
Can CUP auto-provision an acc when no SOD conflicts thru IDM SUBMIT WS

former_member325725
Participant
0 Kudos

Hi Experts,

Does GRC CUP 5.3 offer a feature so that we can auto-provision SAP accounts when it gets a new or change request submitted through the IDM Web Service? Can anybody detail the config if you have configured the system to get this done?

But we need to re-route the request for the role owner's approval if there is a risk identified with the request.

Right now we have configured the system for a single-level approval by the role owner in CUP. The profile owner has to approve all the profiles/requests even though there may not be any risks with the request.

We have yet to get the WS doing the Risk Analysis, but I already got an update that this is working for some customers, and hence the assumption is that the WS will successfully do the RA when submitting the request through the IDM submit WS.

Thanks & Regards,

Anil

Accepted Solutions (1)


koehntopp
Product and Topic Expert
0 Kudos

No problem at all. That's easy to do.

former_member325725
Participant
0 Kudos

Hi Frank,

Can you let me know the specifics on how we can get CUP to do this?

Thanks,

Anil

koehntopp
Product and Topic Expert
0 Kudos

What did you do so far that didn't work?

Frank.

former_member325725
Participant
0 Kudos

Hi Frank,

Currently, our system is designed such that there is a single-stage approval wherein the role/profile owners approve their profiles for the account to provision automatically for new and change requests. So it involves an approval from the role/profile owners. And the requests are being submitted through the SAP-delivered IDM SUBMIT REQUEST web service.

Now we are trying to see if we can get the system configured to auto-provision an account (change too) if there are no SOD conflicts identified with the request. Basically, we are trying to get rid of the role/profile owners' approval at CUP if there is no conflict with the request. The reason for this approach is that the role owners are setting up the request through a custom IDM solution and hence have already approved the access through that system. This approval in fact triggers the WS call to submit requests to CUP.

I was exploring the detour option in CUP to see if I can get this done. But no success yet. Do you have some inputs on how this can be achieved in CUP?

Thanks,

Anil

former_member325725
Participant
0 Kudos

Hi Frank,

Did you get a chance to check on this scenario? Any inputs are greatly appreciated.

Thanks, Anil

Former Member
0 Kudos

If you design your workflow in a way that enables self approval when no conflicts are identified, you should be able to configure CUP to do this.

You will need to have the Workflow stages configured to allow this and also assign the Approval authorisations to appropriate individuals.

Simon

former_member325725
Participant
0 Kudos

Thanks Simon for your input...

I've tried to check if there is some way we can do this in CUP, but unfortunately couldn't see any option yet.

The issue here is that the request has to choose an initiator/workflow when we submit that request to the system. So the system should be able to make that decision to flow through the auto-approval path when there are no SOD conflicts, and unfortunately, I don't think we have this capability with SAP-delivered web services.

Hence I was thinking to set up a workflow with 2 stages, with the system giving an option to perform a detour on the 1st stage to the 2nd one if there are SOD conflicts. I wanted the 1st stage configured to No Stage as the Approver Determinator, as this is what we expect from auto approval. But this is not possible, as when you set it as above, you will get an option to choose this stage in your workflow path. Basically, what I've found out is that the system can take a detour based on what happens at one approval stage in CUP. And we want to hide this approval.

So I would be glad to have any thoughts to make this work.

Regards,

Anil

koehntopp
Product and Topic Expert
0 Kudos

You're thinking too complicated

- configure risk analysis on request

- create a request type for IdM requests

- link a 1 stage path to that initiator with a "No Stage" approver

- do a detour on SoD risks in that stage to an SoD remediation/mitigation path

You will have to make sure that the SoD approver can not change the request (i.e. only reject or mitigate), otherwise IdM will be confused because a different role than the one requested may have been provisioned.

Frank.
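
The routing described in the reply above, modelled as an added example (not part of the original thread, and not CUP configuration or SAP code). The role names, the SoD rule set and every function name are constructed for illustration; the point is the control that the SoD approver can only reject or mitigate, so what is provisioned always equals what IdM requested.

```python
from dataclasses import dataclass, field

# Constructed SoD rule set: pairs of roles that must not be held together.
SOD_RULES = {frozenset({"Z_AP_CREATE_VENDOR", "Z_AP_PAY_VENDOR"})}

@dataclass
class Request:
    user: str
    requested: frozenset                 # roles asked for by IdM
    current: frozenset = frozenset()     # roles the user already holds
    mitigated: set = field(default_factory=set)
    status: str = "SUBMITTED"

def risks(req):
    """Risk analysis on request: conflicts across current + requested roles."""
    held = req.current | req.requested
    return {rule for rule in SOD_RULES if rule <= held}

def route(req):
    """One-stage 'No Stage' path; detour to the SoD path when risks exist."""
    req.status = "SOD_DETOUR" if risks(req) else "PROVISIONED"
    return req.status

def sod_decision(req, action, risk=None, new_roles=None):
    """SoD approver may only reject or mitigate, never change the roles."""
    if req.status != "SOD_DETOUR":
        raise ValueError("request is not on the SoD path")
    if new_roles is not None and frozenset(new_roles) != req.requested:
        raise PermissionError("approver may not change the requested roles")
    if action == "reject":
        req.status = "REJECTED"
    elif action == "mitigate":
        req.mitigated.add(risk)
        # Provision only once every identified risk has a mitigation.
        if risks(req) <= req.mitigated:
            req.status = "PROVISIONED"
    else:
        raise ValueError("only 'reject' or 'mitigate' are allowed")
    return req.status

def provisioned_roles(req):
    """What IdM is told: exactly the requested roles, or nothing."""
    return req.requested if req.status == "PROVISIONED" else frozenset()
```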

former_member325725
Participant
0 Kudos

Thanks Frank.

This really helped...

But we decided to go with a regular approval WF due to challenges like the ones raised by you and some others.

Answers (1)


Former Member
0 Kudos

Hi Anil,

Just go through with the following link...

Hope it will help.....

Regards,

Mohit