on 12-04-2009 10:20 AM
Hello all,
I have to map some role to a Main role. The mapped roles shouldn't be available for requesting.
Have an idea?
Thanks!
Bianca
Thanks all!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Are you talking about derived and composite roles?
"The mapped roles shouldn't be available for requesting" -
is it in GRC?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
no, I am not talking about derived and composite roles in SAP. I ralk about role mapping in GRC Access Control Compliant user provisioning. There is a feature where you can map a (lets say role A) role to a Main role (role B). This has the effect, if you create a request (in Compliant user provsioning) for role B role A will be implemented (and provsioned in case of approval) as well by the same request. This is good and I don't want to change anything on this. I just dont want, that the Role A can be requested alone. It should be just possible by requesting via main role.
Okay?
Bianca
Hello Bianca,
At my client we use the same , When ever a main is requested the child role will get attached along with it.
one way you can make the users nto request this is not to assign any attributes to it ( like Fucntion area, BP, SBP and approvers etc , in that way they cannot serach for it unless they know the role name.
since there wont be any approver assigned to the role the request will throw an error saying "no approver found " unless you have an escape route defined in case of "approver not found"
with sP9 there is a drawback with child roles , when you map child roles to main roles in CUP , and when the requestor request the main role he doesnt see the child role ,not until he submits the request , just in case if the user in the request already has this child role and if you want to set the action to KEEP ( cant be done) and this ends up getting assigned twice.
Regards
MK
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.