on 04-17-2014 7:57 PM
Hi Team,
We have defined ABAP Class based for Agent Rule ZCL_GRAC_WFA_RISK_OWNER, and the Risk owners are also maintained in the AC table in Set-up, but after submitting the access request there are SOD voilations,Detour condition GRAC_MSMP_DETOUR_SODVIOL is satisfied , so the request is routed to ROLEAPP_SOD_PATH and parallely routed SODVIOL_DETOUR_PATH6,
Once the role owner approvers the request, and escape route applied at SODVIOL_DETOUR_PATH6 as No approver found.
But the Risk owners are defined in the AC Owner table.
Can anybody help with this, as why escape path is applied even after maintaining Risk owners?
Regards,
Sindhu
Hi Sindhu,
Please check for the agent rule whether it is defined properly and picking the agent or not,normally this issue happens if the agent is not defined properly and system could not find the agent.
Also activate the workflow which is also sometimes a reason for the issue.
Additionally make sure the agent is defined both at the stage default settings and optional settings.
Regards
Pradeep
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks Sindhu and Pradeep. We applied note 1670504 in 2013 when it is in version 2 and it works fine in our old GRC system since old system only has single SoD logical group. Below is how risk owner table be loaded in different version of this note.
Version 2
LOOP AT MT_SOD_RISKS INTO ls_sum_viol_det WHERE connector = is_line_item-connector.
Current version
LOOP AT MT_SOD_RISKS INTO ls_sum_viol_det WHERE connector = is_line_item-connector and role = is_line_item-role_name.
Attachment of current version
LOOP AT MT_SOD_RISKS INTO ls_sum_viol_det ."WHERE connector = is_line_item-connector and and role = is_line_item-role_name.
Now SAP seems remove all the restriction when loading risk owner table in ZCL_GRAC_WFA_RISK_OWNER.
We fixed the issue in our new GRC system by re-setup SoD for each of the goup.
Hello,
Risk owner has to be maintained in risk id under owner tab for that risk.
then your agent rule will work.
Regards,
Prasant
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks for reply Paichha. Risk owner do exist in owner tab of related risk when checking nwbc -> access rule maintenance -> access risks. We also check if risk owner exist in SU01 and they are all there. We have tried to re-run full sync for GRC box itself also but still, it doesn't pick up by agent rule.
Hi Sindhu,
Please check the SoD violations in your request are coming from the roles present in the request or are from existing assignment of user.
Note 1670504 provides 2 different risk owner agent ( lineitem level and request level ) . If your SoD violations are coming from existing assignment then you need to implement the second logic ( request level risk owner )
Best Regards,
Aman
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Sindhu,
We have similar issue for approver not found when SoD detour for new user. It is routed to escape route instead to risk owner for approval. All the risk owners do exist in table GRACSODRISKOWN and all the risk owner alos shows up in user table GRACUSER. We have checked WF-BATCH user access and it looks OK.
Can you share the solution if any?
Thanks,
Ying Ye
Thanks for reply Sahoo.
We have tested both new user and existing user and SoD route to escape route with approver not found message.
Simulation on BRF rule route to Z_ASSIGN_ROLES path. If there is SoD detected in Z_ASSIGN_ROLES path, it will map to Z_SoD_Detour then send to agent Z_AR_RISK_OWNER_APPROVER for approval.
Any suggestion where should we check further?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.