
GRC Manager

Murali_Shanmu
Active Contributor
0 Kudos

Hi,

I am working on IdM - GRC Integration.

When I set the value as 'sam101' for GRC_MANAGER_ID in GRC repository constant, this particular user 'sam101' is able to get all the provisioning request in his GRC-AC Work Inbox.

As per the documentation "This is only relevant if the web service UserAccessRequest requires the manager ID parameter –i.e. if the manager user is responsible for approving the request on the SAP Access Control side. The value NULL is also allowed, in which case the request is forwarded to the default manager."

What does default manager actually refer to?

I know that in GRC-AC while activating the "SAP_GRAC_ACCESS_REQUEST" MSMP workflow, there is a provision to provide the Manager ID. This can also be hard coded here.

I am trying to find the best practice. In my scenario, there will always be one GRC_MANAGER (say sam101) and at times I need to replace him with another user when he is on leave. Is it good to hard code the value in IdM or just manage this on the GRC-AC side? I can assign the GRAC_MANAGER to a PFCG role and this removes the need for hard coding anywhere.

Please suggest.

Cheers

Murali.

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hi Murali,

I have read about your question and unfortunately I cannot answer it right now. I am not too experienced regarding the MSMP Agents, but maybe you could help me with one question on those?

We do not have LDAP or HR org model but require to find a Manager per UserID in the GRC Access Requests. I read in your question that it's possible to determine the Manager by PFCG role:

Does this mean we could change the MSMP agent for Manager to a certain PFCG role object and this would read the PFCG authorisation of the requestor / user of the GRC access request and put in the field value as Manager?

Thanks for your answer!

Regards,

Markus

Murali_Shanmu
Active Contributor
0 Kudos

Markus,

Sorry that I couldn't respond to you earlier. Been a busy week. I think you misunderstood what I referred to as PFCG Role.

In the MSMP, instead of assigning the agent as GRAC_MANAGER, you could refer to a PFCG role - say ZSECURITY_ADMIN. Any administrator who has this role assigned will receive the access requests.

If I understand your requirement - you want an option where the access requests originated in IdM should go to the user's line manager in GRC. I am not sure if this is possible in GRC as you have mentioned there is no HR Org Structure. Where is the User - Manager relationship stored in your landscape?

This should be possible from IdM. Against each user, you would have to maintain their manager. Leave the GRC_MANAGER_ID in GRC repository constant blank. This will automatically look for the user's manager in GRC system and send the request to this person in GRC.

I just put my thoughts in this blog

Am I clear?

Cheers,

Murali.

Former Member
0 Kudos

Hi Murali,

Many thanks for your response. In the meantime I have set up the following, mainly using your original posting:

1. Changing MSMP Manager stage to PFCG role and assigned Z role

2. Added BRF+ rule to read Company of UserID in Request

3. The rule result will determine a MSMP path by each country where the Manager is assigned by PFCG

As we do not use IdM nor HR Org Model, this should be our way to identify the Manager of a UserID. All UserIDs of a certain Country do have the same Manager in our GRC landscape.

Thanks and regards,

Markus