on 2018 Dec 03 5:58 PM
Dear SAP Community,
During the configuration of GRC 10.1 Access Request, I was trying to find the best way to manage expired and expiring role assignments. From my understanding, the only tool available is the security report "List Expired and Expiring Roles for Users", which does not offer a way of extending the role assignment validity or to notify either managers or end users of the incoming access limitation.
How did you tackle this issue in your implementations?
Is there a standard way to achieve any of this?
I was hoping that role reaffirm or user access review would provide this functionality, but unfortunately they only serve to remove assignments, not to extend them...
Thanks and best regards,
MS
Hi Miguel,
The only way in Access Control to achieve this is with Access Requests. When you request access for a user, you can click on the "Existing Assignment" button to see all the roles that are assigned and likely to expire. You can then add them to the access request and have the action set to "Retain" (instead of "Assign" or "Remove"). Retain allows you to change the validity date.
You can also set parameter 2045 to 010 (Retain), so that the default provisioning action is always Retain when you select them from the existing assignments.
Cheers,
A
Hi Alessandro,
Thank you so much for your quick reply!
I was aware of the functionalities you described, but was wondering if there was any "smart" way of dealing with this issue, that did not involve custom coding... As the standard functionality stands, there is no alert for roles about to expire, and users (or managers) must submit the role extension request themselves.
To simplify this process, I believe two solutions could be:
a) Without custom coding
1. Periodically, extract the report "List Expired and Expiring Roles for Users", for user assignments that are about to expire in the next 30 days
2. Mass generate requests to extend those assignments, that would then be approved or rejected by the users' managers
b) With custom coding, create a background job that runs periodically and:
1. Checks table GRACUSERROLE for role assignments that are about to expire
2. Groups these role assignments by user
3. Creates an access request (which has the corresponding MSMP workflow configured) for role assignment extension for each user
Might there be a simpler way to achieve this? Or are these the only alternatives?
Best regards,
MS
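The steps of option (b) above, sketched as an added example that is not part of the original posts and is not SAP code. It reads a constructed CSV extract rather than table GRACUSERROLE, and the column names, the `build_extension_requests` function and the 365-day proposed extension are assumptions; the output is a list of draft per-user requests, not a call into any GRC API.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data. Column names are assumptions for this sketch,
# not the real layout of the report or of table GRACUSERROLE.
SAMPLE_EXPORT = """user_id,system,role,valid_to
JDOE,ECCCLNT100,Z_FI_AP_CLERK,2018-12-20
JDOE,ECCCLNT100,Z_FI_DISPLAY,2019-06-30
JDOE,ECCCLNT100,Z_MM_BUYER,2018-12-28
ASMITH,ECCCLNT100,Z_HR_ADMIN,2018-11-15
ASMITH,ECCCLNT100,Z_HR_DISPLAY,9999-12-31
BLEE,ECCCLNT100,Z_SD_ORDER,2019-01-02
"""

def build_extension_requests(export_text, today, window_days=30, extend_days=365):
    """Group assignments expiring within the window into one draft request per user."""
    cutoff = today + timedelta(days=window_days)
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        valid_to = date.fromisoformat(row["valid_to"])
        # Keep only assignments still valid today that end inside the window;
        # already-expired and long-lived (e.g. 9999-12-31) ones are skipped.
        if not (today <= valid_to <= cutoff):
            continue
        per_user[row["user_id"]].append({
            "system": row["system"],
            "role": row["role"],
            "action": "Retain",  # provisioning action named in the thread
            "current_valid_to": valid_to.isoformat(),
            # Proposed date is an assumption; the approver decides in workflow.
            "proposed_valid_to": (valid_to + timedelta(days=extend_days)).isoformat(),
        })
    # One request per user, soonest-expiring role first.
    return [
        {"user_id": user, "items": sorted(items, key=lambda i: i["current_valid_to"])}
        for user, items in sorted(per_user.items())
    ]

if __name__ == "__main__":
    for req in build_extension_requests(SAMPLE_EXPORT, date(2018, 12, 3)):
        print(req["user_id"], [(i["role"], i["proposed_valid_to"]) for i in req["items"]])
```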
Hi Experts,
In addition to this, I have a related question.
When a request is submitted for the Retain/Change data provisioning action, it goes to the manager and other approvers for approval. But by the time the role gets approved, the role has been removed from the user assignments at backend ECC, and the request goes to the Escape path with the condition "Provisioning failure".
I would like to know what the default time/period is that a request will look for backend assignments.
Hi MS,
Are the roles that you are referring to here Business Roles (BR) or Technical Roles (TR)? Did you try the following program for role expiry?
GRAC_ROLE_EXPIRY
Thanks
Ramesh