cancel
Showing results for 
Search instead for 
Did you mean: 

GRC %PROVISIONING% variable - Issue

former_member187795
Participant
0 Kudos

Hi All,

I have configured my MSMP workflows and all of them are working fine.

For my New/Change Account workflows have 3 stages.

I didn't maintain any global notification settings, instead in my 3rd stage i have maintained an Email Template for APPROVED notification with %PROVISIONING% variable.

Provisioning is happening correctly, but email which is being sent to the user doesn't contain any information about provisioning and shows message "NO PROVISIONING LOGS AVAILABLE"

Then i have added END_OF_REQUEST event in global notification settings and  this is sending email with all details properly to the user.

Does that mean provisioning notification variable should be used only with END_OF_REQUEST event in global notification settings and not at any stage level?

Experts please advise.

Regards,

Sai.

Accepted Solutions (1)

Accepted Solutions (1)

Former Member

Hi Sai,

This behaviour has been occurring since the beginning of version 10.0.

I wish that the %PROVISIONING% variables worked from a Stage notification also.

former_member187795
Participant
0 Kudos

Hi Harinam,

Thanks for the details So you say that there is no other option than to use Global notification settings is it ?

Regards,

Sai.

Former Member
0 Kudos

At the moment no. It seems that the logic only prints out the details literally at the end of the request/path.

Oddly enough, if your provisioning setting is set to "End of Path" that does not make a difference either as it seems provisioning takes place after the path has ended, whilst the notification is submitted just before the path is closed (hence the message log not available). I tried to test this last year on SP11, but no luck. Since then, I just configure the email to be shot out at the end of the request (makes some sense as you want to send a final email listing what was provisioned to the end user, including their passwords).

I wish the provisioning log could be written to the buffer or something before the request has actually closed as a whole or from the path.

former_member187795
Participant
0 Kudos

Thank you so much Harinam for taking your time in clarifying my issue. Hopefully SAP should add on this feature in near future

former_member187795
Participant
0 Kudos

Hi Harinam,

I have one more query.

For example in closing notification I want to show different Email content to the user.

Eg: For New account requests - Along with provisioning details I want to show this message

The Initial password generated will only be valid for 5 days. Please login within 5 days. After which, password reset is required to obtain another valid password

Similarly for Change Account Requests - I should not show these details as they are irrelevant

In this case my global notification Can I have different closing templates based on request type? Or Should I use the same for all request types closing notification

Please suggest if it can be done.

Regards,

Sai.

Former Member
0 Kudos

....you've hit a dilemma i've faced before.

You can create your own custom notifications and then add them to the MSMP stages, but as you have just realised, the %PROVISIONING% variable only seems to work if set as a "End of request" Global notification, so having a working notification for different request types does not work.

If you are going to be using the End of Request notification to send the Close notifications, I would put in a generic statement within the template as you have described above (i.e. put in a "Note: any passwords generated expire after etc etc...").

To find out more about creating your own notification templates and applying them to the workflow, you can find many answers through the SCN in the form of threads or blog/articles documented by other members.

I hope that answers your question.

former_member187795
Participant
0 Kudos

Hi Harinam,

Sorry for bugging you

Actually I have created different notification templates for different request types and included them in the last stage of all my request types hoping that that will be sent to the user, but since END OF REQUEST is mandatory for closing notification for %PROVISIONING% variable i have enabled it in my Process Global Settings.

For New/Change account, EAM request type - I am getting the same notification closing template maintained in Process Global notification settings.

For other request types like Unlock, Terminate request types since they don't have %PROVISIONING% variable requirement I wanted for these alteast my custom notifications to go and maintained them in last stage.

Now both notifcations are going one from Global settings and one from stage settings

I assume that there is no standard way to achieve my scenario.

But Is there any way where I can achieve this with the help of ABAPer so that I can chk with them

Please suggest if you have any idea.

I already browsed entire forum, found something relevant which was mentioned that can be achieved using a BADI GRFN_MSMP_NOTIFICATION_ES.

But i went through the note 1589130 - GRC AC 10.0 - MSMP Notification Override BADi - Enabling and looks like it is for different scenario.

Do you have any idea about this?

Thanks in advance

Regards,

Sai.

Former Member
0 Kudos

The SAP note mentioned above is to fix the issue of ensuing the Delegates also receive the emails from the Access Request workflow.

The Provisioning logs used by the %provisioning% variables will give details of the account being locked/unlocked/deleted also. What it stupidly does not give is a list of which roles have been removed (which is another matter of its own and worthy of it's own thread on this forum). I still feel the "Close" request notification sent out from the Global setting can be utilised in your case.

It may be worth investing time (and money) into a a ABAP resource who can decipher the GRC program code, but any modification here could well make your version of GRC AC unsupported. I have had one instance where the customer decided to use the notifications at both the Stage and at the Global stage when a request is closed. The Stage sent additional informatino pertaining to the request type (i.e. like the messages you have customised), whilst the Global one sent the Provisioning settings.

I know with the notifications you can set different message numbers for the same notification class etc, but this only seems to work from the stage settings..and not from the Global setting.

I know these answers are useful but not 100% helpful or problem solving for you.

Have you tried raising a call to SAP Support? I would be interested in receiving a Developers answer as to why the notification variable behaves as we discussed.

former_member187795
Participant
0 Kudos

Hi Harinam,

Thanks for detailed reply.

Now we are trying to propose the scenario as you suggested. Both stage level and global level notifications will be there for closing.

At stage level - We will mention the details with custom text as per client requirement.

At Global level - We will give provisioning details

I wanted to raise OSS message, but I already raised some four messages for different issues with business roles and business role mail notifications almost one month back and still no proper response from SAP May be will raise another OSS message for this and atleast will try to get details from them about this behaviour

Once again Thanks a lot

Regards,

Sai.

Former Member
0 Kudos

Hi Sai,

It's good to hear that you are considering a workaround. I can understand that the %PROVISIONING% variable would not work in all the other stages of a path bar the last one, but you would think that it would work after ending the path.

I completely understand your worries about raising another SAP note when you have a good few open and unresolved. I would still raise it and see what happens. It is better to have it on the support teams books.

Out of interest, what Support Pack are you on? I have found that majority of  Business Role related issues were fixed as of SP13, but a few additional fixes had to be implemented on our current project and these notes are now a part of SP14. You may wish to have a look through the notes aligned to SP13 and 14 and see if any of them fix your issues. You may save time on the project by investigating the ready made notes rather than waiting for Support to come back.

Anyways I hope this has helped you. You may wish to mark this thread as answered now

All the best.

former_member187795
Participant
0 Kudos

Hi Harinam,

I raised OSS message for this as even I wanted to know SAP's idea behind having this feature

We are on GRC SP13. Business roles provisioning and de-provisioning works fine and almost all notes required are already applied.

Below are the scenarios I tested and reported issue to SAP. Please provide some input if u already resolved these issues.

GRC Request TypeE9B2A1:E8A1:E13A1:E12A1:E11A1:E10Business Role ScenarioProvisioning StatusParameter 4019 ValueSynch Job Status
Create AccountCreating User Z_GRAC_USER3 with business role YB_GRC_TEST and YB_GRC_TEST1User is created.Both business roles provisioned.Since both roles have one common composite role it has been assigned only once in the backend since role is same and validity is same.YESSynch jobs are executed and now GRACROLEUSAGE table shows that user has 2 composite roles and 2 single roles assigned.
Change AccountModify User Z_GRAC_USER3 and remove business role YB_GRC_TEST User is modified. Only Business role YB_GRC_TEST has been removed properly.YESSynch jobs are executed and now GRACROLEUSAGE table shows that user has 1 composite role and 1 single role assigned. This is proper and correct.
Change AccountModify User Z_GRAC_USER3 and remove business role YB_GRC_TEST1  User is modified. Only Business role YB_GRC_TEST1 has been removed properly.YESSynch jobs are executed now and currently user Z_GRAC_USER3 don't have any roles assigned in the backend system. But GRACROLEUSAGE table shows that still few roles which are part of business role are still assigned. This is the major issue with Sync jobs
Change AccountModify User Z_GRAC_USER3 and add business role YB_GRC_TEST1  User is modified.  Business role YB_GRC_TEST1 has been assigned properly.YESSynch jobs are executed and now GRACROLEUSAGE table shows that user has 1 composite role and 1 single role assigned. This is proper and correct.
Change AccountModify User Z_GRAC_USER3 and add business role YB_GRC_TEST  User is modified.  Business role YB_GRC_TEST has been assigned properly.YESSynch jobs are executed and now GRACROLEUSAGE table shows that user has 2 composite roles and 2 single roles assigned.
Change AccountModify User Z_GRAC_USER3 and remove business role YB_GRC_TEST User is modified.  Business role YB_GRC_TEST has been removed properly.YESSynch jobs are executed and now GRACROLEUSAGE table shows that user has 1 composite role and 1 single role assigned. This is proper and correct.
Change AccountModify User Z_GRAC_USER3 and assign business role YB_GRC_TEST and remove business role YB_GRC_TEST1According to this scenario existing business role should be removed and new business role should be added. Existing role has been removed. There is one common composite role in the newly assigned business role and existing business role and this common role also got removed. This is major and critical issue with business roles de-provisioningYESSynch jobs are executed now and currently user Z_GRAC_USER3 has been assigned with new business role. This business role is a combination of 1 composite role and 1 singel role. Since composite role which is a common role has been removed, now user has been assigned with only single role. But GRACROLEUSAGE table shows that still few roles which are part of that composite role are still assigned. This is another major issue with Sync jobs
Change Account Modify User Z_GRAC_USER3 and remove business role YB_GRC_TEST Single role which is part of business role is removed as composite role which is part of business role is already removed with previous requestYESNow user in backend don't have any roles assigned. After running the sync jobs, I can see that single roles which are part of removed composite role are still showing up in GRACROLEUSAGE table. This is the major concern for using Business roles for Provisioning and De-provisioning activites

When business role is assigned notification says "BUSINESS ROLE ASSIGNED"

When business role is removed notification says just "ROLE IS REMOVED" and not "BUSINESS ROLE IS REMOVED"

When business role is assigned notification says "BUSINESS ROLE ASSIGNED to USERID"

When business role is removed notification says "ROLE removed from USERID ()". This is incorrect as it shows empty brackets after the user which usually used to specify the system name in those brackets in case of single or composite roles.

When business role is assigned to the user, mail notification should say that requested business role has been assigned.

But along with that mail notification also contains a message which says that "USER IS CREATED"

This is incorrect as user is already existing in the system.

These are the issue

Regards,

Sai.

Former Member
0 Kudos

Hey Sai,

Copy and paste your latest response to a new thread and mark this one as answered.

WE can continue looking into the new matter on a new thread

Former Member
0 Kudos

Hi Harinam,

Did you get any response from SAP for the above issue.

Even we are facing the same issue.

Thanks,

Sriram

Answers (0)