
SAP IDM & GRC Issue - Cumulative Privilege Assignment


Hello,

We are working with version 8.0 SP6 of SAP Identity Management.

IDM and GRC Access Control were integrated for risk analysis and mitigation when assigning S/4HANA system privileges to users.

When we assign at the same time two privileges (or more) of this system (S/4HANA) which generate a risk (when assigned to the same user) and must go through GRC for validation, we notice that the IDM approver receives only one request for a single role among the 2 assigned.

If the IDM approver chooses to validate the request he received:

- The 2 privileges are validated in IDM and the AC Request is sent to GRC (both are displayed in the GRC approver Interface)

If the IDM approver chooses to reject the request:

- The privilege that he received is rejected and therefore it has a “Rejected” status in IDM, but the other privilege goes directly to OK status without needing validation / rejection from the IDM approver.

We want the IDM approver to receive 2 requests for the 2 privileges assigned to manage them separately.

Is there anyone who has encountered the same problem before?

Could you please help us resolve this issue?

Thank you.

Best regards,

Issam

Henrik1
Participant

Does this always happen when you have 2 or more privileges? I'm wondering if it's because the attribute for risk analysis has not been set on one of the privs... Just trying to rule out the easy ones first 🙂


Hi Henrik,

Thank you for your reply.

Yes, it always happens when we assign 2 or more privileges of the S/4HANA system to a user.

I checked, and the triggers are set the same for all privileges of this system, so I don't think it was because of the risk analysis attribute not being set for one of the privileges.

We found the cause of the problem: it is a P:-4 choice of privilege grouping in the MX_PRIV_GROUPING_RULE repository constant. When it is changed to P:-1, the privileges arrive separately in the UI of the IDM approver.

Best regards,

Issam
