Skip to Content

GRC AC 10.1 IDM Request Executed Directly

Hi Gurus,

I have a scenario which is the SAP user can lock their self through Oracle IDM.

I had configured connector but the problem is, this request coming to workflow. And I don't know this workflow comes from and where.

I checked table GRACREQ and the request is retrieved.

Need this request can be directly executed after request retrieved.

FYI, the request status after user submitted the request is PENDING

pic :

Please correct me if I am wrong. Really appreciate your help.


Add comment
10|10000 characters needed characters exceeded

2 Answers

  • Posted on Oct 18, 2018 at 09:13 PM


    It looks like request type 02 for Change use is being created and then routed via the MSMP workflow.

    you can look up the request in business client to see which approver it is sitting to

    If you don't want lock account to be approved then you can look at alternating the MSMP workflow to route to a path with no stages which will result in automatic approval. You need attributes in the request to differentiate the lock user scenario from other change of access. If you have the request attributes to make that decision then you can update the Initiator rule to split the requests out.

    Alternatively, see if Oracle IdM can have a check to avoid sending lock users into GRC as a requests (I assume this occurs to run risk analysis).

    Add comment
    10|10000 characters needed characters exceeded

    • Thanks, Collen.

      The request above is identified as 'no agents found' and stuck somewhere.

      We can close open request coming from IDM through tcode NWBC >> Access M >> Search Request.

      My next question, how do we route and maps agents responsible for the workflow? Could you share from end to end? Sorry, I am beginner..

      Warmest Regards.

  • Posted on Nov 04, 2018 at 11:12 PM

    Hi Yoppie

    You need to read up on MSMP workflow configuration which is a SAP Access Control specific solution

    It really depends on what has been configured to understand the agent determination rule (could be a standard function module, BRF+, class, PFCG role, etc)

    I wrote this blog a few years ago and it contains some links to MSMP config. If you get into the MSMP workflow and look at the path/stage agent link and then find the way in which it's determined you'll be able to debug and or analysis why these requests cannot find an agent. The solution may be a master data fix or the MSMP workflow needs to be tweaked to handle the use case

    Add comment
    10|10000 characters needed characters exceeded