Solved: Block/Restrict access request page on CUP

former_member325725 · ‎07-01-2009

Hi All,

I've an interesting requirement.

We use a CUP 5.3 SP7. We would be using the IDM webservices to create access requests to CUP and we want all our requests to be initiated ONLY through our IDM solution. Is there a way we can restrict the /AE/index.jsp page access to only the users with a AEAdmin role? (Assuming the Admins follow the rules !!!)

I've succeeded in taking out the Create Request and Copy Request from the AEApprover role mby adjusting the UME actions, but the same user can still access the /AE/index.jsp page to create a request.

Any insight/work around is greatly appreciated.

Thanks & Regards,

Anil

Former Member · ‎07-01-2009

Hi Anil,

The purpose with the landing page is that users not registred in UME can create a request. The authentication is done against a backend or LDAP system defined in CUP>>Config>>Authentication.

If you don't have a system selected, non-ac users won't be able to create a request.

I've tried to deselect our authentication system, without any luck. I don't know if it's a bug or not.

I guess it is possible to create a connector to a backend client that is not in use and chose it as the authentication system. Because there is no active users in that client, no one would have access to create a request from the landing page.

Non kosher workaround

Former Member · ‎07-01-2009

Hi Anil,

The /AE/index.jsp page can not be restricted by any role or action. The page is coming for all without checking any authorization.

You can restrict only buttons, tabs,columns etc etc which are displaying after login with user id and password.

If you require anything else then please let me know.

Regards,

Sudip.

Former Member · ‎07-01-2009

Anil,

You can edit the index_left_nav.jsp page on the GRC server to disable the request access link on the Index page. To achieve this open the index_left_nav.jsp page and comment the whole tr and th lines containing the following words.

 LocaleUtil.getLabel(AELabels.LBL_IDX_NAV_REQUESTACCESS

Commenting is done by the following characters .

- Naveen

former_member325725 · ‎07-01-2009

Hi Naveen,

Thanx for your suggestion.

We were looking for some config setting that might have helped us rather than going for a code change. Anyways, i can understand from your and Sudip's response that there is no way we cud do this.

Regards,

Anil

former_member325725 · ‎08-03-2009

just to update on Naveen's suggestion. modifying the indx_left_nav.jsp won't fully help you in disabling access to the request access page as it still gets launched when we use the URL:http://<host:port>/AE/index.jsp

thx, Anil

Former Member · ‎07-01-2009

Hi Anil,

The purpose with the landing page is that users not registred in UME can create a request. The authentication is done against a backend or LDAP system defined in CUP>>Config>>Authentication.

If you don't have a system selected, non-ac users won't be able to create a request.

I've tried to deselect our authentication system, without any luck. I don't know if it's a bug or not.

I guess it is possible to create a connector to a backend client that is not in use and chose it as the authentication system. Because there is no active users in that client, no one would have access to create a request from the landing page.

Non kosher workaround

former_member325725 · ‎07-01-2009

Thanks Vit...

Yes, there should be a user repository for the GRC system access. As we don't have a requestor role , I believe the only option would be to tamper with indx_left_nav.jsp file as Naveen proposed.

Former Member · ‎07-01-2009

Anil,

This is not at all possible out of the box. Basically, SAP has not associated any UME actions with this page so it is wide open for everyone.

Only way to achieve this is via making a code change. If you go with code change then you need to remember to take back up when you upgrade.

Regards,

Alpesh