SAP GRC Access Control 10.x – Firefighter ID Owner approval delegation
Not too long ago, I was asked to provide a feasible solution for the situation where a Firefighter ID Owner is out of the office and an Access Request is created for an FF ID owned by him. In this particular case, the Owner wanted to be the only person able to approve or reject Firefighter requests, but also wanted to give others the ability to approve requests for the FF IDs he owned, but only while he was unavailable. In this document I will explain the solution provided and the challenges I faced.
The answer to the above situation is “Approver Delegation”. This is a standard option available by default to every GRC front-end user, on the My Home tab:
If the Owner wants to create a new Delegation, he/she will have to click on “Delegate”…
…and then select the ID of the delegated user:
If the Owner forgets to perform this task, Administrators can also set up Delegated Approvers for any user:
What this does is give the Delegated Approver access to the Owner’s Work Inbox for the validity period entered; if that person also has authorization to approve Access Requests, he/she will be able to approve the requests sitting in the Owner’s Work Inbox. Note that the delegation exposes the whole Work Inbox, not only the Firefighter requests, so the delegate’s own authorizations are what limit what he/she can actually approve. The delegated user does not need to be set up as an Owner; it can be any user in the system. If only a few requests should be handled by another person, System Administrators can instead forward those specific requests to that user.
Which authorizations does the Delegated Approver need?
The Delegated Approver will need access to the NWBC and permissions to approve Access Requests. SAP delivered roles containing the needed authorizations are:
SAP_GRAC_ACCESS_APPROVER – Role for Access Request Approver
SAP_GRAC_BASE – Base Role for all Access Control Users
SAP_GRAC_NWBC – View Access Control Information Architecture
If additional granularity by type of Access Request is needed, field GRAC_RQTYP of authorization object GRAC_REQ can be used to restrict the Delegated Approver to approving only certain types of Access Requests.
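The following is an added example, not code from this post or from SAP: a small Python model of the two independent conditions described above. An active delegation makes the Owner’s Work Inbox visible to the delegate for the validity period, and the GRAC_REQ / GRAC_RQTYP authorization decides whether the delegate may approve a given request type. The user IDs, dates and request-type codes (“FFID”, “ROLE”) are constructed for the example and are not SAP-delivered values or GRC table names.

```python
"""Model of GRC 10.x approver delegation plus GRAC_REQ authorization.

Added example (not SAP code). It mirrors the two conditions the text
describes:
  1. an active delegation gives the delegate the Owner's Work Inbox;
  2. authorization object GRAC_REQ, field GRAC_RQTYP, decides whether the
     delegate may approve that request type.
All names, dates and request-type codes below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Delegation:
    owner: str
    delegate: str
    valid_from: date
    valid_to: date  # inclusive end of the validity period

    def active_on(self, day: date) -> bool:
        return self.valid_from <= day <= self.valid_to


@dataclass(frozen=True)
class WorkItem:
    approver: str      # user whose Work Inbox holds the item (the Owner)
    request_type: str  # value compared against GRAC_REQ / GRAC_RQTYP


@dataclass(frozen=True)
class User:
    uid: str
    # GRAC_RQTYP values granted on GRAC_REQ; "*" means all request types.
    grac_rqtyp: frozenset = field(default_factory=frozenset)

    def authorized_for(self, request_type: str) -> bool:
        return "*" in self.grac_rqtyp or request_type in self.grac_rqtyp


def visible_to(item: WorkItem, user: User, delegations, today: date) -> bool:
    """True if the item sits in a Work Inbox this user can see today."""
    if item.approver == user.uid:
        return True
    return any(
        d.owner == item.approver and d.delegate == user.uid and d.active_on(today)
        for d in delegations
    )


def can_approve(item: WorkItem, user: User, delegations, today: date):
    """Return (allowed, reason). Delegation alone only makes the item visible;
    approval additionally requires the GRAC_REQ authorization."""
    if not visible_to(item, user, delegations, today):
        return False, "item not in user's Work Inbox (no active delegation)"
    if not user.authorized_for(item.request_type):
        return False, "no GRAC_REQ authorization for GRAC_RQTYP=" + item.request_type
    return True, "ok"


# --- constructed sample data -------------------------------------------------
OWNER = User("FF_OWNER", frozenset({"*"}))
DELEGATE = User("DEPUTY", frozenset({"FFID"}))   # may approve FF requests only
NO_AUTH_USER = User("CLERK")                     # delegated but no GRAC_REQ
DELEGATIONS = [
    Delegation("FF_OWNER", "DEPUTY", date(2024, 1, 6), date(2024, 1, 10)),
    Delegation("FF_OWNER", "CLERK", date(2024, 1, 6), date(2024, 1, 10)),
]
FF_ITEM = WorkItem("FF_OWNER", "FFID")     # Firefighter ID request
ROLE_ITEM = WorkItem("FF_OWNER", "ROLE")   # ordinary role request, same inbox
IN_WINDOW = date(2024, 1, 8)
AFTER_WINDOW = date(2024, 1, 12)

if __name__ == "__main__":
    for label, item, user, day in [
        ("deputy, FF request, in window", FF_ITEM, DELEGATE, IN_WINDOW),
        ("deputy, FF request, after window", FF_ITEM, DELEGATE, AFTER_WINDOW),
        ("deputy, role request, in window", ROLE_ITEM, DELEGATE, IN_WINDOW),
        ("clerk, FF request, in window", FF_ITEM, NO_AUTH_USER, IN_WINDOW),
        ("owner, FF request, after window", FF_ITEM, OWNER, AFTER_WINDOW),
    ]:
        print(label, "->", can_approve(item, user, DELEGATIONS, day))
```

The third and fourth cases are the ones worth remembering: the delegate can see the role request but cannot approve it, because GRAC_RQTYP only grants “FFID”, and a delegated user with no GRAC_REQ authorization at all sees the inbox but approves nothing.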
Why is the Delegated Approver not receiving new Work Item e-mail notifications?
The main challenge I faced was figuring out why the Delegated Approver was not receiving an e-mail notification when a new Firefighter Access Request was created for an ID owned by the original Owner, although the needed configuration was in place. That configuration is: in the Workflow Configuration of your SAP_GRAC_ACCESS_REQUEST process, go to Step 5 and make sure that for your relevant path (GRAC_EAM_PATH, for instance) the Notification Settings have GRAC_CURRENT_APPROVERS as the Recipient ID for the NEW_WORK_ITEM Notification Event:
So I did a little digging and found this SAP Note (which one applies depends on your AC version) that, after being implemented by an ABAP colleague, solved the issue:
Hope this helps anyone who wants to configure this functionality. Feel free to ask any questions or make suggestions. Thanks for reading.