
New user Request does not provision after enabling Risk approval workflow

Nov 14, 2017 at 01:50 AM




Initially I had set up the workflow to provision new users to a backend system, and if the role does not have an approver and the manager approved, it would auto-provision.

I also was able to provision users with roles with approvals.

My next step was to activate the SAP_GRAC_RISK_APPR workflow so that if a role had a risk, it would go through the Risk approval workflow.

I started again with my test of provisioning a new user to a role that has no SODs and no approvers, but now my workflow does not provision.

The request status says "In Progress" on the manager Stage with a status of "Decision pending" even though I have approved as the manager.

I see in the audit path that it shows that it was approved by the "Manager" but then nothing happens after that:

There are no errors in the SGL1 logs, everything is green.

RFC connections test successfully.

I also checked GRACREQPROVLOG and there are no logs being generated for that request number (24867).

manager-stage.jpg (49.5 kB)
audit-log.jpg (35.9 kB)

Hello Michael,

Please provide MSMP screens for better analysis of the issue.

Kind regards,



3 Answers

Best Answer
Michael Hughes Nov 15, 2017 at 03:43 PM


Thank you for your time, I have actually figured out the issue (it was simple and I feel bad for wasting time).

When I did my mass role load via the spreadsheet as we were preparing to get the roles into the system to run Risk Reviews, even though I left the role owner empty for the default end user role, I had accidentally checked the "Assignment Approver" and "Content Approver" sections of the spreadsheet.

I noticed this as I went back through the methodology of the role to validate everything loaded correctly.

Once I corrected this the provisioning process for no role owner worked again.

(There were check marks under those sections before I updated, even though no approvers were listed. This is the correct screenshot.)


If there was no approver defined, then you should consider configuring "No Approver Found" events in MSMP. In that way it will be handled rather than getting stuck.

Regards, Alessandro


Yes, I do have that configured already. I think it is a bug with the "mass role load" feature where if the two items in my screenshot above have "Check marks" then it screws up the workflow.

I posted a screenshot of what it looks like after I fixed it and it worked perfectly because I had the "no approver found" setting checked in the MSMP.

You can try this out yourself if you want... just do a role import from a .txt file and leave the role owner blank but put a "Y" in the Assignment approver and Role Content Approver.

It will send your request into limbo :)


Wrong master data handling that doesn't throw an exception... not surprised though :) Open an OSS if you want to have it corrected.
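
The condition described in this thread (role owner left blank while the approver flags are set) can be caught by checking the import file before a mass role load. The following is an added example, not code from the posts above or from SAP; the column names and tab-delimited layout are assumptions to be mapped to the real import file, and the sample rows are constructed.

```python
import csv
import io

# Hypothetical column headers (assumption): map these to the real import layout.
COL_ROLE = "ROLE_NAME"
COL_OWNER = "ROLE_OWNER"
FLAG_COLS = ("ASSIGNMENT_APPROVER", "CONTENT_APPROVER")
TRUTHY = {"Y", "X", "YES", "TRUE", "1"}

# Constructed sample data, tab-delimited like a .txt role import.
SAMPLE = (
    "ROLE_NAME\tROLE_OWNER\tASSIGNMENT_APPROVER\tCONTENT_APPROVER\n"
    "Z_END_USER_DEFAULT\t\tY\tY\n"
    "Z_FI_AP_CLERK\tJSMITH\tY\tN\n"
    "Z_DISPLAY_ONLY\t\tN\tN\n"
    "Z_HR_VIEWER\t   \t\ty\n"
)


def find_orphan_approver_flags(text, delimiter="\t"):
    """Return (line_no, role, flagged_columns) for every row that sets an
    approver flag while the role owner is blank."""
    findings = []
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    for row in reader:
        owner = (row.get(COL_OWNER) or "").strip()
        if owner:
            continue  # an owner exists, so the flags have someone to resolve to
        flagged = [c for c in FLAG_COLS
                   if (row.get(c) or "").strip().upper() in TRUTHY]
        if flagged:
            role = (row.get(COL_ROLE) or "").strip()
            findings.append((reader.line_num, role, flagged))
    return findings


if __name__ == "__main__":
    for line_no, role, cols in find_orphan_approver_flags(SAMPLE):
        print(f"line {line_no}: {role}: no owner but flagged {', '.join(cols)}")
```

Rows reported by this check are the ones to correct (clear the flags or supply an owner) before loading.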

Michael Hughes Nov 15, 2017 at 02:17 AM


I have already set up the SOD violation workflow based on that note. My problem is I am trying to provision a new user with a role that has "zero" risks and it makes it all the way to the manager approvals section, and then after the manager approval I get a notification saying it was approved by manager and going to "Role Owner" but it just sits in the Manager Workflow.

I have already set up a Routing role for "no role owner" that was working but now seems to have stopped.

Here is the current workflow

Alessandro Banzer
Nov 14, 2017 at 02:00 PM

Dear Michael,

The risk approval workflow is not triggered from the Access Request workflow. The risk approval workflow gets activated with parameter 1063 and changes the behavior of the access risk maintenance. If set to YES, instead of saving the changes, it sends it out as a workflow and needs to be approved. That scenario can be configured for creation, update, and delete. See also parameters 1101, 1102, 1103.

In an Access Request workflow, the risk owner approval works differently. It must be configured within the same workflow process id and requires a detouring/routing rule and a dedicated agent for the risk owner (for approval). So, basically you define a routing rule in case violations exist (e.g. GRAC_MSMP_DETOUR_SODVIOL) and route to a specific path. In that path you define an agent that approves the violations/risks. SAP provides a class that determines the risk owner in the access request approval workflow. See note

Hope this helps.

Cheers, Alessandro
