on 08-26-2015 3:26 PM
Hi all,
My requirement is, whenever a UAR request is errored an email notification needs to be sent to the requestor saying their request has failed from being processed and ask them to conatct SAP security team for analysis.
Should I configure this as a Escape route? Please advise.
Thanks
Lakshmi
Hello,
you can configured escape path and keep security as agent, and same time you can add requestor in notification.
Regards,
Prasant
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks Prasant!!!
This is how I have configured but still no luck.
Path I 😧 GRACERRORPATH with description as GRACERRORPATH
Stage config ID : GRAC_SECURITY and description : SAP security
Agent ID : GRAC_SECURITY, Escalation type : No escalation and did not check on Routing enabled
In the stage level I have configured notification as follows:
Notification event : ESCALATION
Template ID: GRAC_AR_ESCALATION
Receipent ID : GRAC_REQUESTER
I created a request with a role with NO role owner, but still did not get any notification on UAR error.
Instance status still shows as Running with Instance Approval status as Decision pending.Inside the Instance status it says "No agent found,cancelling path". But did not receive any notifcation of failure.
Please advice.
Thanks
Lakshmi
Hi Prashant,
That was the issue. I made the config in one client and did a transport to our test client. But missed to generate the new version there. Now the workflow is working.. Thanks a lot 🙂
Now the workflow works this way...When a role did not have a role owner it went to escape path and the request went to GRAC_SECURITY inbox (but no email notification) but instead sent a notification to Requestor.Below is how I have configure my escape path.
Path I 😧 GRACERRORPATH with description as GRACERRORPATH
Stage config ID : GRAC_SECURITY and description : SAP security
Agent ID : GRAC_SECURITY, Escalation type : No escalation and did not check on Routing enabled
In the stage level I have configured notification as follows:
Notification event : ESCALATION
Template ID: GRAC_AR_ESCALATION
Receipent ID : GRAC_REQUESTER
But I don't want the GRAC_SECURITY team to be involved. When a request fails for any reason then the request must goto cancelled status and a notification must goto requestor saying the request # was cancelled due to a reason(list out the reason for failure if possible).
Please advise.
Thanks
Lakshmi
hi Lakshmi
UAR refers to USER ACCESS REVIEW workflows and not user access request, as your issue turns out to be.
in escape path, add a stage before security, so that this team/person can cancel the request. also use even as NEW_WORK_ITEM and not ESCALATION, in escape stage. create a custom document object and message class, and assign it to custom template.
the recipient can be requestor, as per your need.
@prasant: i tried to assign multiple document objects to message class, but i get error,
Entry 001 0MSMP_AR_NEWWORKITM does not exist in GRFNNOTIFYMSG (check entry)
i am trying to create entry 001, as per the above error. however, i do not see any advantage of doing this, as i get to choose only Template id in Stage level notification settings.
could you share your view on this
Regards
Plaban
Hi Prasant,
I have modified the workflow to be like this.
When a approver is not found then the request takes an escape path. It goes to Security team with a notification(yet to configure) that the request has come to security through a escape path due to an issue. Security team will reject teh request with a comment and the notification goes to a requestor saying its rejected and then he/she will have to re-submit a new request.
Path I 😧 GRACERRORPATH with description as GRACERRORPATH
Stage config ID : GRAC_SECURITY and description : SAP security
Agent ID : GRAC_SECURITY, Escalation type : No escalation and did not check on Routing enabled
In the stage level I have configured notification as follows:
Notification event : NEW WORKITEM, REJECTED
Template ID: GRAC_AR_ESCALATION. GRAC_REJECTED
Receipent ID : GRAC_CURRENT_APPROVERS, GRAC_REQIESTER respectively.
Going to setup a meeting to see if they accept this.
The whole purpose of this configuration is when a request is failed for some reason it sits there until the requester comes and asks about it. So to prevent this from happening when a request fails if the requester is being notified immediately, he can re-submit a new request with a correction step taken.
To acheive my goal Is Escape route configuration our only choice? Escape route enables my request from being killed and has it alive.
Do we have an option in configuration to
cancel the failed/errored UAR and Email notify the Requestor that UAR #### has failed and they should address issues in a new UAR or contact SAP Security for assistance.
Please advise.
Thanks
Lakshmi
Hi Sajib,
Thaks for your reply.
The whole purpose of this configuration is when a request is failed for some reason it sits there until the requester comes and asks about it. So to prevent this from happening when a request fails if the requester is being notified immediately, he can re-submit a new request with a correction step taken.
To acheive my goal Is Escape route configuration our only choice? Escape route enables my request from being killed and has it alive.
Do we have an option in configuration to
cancel the failed/errored UAR and Email notify the Requestor that UAR #### has failed and they should address issues in a new UAR or contact SAP Security for assistance.
Also in our company requester is going to be 1 person for each site. So in total there may be 3-4 requestor. All the request for GRC will be entered by them into the system.
I am only seeing a standard Stage ID. Is it possible to create a new stage ID (meant for those 4 people) and notification item be set to New work item with a custom notification created with recepient ID as GRAC_REQUESTER?
In this way we can eliminate security stage totally which might be concern for our managers to have additional work added to our team.
Thanks
Lakshmi
Hello Laskmi,
Yes you can configure workflow to security team and they can reject the workflow.
but, depend on you configuration.
if a workflow goes to escape path for any other reason.. if target system is down or user has to resubmit. just 1 example, escape path is very useful to avoid re submission of request.
since it has come after all approval process if any problem related either system of anything the user has to go all over again.
what if the root cause of error is not fixed and user has to resubmit every time.
my advice if any issue request goes to escape path, get the issue fixed and reroute the ticket to appropriate stage for provisioning.
Regards,
Prasant
Hello Lakshmi,
What other thing you can do it.
Setup a path for Escape route..
use any dummy agent if you dont want security team to be involved.
and use a custom notification sent to requestor where you can ask them to resubmit request.
as mentioned earlier, its not a good practice since the same error might occur again.
Regards,
Prasant
Thanks Prashant!!
Option 1 : If we choose to reroute the request back after correction (If management accepts security team to take nextra work) then would I be forwarding the request to next stage (manager/ or ole owner) or should I be sumbitting the request.
How would the configuration be changed for this? Will BRF+ needs ot be touched?
Option 2: If we choose to go without re-routing and have requester re-submit the request with security not involved the based on your above inputs if I use Dummy agent which I want to be GRAC_REQUESTER who should be notified anyway , what should be the stage I need to set?
Is Stage something I can create my own instead of standard (i.e eg ZGRAC_AR_CONTACT)
Please advise.
Thanks
Lakshmi
Hi Prashant,
I tried to modify the escape path by setting GRAC_DAFAULT stage as the stage ID and created a new Agent ID ZGRAC_ERROR_CONTACT with Agent type: GRC API Rules and Agenet purpose: Approval for Agent rule ID : GRAC_MSMP_CURRENTAPPRVS_AGENT
While generation it was giving me error that IMG configuration tabel was missing.
So I am trying to delete the whole path ,stage,Agent ID and have them create again with GRAC_SECURITY stage added back. While doing it I was able to delete Path,Stage but unable to delete Agent ID ZGRAC_ERROR_CONTACT. It errors out with message " Agent ZGRAC_ERROR_CONTACT is being used in stage definition GRAC_DEFAULT_STAGE".
I verified all the path and I do not see any stage called GRAC_DEFAULT_STAGE being utilized.
Please advice.
Thanks
LAkshmi
I am still stuck with this issue. Can someone help please 😞
....
I tried to modify the escape path by setting GRAC_DAFAULT stage as the stage ID and created a new Agent ID ZGRAC_ERROR_CONTACT with Agent type: GRC API Rules and Agenet purpose: Approval for Agent rule ID : GRAC_MSMP_CURRENTAPPRVS_AGENT
While generation it was giving me error that IMG configuration tabel was missing.
So I am trying to delete the whole path ,stage,Agent ID and have them create again with GRAC_SECURITY stage added back. While doing it I was able to delete Path,Stage but unable to delete Agent ID ZGRAC_ERROR_CONTACT. It errors out with message " Agent ZGRAC_ERROR_CONTACT is being used in stage definition GRAC_DEFAULT_STAGE".
I verified all the path and I do not see any stage called GRAC_DEFAULT_STAGE being utilized.
Please advice.
Thanks
LAkshmi
Hi Prashant,
The problem is my workflow is erroring out at generation. I created an agent but not using it in any path. On trying to generate ,the version it fails and when I try to delete the newly created agent also it fails with message "Zagent XXX is being used in stage definition GRAC_DAFAULT_STAGEis being used in stage definition.
I am unable to proceed in anyway.
Thanks
Lakshmi
Hi Prashant/Plaban,
The error has gone now. This is what I did to eliminate the error.
The incorrect path ID /Agent ID was stuck and was preventing the MSMP version generation.
1.I double checked all the path again, but was not able to find any of it configured as I mentioned already.
2. Tried to goto the transport in SE09 and deleted all the incorrect entry from the object.
3. Even after deleting them , issue still appeared.
4. I added back the incorrect Agent ID in the path and activated and it was successfull.
5. After activation, removed the incorrect Agent from the configuration and updated GRAC_SECURITY agent and then activated and was successfull then.
Now i am waiting for a developer access key to start on custom templates.
Thanks a lot Prashant and Plaban for your help on this.
Thanks
Lakshmi
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.