Enabling requester to cancel his/her own GRC ARM Requests
This blog post explains how to enable requesters to cancel their own GRC requests without waiting for a GRC administrator to cancel them.
Typically, in “Maintain EUP Fields” the parameter “One User per Request per System” is set to YES to ensure that a second request is not allowed for the same user and the same system with a different set of roles while the prior request is still open. An attempt to raise a second request fails with the error “There is already an open request for system xxx by user id xxx”.
This is a crucial setting: it helps in performing the SOD analysis properly at the respective stage level before role assignments are approved in SAP systems. At the same time, it frustrates requesters when a submitted request was incomplete or inappropriate. Such a request needs to be canceled before a correct one can be raised, so requesters need help from GRC admins to cancel it.
The steps below enable requesters to cancel their own GRC requests without depending on a GRC admin every time, which reduces the burden on GRC admins.
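Step1: Create a report transaction for report GRFNMW_MANUAL_INSTANCE_CANCEL in SE93. Let’s say ZCANCEL.
Step2: Add authorization object GRFN_MSMP in SU24 for transaction ZCANCEL and set its check indicator to “Do not check”. This will ensure sufficient access without providing admin access to requesters. Because the GRFN_MSMP check is then skipped inside ZCANCEL, the restriction to a requester's own requests has to come from the ABAP condition on the “created by user” column described in the ABAP step further down.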
Step3: Customize the launchpad for work center Access Management to add an option “Cancel Request”.
In transaction LPD_CUST, identify the role and instance that provide access to the “Access Management” work center in NWBC for the requester.
These can be identified from the Application configuration of the Security role, as shown in the picture below.
Click on the Application configuration button and navigate to the component configuration, as shown in the picture below.
This configuration is linked to Role: GRACMGMT and Instance: GRAC_ACCESS_MANAGEMENT.
Find the same role and instance in transaction LPD_CUST, double-click the entry and add a new application under “Access Request Administration”.
This will help the requester to see an additional option in the Access Management work center called “Cancel Request” which is routed to program: GRFNMW_MANUAL_INSTANCE_CANCEL.
Step4: This step involves ABAP code modifications and is not shown in detail because it requires ABAP development work.
Write ABAP code to match the MSMP instance ID with the request number, which can be obtained from table GRFNMWRTINST.
Replace the technical names of the screen input fields with user-friendly names. Also, ensure that the ABAP code includes a condition that the login user ID matches the “created by user” column in table GRFNMWRTINST, so that requesters can cancel their own requests but not those created by any other user.
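One way to implement the ownership condition from this step, as an added example that is not the author's or SAP's code. It assumes a wrapper report (hypothetical name ZGRC_CANCEL_OWN_REQUEST) that ZCANCEL and the launchpad entry point to, GRFNMWRTINST columns named EXTERNAL_KEY_DISP, INSTANCE_ID and CREATED_BY, and a placeholder selection parameter P_INST on the standard report; verify all of these in SE11 and SE38 first.

```abap
REPORT zgrc_cancel_own_request.
* Added example. Assumptions to verify in SE11/SE38 before use:
*   - GRFNMWRTINST columns EXTERNAL_KEY_DISP (request number),
*     INSTANCE_ID (MSMP instance) and CREATED_BY ("created by user")
*   - P_INST is a placeholder for the instance-ID selection field of
*     report GRFNMW_MANUAL_INSTANCE_CANCEL

" User-friendly input: the request number, not the technical instance ID.
PARAMETERS p_reqno TYPE c LENGTH 20 OBLIGATORY.

START-OF-SELECTION.
  " Look up the instance by request number only. The creator is read from
  " the database row and never taken from screen input.
  SELECT instance_id, created_by
    FROM grfnmwrtinst
    WHERE external_key_disp = @p_reqno
    INTO TABLE @DATA(lt_inst).

  " Fail closed: exactly one matching instance is required.
  IF lines( lt_inst ) <> 1.
    MESSAGE 'Request not found or not unique' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  DATA(ls_inst) = lt_inst[ 1 ].

  " Ownership check: only the user who created the request may cancel it.
  IF ls_inst-created_by <> sy-uname.
    MESSAGE 'You can only cancel requests that you created' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Pass the verified instance ID to the standard cancel report. Without
  " VIA SELECTION-SCREEN the user cannot change the ID before it runs.
  SUBMIT grfnmw_manual_instance_cancel
    WITH p_inst = ls_inst-instance_id
    AND RETURN.
```

If requesters can still start the standard report directly with an arbitrary instance ID, this check is bypassed, so the wrapper should be the only path exposed to them.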
The screenshots of the actual functionality are not available at the moment. Please test it; it should work.
In this way, we can provide requesters access to cancel their own request instead of relying on GRC admins all the time.
Thanks for reading!