2024 Oct 14 1:21 PM
Hello,
We have an issue in our SAP GRC Access Control system for the user provisioning.
When a user asks for multiple roles with multiple approvers, we have to wait until all approvers have approved their roles before the provisioning is done.
If an approver is absent, the provisioning can be delayed because of that.
We would like that, when one role is approved, this role is provisioned.
In conclusion, we would like to provision at item level, not at request level.
Does anyone have an idea on how to fix it?
We already created a case but no solutions were found.
Thanks
2024 Nov 17 11:32 PM - edited 2024 Nov 17 11:33 PM
Hi Louty.
When an access request is submitted, it can be split into multiple paths, depending on your initiator settings.
Provisioning can be configured to happen at the end of the access request (when all these paths get fully approved) or at the end of each of these paths.
In theory you could have provisioning done after the approval of each role if you configure your workflow to generate one path per role. There are some ugly ways to do it, but they would make your workflow configuration very complex.
I would suggest you explore other options that are more suitable for this, like having more than one possible approver, using automatic time-based escalations or rejecting role assignments that go too long without being approved so the approved ones can be provisioned.
2024 Nov 22 10:59 AM
Hello Louty, I was thinking about the same solution because of similar issues with absent or already departed approvers a few years ago when we were on GRC AC 10.0.
Based on investigation, and mainly after the upgrade to GRC AC 12.0, I realised that it is easier to split a request for roles approved by more than one GRC Role Approver into several GRC AC requests - to create a GRC AC request containing job roles to be approved by only one GRC Role Approver. It's simple in GRC AC 12.0 because you can use the Role Import functionality and the Copy Request functionality. The effort spent on creating more GRC AC requests at the beginning is less than the effort needed later to remind pending GRC Role Approver/s again and again, or to temporarily switch the main GRC Role Approver and the Alternate one (as deputy) and then back. I don't know if it is common, but even if the information about Delegation is widely known, it is rarely used. And yes, it can be complicated to define Delegation if one GRC Role Approver has several deputies due to several different job roles.
As it is used on a daily basis by our 1st level support, and users appreciate the fast resolution of their role requests, I can say it's a fine working solution.
Have a nice day.