on 10-05-2009 7:15 PM
Hi Experts,
Does the GRC CUP 5.3 offers a feature that we can auto provision SAP accounts when it gets a new or change request submitted through IDM Web Service? Can anybody detail the config if you have configured the system to get this done?
But, we need to re-route the request for the role owners approval if there is a Risk identified with the request.
Right now we have configured the system to a single level approval by the role owner in CUP. The profile owner has to approve all the profiles/ request even through there may not be any risks with the request.
We are still yet to get the WS doing the Risk Analysis , but i already got an update that this is working for some customers and hence the assumptions is that the WS will successfully do the RA when submitting the request through the IDM submit WS.
Thanks & Regards,
Anil
No problem at all. That's easy to do.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Frank,
Currently, our system is designed such that there is a single stage approval where in the role / profile owners are approving their profiles for the account to provision automatically for new and change requests. So it involves an approval from the role/profile owners. And the requests are being submitted through the SAP delivered IDM SUBMIT REQUEST webservice.
Now we are trying to see if we can get the system configured to auto provision an account (change too) if there are no SOD conflicts identified with the request. Basically, we are trying to get rid of the role/profile owners approval at CUP if there is no conflict with the request. The reason for this approach is that the role owners are setting up the request through a custom IDM solution and hence have already approved the access though that system.This approval in fact triggers the WS call to submit requests to CUP.
I was exploring the detour option in CUP to see if i can get this done. But no successes yet. Do you have some inputs on how this can be achieved in CUP?
Thanks,
Anil
Thanks Simon for your input...
I've tried to check if there some way we can do this in CUP, but unfortunately couldn't see any option yet.
The issue here is that the request has to choose an initiator/workflow when we submit that request to the system. So the system should be able to make that decision to flow through auto approval path when no SOD conflicts and unfortunately, i don't think we have this capability with SAP delivered web services.
Hence I was thinking to set up a workflow with 2 stages, with the system gives an option to perform a detour on 1st stage to the 2nd one if there are SOD conflicts. I wanted the 1st stage configured to No Stage as the Approver Determinator this is what we expect from auto approval.But this is not possible as when you set as above, you will get an option to chose this stage in your work flow path. Basically what i've found out is that the system can take a detour based on what happens at one approval stage in CUP. And we want to hide this approval
So i would be glad to have any thoughts to make this work.
Regards,
Anil
You're thinking too complicated
- configure risk analysis on request
- create a request type for IdM requests
- link a 1 stage path to that initiator with a "No Stage" approver
- do a detour on SoD risks in that stage to an SoD remediation/mitigation path
You will have to make sure that the SoD approver can not change the request (i.e. only reject or mitigate), otherwise IdM will be confused because a different role than the one requested may have been provisioned.
Frank.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.