cancel
Showing results for 
Search instead for 
Did you mean: 

Notify end user of workflow failure

former_member400151
Participant
0 Kudos

Hi all,

My requirement is, whenever a UAR request is errored  an email notification needs to be sent to the requestor saying their request has failed from being processed and ask them to conatct SAP security team for analysis.


Should I configure this as a Escape route? Please advise.


Thanks

Lakshmi

Accepted Solutions (1)

Accepted Solutions (1)

former_member193066
Active Contributor
0 Kudos

Hello,

you can configured escape path and keep security as agent, and same time you can add requestor in notification.

Regards,

Prasant

former_member400151
Participant
0 Kudos

Thanks Prasant!!!

This is how I have configured but still no luck.

Path I 😧 GRACERRORPATH with description as GRACERRORPATH

Stage config ID : GRAC_SECURITY and description : SAP security

Agent ID : GRAC_SECURITY, Escalation type : No escalation and did not check on Routing enabled

In the stage level I have configured notification as follows:

Notification event : ESCALATION

Template ID: GRAC_AR_ESCALATION

Receipent ID : GRAC_REQUESTER

I created a request with a role with NO role owner, but still did not get any notification on UAR error.

Instance status still shows as Running with Instance Approval status as Decision pending.Inside the Instance status it says "No agent found,cancelling path". But did not receive any notifcation of failure.

Please advice.

Thanks

Lakshmi

former_member193066
Active Contributor
0 Kudos

hello Lakshmi,

did u enable escape path? at process global setting?

former_member400151
Participant
0 Kudos

Yes Prashant.

Thanks

Lakshmi

former_member193066
Active Contributor
0 Kudos

can u confirm it went to escape path.

since you have chose escalation as event it will not sent it,

chose new work it, then can choose your own msg template.

Regards,

Prasant

former_member400151
Participant
0 Kudos

Hi Prashant,

I have modified the notification settings as attached. Still does not get notification.

Thanks

Lakshmi

former_member193066
Active Contributor
0 Kudos

Hello Because it not moving to escape route.

did u activate new version .

Regards,

Prasant

former_member400151
Participant
0 Kudos

Hi Prashant,

That was the issue. I made the config in one client and did a transport to our test client. But missed to generate the new version there. Now the workflow is working.. Thanks a lot 🙂

Now the workflow works this way...When a role did not have a role owner it went to escape path and the request went to GRAC_SECURITY inbox (but no email notification) but instead sent a notification to Requestor.Below is how I have configure my escape path.

Path I 😧 GRACERRORPATH with description as GRACERRORPATH

Stage config ID : GRAC_SECURITY and description : SAP security

Agent ID : GRAC_SECURITY, Escalation type : No escalation and did not check on Routing enabled

In the stage level I have configured notification as follows:

Notification event : ESCALATION

Template ID: GRAC_AR_ESCALATION

Receipent ID : GRAC_REQUESTER

But I don't want the GRAC_SECURITY team to be involved. When a request fails for any reason then the request must goto cancelled status and a notification must goto requestor saying the request # was cancelled due to a reason(list out the reason for failure if possible).

Please advise.

Thanks

Lakshmi

former_member193066
Active Contributor
0 Kudos

you need to have any agent in escape route.

who can check the reason of the error and process for provisioning.

and set custom notification to requester.

Regards,

Prasant

0 Kudos

Hi Lakshmi,

Wanted to give you a heads up, "Cancelled" is an internal status of the workflows and there is no standard MSMP notification event for it. Also, workflow status "cancelled" means the request is dead. Do you really want it to set up this way?

Regards,

Sajib.

Former Member
0 Kudos

hi Lakshmi

UAR refers to USER ACCESS REVIEW workflows and not user access request, as your issue turns out to be.

in escape path, add a stage before security, so that this team/person can cancel the request. also use even as NEW_WORK_ITEM and not ESCALATION, in escape stage. create a custom document object and message class, and assign it to custom template.

the recipient can be requestor, as per your need.

@prasant: i tried to assign multiple document objects to message class, but i get error,

Entry 001 0MSMP_AR_NEWWORKITM does not exist in GRFNNOTIFYMSG (check entry)

i am trying to create entry 001, as per the above error. however, i do not see any advantage of doing this, as i get to choose only Template id in Stage level notification settings.

could you share your view on this

Regards

Plaban

former_member193066
Active Contributor
0 Kudos

Hello PLaban,

you have a different issue compared to Lakhsmi.

appreciate a separate discussion with screenshot, this will be useful for other to search when needed.

Regards,

Prasant

former_member400151
Participant
0 Kudos

Hi Prasant,

I have modified the workflow to be like this.

When a approver is not found then the request takes an escape path. It goes to Security team with a notification(yet to configure) that the request has come to security through a escape path due to an issue. Security team will reject teh request with a comment and the notification goes to a requestor saying its rejected and then he/she will have to re-submit a new request.

Path I 😧 GRACERRORPATH with description as GRACERRORPATH

Stage config ID : GRAC_SECURITY and description : SAP security

Agent ID : GRAC_SECURITY, Escalation type : No escalation and did not check on Routing enabled

In the stage level I have configured notification as follows:

Notification event : NEW WORKITEM, REJECTED

Template ID: GRAC_AR_ESCALATION. GRAC_REJECTED

Receipent ID : GRAC_CURRENT_APPROVERS, GRAC_REQIESTER respectively.

Going to setup a meeting to see if they accept this.

The whole purpose of this configuration is when a request is failed for some reason it sits there until the requester comes and asks about it. So to prevent this from happening when a request fails if the requester is being notified immediately, he can re-submit a new request with a correction step taken.


To acheive my goal Is Escape route configuration our only choice? Escape route enables my request from being killed and has it alive.

Do we have an option in configuration to
cancel the failed/errored UAR and Email notify the Requestor that UAR #### has failed and they should address issues in a new UAR or contact SAP Security for assistance.

Please advise.

Thanks

Lakshmi

former_member400151
Participant
0 Kudos

Hi Sajib,

Thaks for your reply.

The whole purpose of this configuration is when a request is failed for some reason it sits there until the requester comes and asks about it. So to prevent this from happening when a request fails if the requester is being notified immediately, he can re-submit a new request with a correction step taken.


To acheive my goal Is Escape route configuration our only choice? Escape route enables my request from being killed and has it alive.

Do we have an option in configuration to
cancel the failed/errored UAR and Email notify the Requestor that UAR #### has failed and they should address issues in a new UAR or contact SAP Security for assistance.

Also in our company requester is going to be 1 person for each site. So in total there may be 3-4 requestor. All the request for GRC will be entered by them into the system.

I am only seeing a standard Stage ID. Is it possible to create a new stage ID (meant for those 4 people) and notification item be set to New work item with a custom notification created with recepient ID as GRAC_REQUESTER?

In this way we can eliminate security stage totally which might be concern for our managers to have additional work added to our team.

Thanks

Lakshmi

former_member400151
Participant
0 Kudos

Hi Plaban,

Can we create a new stage ID other than the standard ones available. If so should that be done direclty on the MSMP stage area under Path?

Thanks

Lakshmi

former_member193066
Active Contributor
0 Kudos

Hello Laskmi,

Yes you can configure workflow to security team and they can reject the workflow.

but, depend on you configuration.

if a workflow goes to escape path for any other reason.. if target system is down or user has to resubmit. just 1 example, escape path is very useful to avoid re submission of request.

since it has come after all approval process if any problem related either system of anything the user has to go all over again.

what if the root cause of error is not fixed and user has to resubmit every time.

my advice if any issue request goes to escape path, get the issue fixed and reroute the ticket to appropriate stage for provisioning.

Regards,

Prasant

former_member193066
Active Contributor
0 Kudos

Hello Lakshmi,

What other thing you can do it.

Setup a path for Escape route..

use any dummy agent if you dont want security team to be involved.

and use a custom notification sent to requestor where you can ask them to resubmit request.

as mentioned earlier, its not a good practice since the same error might occur again.

Regards,

Prasant

former_member400151
Participant
0 Kudos

Thanks Prashant!!

Option 1 : If we choose to reroute the request back after correction (If management accepts security team to take nextra work) then would I be forwarding the request to next stage (manager/ or ole owner) or should I be sumbitting the request.

How would the configuration be changed for this? Will BRF+ needs ot be touched?

Option 2: If we choose to go without re-routing and have requester re-submit the request with security not involved the based on your above inputs if I use Dummy agent which I want to be GRAC_REQUESTER who should be notified anyway , what should be the stage I need to set?

Is Stage something I can create my own instead of standard (i.e eg ZGRAC_AR_CONTACT)

Please advise.

Thanks

Lakshmi

former_member193066
Active Contributor
0 Kudos

you can use GRAC_DEFAULT_STAGE no need to create ZGRAC_AR_CONTACT.

you can only send notification to Requestor, they cannot be agent at stage, unless they have thier user id created in GRC system.

REgards,

Prasant

former_member400151
Participant
0 Kudos

Hi Prashant,

I tried to modify the escape path by setting GRAC_DAFAULT stage as the stage ID and created a new Agent ID ZGRAC_ERROR_CONTACT with Agent type: GRC API Rules and Agenet purpose: Approval for Agent rule ID : GRAC_MSMP_CURRENTAPPRVS_AGENT

While generation it was giving me error that IMG configuration tabel was missing.

So I am trying to delete the whole path ,stage,Agent ID and have them create again with GRAC_SECURITY stage added back. While doing it I was able to delete Path,Stage but unable to delete Agent ID ZGRAC_ERROR_CONTACT. It errors out with message " Agent ZGRAC_ERROR_CONTACT is being used in stage definition GRAC_DEFAULT_STAGE".

I verified all the path and I do not see any stage called GRAC_DEFAULT_STAGE being utilized.

Please advice.

Thanks

LAkshmi

Former Member
0 Kudos

Hi Lakshmi,

yes, you can create new stage under path.

regards

plaban

former_member400151
Participant
0 Kudos

I am still stuck with this issue. Can someone help please 😞

....

I tried to modify the escape path by setting GRAC_DAFAULT stage as the stage ID and created a new Agent ID ZGRAC_ERROR_CONTACT with Agent type: GRC API Rules and Agenet purpose: Approval for Agent rule ID : GRAC_MSMP_CURRENTAPPRVS_AGENT

While generation it was giving me error that IMG configuration tabel was missing.

So I am trying to delete the whole path ,stage,Agent ID and have them create again with GRAC_SECURITY stage added back. While doing it I was able to delete Path,Stage but unable to delete Agent ID ZGRAC_ERROR_CONTACT. It errors out with message " Agent ZGRAC_ERROR_CONTACT is being used in stage definition GRAC_DEFAULT_STAGE".

I verified all the path and I do not see any stage called GRAC_DEFAULT_STAGE being utilized.

Please advice.

Thanks

LAkshmi

former_member193066
Active Contributor
0 Kudos

Hello,

You can follow Plaban Sahoo  advice.


and solve your issue.


PKP

former_member400151
Participant
0 Kudos

Hi Prashant,

The problem is my workflow is erroring out at generation. I created an agent but not using it in any path. On trying to generate ,the version it fails and when I try to delete the newly created agent also it fails with message "Zagent XXX is being used in stage definition GRAC_DAFAULT_STAGEis being used in stage definition.

I am unable to proceed in anyway.

Thanks

Lakshmi

former_member193066
Active Contributor
0 Kudos

Hello Lakshmi,

I am not sure about this error, unless you paste the log of error during generation.

did you follow the steps provided by Plaban?

Regards,

Prasant

former_member400151
Participant
0 Kudos

Hi Prashant

Yes I created a new path called ERRORPATH and added Stage GRAC_DEFAULT_STAGE with agent ID as GRAC_SECURITY and added notifications.

Thanks

Lakshmi

Former Member
0 Kudos

Could you provide the last screen of the error. the error details are not visible

former_member400151
Participant
0 Kudos

Hi Plaban,

Here is the log.

Thanks

Lakshmi

former_member400151
Participant
0 Kudos

Hi Prashant/Plaban,

The error has gone now. This is what I did to eliminate the error.

The incorrect path ID /Agent ID was stuck and was preventing the MSMP version generation.

1.I double checked all the path again, but was not able to find any of it configured as I mentioned already.

2. Tried to goto the transport in SE09 and deleted all the incorrect entry from the object.

3. Even after deleting them , issue still appeared.

4. I added back the incorrect Agent ID in the path and activated and it was successfull.

5. After activation, removed the incorrect Agent from the configuration and updated GRAC_SECURITY agent and then activated and was successfull then.

Now i am waiting for a developer access key to start on custom templates.

Thanks a lot Prashant and Plaban for your help on this.

Thanks

Lakshmi

Answers (0)