Skip to Content
Technical Articles

SAP GRC Access Control 10.x – Firefighter ID Controller Log Report Review Workflow

This document focuses on setting up Workflow Notifications for Firefighter Log Review by the Controller, including the notification of a new Work Item. The main advantage Workflow notification provides is that this work item will need to be submitted/approved by the Controller, acknowledging that he/she has reviewed the Firefighter Session log.

Notification types

During the assignment of a Firefighter ID Controller to a Firefighter ID, you will see three options for “Notification By”:

  • Email: will send an email notification to the Controller with a link to the Firefighter Session log
  • Workflow: will create a work item in the Controller Work Inbox. This is the one we need to chose for making the submission of logs review available for the Controller.
  • Log Display: means the Controller will personally run the report.

Activating Log Report Review Workflow Process

First, you will need to activate and generate the process for “Firefighter Log Report Review Workflow” (SAP_GRAC_FIREFIGHT_LOG_REPORT).

You can enter into the MSMP Workflow Configuration by executing transaction GRFNMW_CONFIGURE_WD, or navigating to IMG -> GRC -> AC -> Workflow for Access Control -> Maintain MSMP Workflows:

Select the row for Process ID SAP_GRAC_FIREFIGHT_LOG_REPORT and make sure you are on Change mode. You can skip to Step 5 – Maintain Paths:

Then, you will need to maintain the details of the Default Stage of the Default Path. Make sure that the Agent ID is “GRAC_SPM_CNTRL_AGENT”, and that the Approval Type is “Any One Approver”. If you set this setting to “All Approvers”, all the Controllers assigned to the Firefighter ID must submit/approve the log before it actually gets submitted.

You can also personalize additional settings by clicking on “Modify Task Settings”.

For instance, I would like to make the Comments Mandatory, for enforcing that acknowledgment I was talking before, and also I will allow the ability to forward the Log Review to another Controller.

Once you have finished, make sure you perform Step 7, Saving and Activating current process version. After that, the Controller will get a new Work Item on his/her Work Inbox for every Firefighter Session. Bare in mind that this workflow will be triggered by program GRAC_SPM_LOG_SYNC_UPDATE, if you set parameter 4007 to YES. If you set parameter 4007 to NO, the Firefighter Session Log will be collected when program GRAC_SPM_LOG_SYNC_UPDATE gets executed, and the Work Item will be generated when GRAC_SPM_WORKFLOW_SYNC program gets executed. Make sure you have these sync programs scheduled on a periodic background job according to your Configuration Settings.

How to trigger the New Work Item e-mail notification

Similar to what we did before, select the row for Process ID SAP_GRAC_FIREFIGHT_LOG_REPORT making sure you are on Change mode, but this time skip to Step 3 – Maintain Agents.

The problem is that in this Workflow Process, the Controller (Agent ID: GRAC_SPM_CNTRL_AGENT) has Agent Purpose Approval. For giving Notification Purpose also, we need to create a duplicated entry (e.g. ZGRAC_SPM_CNTRL_AGENT_N), and give it Agent Purpose “Notification”:

Save your new Agent, then go to Step 5, and on the Default Stage Notification Settings, create a new notification event for event “NEW_WORK_ITEM”, like the one below:

Remember to Save and Activate in Step 7 after creating this notification event.

Once this is complete, the Controller will receive the email notification when a new Work Item gets sent to his/her Work Inbox. Make sure you have maintained an email address in the SU01 of the Controller.

Auditing Log Reviews

You will be able to review the workflow generated Log Reports Review by going into NWBC -> Access Management -> Search Requests (inside Access Request Administration section), selecting “Fire Fighter Log Report Review Workflow”.

 

Hope this helps, if you need more information do not hesitate to leave a comment.

 

Related topics

 

Be the first to leave a comment
You must be Logged on to comment or reply to a post.