1st path 1st stage only.

If the action is “remove” for 1st user assignment, the request is going to detour path and all the applicable below roles are getting deleted from security path(Detour) security stage. Sorry if I am confusing here by writing lengthy one. Please help me in this issue and let me know if we have any notes or I am missing something in configuration or workflow.

Please see attached file for detailed MSMP & UAR request screenshots.

IMPORTANT NOTE: If I process the request as administrator, the request getting processed as expected i.e roles are removed after taking detur path (Secuirty) from all applicable users irrespective of the position of user assignment line item in the request.


I am not able to attach all the screenshots here. Will attach remaining screenshots later.


Thanks In Advance,

Sathish Pallem

3.png (34.6 kB)
2.png (54.5 kB)
1.png (46.4 kB)
Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • Best Answer
    author's profile photo Former Member
    Former Member
    Posted on Jun 09, 2016 at 05:34 PM

    Hi Sathish,

    Kindly check if the below Note helps.

    2283072 - Detour functionality and Cancel save rejection is not working in UAR



    Regards,

    Manju

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jun 10, 2016 at 02:32 AM

    Hello Sathish Pallem,


    First of all, the way you explained the issue with all the screenshots is really impressive.


    As mentioned by manjunath, please go through the sap note.


    Also, go through this important note of yours when administrator can process the request and the user is not able to, did you happen to check if there is any authorization missing for the user?

    Try giving maximum access to the user and process it and if things are moving normally then you can easily find out what authorization is missing for the user.

    Please do the findings and keep us posted.

    Regards,

    Rakesh Ram M

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Jun 28, 2016 at 11:42 AM

    Hi Manjunath & Rakesh,

    Thanks for your reply. I tried to give full access to role owners but no luck. Also I have checked the note just now and seems it is useful. but I can not implement the note right now as my project is already completed. I have not used detour path for removal action in the project and included security stage as 2nd stage in the same path. 😊

    My client requirement is to include security stage as a 2nd stage. Now all the line items will go to security stage irrespective of the action if we select approval type as complete request in task settings for security stage.

    Thanks,

    Sathish

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.