Hi,

no, I am not talking about derived and composite roles in SAP. I ralk about role mapping in GRC Access Control Compliant user provisioning. There is a feature where you can map a (lets say role A) role to a Main role (role B). This has the effect, if you create a request (in Compliant user provsioning) for role B role A will be implemented (and provsioned in case of approval) as well by the same request. This is good and I don't want to change anything on this. I just dont want, that the Role A can be requested alone. It should be just possible by requesting via main role.

Okay?

Bianca

Bianca,

You won't be able to achieve this. If you don't allow users to select the mapped role then the roles will not get provisioned to SAP.

Alpesh

Thanks Alpesh,

I feared to hear this...

What do you think - it's "works-as-designed" but I guess, this would be a good feature...?!

Best reagards, Bianca

I agree. This would be a good enhancement. You should propose this to SAP.

Alpesh

Hello Bianca,

At my client we use the same , When ever a main is requested the child role will get attached along with it.

one way you can make the users nto request this is not to assign any attributes to it ( like Fucntion area, BP, SBP and approvers etc , in that way they cannot serach for it unless they know the role name.

since there wont be any approver assigned to the role the request will throw an error saying "no approver found " unless you have an escape route defined in case of "approver not found"

with sP9 there is a drawback with child roles , when you map child roles to main roles in CUP , and when the requestor request the main role he doesnt see the child role ,not until he submits the request , just in case if the user in the request already has this child role and if you want to set the action to KEEP ( cant be done) and this ends up getting assigned twice.

Regards

MK