on 03-17-2009 7:04 PM
Hi GRC guru's
As we are in the process of customizing CUP ,I have couple of questions so kindly help me out here
1. When requestor select roles which belong different approvers how does the request gets processed
example roles selected are Z_XYZ who's role approver is Tom and second role Z_ABC with role approver John , how is this request handled ?
2. When you run risk anlysisin CUP and you find out that there are risks and there is no mitiagtion control in RAR for risk produced , how will the approver proceed ? should he go back and perform the mitigation in RAR and then mitiagte the risk in CUP or is there a way to mitigate the new risk in CUP which can then be automaticallly pushed to RAR ?
3. Is there way to populate user group in the access request form and is there way to populate the license type in CUP?
Kindly clear my doubts ,Thanks in advance
Regards
Keith.
Hello Keith,
In response to
2. When you run risk anlysisin CUP and you find out that there are risks and there is no mitiagtion control in RAR for risk produced , how will the approver proceed ? one other option for you is to set a config parameter specifying that the approver can approve the request containing risks as well, without mitigating the same. Though this would not be recommended but just wanted to share that you do have the option in case the need be so.
Regards,
Hersh.
+91-9823055233.
Edited by: HERSH GUPTA on Mar 18, 2009 12:48 PM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Keith,
Please find my response below:
1. When requestor select roles which belong different approvers how does the request gets processed
example roles selected are Z_XYZ who's role approver is Tom and second role Z_ABC with role approver John , how is this request handled ? Both the role owner would get email and can approve the request at same time. Unless untill both these approvers approve/reject the request, request can not move to next stage.
2. When you run risk anlysisin CUP and you find out that there are risks and there is no mitiagtion control in RAR for risk produced , how will the approver proceed ? should he go back and perform the mitigation in RAR and then mitiagte the risk in CUP or is there a way to mitigate the new risk in CUP which can then be automaticallly pushed to RAR ? CUP can handle this automatically via Webservices. There is a menu called 'Mitigation' in configuration section of CUP. You specify Webservice URL in this menu and then approver can create/assign mitigation in RAR via CUP. You don't need to login to RAR to create mitigating control.
3. Is there way to populate user group in the access request form and is there way to populate the license type in CUP? Yes, you can populate user group by configuring user defaults or via creating a custom field and mapping it to user group in SAP. There is no direct way to populate license type but you should be able to create custom field in CUP and map it to the field in SAP.
Regards,
Alpesh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Alpesh and all
I would like to follow up with your answer to Keith's question below.
1. When requestor select roles which belong different approvers how does the request gets processed
example roles selected are Z_XYZ who's role approver is Tom and second role Z_ABC with role approver John , how is this request handled ? Both the role owner would get email and can approve the request at same time. Unless untill both these approvers approve/reject the request, request can not move to next stage.
My question,
Is there a way to allow users to submit one request with 2 roles with different approvers, if the 1st approver approved the role, the 1st role to be provisioned to immediately without having to wait for the 2nd approver to approve the 2nd role?
The two roles both satisfy the critiria of the same initiator (attribute Role, and both roles are in the role list). Since the roles fall under the same path and stage (only 1 role owern approval stage), I noticed the 1st approved role was not provisioned until the 2nd role is approved. Is there a way to work arond that? It make sense to go ahead provision the 1st role without having to waiting for the 2nd role to be approved or rejected. The roles have the same approval requirement so they should use the same initiator and workflow path.
If you or anybody knows the work around, I would appreciate your sharing the info.
Thanks.
p.s.
I did a test to submit a request with 2 roles, each role satisfy a different workflow initiator therefore different paths are used. 1st role was approved through 1st path and provisioned immediately while 2nd role was waiting in approval stage in the 2nd path. The request is closed once both path were completed.
Hi Limei,
We are also looking for options to get the provisioning happen with the approved roles/profiles and not waiting for all the requested profiles approval. As I understad, SAP is yet to implement this enhancement request with GRC 5.3 SP8.
I saw your statement that:
"I did a test to submit a request with 2 roles, each role satisfy a different workflow initiator therefore different paths are used. 1st role was approved through 1st path and provisioned immediately while 2nd role was waiting in approval stage in the 2nd path. The request is closed once both path were completed."
As we are exploring the options, i was curious to know how did you get to configure the above use case in CUP?
We use to implement a role based approval and hence the workflow initiator would be roles. We also have the approval stage configured to be roles.
Any inputs would be greatly appreciated.
Thanks,
Anil
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.