on 10-29-2013 8:33 PM
Hi folks,
I know you all have "struggled" with this before, and I wanted to ping you on this.
I've looked at the entire list of GRC roles and assigned them to test users according to the arguably obvious names of the roles. However, users don't always get all the authorizations that they need.
Here's my specific role assignment quandary.
I want new users to be able to request roles and Firefighter IDs in the GRC central system. These users are going to use Firefighter IDs for some of their jobs.
I have assigned the following roles (renamed into customer namespace, but the rest of the role names are the same as delivered):
ZGRAC_ACCESS_REQUESTER
ZGRAC_BASE
ZGRAC_END_USER
ZGRAC_NWBC
ZGRAC_SUPER_USER_MGMT_USER
These roles do not allow the user to actually list out the available Firefighter IDs, making it impossible to complete the access request. To help identify the issue, I assigned role ZGRAC_ALL, which is the super admin GRC role, and this allowed the user to list out the available Firefighter IDs. I then did some deductive reasoning and found the two objects below.
GRFN_API
GRFN_CONN
Providing these objects in a test role allowed the test user to list out the Firefighter IDs, but the user wasn't able to look at the systems available to choose from. Please refer to screenshots to see what I mean.
So now, I'm just trying to understand the minimum set of roles and objects required for the following types of users:
Thanks guys. I really appreciate this.
Screenshot notes: The one with the badly scrawled ME in it is what I see when I go in as an admin (note that there is a system name indicated in the dropdown and the associated firefighter ID).
The one with the badly scrawled "test user" doesn't have a system name indicated, but when I hit the go button, it shows the ID available.
The test user only has the roles mentioned above PLUS the two objects in a test role.
Santosh
Hi Santosh
I recommend you treat GRC security access no more special than you would if you had to build an ERP security role.
Start with your requirements - which you have - and prototype. It's the best way to learn and understand how functionality is restricted. Create a test user and build a test role that you can keep topping up the authorisations as you encounter issues based on SU53/ST01. For NWBC screen layout, there are some KB articles on how to configure your own launchpad if you want to restrict as well.
Good luck with it.
Regards
Colleen