
Using SAP_GRAC_ACCESS_REQUEST for SPM and role grant access

Former Member
0 Kudos

I would like to keep using the standard workflow on MSMP, and the default config suggests that I keep using this same workflow to create and modify users and even for the SPM workflow. BUT I have different approvers for modifying users and for SPM. For example, I have a role owner approver that works fine when I'm opening a request to grant access to a role, but when I try to open another request for SPM, it generates an error (sure, because the SPM WF doesn't have a role for the approval step).

How do you all resolve this issue using MSMP standard templates? Or are those standard templates just for very basic provisioning, where in a 'perfect world' everything necessary to grant access passes through exactly the same kind of approvers?

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

This has probably been discussed many times on this forum.

One needs to understand how to create a new path in the Access Request process and also create a custom initiator rule via BRF+.

Sadly, quite a lot of the "default" config provided out of the box is insufficient for many customers who wish to use EAM and ARM side-by-side. But once a GRC Consultant or Super-user gets used to the technology, it is not too much work to make the changes.

I am sure there are various forum threads where the "how-to" is explained in detail.

former_member193066
Active Contributor
0 Kudos

This message was moderated.

Colleen
Advisor
0 Kudos

Hi Eduardo

Have you attempted to create a BRF initiator rule based on Request Type? If it's EAM, send it to one path; otherwise all others can go elsewhere. Your EAM path can then pick a different agent.

The BC set is a basic example. You will need to modify the MSMP information to suit your business requirements.

Regards

Colleen

Former Member
0 Kudos

Hi Colleen

Thank you very much for your answer.

I'm working on the BRF option, but I was really interested to confirm that SAP_GRAC_ACCESS_REQUEST doesn't fit these needs.

I'm surprised that, even being a standard solution with basic examples, the 3 suggested workflows designed to work on the same SAP_GRAC_ACCESS_REQUEST don't work together just because we need different approvers on Firefighters, for example, or even because we need a role owner approver on the other side.

Kind regards,

Colleen
Advisor
0 Kudos

"I'm surprised that, even being a standard solution with basic examples, that the 3 suggested workflows designed to work on the same SAP_GRAC_ACCESS_REQUEST doesn't work "

You'll have an easier time with GRC if you're not. I think GRC10 is brilliant but I sometimes get the impression the functionality has been developed by different teams and then integrated at the end.

BC sets for MSMP are really there as a guide. I suspect FF access was added later and SAP didn't want to change the path definitions to keep the example simple. Also, most of their default rules are simple function modules and they encourage us to use BRF+.

Good luck with it. I can't answer your question directly as I do not represent SAP.

If you need help with the initiator rule, search this community as there are plenty of examples with screenshots.

Regards

Colleen

former_member193066
Active Contributor
0 Kudos

The magic of GRC 10 MSMP with BRF+ is that you have a lot of flexibility.

Since you have a single initiator for process IDs, you can utilize BRF+ to meet the requirement.

Initially it is a little confusing, but it's more comfortable afterwards.

GRC 10.0 has a lot of flexibility to meet complex requirements.

In the above case you can refer to the BRF+ initiator rule, and the decision of the rule result can be based on request type.

Regards,

Prasant