New user Request does not provision after enabling Risk approval workflow

All,

Initially I had set up the workflow to provision new users to a backend system, and if the role does not have an approver and the manager approved it would auto-provision.

I also was able to provision users with roles with approvals.

My next step was to activate the SAP_GRAC_RISK_APPR workflow so that if a role had a risk, it would go through the Risk approval workflow.

I started again with my test of provisioning a new user to a role that has no SODs and no approvers, but now my workflow does not provision.

The request status says "In Progress" on the manager Stage with a status of "Decision pending" even though I have approved as the manager.

I see in the audit path that it shows that it was approved by the "Manager" but then nothing happens after that:

There are no errors in the SLG1 logs; everything is green.

RFC connections test successfully.

I also checked GRACREQPROVLOG and there are no logs being generated for that request number (24867).



3 Answers

  • Best Answer
    Nov 15, 2017 at 03:43 PM

    All,

    thank you for your time, I have actually figured out the issue (it was simple and I feel bad for wasting time).

    When I did my mass role load via the spreadsheet as we were preparing to get the roles into the system to run Risk Reviews, even though I left the role owner empty for the default end user role, I had accidentally checked the "Assignment Approver" and "Content Approver" sections of the spreadsheet.

    I noticed this as I went back through the methodology of the role to validate everything loaded correctly.

    Once I corrected this the provisioning process for no role owner worked again.

    (There were check marks under those sections before I updated, even though no approvers were listed. This is the correct screenshot.)


  • Nov 15, 2017 at 02:17 AM

    Alessandro,

    I have already set up the SOD violation workflow based on that note. My problem is I am trying to provision a new user with a role that has "zero" risks and it makes it all the way to the manager approvals section, and then after the manager approval I get a notification saying it was approved by manager and going to "Role Owner" but it just sits in the Manager Workflow.

    I have already set up a Routing role for "no role owner" that was working but now seems to have stopped.

    Here is the current workflow


  • Nov 14, 2017 at 02:00 PM

    Dear Michael,

    the risk approval workflow is not triggered from the Access Request workflow. The risk approval workflow gets activated with parameter 1063 and changes the behavior of the access risk maintenance. If set to YES, instead of saving the changes, it sends them out as a workflow that needs to be approved. That scenario can be configured for creation, update, and delete. See also parameters 1101, 1102, 1103.

    In an Access Request workflow, the risk owner approval works differently. It must be configured within the same workflow process id and requires a detouring/routing rule and a dedicated agent for the risk owner (for approval). So, basically you define a routing rule in case violations exist (e.g. GRAC_MSMP_DETOUR_SODVIOL) and route to a specific path. In that path you define an agent that approves the violations/risks. SAP provides a class that determines the risk owner in the access request approval workflow. See note https://launchpad.support.sap.com/#/notes/1670504.

    Hope this helps.

    Cheers, Alessandro
