
Role Mapping For Portal Role Assignment and ABAP Role Assignment


Summary:

- Under the GRC configuration of Roles > Role Mapping, we are trying to utilize the role mapping feature in GRC for associating a dependent role to a main role.

- We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.

- We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words, if the role owner for the ABAP role approves the ABAP role, then both the ABAP and EP role will be provisioned by GRC, and if the role owner rejects/denies the role, then neither the ABAP nor the EP role will be provisioned by GRC.

Problem Description:

Scenarios we tested:

Scenario 1:

Main Role: Attached to Initiator A & workflow A (routes to single approver based on role)

Dependent Role: Attached to Initiator B & workflow B (routes to auto approval or no approval)

*Problem with the Scenario 1 setup above: the dependent role will always get approved and provisioned regardless of the approval or denial of the main role.

Scenario 2:

Main Role: Attached to Initiator A & workflow A (routes to single approver based on role)

Dependent Role: Attached to Initiator A & workflow A (routes to single approver (same as main approver) based on role)

*Problem with the Scenario 2 setup above: the dependent role will always also need to get approved by the same approver as the main role, and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.

Questions:

1. Does the dependent role need to be defined in an initiator at all, since it will never be requested directly?

2. If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency (if the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC, and if the role owner rejects/denies the main role, then neither the main role nor the dependent role will be provisioned by GRC).

Edited by: Rene Griffith on Feb 26, 2010 10:22 PM

Accepted Solutions (0)

Answers (2)


This functionality is not available yet per SAP.

Former Member

Hi Rene, you can achieve 1:1 or 1:n mapping with a single approver in the ABAP system using the role mapping. In your scenario, you can define no approver for the portal role, define an approver for the ABAP role, and do a role mapping for both roles. In this case, when the user applies for a single role in GRC, the other role will automatically also come into the request with no additional approver. I hope I understand your required scenario correctly.

Regards

rupesh


So let me understand what you are stating.

1. Define the ABAP role as the main role and the non-ABAP role as the dependent role.

2. Assign the ABAP role to the initiator requiring approval and then assign the non-ABAP role in the initiator with no approval required.

Expected result would be:

1. ABAP role selected, then non-ABAP role also selected.

2. If the ABAP role is rejected by the approver, then the non-ABAP role should not be provisioned, correct?

Let me try that and see how it goes. Thanks.


I tested this setup.

1. Defined ABAP role as main role

2. Defined non-ABAP role as dependent role

3. ABAP role is set up in initiator requiring business approval.

4. Non-ABAP role is set up in initiator with no approval required.

Results where business approver approves the ABAP role:

1. Only the ABAP role is displayed in the approver view, which is desirable.

2. ABAP role is approved, and the non-ABAP role and ABAP role are provisioned.

Results where business approver rejects the ABAP role:

1. Only the ABAP role is displayed in the approver view, which is desirable.

2. ABAP role is rejected but the non-ABAP role is provisioned, which is not what we want. We want the non-ABAP role not to be provisioned if the ABAP role is rejected by the business approver.

Thanks again for your help.
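The rejection result in the post above leaves a user holding a dependent portal role without its main ABAP role. The following is an added example, not part of the original thread and not SAP code: a periodic reconciliation check that flags such assignments. All role names, user IDs and the data layout are constructed assumptions, and no GRC/CUP API is used.

```python
# Added example: reconcile provisioned roles against a 1:1 role mapping.
# Role names, user IDs and the input layout are constructed for illustration;
# in practice the two dictionaries would be loaded from role-assignment exports.

ROLE_MAPPING = {  # main ABAP role -> dependent Enterprise Portal role
    "Z_ECC_AP_CLERK": "EP_AP_CLERK",
    "Z_BW_REPORT_USER": "EP_BW_REPORTING",
}

ASSIGNMENTS = {  # user -> roles currently provisioned (constructed sample)
    "JSMITH": {"Z_ECC_AP_CLERK", "EP_AP_CLERK"},  # consistent pair
    "MLEE": {"EP_BW_REPORTING"},                  # main rejected, portal role provisioned
    "TKHAN": {"Z_BW_REPORT_USER"},                # main approved, portal role missing
    "ADOE": {"Z_HR_DISPLAY"},                     # role outside the mapping
}


def find_mapping_violations(mapping, assignments):
    """Return (user, finding, role, counterpart) tuples for broken pairs."""
    dependent_to_main = {dep: main for main, dep in mapping.items()}
    if len(dependent_to_main) != len(mapping):
        raise ValueError("mapping is not 1:1: a dependent role has two main roles")

    findings = []
    for user in sorted(assignments):
        roles = assignments[user]
        for role in sorted(roles):
            main = dependent_to_main.get(role)
            if main is not None and main not in roles:
                # Access granted without the approval that was meant to gate it.
                findings.append((user, "ORPHANED_DEPENDENT", role, main))
            dependent = mapping.get(role)
            if dependent is not None and dependent not in roles:
                # Approved main role whose mapped portal role never arrived.
                findings.append((user, "MISSING_DEPENDENT", role, dependent))
    return findings


if __name__ == "__main__":
    for finding in find_mapping_violations(ROLE_MAPPING, ASSIGNMENTS):
        print(*finding, sep="\t")
```
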

Former Member

Hi Rene,

Sorry to say, but CUP is not designed to handle this kind of request. The role mapping does not help during rejection. Open a message with SAP and see what their response is.

Alpesh


Thanks for working with me. We already have an open message with SAP. SAP IdM does have this functionality in case you wanted to know. The good news from SAP is that they are going to incorporate this "packaged request of the portal role and abap role" in GRC in what they are calling release 10 which is coming out in 2011 I think. We were just trying to think of a workaround until that is available. Thanks again.

Former Member

Thanks, Rene, for letting me know. That is why SAP offers integration services for IdM. I do know @ GRC AC 10.0 but I don't know how much time it will take for you to get a GA release.

Regards,

Alpesh