Consider a situation where you need approval from the manager’s manager,
for example a scenario with normal roles and critical roles.
We have a workflow for request type New/Change account for the assignment of roles. It goes through a 2-level approval process unless the role is critical, in which case it goes through a 3-level approval process.
Critical roles are marked as critical within the role in GRC Access Control 10.1 Business Role Management, which is the repository of roles in the GRC system.
When a request is submitted by a user, a request number is created and a workflow is triggered.
The workflow takes the approval path based on the initiator rule created in BRF+.
The initiator rule takes the input parameters in a decision table and returns rule result values, which are mapped directly to the approval paths.
Here is an example of a BRF+ decision table.
For example, the New/Change request type is 001. When a role assignment is submitted, the workflow checks the initiator rule and takes the matching approval process.
The approval stages are maintained in MSMP for each path where Agent rules (approver determination Function Module) are mapped.
The non-critical role path is maintained with 2 stages of approval:
- Role Owner
The critical role path is maintained with 3 stages of approval:
- Manager’s Manager
- Info Asset Owner
Determination of the approver (agent rule) is mapped to stages. The workflow reads the stage detail in the background and sends the item to the approver’s inbox.
There are SAP standard function module based rules for determining approvers such as Manager and Role Owner.
Determination of the manager’s immediate head is not standard functionality, but it can be achieved using an ABAP class based or function module based rule.
SAP GRC 10.1 Access Control provides the interface GRFNMW_DEV_RULES to develop your own rules, which can then be mapped into MSMP.
The rules created are maintained in the MSMP rules as approvers and are used in MSMP stages as the approver agent.
When a request reaches a stage, the workflow item is sent to the approver determined by the rule.
To achieve this, a function group (ZGRAC_FM_RULE) and a function module based rule (ZMGR2_CRA_AR) need to be created.
Step 1: Create a function group ZGRAC_FM_RULE
Step 2: Execute tcode GRFNMW_DEV_RULES and create a function module based agent rule ZMGR2_CRA_AR.
Copy GRAC_MSMP_MANAGER_AGENT to create a function module ZMGR2_CRA_AR.
It will be linked to MSMP process id SAP_GRAC_ACCESS_REQUEST by GRC Team (TECHM) once the development of new Function module rule is complete.
The function module based agent rule should first query table GRACREQ to get the Request GUID. It then looks up table GRACREQOWNER using the Request GUID for that request, finds the entry with Usertype=MAN, and reads the value of USERID, which is the manager’s ID of the user for whom the request is raised. The Manager ID is then used as the User ID to look up its own manager, based on the data source configuration.
This is already configured in SPRO, Data Source configuration.
The function module rule will be maintained under Maintain Rule in MSMP
and will be mapped to an Agent ID, which will be used in the stage for approval.
Whenever a request is submitted, table GRACREQOWNER is updated with the Request ID. The manager’s information is stored under User Type MAN, and the manager’s ID is stored under USERID.
1. The RFC information is stored in table GRACV_DETAIL_DS, where Connector ID is the RFC name and User Data Type = HR.
Table GRACV_DETAIL_DS is a maintenance view table. Select queries cannot be applied on maintenance tables. As discussed, we can refer to table GRACUSERSOURCE, which is the root table of GRACV_DETAIL_DS.
Read table GRACUSERSOURCE using the following parameters:
- User Data Type: HR
- Data source type: 01
If there are 2 HR systems, the loop will check the systems based on sequence.
- Once the Manager ID is retrieved, its value is passed to the HR system using RFC. The RFC should call function module /GRCPI/GRIA_USR_GET_DETAILS, providing the Manager ID and path, retrieve the manager’s manager ID, and pass it to the GRC system agent rule as the agent for that stage.
The following input parameters will be passed to FM /GRCPI/GRIA_USR_GET_DETAILS
- Manager of the user
- Path ID – looked up in table GRACCONNSTAT by passing the connector = RFC connection.
- (SPRO → Maintenance Connector Settings)
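
The lookup chain described above, modelled in Python as an added example (not code from the original post, and not the ABAP rule itself): the tables are small constructed samples with simplified column names, and `hr_get_manager` is a local stub standing in for the RFC call to /GRCPI/GRIA_USR_GET_DETAILS. It shows the sequence-ordered check across two HR systems and raises an error when no manager’s manager can be resolved, instead of returning an empty agent.

```python
# Constructed sample data. Column names are simplified stand-ins, not real SAP layouts.
GRACREQ = {"1001": "GUID-A", "1002": "GUID-B"}  # request number -> request GUID
GRACREQOWNER = [
    {"req_guid": "GUID-A", "usertype": "ROL", "userid": "OWNER7"},
    {"req_guid": "GUID-A", "usertype": "MAN", "userid": "MGR01"},
    {"req_guid": "GUID-B", "usertype": "MAN", "userid": "MGR09"},
]
GRACUSERSOURCE = [  # deliberately out of order to show sequence handling
    {"connector": "HR_SYS_2", "data_type": "HR", "source_type": "01", "sequence": 2},
    {"connector": "LDAP_1", "data_type": "AUTH", "source_type": "02", "sequence": 1},
    {"connector": "HR_SYS_1", "data_type": "HR", "source_type": "01", "sequence": 1},
]
GRACCONNSTAT = {"HR_SYS_1": "PATH_A", "HR_SYS_2": "PATH_B"}  # connector -> path ID
# What each HR system knows: (connector, path ID) -> {user ID: manager ID}
HR_DATA = {
    ("HR_SYS_1", "PATH_A"): {"EMP01": "MGR01"},
    ("HR_SYS_2", "PATH_B"): {"MGR01": "DIR01"},
}

def hr_get_manager(connector, path_id, userid):
    """Local stub standing in for the RFC call to /GRCPI/GRIA_USR_GET_DETAILS."""
    return HR_DATA.get((connector, path_id), {}).get(userid)

def managers_manager(request_no):
    """Return (agent user ID, connector that resolved it) for a request."""
    guid = GRACREQ.get(request_no)
    if guid is None:
        raise LookupError(f"request {request_no} not found")
    manager = next((r["userid"] for r in GRACREQOWNER
                    if r["req_guid"] == guid and r["usertype"] == "MAN"), None)
    if not manager:
        raise LookupError(f"no MAN entry for request {request_no}")
    sources = sorted((s for s in GRACUSERSOURCE
                      if s["data_type"] == "HR" and s["source_type"] == "01"),
                     key=lambda s: s["sequence"])
    for src in sources:
        path_id = GRACCONNSTAT.get(src["connector"])
        agent = hr_get_manager(src["connector"], path_id, manager)
        # Assumption: an entry pointing back at the manager counts as unresolved.
        if agent and agent != manager:
            return agent, src["connector"]
    # Fail closed: never hand the stage an empty agent.
    raise LookupError(f"no manager's manager for {manager}")

if __name__ == "__main__":
    print(managers_manager("1001"))  # ('DIR01', 'HR_SYS_2')
```

The same three cases (resolved on the second HR system, manager unknown to every HR system, unknown request) make a useful test set for the real ZMGR2_CRA_AR rule.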