
Risk Analysis not performed at Approval Stage

former_member325725
Participant
0 Kudos

Hi,

We are doing an external IDM integration with CUP 5.3 SP7. We are trying to use the SAP-delivered web service SAPGRC_AC_IDM_SUBMITREQUEST for the request submission. The request gets created successfully and is then forwarded to the Approver inbox. We use the attribute 'Role' as the Approver Determinator.

I've set 'Risk Analysis Mandatory' flag to Yes at the Role approval Stage. But this doesn't seem to force the system to perform a Risk Analysis when the request is getting approved. So the user gets provisioned in R/3 with risks and no mitigation assigned to the same!!!

But it DOES perform a RA if I have set the property 'Perform Risk Analysis on Request Submission' to Yes (in Configuration Risk Analysis) and if I create the request through CUP (no IDM).

Is there a setting which will make it impossible to approve and provision an account unless an RA is performed and subsequently a mitigation applied??

It seems like the stage config param should have done this, but in fact it does NOT.

Appreciate your inputs to fix this...

Regards,

Anil

Accepted Solutions (1)


Former Member
0 Kudos

Sorry Anil. I am not able to follow this. It seems you are testing two different scenarios here. Can you try to create the same request for the same role through CUP and see if it lets you approve the request without RA or not? Make sure not to keep the risk analysis on request submission on. If you keep it on, then CUP will think that the RA is already done and it will not force the approver to run the RA again.

Regards,

Alpesh

former_member325725
Participant
0 Kudos

Hi Alpesh,

Thanks for checking this.

To get the basic stuff right, I've done the following tests in CUP (no req submission from IDM):

a. Set 'Perform Risk Analysis on Request Submission' to No

Set 'Risk Analysis Mandatory' flag to Yes at the Role approval Stage

Created a request with only one role (profile), and I know there are risks associated with that profile.

The system did let me approve and provision the account without performing a RA and a mitigation

b. Set 'Perform Risk Analysis on Request Submission' to Yes

Set 'Risk Analysis Mandatory' flag to Yes at the Role approval Stage

Created a request with only one role (profile), and I know there are risks associated with that profile.

The system did show up a red flag in the 'Risk Violations' tab when accessing the req for approval.

And I had to perform a RA and a mitigation before approving and provisioning the account.

c. Set 'Perform Risk Analysis on Request Submission' to No

Set 'Risk Analysis Mandatory' flag to Yes at the Role approval Stage

Created a request with only one role (profile), and I know there are risks associated with that profile.

I performed an RA and then mitigated the risk before approving the request.

Our requirement is that no account should be provisioned with a risk unless it's mitigated. So this will require a mandatory RA during the approval stage. I've also set 'Approve Request Despite Risks' to No at the approval stage.

To test the different scenarios, I've used the same ID for the requestor as well as the approver (though this should not have an effect).

It seems the system is not working as it's configured. Or did I miss something?

Regards,

Anil

former_member325725
Participant
0 Kudos

Hi All,

I just found SAP Note 1168508 - Compliant User Provisioning 5.3 Support Package (VIRAE), which lists the bugs fixed with the respective SPs, and found this issue to be fixed with SP8.

Regards,

Anil

Former Member
0 Kudos

Interesting. I thought this should be working. Just upgrade to SP8 and check it out.

Regards,

Alpesh

Answers (0)