Tuesday 21 January 2014

HR Triggers in Access Control 10.0

Understanding HR Triggers in Access Control 10.0

Purpose

The purpose of this document is to help the user understand the details of the HR Trigger functionality provided by Access Control 10.0. It also covers the configurations and settings the user needs to make in order to use this functionality according to the business requirements.

Overview

HR Triggers are used in Access Control 10.0 to automatically create an access request whenever an infotype is changed in the HR plug-in system. This allows the organization to apply specific rules automatically when a new user is hired. Several other functions are achieved through the HR Trigger process; they are explained in detail in the following sections.

How is HR Trigger Initiated

An HR Trigger is initiated as soon as any infotype changes in the HR system. The change may be the creation of a new User ID for a new hire, a change of an employee's position, a change in an employee's validity, the termination of an employee, or any other infotype change for an existing employee. All of this happens in the plug-in system used for the HR processes. A few IMG settings must be made for the HR Trigger process to start properly.

IMG settings required in the HR plug-in system

Go to IMG -> Governance, Risk and Compliance (Plug-In) -> Access Control -> Maintain Plug-In Configuration Settings.

Maintain the following parameters:

Param ID   Parameter Value   Short Description
1000       ERDCLNT300        Please maintain Plug-in Connector
1001       GRDCLNT100        Please maintain GRC connector
1003       YES               Enable HR Trigger

A reference screenshot of this configuration setting is shown below:

How is this change transferred to the GRC System

As soon as any of the changes described above occurs in the HR system, a BAdI is triggered in the plug-in system that builds an internal table containing the changed infotypes together with their old and new values. This table is passed to the GRC system by calling the GRC function module that receives the change event and takes over control. The call is made via qRFC so that the data is not lost if the GRC system is down or unavailable at that moment.

How GRC system handles this change

Control is now passed from the HR plug-in system to the GRC system together with the changed infotype data. The GRC system uses the BRF+ application for HR Triggers to determine which type of request has to be created. This is done through a decision table in the BRF+ application, each row of which returns an Action ID based on the infotype that has changed. For example, a change in infotype 0105, subtype 0001 (User ID) indicates that a new user has been created, so that row returns the Action ID Create. Based on this Action ID the request type is chosen and the request is created with that request type.

BRF+ Application to choose the request type

The BRF+ application is used to select the Request Type with which the request is created. The BRF+ application used for HR Triggers must be mapped under the following IMG setting.

Go to IMG -> Governance, Risk and Compliance -> Access Control -> Maintain AC Applications and BRFplus Function Mapping.

Add a new entry using the BRF Function ID of the BRF+ function:

Appl ID       BRF Function ID    MSMP Process ID
HR Triggers   XXXXXXXXXXXXXXXX   SAP_GRAC_ACCESS_REQUEST

A reference screenshot of this configuration is shown below:

You can create the BRF+ application by following the steps under the link GRC 10.0 - HR Trigger BRF+ configuration.

The Action ID returned by this BRF+ application is then used to look up the request type for the newly created request.

Setting up the Request Type

To set the Request Types based on the Action ID, set the IMG as follows:

Go to IMG -> Governance, Risk and Compliance -> Access Control -> User Provisioning -> Maintain Settings for HR Trigger

The screen looks as shown in the screenshot below:

Select and double-click the Action ID for which you need to set the Request Type.

You can also set the systems for which the request is to be created, along with the validity dates of the user in those systems. To do this, select the Action ID and click the 'Maintain Systems' link in the left panel. A reference screenshot of the resulting screen is shown below:
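The flow described above (plug-in change table -> BRF+ loop over HR_TRIGGER_TABLE -> decision table -> Action ID -> request type and systems) as an added, constructed Python model; it is not SAP's code and not the decision table of the step-by-step section later on this page. Only the 0105/0001 -> Create rule comes from the text; the field names, the termination and position-change rows, the request-type mapping and the sample event are assumptions.

```python
"""Constructed model of the HR Trigger flow (added example, not SAP's code).

The plug-in BAdI hands GRC a table of changed infotypes with old/new values; the
BRF+ function loops over HR_TRIGGER_TABLE, looks each entry up in a decision table
for an ACTION_ID, and 'Maintain Settings for HR Trigger' maps that Action ID to a
request type and systems. Only the 0105/0001 -> Create rule is from the text.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InfotypeChange:
    """One row of the plug-in's change table (field names assumed)."""
    connector: str   # plug-in connector raising the event, e.g. ERDCLNT300
    pernr: str       # personnel number
    infotype: str    # changed infotype, e.g. "0105"
    subtype: str     # e.g. "0001" (User ID); "" when the infotype has none
    old_value: str   # "" when the record is newly created
    new_value: str   # "" when the record is deleted


@dataclass(frozen=True)
class DecisionRow:
    """Row of the BRF+ decision table; None in a condition cell means 'any value'."""
    connector: Optional[str]
    infotype: Optional[str]
    subtype: Optional[str]
    old_value: Optional[str]
    new_value: Optional[str]
    action_id: str

    def matches(self, c: InfotypeChange) -> bool:
        cells = ((self.connector, c.connector), (self.infotype, c.infotype),
                 (self.subtype, c.subtype), (self.old_value, c.old_value),
                 (self.new_value, c.new_value))
        return all(cond is None or cond == actual for cond, actual in cells)


# Constructed decision table. Rows are evaluated top-down and the first match wins,
# so the new-User-ID row (old value empty) is tested before the removal row.
# Rows 2 and 3 are assumptions, not taken from the text.
DECISION_TABLE = [
    DecisionRow("ERDCLNT300", "0105", "0001", "", None, "CREATE"),           # new User ID
    DecisionRow("ERDCLNT300", "0105", "0001", None, "", "TERMINATE"),        # User ID removed
    DecisionRow("ERDCLNT300", "0001", None, None, None, "POSITION_CHANGE"),  # org. assignment
]

# Constructed 'Maintain Settings for HR Trigger': Action ID -> (request type, systems).
REQUEST_TYPE_FOR_ACTION = {
    "CREATE": ("NEW_ACCOUNT", ["ERDCLNT300"]),
    "TERMINATE": ("DELETE_ACCOUNT", ["ERDCLNT300"]),
    "POSITION_CHANGE": ("CHANGE_ACCOUNT", ["ERDCLNT300"]),
}


def action_for(change: InfotypeChange) -> Optional[str]:
    """Decision-table lookup: the first matching row supplies ACTION_ID, else None."""
    row = next((r for r in DECISION_TABLE if r.matches(change)), None)
    return row.action_id if row else None


def build_requests(changes: list[InfotypeChange]) -> list[dict]:
    """BRF+ loop over HR_TRIGGER_TABLE, resolved to one request per (PERNR, Action ID).
    Changes that no decision row covers (e.g. an address update) create no request."""
    requests, seen = [], set()
    for change in changes:
        action = action_for(change)
        if action is None or (change.pernr, action) in seen:
            continue
        seen.add((change.pernr, action))
        request_type, systems = REQUEST_TYPE_FOR_ACTION[action]
        requests.append({"pernr": change.pernr, "action_id": action,
                         "request_type": request_type, "systems": systems,
                         "user_id": change.new_value or change.old_value})
    return requests


# Constructed sample event: a hire, an address change (infotype 0006, no rule),
# a termination and a position change.
SAMPLE_EVENT = [
    InfotypeChange("ERDCLNT300", "00001234", "0105", "0001", "", "JDOE"),
    InfotypeChange("ERDCLNT300", "00001234", "0006", "0001", "", "1 Main St"),
    InfotypeChange("ERDCLNT300", "00005678", "0105", "0001", "ASMITH", ""),
    InfotypeChange("ERDCLNT300", "00009012", "0001", "", "50001234", "50005678"),
]
```

Note how a rename of an existing User ID (old and new value both non-empty) matches no row and therefore creates no request, which is the kind of gap to check for when reviewing the decision table rows.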
 


Overview

HR Trigger rules can be configured in GRC 10.0 either via BRF+ rules or, for complex cases, via a procedure call to a function module.
This document gives a step-by-step approach to building the BRF+ rules that configure the HR Trigger, so that a request is created automatically in the GRC system whenever an activity is carried out in the connected HR system.

Steps to configure the HR Triggers:

1. On the GRC 10.0 system open transaction SPRO and go to the node Governance, Risk and Compliance -> Access Control -> Maintain AC Applications and BRFplus Function Mapping.
2. Copy the pre-delivered BRFplus rule mentioned against Appl ID 'HR Triggers'.
3. On the GRC 10.0 system open transaction brfplus or fdt_workbench. In the BRF+ menu choose Workbench -> Open Object and paste the ID copied in step 2.

Creating BRF Rule with conditions

4. Go to the 'Assigned Rule Sets' tab and click on the 'Create Ruleset' button.
5. Enter the details as shown below and click on the 'Create and Navigate to Object' button.
6. Save the object. Press Yes when the pop-up "Do you want to save before exit" appears.
7. Enable the ruleset by clicking on the 'Enable Ruleset' button as shown below.
8. Assign the priority to the ruleset as shown below.
9. Enter the priority and click on the 'OK' button.
10. Save the object.
11. Create the rule as shown below: right-click on the HR_Trigger application and go to Create -> Rule.
12. Enter the details as shown below and click on the 'Create And Navigate To Object' button.
13. Save the rule.
14. Now insert the rule in the ruleset.
15. Select the rule RULE_1.
16. Save the ruleset.
17. Go to Rule_1 and create the Process Expression as shown below.
18. Select the Type as 'Loop'.
19. Enter the details as shown below and click on the 'Create And Navigate To Object' button.
20. Click on Loop_1 as shown below.
21. Save the object Rule_1.
22. Select the 'Perform Action' value in Result Type as shown below.
23. Select Loop Mode as 'For Each Entry in...' as shown below.
24. Select the table by clicking on 'Select...' as shown below.
25. Select 'HR_TRIGGER_TABLE'.
26. Save the loop 'Loop_1'.
27. Now create one more rule as shown below.
28. Enter the details as shown below and click on the 'Create And Navigate To Object' button.
29. Save the rule 'Rule_2'.
30. Now add Rule_2 as shown below.
31. Click on the 'Search' button.
32. Select the 'RULE_2' object.
33. Save the loop 'Loop_1'.

Creating Decision Table for conditions

34. Create the Decision Table as shown below.
35. Enter the details as shown below and click on the 'Create And Navigate To Object' button.
36. Click on 'Insert Column -> From Context Data Objects' as shown below.
37. Select the objects in the table and click on the 'Select' button.
38. The selected objects are displayed in the table as shown below. Now click on the 'Insert Column from Data Object' button in the Result Columns table as shown below.
39. Click on the 'Search' button.
40. Select the object and click on the 'Select' button.
41. The selected objects are displayed in the table. Now click on the 'OK' button.
42. The columns are now visible in the table.
43. Click on the 'Insert New Row' button to add the contents to the decision table.
44. Enter the value for the Connector column as shown below.
45. Enter the connector value and click on the 'OK' button.
46. In the same way add the values to the necessary columns as shown below.
47. Select the row and click on the 'Copy Row' button.
48. Now click on the 'Insert Copied Row' button as shown below.
49. Save the decision table.
50. Activate the decision table.
51. Click on the 'Activate' button.
52. Add a Process Expression as shown below.
53. Select the object 'DECISION_TABLE'.
54. Now assign the value to the 'Action ID' result data table as shown below.
55. Select 'Insert' as shown below.
56. Select the Context parameter as shown below.
57. Select the 'ACTION_ID' object.
58. Save and activate the rule 'Rule_2'.
59. Click on the 'Activate' button as shown below.
60. Now activate the loop 'Loop_1'.
61. Click on the 'Activate' button as shown below.
62. Now activate the rule 'Rule_1'.
63. Click on the 'Activate' button as shown below.
64. Now activate the ruleset 'Ruleset_1'.
65. Click on the 'Activate' button as shown below.

A. Decision table conditions for New Hire, Termination and Position Change



De-centralized EAM GRC 10.0

Source: http://scn.sap.com/community/grc/blog/2014/01/16/de-centralized-eam-grc-100

For Centralized EAM Configuration:
    http://atozgrc.blogspot.in/2013/10/configuration-of-emergency-access.html

In GRC 10.0 SAP introduced the centralized Emergency Access Management process, unlike the older version GRC 5.3; this received mixed reviews from GRC users.

Initially a user submitted an idea in SAP Idea Place asking SAP to provide de-centralized logon in GRC 10.0 in the same way it was used in GRC 5.3, and this was supported by many GRC consultants.

https://ideas.sap.com/ct/ct_a_view_idea.bix?c=4F27C74D-5330-4569-8199-D69072C0D4AE&idea_id=5C643027-DCA7-4CB1-871E-BFFAF3A072B3

Finally SAP enabled the de-centralized firefighting feature in GRC 10.0 from SP10. Depending on the client's needs, either the option "log on centrally" (the existing 10.0 behaviour) or "log on locally" (the 5.3 behaviour) can be configured in GRC 10.

The system can also have both the centralized and the de-centralized approach configured, but a user can only log in either centrally or locally, since there can be only one firefighter session at a time.

De-centralized EAM configuration – SP13 – ID based Firefighting

Step 1: Creating Connector and Assigning Integration Scenarios

Creating Connector:
Create a new connector using transaction SM59 or via the path shown below.

Create an ABAP connector with the options as shown below.

Under Logon & Security maintain the details as shown below. The user RFC_USER is a system user that exists in the ECD system with S_RFC access.

Once you have maintained all these values, save the connector and click on Connection Test. If it is successful, you will see the screen below.

Maintain Connectors and Connection Types
Now click on Maintain Connectors and Connection Types via the path below; this is required to assign a connection type to the connector created in the previous step.

You will see the screen below, which lists the different connection types available in the GRC system.

Maintain the entries for your connector as shown below. A source connector is not required.

Now our connector needs to be assigned to a connector group. This is similar to the logical system in GRC 5.3, where similar systems are grouped under one logical system. You can create your own connector group; alternatively, when you activate the BC sets for the SoD rules, the connector groups used in those rules are created automatically. Then assign your connector to the connector group as shown below. Change the setting "Max No. of BG..." to "3" (i.e. this connector will use a maximum of 3 background jobs for sync jobs).

Once you have the connector groups, assign the connector group to a group type as shown below.

The next step is to assign connectors to the connector group as shown below.

Maintain Connection Settings
Connectors should be assigned to all available integration scenarios (AM, ROLMG, SUPMG, AUTH, PROV), as SAP considers this good practice (under Common Component Settings -> Integration Framework -> Maintain Connector Settings). Repeat the steps shown below for the ROLMG, SUPMG and PROV scenarios.

Maintain Connector Settings
Now go to the path below to maintain connectors with application types and to enable PSS.

Maintain Mapping for Actions and Connector Groups
For POC purposes we are connecting the GRC 10 system to an ECC system, hence only one connector group is in active status.

From the same screen we can define the default connector to be used for different actions as shown below.

For example, if you are creating an LDAP connector, the mapping between AC and LDAP fields is maintained under Assign Group Field Mapping. Once all the above steps are performed, the next step is to schedule the synchronization jobs in the order advised by SAP.

Step 2: Creating FF Users, FF Owners and FF Controllers in GRC 10

  1. FF users execute transaction /n/GRCPI/GRIA_EAM in the plug-in system and log in with the firefighter IDs assigned to them, so the users no longer need to exist in the GRC system.
  2. FF IDs are created in the plug-in system and assigned the role SAP_GRAC_SPM_FFID (or its "Y" or "Z" equivalent) so that they are recognizable as FF IDs.
  3. FF owners, FF controllers and reason codes are created and maintained in the GRC system:
       NWBC -> Setup -> SuperUser Assignment and NWBC -> Setup -> SuperUser Maintenance
  4. The FF controller must also exist in the plug-in system with a valid e-mail ID, as FF login notifications are sent to the controller's e-mail ID maintained in the plug-in system.
  5. FF log notifications are sent to the FF controller's e-mail ID maintained in the GRC system. Hence the FF controller must exist in both the GRC and the plug-in system.

Step 3: Synchronization Jobs in GRC 10
In GRC 10 the synchronization jobs can be run from SPRO -> IMG, navigating to Governance, Risk & Compliance -> Access Control -> Synchronization Jobs.

Authorization Synch: synchronizes PFCG authorization data.
Repository Object Synch: synchronizes profile, role and user master data.
Action Usage Synch: synchronizes action usage data.
Role Usage Synch: synchronizes role usage data.
Firefighter Log Synch: synchronizes the firefighter logs from the plug-in system to the GRC system.
Firefighter Workflow Synch: initiates the FF log report review workflow, based on your workflow settings, which sends the FF log report to the FF controller for review.
EAM Master Data Synch: a new job introduced as part of de-centralized firefighting. It synchronizes the EAM data from the GRC box to the plug-in system. Once you have created all required users, run this job to synchronize the data from GRC to the plug-in system.

These reports can also be scheduled as background jobs.


Step 4: Configuration Parameters
SAP has introduced a new configuration parameter, 4015, which must be set to "YES" in order to enable de-centralized firefighting, as shown below.

Configuration Parameters – GRC system

Configuration Parameters – Plug-in system


Step 5: Assigning FF IDs to Users
If you are unable to find the FF IDs in NWBC:
  1. Check that the configuration parameters are maintained as described in Step 4.
  2. Check that all synchronization jobs have been executed as described in Step 3.
  3. Check that the user searching for FF IDs in NWBC has the required access.
  4. Check the configuration below as well.
Assign Owner and Controller:
Without assigning an owner and a controller, you may not be able to assign the FF ID to a firefighter. From NWBC -> Setup -> Super User Assignment assign the owner, and from NWBC -> Setup -> Super User Maintenance assign the controller.
Now you can assign the Firefighter ID to firefighters either directly or through a GRC access request.
  5. In the plug-in system you will find all the FF roles required for the user, controller etc. Create Y or Z copies of them and assign those to the users.


Step 6: FF ID is assigned to the FF User
  1. The FF user has been assigned the FF ID.
  2. The FF user now executes transaction /n/GRCPI/GRIA_EAM in the plug-in system and can see the FF ID assigned to his user ID. When the FF user tries to log in with the assigned FF ID, the error shown below appears.
  3. We already had the RFC connector SECCLNT100 created in the GRC system to connect from GRC to SEC and vice versa. The error was resolved by creating an RFC connection locally with the same name, SECCLNT100, as the system expects a local RFC connection with that name.
  4. Once this issue is fixed, users are able to log in as firefighters from the plug-in system and complete their tasks.

Step 7: Firefighter Login and Log Notifications
Configuration required for the login notification:
  1. In the GRC box, maintain the configuration parameters as described above in Step 4.
  2. Make sure that the 'EAM master sync job' has completed.
  3. In the plug-in system, maintain the configuration parameters as described above in Step 4.
  4. In the plug-in system, the FFID controller must exist with a valid e-mail ID, as the e-mail notification is sent from the plug-in system.
  5. In the de-centralized model the login notification mail is sent from the firefighter user's own SU01 e-mail ID. Make sure that the e-mail ID of the firefighter user is also maintained properly.
  6. The FF user's time zone and the system time zone should be the same in the plug-in system.

Login notification sent from the plug-in system:

Configuration required for the log report notification
Unlike the login notification, the log report notification is sent from the GRC box. Almost all of the steps are the same as in the centralized case.
  1. Make sure that configuration parameter 4002 is maintained in the GRC box.
     1. If 4007 is set to 'Yes', schedule only the job GRAC_SPM_LOG_SYNC_UPDATE. This job sends the log report notification as well.
     2. If 4007 is set to 'NO', schedule the job GRAC_SPM_LOG_SYNC_UPDATE for synchronization; it will not send the log report notification. For the log report, another job, GRAC_SPM_WORKFLOW_SYNC, must also be scheduled.
  2. The controller of the FFID is configured with a valid e-mail ID.
  3. In NWBC -> Access Management -> Controller, make sure that the 'Notification By' column is set to 'Email'.
  4. Make sure that the 'EAM master sync job' has completed.
  5. No setting needs to be maintained in the plug-in system in this case.

Log notification sent from the GRC system

SAP GRC Access Approver application Android App

The SAP GRC Access Approver application is now available for Android mobiles. It can be downloaded on any Android phone.

Using this application, approvers can approve requests at any time, from anywhere, on their mobiles.

Download procedure:
Google Play Store: search for SAP GRC Access Approver
Below I am sending the administrator's guide for the SAP GRC Access Approver application. Please check it.

Video Link:

Saturday 28 December 2013

SAP Courses

Hi, greetings from Thesarustrainings!!!!
We are providing online training for the modules below....

Course Name
1) SAP BASIS
2) SAP BASIS with Netweaver
3) SAP Security with GRC (Access Control)
4) SAP GRC 10.0 & GRC 10.1 (Access Control)
5) SAP BASIS with HANA
6) SAP HANA Studio
7) SAP BI/BO
8) SAP BI/BO with HANA
9) SAP SRM
10) SAP CRM Functional
11) SAP CRM Technical
12) SAP Material Management
13) SAP Sales & Distribution
14) SAP FICO
15) SAP APO
16) SAP ABAP
17) SAP OIL & GAS
18) SAP EH&S
etc.

Friday 13 December 2013

Damn Sure Questions in GRC AC 10 Certification Exam(C_GRCAC_10)

NO.1 Your customer has created a custom transaction code ZFB10N by copying transaction FB10 and implementing a user exit.
How can you incorporate the customer enhancement into the global rule set so that it will be available for Risk Analysis?

A. Update security permissions in all relevant authorization objects, maintain the custom program
name in all relevant functions, and generate the access rules.
B. Update all relevant functions with ZFB10N, maintain the permission values for all relevant
authorization objects, and generate the access rules.
C. Update all relevant functions with ZFB10N, maintain the permission values in the relevant
access risk, and generate the global rule set.
D. Update the relevant access risk with ZFB10N, maintain access rules in all relevant functions,
and generate the global rule set.
Answer: B

NO.2 Which of the following objects can you maintain in the "Maintain Paths" work area of MSMP workflow configuration? (Choose three)
A. Paths
B. Path versions
C. Rules for path mappings
D. Stage notification settings
E. Stages
Answer: A,D,E

NO.3 Which configuration parameters determine the content of the log generated by the SPM Log Synch job? (Choose three)

A. Enable Risk Change log (1002)
B. Enable Authorization Logging (1100)
C. Retrieve System log (4004)
D. Retrieve OS Command log (4006)
E. Retrieve Audit log (4005)
Answer: C,D,E

NO.4 Your customer wants to eliminate false positives from their risk analysis results.
How must you configure Access Control to include organizational value checks when performing a risk analysis? (Choose two)

A. Configure organization rules for each relevant function.
B. Update the functions that contain each relevant action by activating the fields for the required
permissions and maintaining a value for each specific organization.
C. Configure organization rules for each relevant risk.
D. Update the functions that contain each relevant action by activating the fields for the required
permissions.
E. Configure organization level system parameters to incorporate all organization levels for each
relevant risk.

Answer: C,D

NO.5 What do you mitigate using Access Control?
A. Roles
B. Users
C. Risks
D. Functions
Answer: C

NO.6 Your customer wants a manager to fulfill both MSMP workflow agent purposes.
How do you configure this?

A. Maintain the manager agent twice, once for each purpose, using the same agent ID.
B. Maintain the manager agent once and assign both purposes to it without using an agent ID.
C. Maintain the manager agent twice, once for each purpose, using different agent IDs.
D. Maintain the manager agent once and assign both purposes to it using the same agent ID.
Answer: C

NO.7 You have identified some risks that need to be defined as cross-system risks. How do you
configure your system to enable cross-system risk analysis?

A. 1. Set the analysis scope of the function to cross-system.
2. Create cross-system type connectors.
3. Assign the corresponding connectors to the appropriate connector group.
4. Generate rules.
B. 1. Set the analysis scope of the risk to cross-system.
2. Create cross-system type connectors.
3. Assign the corresponding connectors to the appropriate connector group.
4. Generate rules.
C. 1. Set the analysis scope of the risk to cross-system.
2. Create a cross-system type connector group.
3. Assign the corresponding connectors to the connector group.
4. Generate rules.
D. 1. Set the analysis scope of the function to cross-system.
2. Create a cross-system type connector group.
3. Assign the corresponding connectors to the connector group.
4. Generate rules.
Answer: D

NO.8 What does assigning the Logical Group (SOD-LOG) type to a connector group allow you to do?
A. Run a cross-system analysis.
B. Use the connector group for transports to the target system.
C. Monitor the target system.
D. Use the connector group as a business role management landscape.
Answer: D

NO.9 Who approves the review of the periodic segregation of duties?
A. Mitigation monitors
B. Role owners
C. Mitigation approvers
D. Risk owners
Answer: D

NO.10 How are lines and columns linked in a BRFplus initiator decision table?
A. A column to a column through a logical OR
B. A column to a line through a logical OR
C. A column to a column through a logical AND
D. A line to a line through a logical AND
Answer: C

NO.11 Which periodic review process allows a role owner to remove roles from the users?

A. UAR Review
B. SoD Review
C. Firefighter Log Review
D. Role Certification Review

Answer: A

NO.12 You want to assign an owner when creating a mitigating control. However, you cannot find the user you want to assign as an owner in the list of available users. What could be the reason?

A. The user is already assigned as an owner to another mitigating control.
B. The workflow for creating a mitigating control has not yet been approved.
C. The user is locked.
D. The user has not been assigned as an owner in the organizational hierarchy.

Answer: D

NO.13 Which report types require the execution of batch risk analysis? (Choose two)
A. Ad-hoc risk analysis reports
B. Offline risk analysis reports
C. User level simulation reports
D. Access rules detail reports
E. User and role analysis dashboards

Answer: B, E

NO.14 Where can you define a mitigating control? (Choose three)

A. In the mitigating controls workset in Access Control
B. In the rule setup in Access Control
C. In the Access Control risk analysis result screen
D. In the central process hierarchy in Process Control
E. In the activity setup in Risk Management

Answer: A, C, D

NO.15 You have created a new end-user personalization (EUP) form. Where can you make use of this EUP form? (Choose two)

A. In a stage configuration of a workflow
B. In an organizational assignment request
C. In a template-based request
D. In a model user request
E. Company 2

Answer: A, C

NO.16 You have maintained an end-user personalization (EUP) form and set a particular field as mandatory. Which additional field attribute settings are required? (Choose two)

A. The field attribute Visible must be set to "Yes".
B. A default value must be maintained for the field.
C. The field attribute Editable must be set to "Yes".
D. The field attribute Visible must be set to "No".
E. The field attribute Editable must be set to "No".

Answer: A, C

NO.17 You want to maintain roles using Business Role Management. How do you import the roles from the back-end system?

A. Use an SAP transport.
B. Execute the Role Import background job directly in the back-end system.
C. Use the standard import template.
D. Execute the Role Repository Sync program.

Answer: C

NO.18 Which activity can you perform when you use the Test and Generate options in transaction MSMP Rule Generation/Testing (GRFNMW_DEV_RULES)?

A. Generate and activate a BRFplus flat rule for workflow-related rules.
B. Create a rule type for workflow-related rules.
C. Create an MSMP process ID for workflow-related rules.
D. Generate and activate function modules for workflow-related rules.

Answer: D

Table to see role owners and role approvers in GRC AC 10

First open SE16, enter the table name GRACROLE and execute.

Enter your role name and execute.

You will get the Role ID. Copy the Role ID.

Then open table GRACROLEAPPRVR.

Enter the copied Role ID in the Role ID field and execute.

There you can see the owner and approver of that particular role.