
BR role should only be available in access request


BRM in GRC 10: Role status - Dev or test & Provisioning status - Yes

I want to check if the below process is possible,

Technical role status will be maintained as dev or test, so that those roles will not be available for requesting in access request but when we use those technical roles in a business role, then it should get provisioned to the user.

Single role status - development or testing (we are not using composite roles)

Provision status and auto provisioning status - Yes

Already maintained role status - production

Requirement is that we don't want end users to request a set of single roles via access request but we want to use those single roles inside a business role for assignment.

Note: We have implemented business role concept only in one division of the company and other division are still requesting single roles via access request.

Accepted Solutions (0)

Answers (3)


sreekanth_sunkara
Active Participant
0 Kudos

Karthik,

This is possible. You can set both single/composite roles and Business roles in PRD status, but in addition to this, please configure "Configure Attributes for role search criteria in access requests" in SPRO. Here you can restrict users to only see and select Business roles while requesting access.

Thanks,

Sri.

0 Kudos

Hello Sri,

I will try to clarify my requirement,

Consider 10 single roles (A, B, C, etc) are there in our production system,

  • Out of which 5 single roles (A,B,C,D,E) which are not part of a business role should be available for end users to request (Single role status - PRD)
  • Remaining 5 single roles (F,G,H,I,J) which are part of business role should not be available for end users to request

How to achieve this result?

piotr_skalski
Newcomer
Hi Colleagues, in our company we have the same requirement. Of course, technically it is possible to maintain 2043 parameter and restrict authorizations with GRAC_ROLEP and respective role name value in. However, in our company we are talking about hundreds of Technical Roles which are part of Business Roles, and those TRs should not be searchable / shoppable. And taking into consideration another hundreds of TRs that are built per year, it is almost impossible to be flexible enough and to be able to maintain them. Simply, it would mean that we would need to maintain those hundreds of TRs in GRAC_ROLEP field (role name) and allow users to have authorizations to search for them. Or exclude condition to exclude them as "searchable". Are there any other ways to meet this, rather basic, requirement?

Thanks

Piotr

RameshVithanala
Active Participant
0 Kudos

Hi Karthik,

I am not sure I got your following requirement correctly

Requirement is that we don't want end users to request a set of single roles via access request but we want to use those single roles inside a business role for assignment.

You don't want end users to request a set of single roles via access request, then it's possible if we set the role status to DEV or TST. Then, if the same single role is in DEV or TST, why do you want to use/add it inside the BR?

Thanks

Ramesh

0 Kudos

Hello Ramesh,

I will try to clarify my requirement,

Consider 10 single roles (A, B, C, etc) are there in our production system,

  • Out of which 5 single roles (A,B,C,D,E) which are not part of a business role should be available for end users to request (Single role status - PRD)
  • Remaining 5 single roles (F,G,H,I,J) which are part of business role should not be available for end users to request

How to achieve this result?

madhusap
Active Contributor
0 Kudos

Hi Karthik,

Yes, the functionality you are looking for is possible.

Set Business Role status as "Production" and single/composite roles status as DEV or TEST. This way users can select only business roles in access request and cannot select Single/Composite roles, and on the provisioning side there will not be any issue, as both Single/Composite roles get provisioned as settings for Auto provisioning are set as YES.

Regards,

Madhu

0 Kudos

Hello Madhu,

We tried the exact same settings, but single/composite roles are not getting provisioned to the user id unless we open the BR role and manually update assignment. This method won't work during removal of BR. Single roles will remain in the target system itself.

UdayRachaputi_SAP
Discoverer
0 Kudos

Hello everyone, @madhusap 

Not sure if this thread is still active.

I am facing a similar issue. We have a requirement where we are using business roles for a particular landscape and the other landscape is composite roles.

For business roles, we added composite role as associated role, keeping the Role status as DEV/TEST for composite role and PRD for business role. But when we submit the access request, the audit log shows No provisioning log is available. We can set some condition in access request search configuration to business role only since there are other landscape where requests will be submitted for composite roles.

Can you please suggest your ideas on how to solve this.