on 04-11-2012 11:28 PM
Hi Gurus,
I have installed GRC - AC 10.0 and I want to configure EAM to allow automatic provisioning of Firefighter with the following steps:
1. In Access Management, AC Owners, FF IDs, Controllers and Reason Codes are set up in advance
2. I can create a manual Access Request for a Firefighter assignment and it is functional without any issue
3. Common workflow has been activated
4. Email server has been configured and checked that it can send emails
5. - In IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflow I have activated SAP Process Id-s :
SAP_GRAC_ACCESS_REQUEST
using the default settings .
6. At Point #5 Maintain Paths - Stage Definition - I have checked the boxes Approve by Email & Approve and I have activated it.
Then, I create an access request again and no email is sent out to the Owner.
In MSMP, in Point #5, for Process Id SAP_GRAC_ACCESS_REQUEST, I have left all 3 paths:
GRAC_MANAGER
GRAC_ROLEOWNER
GRAC_SECURITY
7. I have tried to activate other process IDs:
SAP_GRAC_FIREFIGHTER_LOG_REPORT
SAP_GRAC_ROLE_APPR
however with the same result.
All my SPM Owners and FF IDs have an email address. How should I maintain their email in MSMP? The documentation is confusing for me.
8. Then, at Point #3 - Maintain Agents - I have created a Z Rule where I have mapped the Account IDs directly, and I have assigned it in Point 5 (Maintain Paths) and activated it, without any result.
Thank You,
Marc
Marc:
Have you configured the Stage Notifications for the stage you are questioning? Did you see if the request was in the approver's NWBC Inbox? If the request is not in the inbox, then no email will go out. The notification event you want is New Work Item.
Hope this helps.
Kevin.
Marc: have you checked the following areas:
1. Search for the request in NWBC and see if there are any issues. Did the request provision and is it in FINISHED instance status?
2. Txn: SLG1 to check for any authorization issues for the user IDs being used to provision.
3. MSMP instance monitor to see if there is any clue as to what has happened. Transaction is GRFNMW_DBGMONITOR_WD.
I have found that without knowing the full situation, it's difficult to troubleshoot, and this is where you need to start. With the information here, you should be able to determine WHY.
Thanks.
Kevin
Hi Kevin,
I have checked again Tr. GRFNMW_DBGMONITOR_WD and :
MSMP Instance Status=Running
Approval Status=Pending
and MSMP Instance ID > Audit Log Tab > with the following messages:
:" FF-id ..access added for approval at Path GRAC_DEFAULT_PATH" stage GRAC_MANAGER
-"..Approved by OWNER.." at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER
-..FF-id is approved for user "Assign"
-.."No Agent found, canceling path GRAC_DEFAULT_PATH (in stage no. 002 -GRAC_ROLEOWNER)
Thanks,
Marc
Marc:
I recently ran into the same issue. If you have your controllers set in the NWBC, check the background ID to make sure that this ID (possibly something like WF-BATCH) has sufficient authorization. My client did not include enough authorization on that, and the user could not look up users. After adding SAP_GRAC_ALL (or customer-specific equivalent), the workflow did not error out. Also, I am recommending that it is important to have an Approver Not Found Escape route on EVERY Process ID that is used. SAP does not currently deliver a GRAC_SECURITY agent for the FF Log Review workflow, but I created a PFCG Agent Rule using the customer-specific copy of the MSMP Admin role, then assigned that role to the Admin users. Then I created my Escape Route on the FF Log Process ID. Workflows will not give an error when an approver is not found like they did in previous versions, and the workflow will begin to process, but since no Escape Route is available it will just cancel at the stage level.
Thanks,
Kevin
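An added example, not part of any post in this thread: a short Python check that scans MSMP audit-log text for the "No Agent found, canceling path" message quoted above and reports which path and stage were cancelled and which stages had already been approved. The log lines are constructed from the messages quoted in the thread; the exact wording of a real audit log export is an assumption.

```python
import re

# Constructed sample modeled on the audit-log messages quoted in the thread
# (MSMP Instance ID > Audit Log tab). Real exports may be worded differently.
SAMPLE_AUDIT_LOG = """\
FF-id access added for approval at Path GRAC_DEFAULT_PATH stage GRAC_MANAGER
Approved by OWNER at Path GRAC_DEFAULT_PATH and Stage GRAC_MANAGER
FF-id is approved for user "Assign"
No Agent found, canceling path GRAC_DEFAULT_PATH (in stage no. 002 - GRAC_ROLEOWNER)
"""

# "No Agent found" means agent resolution returned nobody for the stage; per
# the thread, without an escape route the path is cancelled without an error.
NO_AGENT = re.compile(
    r"No Agent found, cancell?ing path\s+(?P<path>\S+)\s*"
    r"\(in stage no\.\s*(?P<seq>\d+)\s*-\s*(?P<stage>\w+)\)",
    re.IGNORECASE,
)
APPROVED = re.compile(
    r"Approved by .*?Path\s+(?P<path>\S+).*?Stage\s+(?P<stage>\w+)",
    re.IGNORECASE,
)

def find_silent_cancellations(log_text):
    """Return one finding per path cancelled because no agent was resolved."""
    approved = {}   # path -> stages approved earlier in the same log
    findings = []
    for line in log_text.splitlines():
        m = APPROVED.search(line)
        if m:
            approved.setdefault(m["path"], []).append(m["stage"].upper())
            continue
        m = NO_AGENT.search(line)
        if m:
            findings.append({
                "path": m["path"],
                "stage_no": int(m["seq"]),
                "stage": m["stage"].upper(),
                "approved_before": list(approved.get(m["path"], [])),
            })
    return findings

if __name__ == "__main__":
    for f in find_silent_cancellations(SAMPLE_AUDIT_LOG):
        print(f"{f['path']}: cancelled at stage {f['stage_no']:03d} "
              f"{f['stage']} (no agent); approved before: {f['approved_before']}")
```

A finding whose `approved_before` list is non-empty marks a request that an earlier stage approved but that was never provisioned, which is the situation described in the thread.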
Hi Kevin,
I have checked and:
1. My Request did not provision and is in Running status
2. Transaction: SLG1 with messages:
- Controller ID not specified
-Message GRAC_SPM_MESSAGE130 (& 1& 2) :Specify Controller Group Name & Specify Delivery option
3. GRFNMW_DBGMONITOR_WD is empty
As NWBC is configured, I presume the issues are in MSMP.
If you have any suggestions, please let me know.
Thank You,
Marc
Hi Ajesh,
Tr NWBC>
1. GRC Role Assignment - Create FF ID Owner & FF ID Controller - as I can notice now, there is a Distribution List Email field marked mandatory and inactive for Group Type options Owner & Owner Group - this one is missing from my settings - it becomes enabled only when I choose Group Type "LDAP Group", which we don't use; we use direct mapping from the master record
Tr SUGR - I have created an Owner Group, however I have added all the user IDs and each user ID has its own email address in its Master Record
2. Tr NWBC > Superuser Maintenance > Controllers > if I choose Notification by workflow and I have an Access Request created by the FF-id Requester, no email will be in the NWBC Inbox of my Owner; however, if I change the notification to "Email", I receive an email in the Owner's Inbox, which can be opened, and I can click on the "Submit" button without any provisioning of the FF-id.
3. Super User Maintenance- I have Firefighter assigned to FF-id & Controllers assigned to FF-ids
Do you have any suggestions?
Thank You,
Marc
Hi Marc,
Apart from Kevin's recommendation, I suggest you re-visit the following doc and see if you have missed any steps.
http://scn.sap.com/docs/DOC-1562
Make sure you have maintained the following parameters:
Workflow 1113 WF-BATCH
Emergency Access Management 4002 YES
Emergency Access Management 4003 YES
Emergency Access Management 4004 YES
Emergency Access Management 4005 YES
Emergency Access Management 4006 YES
Emergency Access Management 4007 YES
Emergency Access Management 4008 YES
Emergency Access Management 4009 YES
Regards,
Ajesh.