GRC 10.0 – GRC Request with both System and Role Line Items
The most common question I have come across in this forum is how to handle GRC requests that contain both System and Role line items. Because a system has no owner associated with it, the SYSTEM line item should be moved to the NO STAGE path, while the remaining role line items follow the regular path.
The end user logs on to GRC and adds both System and Role line items to the request.
1. Create a BRF+ Initiator decision table as shown below to route the System line item to the NO STAGE path once the request is raised.
2. The MSMP configuration should look as shown below.
Once the above configuration is done, if a request has both System and Role line items, the System line item will go to the NO_ROLEOWNER_PATH and the roles will go to the regular path.
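A simplified model of the initiator evaluation described above, added here as an example (it is not SAP code or the author's configuration). It assumes the rule is evaluated once per line item, that the first matching row wins, and that a System line item is recognised by an empty role connector; the result labels, item names, connector name and request type 999 are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative result labels; the real values are whatever MSMP maps to each path.
NO_STAGE, REGULAR = "NO_STAGE", "REGULAR"

@dataclass(frozen=True)
class LineItem:
    name: str
    req_type: str        # request type code, e.g. "001"
    role_connector: str  # "" (initial) for a System line item

@dataclass(frozen=True)
class Row:
    req_types: Optional[frozenset]     # None matches any request type
    connector_initial: Optional[bool]  # True: "is initial", False: "is not initial"
    result: str

    def matches(self, item: LineItem) -> bool:
        if self.req_types is not None and item.req_type not in self.req_types:
            return False
        if self.connector_initial is None:
            return True
        return (item.role_connector.strip() == "") == self.connector_initial

def evaluate(table, item):
    """Return the result of the first matching row, or None if no row matches."""
    for row in table:
        if row.matches(item):
            return row.result
    return None

def route_request(table, items):
    """Group line item names by rule result; unmatched items land under None."""
    routed = {}
    for item in items:
        routed.setdefault(evaluate(table, item), []).append(item.name)
    return routed

# Constructed table: System items of types 001/002 skip approval, roles go the regular way.
TABLE = [
    Row(frozenset({"001", "002"}), True, NO_STAGE),
    Row(None, False, REGULAR),
]

if __name__ == "__main__":
    mixed = [LineItem("SYSTEM ECC", "001", ""), LineItem("Z_ROLE_A", "001", "ECCCLNT100")]
    print(route_request(TABLE, mixed))        # split across both results
    print(route_request(TABLE, [LineItem("SYSTEM ECC", "002", "")]))  # whole request -> NO_STAGE
    print(route_request(TABLE, [LineItem("SYSTEM ECC", "999", "")]))  # uncovered -> None key
```

A `None` key in the routed result means no row covered that line item. Checking every request type for such gaps before transport shows which requests would fall through to whatever default the workflow applies.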
Thanks for this. Very helpful! 😉
I have followed your blog post to create my initiator.
This is working absolutely fine, but I found an issue recently when I raised an EAM request. My initiator table has a condition to direct requests with request type to FFPATH, but instead they are going to the default path and getting auto approved.
I assume that you are also using the same initiator decision table. Have you come across any such issue?
I think your requirement might be to separate the "SYSTEM" line item when the user selects request type "Create Account" or "Change Account" and adds a system line item, so just modify your initiator as shown below. All your scenarios will work perfectly.
Please test and let me know if any issues 🙂
Thanks a lot Madhu. My issue is resolved 🙂
Can you help with the BRF+ rule configuration when the user just selects SYSTEM and submits it? Roles are submitted by the 1st stage. How do I move the system entry to NO STAGE in this case?
Hello All Experts,
I am facing the same issue, but my scenario is different and I found it is not possible with the above solution. If I submit a request with ONLY a system, then the request will go to AUTO approve and end.
1) In the change authorizations option, the end user submits a request filling in only the SYSTEM option.
2) The request goes to the 1st stage people, who will add roles to the system.
The existing MSMP no role owner rule is used as the routing condition here: if the role approver is not FOUND, the request takes the ESCAPE ROUTE and goes to the Escape Stage with the system option and the role (if no role owner is defined for it).
3) If the role has an owner, it goes to the Role Owner.
Can we remove the SYSTEM option from the request and send it to the NO PATH stage instead of the ESCAPE route?
Is there any better way to handle this? The client does not want to APPROVE requests with SYSTEM entries but is ready to handle requests with no role owner.
Please help.. **Urgent**
In your BRF+ Decision table for the initiator, you need to catch the result that one of the line items is a "System".
To do this, you need the condition column Role Connector used and have the setting set to "Is Initial". A row in the decision table that is recognised as a Role will have the value set to "Is NOT initial" (i.e. this line item is a role and has a connector assigned).
If we add 'Is initial' in the initiator and route it to no stage, then the complete request will go to NO STAGE, since the user only selects the system in the first place, and the request will end.
Right now my initiator only has:
request type ... Line Item Rule-Result
Do you suggest adding a 'Role' column in the initiator?
Can you raise your concern as a question on the forum rather than a comment on a blog/article? That way you can share screenshots and also will act as a better reference point for other SCN users in the future who may have a similar issue/question.
Sure Harinam. Since this was an ongoing thread with a small change in situation, I posted my query here.
For now, it would be really helpful, if you could provide your guidance here.
Should my initiator also include ROLE CONNECTOR, ROLE as columns?
Right now it's just REQ TYPE, ITEMNUM, RULE RESULT.
I did what you have suggested for the New Account request type.
It skips the "System" line item, goes to the "No Role Owner" path, and the request passes through all stages: Manager, Role Owner, SAP Security (3rd stage). Then, as this is a case of "No Violations" in a role, it will not take the detour path and it should auto provision in the backend ERP.
The autoprovision log shows "User is created in backend", but I do not see that the user is created. Can you please help? Please look below.
But I do not see user getting created in Backend after SAP Security Stage is over. Can you please help?
Can anyone reply to my above issue? Thanks for your efforts.
I actually get this message in the SLG1 logs:
Started provisioning for request number 257
End request status for request no 257 is X
Call is going to IDM to update the request status and EOR is X
Callback service, req system:
As per Harinam (in the above comments), ROLE_CONNECTOR as "is initial" catches a line item of type "SYSTEM", and "is not initial" catches a Role.
I gave the same, but there is an error (as in the screenshot below). But your screenshot does not show any value called "is not initial". So, what to do for the Role line item?
This is in continuation of my previous comment. I have also tried with the below BRF+ config, but a request with a 'System line item' does not follow the NO_ROLE path.
What exactly is your requirement?
In your scenario do you select the SYSTEM LineItem in the request?
Can you provide further details?
As per your screenshot, this is how it works:
First Row: For request Type 001 or 002 and if ROLE_CONNECTOR comes as SPACE then it returns that RESULT
Second Row: For request Type 001 and if ROLE_CONNECTOR is empty. Only for this scenario it works. For any other value of ROLE_CONNECTOR except EMPTY it doesn't work.
I would simply like to know what the correct ROLE_CONNECTOR value is for a System line item.
I tried using "is initial", as per your screenshot, for the system line item, but my workflow does not follow the NO_ROLE path.
Have you resolved your issue?
Thanks Madhu for sharing. It is really very helpful.
Did you use the routing rule GRAC_MSMP_ROUTE_NO_ROLEOWNER to get an auto approval of the System line item?
I am not able to configure the BRF+ with the role connector column, so I need another solution. Might it be possible to define this routing rule?
Thanks for your feedback.
Very Helpful document Madhu. Thanks for your efforts.
Why do we even have the System option to add? Anyway, we can't raise an access request without adding roles to it. So, as I see it, having System as an option in the Add button is redundant. Can anyone tell me if there is a rationale behind having System as an option?
From my point of view, there is some bug in the methodology on the SAP side with this option. Systems and roles will be approved in parallel, which is not logical in the case where the system is not approved and the roles are approved. So, we decided to make the System option for New Account, and Role for Change Account. It's a bit inconvenient for users, but logically it is quite good: first, the user gets systems; second, they get roles for the approved systems.
So, my answer: it is irrational (imho).
Artem - did you ever find a workaround to your problem? I seem to be having the same issue, and I can't seem to think of a resolution.
No, didn't find a solution according to my requirement. However, we decided to split role and system assignment.
Can you please share a document where I can find complete steps to configure this BRF+ and map it to Workflow?
Any help with documentation?