on 06-19-2009 1:17 AM
Hi,
We are doing an external IDM integration with CUP 5.3 SP7. We are trying to use the SAP-delivered web service SAPGRC_AC_IDM_SUBMITREQUEST for the request submission. The request gets created successfully and is then forwarded to the approver's inbox. We use the attribute 'Role' as the Approver Determinator.
I've set the 'Risk Analysis Mandatory' flag to Yes at the Role approval stage. But this doesn't seem to force the system to perform a Risk Analysis when the request is getting approved. So the user gets provisioned in R/3 with risks and no mitigation assigned to the same!!!
But it DOES perform an RA if I have set the property 'Perform Risk Analysis on Request Submission' to Yes (in Configuration Risk Analysis) and if I create the request through CUP (no IDM).
Is there a setting which will make it impossible to approve and provision an account unless an RA is performed and subsequently a mitigation applied?
It seems like the stage config param should have done this, but in fact it does NOT.
Appreciate your inputs to fix this...
Regards,
Anil
Sorry Anil. I am not able to follow this. It seems you are testing two different scenarios here. Can you try to create the same request for the same role through CUP and see whether it lets you approve the request without RA or not? Make sure not to keep the risk analysis on request submission on. If you keep it on then CUP will think that the RA is already done and it will not force the approver to run the RA again.
Regards,
Alpesh
Hi Alpesh,
Thanks for checking this.
To get the basic stuff right, I've done the following tests in CUP (no request submission from IDM):
a. Set 'Perform Risk Analysis on Request Submission' to No
Set 'Risk Analysis Mandatory' flag to Yes at the Role approval Stage
Created a request with only one role (profile), and I know there are risks associated with that profile.
The system did let me approve and provision the account without performing an RA and a mitigation.
b. Set 'Perform Risk Analysis on Request Submission' to Yes
Set 'Risk Analysis Mandatory' flag to Yes at the Role approval Stage
Created a request with only one role (profile), and I know there are risks associated with that profile.
The system did show a red flag in the 'Risk Violations' tab when accessing the request for approval.
And I had to perform an RA and a mitigation before approving and provisioning the account.
c. Set 'Perform Risk Analysis on Request Submission' to No
Set 'Risk Analysis Mandatory' flag to Yes at the Role approval Stage
Created a request with only one role (profile), and I know there are risks associated with that profile.
I performed an RA and then mitigated the risk before approving the request.
Our requirement is that no account should be provisioned with a risk unless it's mitigated. So this will require a mandatory RA during the approval stage. I've also set 'Approve Request Despite Risks' to No at the approval stage.
To test the different scenarios, I've used the same ID for the requestor as well as the approver (though this should not have an effect).
It seems the system is not working as it's configured. Or did I miss something?
Regards,
Anil