Workflow Substitution to a Subordinate

former_member443899
Participant
0 Kudos

Hi Everyone,

I just want to know what other organizations have dealt with managers that want to substitute to direct reports.  This was a scenario we did not think our clients were interested in, but soon we were told about a few situations where a person received their own tasks.  The quick fix was to use the workflow logic and update their position's reports to relationship in PO13. 

Unfortunately this causes mass data updates, OM needs to be proactively told, and there is no error message we can generate that I know of to stop the individuals in their tracks.  For obvious reasons we would like to update our solutions to be more secure.

So my questions are...

1) Is it possible to give a runtime or upfront error if someone tries to open their own task?  Similar to time clerks in CAT2.

2) Is the best solution to use the substitution table to ensure that before a task is assigned to an agent that we confirm there is no substitutions?  However, what do you do for tasks already in that manager's UWL?  We try not to give the employee forward access because they can forward to anyone in the organization.

3) What other options exist?

Ideally I am trying to make a solution that works for new tasks, prevents old tasks from getting approved by the same person, and ensures they can be forwarded during an org change to the new manager without issue.

System is EHP5 (using Java Web Dynpros still) and NetWeaver 7.0 EHP2

Doug

Accepted Solutions (1)

former_member443899
Participant
0 Kudos

The solution we came up with depends on the workflow. For some, we updated the workflow to check for a self-approval situation and generated an error or diverted the workflow. There was nothing we could do from a security standpoint. Finally, for custom iViews and workflows there is more choice.


Thank you for your assistance.

Answers (2)

siddharthrajora
Product and Topic Expert
0 Kudos

Typically, when substitution occurs, he can see all of the manager's task list which requires action. The standard substitution rules set up in UWL or via MPS_SET_SUBSTITUTE enter the substitute into HRUS_D2.

You can of course configure substitutes for certain types of tasks.

In your question, you want to avoid only self approval?

In many cases, like in leave request, self approval is allowed.

Can you advise in which scenario you want to avoid it? In many cases you would need to check via BAdI or a custom check for avoiding self approval!

former_member443899
Participant
0 Kudos

Hi Siddharth,

I understand that this is normally an all or nothing type situation, but clients must have asked this before.  Our business need is that direct reports are used at times for training purposes, but no workflow should allow them to approve their own entries to prevent any types of fraud.  However, today other than updating the reports to relationship there is nothing stopping a substitute that is a direct report from getting/approving their own requests.

Vacation Leave is not as big of a deal because there is less of a chance for abuse because money isn't directly involved.  However, CATS/Record Working Time or Travel/Expense Claims can be for large monetary amounts.

We tried to limit CATS/Record Working Time, but it also stopped the employee from entering time at all because it needed to write to the CATSDB for statuses other than 30 - Approved.

Scenario 1: Employee enters over time for 12 hours.  Manager substitutes to a direct after the request is made (so the agent is already found so the workflow is done).  The manager has not yet approved/rejected the entry.


Scenario 2: This will likely be fixed with our workflow updates but wanted to run it by you anyway.  Someone submits a travel or expense claim.  Their manager/approver is substituting for them.  The employee should not get the task at all, but if they do they should not be able to approve/reject it.  It should be forwarded or left until the manager gets back.  In this situation we think updating the rule to check HRUS_D2 will fix this problem.  Then we can determine another manager.

Thanks again,

Doug
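
The two scenarios above can be modeled as a routing-time check plus a decision-time check. This sketch is an added example, not part of any post in this thread and not SAP code; the substitution row layout is a simplified stand-in for a table such as HRUS_D2, and all names and sample data are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Substitution:        # simplified stand-in for one substitution row
    user: str              # person being substituted (e.g. the manager)
    substitute: str        # person acting on their behalf
    valid_from: date
    valid_to: date
    active: bool

def effective_agents(assigned, subs, on):
    """Assigned agents plus everyone actively substituting for them on `on`."""
    agents = set(assigned)
    for s in subs:
        if s.active and s.user in assigned and s.valid_from <= on <= s.valid_to:
            agents.add(s.substitute)
    return agents

def route(initiator, assigned, subs, on, fallback):
    """Routing-time check: drop the initiator; use the fallback if nobody is left."""
    agents = effective_agents(assigned, subs, on) - {initiator}
    return agents or {fallback}

def may_decide(actor, initiator, assigned, subs, on):
    """Decision-time check: also covers substitutions created after routing."""
    return actor != initiator and actor in effective_agents(assigned, subs, on)

# Constructed sample data: manager M names direct report D as substitute.
SUBS = [Substitution("M", "D", date(2024, 1, 1), date(2024, 1, 31), True)]
DAY = date(2024, 1, 15)

if __name__ == "__main__":
    # Scenario 1: D's own entry was routed to M before the substitution existed.
    print("D decides own entry:", may_decide("D", "D", {"M"}, SUBS, DAY))
    print("D decides E's entry:", may_decide("D", "E", {"M"}, SUBS, DAY))
    # Scenario 2: new item from D; D is filtered out of the recipients.
    print("recipients:", sorted(route("D", {"M"}, SUBS, DAY, "M2")))
```

The decision-time check is the one that addresses items already sitting in an inbox when the substitution is created; the routing-time filter alone does not.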

siddharthrajora
Product and Topic Expert
0 Kudos

For CATS you can do it via HRMSS_A_CATS_APPROVAL,

and similarly for Expenses. Yes, I have seen customers having this issue and did a check in the FM to avoid this.

There was filtering logic in UWL for self approval too; I'm not sure it will help on expenses.

In the FM SAP_WAPI_SUBSTITUTE_MAINTAIN you can code your own checks for substitution.

former_member443899
Participant
0 Kudos

What do you mean this can be done in HRMSS_A_CATS_APPROVAL?  Is it based on the Approval Profile?  I'm not sure what you are suggesting for record working time to prevent self approvals.

We don't want to stop substitutions to subordinates due to business need, but want to lock down workflows so they cannot be self-approved.  The most important being Record Working Time and Travel/Expense Claims.

former_member443899
Participant
0 Kudos

Why does this type of security check seem different in ECC versus Portal?

suresh_subramanian2
Active Contributor
0 Kudos

Hello Doug Robbins !

Create a background task and check programmatically whether the initiator and approver are the same. If so, send the work item in in-editable mode.

Otherwise, prevent the work item getting routed to them.

Regards,

S.Suresh.

siddharthrajora
Product and Topic Expert
0 Kudos

Yes, what Suresh suggests is correct. There is no check as such in the standard to prevent self approval; you need to do it programmatically. That's what I intend to explain.

Former Member
0 Kudos

In leave request, there is a pilot note to prevent self approval. Ask SAP about it.

In regular workflow, you should be able to exclude the initiator in the WF step, thus preventing self approval. I think the drawback of this is he doesn't even see the task when he sends a travel statement and he is substitute for approver.

Br

Kirsten

0 Kudos

In the latest release of HCM [ HR Renewal 1.0 ], substitution functionality has been enhanced. Substitution is not only possible for workflow items but also for non-workflow-based work items (Leave was supported in non-workflow mode as well) and a select set of MSS applications.

With this enhancement there was also a change that approvals (Leave or CATS) cannot be done for self.

Ex: If a manager 'M' assigns a direct report 'D' as a substitute. Let's say direct report 'D' applies for leave. In this scenario the leave request will not appear in the Inbox of 'D', so 'D' would not be able to approve.

If the manager 'M' logs in, the request would be available in the manager's Inbox.

suresh_subramanian2
Active Contributor
0 Kudos

Hello Doug !

In general, before going on leave, an employee informs the administrator to maintain a substitute. Sometimes, due to emergency reasons, the employee can't inform the administrator to maintain a substitute. In either case, the administrator assigns the substitute using the function module SAP_WAPI_SUBSTITUTE_MAINTAIN or from the transaction RMPS_SET_SUBSTITUTE.

If the work items are already available with an agent who is on leave, authorization should be granted only to the administrator to forward them and no one else.

You can use the HRUS_D2 table to verify whether a substitute is assigned to a user.

Regards,

S.Suresh.

former_member443899
Participant
0 Kudos

Well, we do use the substitution rule through the UWL and I was thinking of using HRUS_D2 to direct new workflows to the appropriate managers, assuming we can update all of them to include this new check.  However, is there a way to ensure they cannot approve their own if all else fails and they still have or accidentally get their own task?

I'll check with security again, but they were having trouble trying to find the correct authorization check.  Do you have any suggestions on where they can start?

suresh_subramanian2
Active Contributor
0 Kudos

Hello Doug !

For end users, S_WF_USER authorization can be assigned.

For workflow administrator, S_WF_WFADMIN authorization can be assigned.

Regards,

S.Suresh.

former_member443899
Participant
0 Kudos

S. Suresh,

My security co-worker says that these are security profiles, but most solutions now are based on security objects like S_WF_WI.  He said that we ran a few tests and could not find an authorization value to prevent someone from approving their own requests.

Any other suggestions out there?