Skip to Content

GRC 10.0 – GRC Request with both System and Role Line Items

Most common question I have come across in this forum is how to handle the GRC requests with both System and Role LineItems. As system will not have any owner associated with it, SYSTEM lineitem should be moved to NO STAGE path and remaining roles should follow regular path.

End user logs on to GRC and will add both System and Role LineItems to the request.

1. Create an BRF+ Initiator decision table as shown below to separate System LineItem to NO STAGE path once the request is raised.

2. MSMP configuration should look as shown below.

Once above configuration is done. If a request has both system and role line items, System line item will go to a NO_ROLEOWNER_PATH and roles will go to regular path.

To report this post you need to login first.

27 Comments

You must be Logged on to comment or reply to a post.

  1. Bindu Sai

    Hi Madhu,

    I have followed your blog post to create my initiator.

    This is working absolutely fine but i found a issue recently when i raised a EAM request. My initiator table has a condition to direct requests with request type to FFPATH but instead they are going to default path and getting auto approved.

    I assume that you are also using same initiator decision table. Have you come across any such issue?

    Please help.

    Regards,

    Sai.

    (0) 
    1. Madhu Babu Sai Post author

      Hi Sai,

      I think your requirement might be to separate “SYSTEM” LineItem when user selects request type as “Create Account” or “Change Account” and add system LineItem, so just modify your initiator as shown below. Your all scenarios will work perfectly.

      Please test and let me know if any issues 🙂

      Regards,

      Madhu.

      (0) 
      1. Shailesh Belhekar

        Hi Madhu,

        Can you help with BRF+ rule configuration when user just selects SYSTEM and submit it. Roles are submitted by 1st stage. How to move system entry to NO STAGE in this case.

        Regards,

        Shailesh

        (0) 
  2. Shailesh Belhekar

    Hello All Experts,

    I am facing same issue but scenario is different which I found not possible with above solution. If I am submitting request with ONLY system, then request will go to AUTO approve and end.

    1) In change authorizations option, end user submits request with only filling SYSTEM option.

    2) Request goes to 1st Stage people, who will add roles into system

    Existing MSMP no roleowner is used as routing condition here, if role approver not FOUND, request takes  ESCAPE ROUTE and goes to Escape Stage with system option and role(if not defined role owner for it)

    3) If role has owner, it goes to Role Owner.

    Can we remove SYSTEM option from request and send it to NO PATH stage instead of ESCAPE route

    OR

    Is there any better way to handle this?  client do not wants to APPROVE requests with SYSTEM entries but ready to handle requests with no role owner request.

    Please help..  **Urgent**

    (0) 
    1. Harinam SanKirtan

      In your BRF+ Decision table for the initiator, you need to catch the result that one of the line items is a “System”.

      To do this, you need the condition column Role Connector used and have the setting set to “Is Initial”. A row in the decision table that is recognised as a Role will have the value set to “Is NOT initial” (i.e. this line item is a role and has a connector assigned).

      (0) 
      1. Shailesh Belhekar

        Hi Harinam,

        If we add ‘Is initial’ in initiator and route it to no stage, then complete request will go to NO STAGE since user only select system in 1st place and request will end..

        right now My initiator only has:

        request type … Line Item Rule-Result

        do you suggest adding ‘Role’ column in initiator ?

        (0) 
        1. Harinam SanKirtan

          Hi Shailesh,

          Can you raise your concern as a question on the forum rather than a comment on a blog/article? That way you can share screenshots and also will act as a better reference point for other SCN users in the future who may have a similar issue/question.

          (0) 
          1. Shailesh Belhekar

            Sure Harinam. Since this was ongoing thread with small change in situation, posted my query here.

            For now, it would be really helpful, if you could provide your guidance here.

            Should my initiator also include ROLE CONNECTOR, ROLE  as columns?

            right now. its just REQ TYPE, ITEMNUM, RULE RESULT

            (0) 
  3. Manoj Padmanabhan

    Hello Madhu,

    I did what you have suggested. of New Account request type.

    It skips”System” Line item and it goes to “No Role Owner” path and request passes through all stages. Manager, Role Owner, SAP Security (3rd Stage) and then as this is a case of “No Violations” in a role..it will not take detour path and it should auto provision in backend ERP.

    Autoprovision log shows ” User is created in backend”, but I do not see that use is created. Can you please help? Please look below.

    But I do not see user getting created in Backend after SAP Security Stage is over. Can you please help?

    Thanks,

    KameshAudit Log2.png

    (0) 
      1. Manoj Padmanabhan

        I actually Get this message in SLg1 logs

        Started provisioning for request number 257

        End request status for request no 257 is X

        Call is going to IDM to update the request status and EOR is X

        Callback service, req system:

        Thank you

        Kamesh

        (0) 
  4. Plaban Sahoo

    Hi Madhu,

    As per Harinam(in above comments), ROLE_CONNECTOR as “is initial”, catches a line item of type “SYSTEM” ; and “is not initial”, catches a Role.

    I gave the same, but there is error(as below screenshot). But your screenshot does not show any value called “is not initial”. So, what to do for Role line item? /wp-content/uploads/2014/11/k_596115.jpg

    (0) 
    1. Plaban Sahoo

      Hi Madhu,

      this is in continuation to my previous comment.I have also tried, with below BRF+ config., but Request of ‘System line item ‘, does not follow NO_ROLE path.

      /wp-content/uploads/2014/11/sa_596116.jpg

      (0) 
      1. Madhu Babu Sai Post author

        Hi Plaban,

        What exactly is your requirement?

        In your scenario do you select the SYSTEM LineItem in the request?

        Can you provide further more details.

        As per your screenshot. This is how it works

        First Row: For request Type 001 or 002 and if ROLE_CONNECTOR comes as SPACE then it returns that RESULT

        Second Row: For request Type 001 and if ROLE_CONNECTOR is empty. Only for this scenario it works. For any other value of ROLE_CONNECTOR except EMPTY it doesn’t work.

        Regards,

        Madhu.

        (0) 
        1. Plaban Sahoo

          Hi Madhu,

          I would simply like to know, what is the correct ROLE_CONNECTOR value for System line item.

          I tried using “is initial”, as per your screenshot for system line item, but my workflow does not follow the NO_ROLE path

          (0) 
  5. Manuela Stegmaier

    Hi Madhu,

    did you use the routing rule GRAC_MSMP_ROUTE_NO_ROLEOWNER -rule to get a auto approval of the line item system?

    I am not able to configure the brf+ with the role connector collumn, so I need another solution. May it be possible to define this routing rule?

    Thanks for your feedback.

    Manuela

    (0) 
  6. Pankaj Jha

    Why do we even have system option to add ? Anyways, we can’t raise an access request without adding roles to it. So, as per me having system as an option in add button is redundant. Can anyone tell me if there is a rationale behind having system as an option ?

    (0) 
    1. Artem Ivashkin

      Hi Pankaj,

      From my point of view, there is some bug in methodology from SAP side with this option. Systems and roles will be approving in parallel that is not logical in case if system is not approved and roles are approved. So, we decided to make system option for New account, and role for Change account. It’s a bit inconvenient for users, but logically is quite good: first, user gets systems; second, get roles for approved systems.

      So, my answer: it is irrational (imho).

      (0) 
      1. Salim Assaf

        Artem – did you ever find a workaround to your problem?  I seem to be having the same issue, and I can’t seem to think of a resolution.

        (0) 

Leave a Reply