Hello Sabita

We do have role owner and things working fine at our end .We have same settings as u mentioned .

Worth checking if role owner is shown in agent colum for that particulay stage .

Select the path and then see if below against stage you have role owner as agent.

Modify setting and modify at stage level setting make a difference ,

You need to click on modify to add role owner .

M sure you would have done it but trying

Regards

Asheesh

Hi Asheesh,

Thanks for your reply. The stage and role owners are correct. What I have found that if I assign system in the request, it searches for the agent based upon system--Role combination while my Role owners are independent of system.

When I add only role in the request, it gives error "User doesn't exist", as with Role only assign action comes and with system create action.

In SPRO-auto-provisioning, in change user option, if we check the option create user if doesn't exist with change user action and assign role action, the workflow goes fine and role owner is able to approve the request, user being auto-provisioned.

It looks like a bug in the system.

Regards,

Sabita

Thats correct Sabita ,

We also had same issue .If you are putting role and system together in request ,it will fail at role owner stage as it consider system also as a line itme and try to search for a owner .

So what we need to is segregate system from the request before it reaches to role owner .

For that we have created a routing rule before role owner stage and seprating system from the request .

There is note also for this but dont remember top on my head .

Thanks & Regards

Ashees

Hi Asheesh,

How did you design the routing rule for that?

One more question, stupid may be but I am unable to get it. When we create a routing rule, it is supposed to be attached to the stage from where it will trigger if conditions are met with routing enabled checked.

Is there any other place this mapping happens? Like in route mapping? There is option to put from Path ID and from stage, is that also to be filled up?

Regards,

Sabita

faced the same issue today. I was lucky to discover this topic after a few hours of struggling.

SAP apparently still has not solved this issue

Hi Jong,

The worse part is that SAP even don't acknowledge this as an issue. After one month of discussion, system connection, screenshots, they didn't understand what problem is. They keep suggesting workarounds. Even a note is there to suggest how to skip this stage and go to security stage.

Regards,

Sabita

Hi Sabita,

In stage no. 002 - GRAC_ROLEOWNER what rule id you are using?

please tell.

Hi Sachin,

It is standard, you need not assign it, just select appropriate agent in "Modify Task Settings" - that is GRAC_ROLEOWNER I guess.

I am not using it now, as it is not serving its purpose. I am using custom rules.

Regards,

Sabita

Hi Sabita,

Then are you using BRF+ rule? to sort out your issue.

Hi Sachin,

Yes we are using BRF+ rules but not for Role owner stage. Requirement was only for manager level stage, for which we created brf+ Agent rule based upon department.

Regards,

Sabita

Hi Sabita,

Is this is your requirement ?

Request-->Manager-->Approve-->Department wise-->Approve-->Security-->Auto Provision

then how you added mitigation Control when SoD is comes.

Please help.

Hi Sachin,

Choose the stage where you would like the approver to decide on SOD and assign mitigation control. Make Risk analysis mandatory for this stage and uncheck option - approver despite risks. It will stop approval if there are risks.In the Risk analysis tab, there is button for mitigate Risks. The approver can select Risks and put control assignment there.

He will have to wait for mitigation approval if workflow for mitigation is active. After mitigation confirmation he can go ahead with approval.

If you want a separate stage for Risk, use detour and put above conditions there.

Regards,

Sabita

HI Sabita,

As you said above.

I tried but it is not working..

Any other idea for that.

One question more i also have to create Process called Control  Assignment for Approver Workflow  for Mitigation Control.

Please Advice.

Hi Sachin,

For SOD, detour works fine. I have not configured based upon detour, but first level approver has mandatory task to assign mitigation control else system will not allow approval. It works correctly. I guess you are missing something there.

I am not sure about your second query, does it mean Control Assignment Workflow? It is very easy. Try standard one or create your own BRF+ Rules based upon what parameter you want to determine approvers.

Regards,

Sabita

HI Sabita,

In our case we required in Second Stage Controller assign Mitigation Control.

In second question Yes it is Control Assignment Workflow, i used standard one it's work fine Thank you.

But if you please give me some advice how i make mandatory of assignment of mitigation control in Controller stage.

Hi Sachin,

I am glad that you solved your second issue.

You can't force a approver to put mitigation control assignment, but you can stop them approving if there are risks. In that case, they have to assign mitigation and wait for mitigation approval before they can approve the main request. To do this, just click on stage-->modify task settings and there uncheck the option "Approve despite Risks" it will stop approval if there are unmitigated risks.Hope this helps.

Regards,

Sabita

HI Sabita,

I worked as you said but it is not working for our case.

Any advice on that.

Hi Sachin,

Can you explain what issue you are facing, may be we can help.

One issue is that approver is able to approve even when the option is not checked. Check SAP note 1667440 & 1724462

Please explain what the issue is.

Regards,

Sabita

HI Sabita,

The issue is when a SoD is there so that request moves to SoD Path/Detour Path so here Controller have to mitigate the risk before it submit the request.

But In our case when a request is moves to Controller is able to submit the request without mitigated the risk.

For Note 1667440 SAP Maintain BRF+ Function Id What is the use of that Funcation ID

Snapshot attached for reference.

Parameters 1071,1072,1073 have Value YES. & stage level setting, maintain 'Approve Despite Risk' as NO (unchecked).

I worked as this note said but still no luck.

Note:- Our Controllers pick by system based on BRF+ rule. SO do i have to make any adjustments.

Please advice.

Hi Sachin,

My understanding says that if you want ot have mitigation for some Risk and not for other ones, you create a Mitigation Policy BRF+ Rule. If you don't want to have this, simply remove the entry from Mapping as shown in BRF+ doc in note 1667440

No, controller setting is ok if request goes to correct controller based upon SOD.

Check one more place, select the stage of detour and click on modify settings, click more and check if there is any settings for approve despite risks. Sometimes two places"Modify Task Settings" and "modify Settings" conflict each other.

What Patch you are on?

If above settings don't resolve your issue, you can raise an OSS for that.

Regards,

Sabita

HI Sabita,

How i create a Mitigation Policy BRF+ Rule same a normal BRF+ Rules we create in Access Request.

We are on SAP GRC 10 SP09

Approve despite risks Unchecked in all place.

The Mitigation Policy not required in normal case, if you have any entry in mapping, remove them.

I have not done mitigation policy rule, will not be able to help you in this matter.

We are also at SP09, the approval is stopped by system if there are risks based upon SPRO and task settings.

Regards,

Sabita

HI Sabita,

We done By Set The Parameter[1071,1072,1073] Settings to YES & also Approve despite risks Unchecked in all place.

Any thing more on that .

Hi Sachin,

I guess you should contact SAP if it is not working.

Regards,

Sabita

Hi Sabita,

Thanks for help.