
GRC AC 10.1 Managing expired and expiring roles: how to extend role assignment validity

mseruya
Explorer
0 Kudos

Dear SAP Community,

During the configuration of GRC 10.1 Access Request, I was trying to find the best way to manage expired and expiring role assignments. From my understanding, the only tool available is the security report "List Expired and Expiring Roles for Users", which does not offer a way of extending the role assignment validity or to notify either managers or end users of the incoming access limitation.

How did you tackle this issue in your implementations?

  • must users (or managers) create a new access request, each time their roles are about to expire?
  • do you notify the users (or managers) that their roles are about to expire?
  • did you create a workflow for role assignment validity extension, where managers review their users' assignments and extend the necessary ones?

Is there a standard way to achieve any of this?

I was hoping that role reaffirm or user access review would provide this functionality, but unfortunately they only serve to remove assignments, not to extend them...

Thanks and best regards,

MS

Accepted Solutions (0)

Answers (3)


alessandr0
Active Contributor

Hi Miguel,

the only way in Access Control to achieve this is with Access Requests. When you request access for a user, you can click on the "Existing Assignment" button to see all the roles that are assigned and likely to expire. You can then add them to the access request and have the action set to "Retain" (instead of "Assign" or "Remove"). Retain allows you to change the validity date.

You can also set parameter 2045 to 010 (Retain), so that the default provisioning action is always Retain when you select them from the existing assignments.

Cheers,

A

mseruya
Explorer
0 Kudos

Hi Alessandro,

Thank you so much for your quick reply!

I was aware of the functionalities you described, but was wondering if there was any "smart" way of dealing with this issue, that did not involve custom coding... As the standard functionality stands, there is no alert for roles about to expire, and users (or managers) must submit the role extension request themselves.

To simplify this process, I believe two solutions could be:

a) Without custom coding

1. Periodically, extract the report "List Expired and Expiring Roles for Users", for user assignments that are about to expire in the next 30 days

2. Mass generate requests to extend those assignments, that would then be approved or rejected by the users' managers

b) With custom coding, create a background job that runs periodically and:

1. Checks table GRACUSERROLE for role assignments that are about to expire

2. Groups these role assignments by user

3. Creates an access request (which has the corresponding MSMP workflow configured) for role assignment extension for each user

Might there be a simpler way to achieve this? Or are these the only alternatives?

Best regards,

MS
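A sketch of the selection and grouping steps proposed in the post above, added here as an illustration and not part of the original thread or of SAP's code. It assumes the report has been exported to CSV; the column names, users, roles and system ID are constructed, and `approval_lead_days` is a hypothetical parameter for flagging assignments that may lapse before an approver acts. It only builds the per-user list of Retain candidates and does not create access requests.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export; the column names are assumptions, not the report's real layout.
SAMPLE_EXPORT = """user,system,role,valid_to
JDOE,ECCCLNT100,Z_FI_AP_CLERK,2024-03-10
JDOE,ECCCLNT100,Z_FI_AR_DISPLAY,2024-06-30
ASMITH,ECCCLNT100,Z_MM_BUYER,2024-03-03
ASMITH,ECCCLNT100,Z_MM_DISPLAY,2024-02-20
BLEE,ECCCLNT100,Z_SD_ORDER_ENTRY,2024-03-25
"""

def plan_extensions(export_text, today, window_days=30, approval_lead_days=5):
    """Group assignments expiring within window_days by user.

    Returns (plan, expired): plan maps user -> list of Retain candidates,
    expired lists assignments whose validity has already ended.
    """
    horizon = today + timedelta(days=window_days)
    plan = defaultdict(list)
    expired = []
    for row in csv.DictReader(io.StringIO(export_text)):
        valid_to = date.fromisoformat(row["valid_to"].strip())
        item = {"system": row["system"], "role": row["role"], "valid_to": valid_to}
        if valid_to < today:
            # Already lapsed: reported separately instead of queued for Retain.
            expired.append({"user": row["user"], **item})
        elif valid_to <= horizon:
            days_left = (valid_to - today).days
            # Flag items that could expire before the assumed approval lead time.
            item["urgent"] = days_left < approval_lead_days
            plan[row["user"]].append(item)
    for items in plan.values():
        items.sort(key=lambda i: i["valid_to"])  # soonest expiry first
    return dict(plan), expired

if __name__ == "__main__":
    plan, expired = plan_extensions(SAMPLE_EXPORT, today=date(2024, 3, 1))
    for user, items in sorted(plan.items()):
        for i in items:
            flag = " URGENT" if i["urgent"] else ""
            print(f"{user}: Retain {i['role']} on {i['system']} (ends {i['valid_to']}){flag}")
    for e in expired:
        print(f"{e['user']}: {e['role']} already expired on {e['valid_to']}")
```
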

alessandr0
Active Contributor
0 Kudos

Hi MS,

correct - I don't see another option within the standard.

Regards,

Alessandro

0 Kudos

Hi Experts,

Adding to this aspect, I have a related question.

When a request is submitted for the Retain/Change data provisioning action, it goes to the manager and other approvers for approval. But by the time the role gets approved, the role has been removed from the user assignments at the backend ECC, and the request goes to the Escape path with the condition "Provisioning failure".

I would like to know what the default time/period would be that a request will look for backend assignments.

RameshVithanala
Active Participant
0 Kudos

Hi MS,

Are the roles that you are referring to here Business Roles (BR) or Technical Roles (TR)? Did you try the following program for role expiry?

GRAC_ROLE_EXPIRY

Thanks

Ramesh