Hello Shreya,

All the points listed by you are configured correctly.

The only issue is the CUP Request is not getting created because roles are not getting fetched from position.

If we do not assign roles at position but manually assign them in CUP Request created through HR Triggers, then everything works fine. But when we are assigning roles at positions they are not getting fetched through HR Triggers hence at role approver stage we are getting error: No Approver Found, because there are no roles attached to the request.

Hi Aditi,

At the moment, I don't believe that the HR Trigger can look through the HR records to find the roles to propose onto the access request. You can automatically assign default roles based upon the request header or system assignment but it will not be able to pick the appropriate roles based upon the position. You may have to rely on manually adding the roles through the "Existing Assignment" but that will rely on you having a stage prior to Role owner because there will not be any roles assigned.

Simon

Hello Simon,

You are saying HR Triggers do not support Indirect Provisioning???

We are using GRC 5.3, where in Auto Provisioning Option Under Workflow, we have option to select Provisioning Type as Direct/Indirect and if Indirect then on what level Position/Job/Org Unit.

I'm saying that I don't think that it will be able to read and propose the roles subject to approval.

If the roles are already assigned to the position and the user is also assigned to the position, then the user has the access anyway so why would you want an access request in the first place?

Hello Simon,

Actually our requirement is: whenever a user is hired in SAP HR System against a position (which already has roles assigned to it), an automatic CUP Request is created having the roles which are present at the user's position. Now based on the roles attached to CUP Request it goes to the approver, which does Risk Analysis and all and once the request is approved in CUP, the SU01 record of newly hired user is created in SAP with the same roles assigned to it that were present at the position.

Now the issue is when we are hiring user in SAP at a position with roles already assigned to it, CUP request is not getting created because NO Roles are selected for the request which means Roles from Position in SAP are not getting transffered to CUP Request in CUP.

Ok, so you do direct role assignment but have the roles already mapped to the position?

That seems quite complicated to me. If you've gone to the trouble of already mapping the roles into job positions, then your risk analysis and approval of access should be based upon the assignment of a user to that position. The very fact that you've hired the person into that position demonstrates that you think them capable of doing that job so I'm not sure what value the additional approval workflow actually has in the user management process.

The proper workflow approval should be focussed on changes of authorisations assigned to that position which would then use the indirect provisioning functionality but not HR Triggers.

I would be inclined to amend your controls to align with your authorisation management processes.