on 06-01-2012 11:40 AM
Hi All,
I've managed to configure the HR triggers to generate Access requests for creation, changes, and deletions.
My issue is that the deletion request does not seem to consider the HR trigger configuration around validity dates.
I have set the proposed valid to / from dates in the HR Trigger configuration but they do not appear on the Access Request.
Also, approvers are not able to override these blank entries despite having configured the workflow stages to allow them to edit change details and add assignments to the request.
The impact of this is that if the HR record meets the criteria for a leaver (even if the effective date of the action is in the future), the access request is triggered immediately. If the approver then approves the request, the deletion is also effective immediately. This means that if the users' access will be removed immediately even though the users are not leaving immediately,
Ultimately, I want the ability to trigger a deletion request which will either automatically consider the EFFECTIVE date of the HR Action or allow the approvers to have the flexibility specify the date when the deletion should be performed. Any ideas on how to achieve this?
Simon
Simon:
Have you reviewed SAP Note 1705700? This already release, but will be included in SP09.
thanks,
Kevin
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Kevin,
Thanks for that, I have got that note implemented. I can see in SLG1 that there are some additional log entries generating but I now think that I need to adjust the BRF+ logic to make it date specific. Will that log entry be kept in a buffer and trigger if I have a statement in the rule that says BEGDA=Current Date or will that only be applicable for the actual date that the log / trigger is generated?
Thanks,
Simon
Simon:
Sorry, I don't have the knowledge to answer that question for you and don't want to even guess at it because I could see it going either way.
You may want to address that question to the greater community...
Will that log entry be kept in a buffer and trigger if I have a statement in the rule that says BEGDA=Current Date or will that only be applicable for the actual date that the log / trigger is generated?
thanks.
Simon,
No buffering happens to allow future deletion . This is how it works.
1)Future termination is provided by delimiting the user validity dates upto the date of termination. As an example, if the user is intended to be deleted on 1st May 2012, the users validity dates would be changed from current date till 1st May, 2012.
2) For the GRC system to understand that the future termination has to be made, Action Type 'Change User' & 'Delete User' would have to be associated with the corresponding Action_id for Delete. This is a prerequisite from the customer's side to make this functionality work as expected.
Regards
Sharad
Create the BRF+ rule to update the BEGDA for the HR action. You also need to add "delete" action to the request type (in SPRO-->GRC-->User Provisioning-->Define Request Type) that will be using the HR trigger because the request needs to "delete" the value for the field and then update it with the future date. I implemented this for HR terminations and it was quite tricky. Don't forget to map the BRF+ function ID to the AC Application Mapping in SPRO as well.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Simon,
Were you able to achieve this? I'm trying to do something similar.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.