cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC 10 BRM - Approve Single Role assignment in Business Roles

Go to solution
Former Member

on ‎03-21-2014 1:16 AM

0 Kudos

Hello,

I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.

The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.

Once the Business Role is created, the provisioning would be in charge of Business Role Owners.

Do you know any way to configure this?

Thanks,

Fernando

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Colleen
Advisor
Advisor
‎03-21-2014 1:33 AM
0 Kudos

Hi Fernando

You Single Role Approval would be again the BRM approval process - approving role content. You would need an initiator rule to split out role type to send to different path and then do line-by-line for single roles in the business role to the role owner.

Your Business Role Approval would be against CUP/ARQ - when a user request access you would just do Role owner approval for the business role being requested.

Curiosity - if you don't have a Security Administrator who does Security?

Regards

Colleen

Show replies
Show replies
Former Member
‎03-21-2014 12:43 PM
0 Kudos

Hi Colleen,

Thanks for your prompt reply.


My question is focused on the Business Role Approval process in BRM methodology. I need that any single role assigned to a Business Role requires an approval.


For example, if I create this Business Role: ZB_AP_ANALYST and assign these single roles:

ZS_AP_CREATE_VENDOR  -> Workflow to AP Data Owner

ZS_GL_POST_DOCUMENT -> Workflow to GL DataOwner


So what I would like to find is any way to control single role assignments.

SAP Security is decentralized in Functional Analysts and Basis Administrators.

Thanks again!

Fernando

Former Member
‎03-21-2014 3:09 PM
0 Kudos

Hi Fernando,

Like Collen said, you can make your own initiator rules in order to split your approval process. For example:

Single role -> path A

Derived role -> path B

Business role -> path C

Then you need to create the approval agent (role owners) for your business role approval step. You can make it throught BRF+ or using a function module (SE37).

Regards,

Colleen
Advisor
Advisor
‎03-23-2014 4:32 AM
0 Kudos

Hi Claudio - thanks for breaking it down

@ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners

By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).

As mentioned - you are using two different workflow process ids

  1. Role Build - using BRM to approve the single roles being part of the business role
  2. Access Assignment - approving the user to receive the business role which includes the single roles

Regards

Colleen

Former Member
‎04-15-2014 4:49 PM
0 Kudos

Hi Colleen / Claudio,

We resolved the problem with path C by setting a loop in BRF+ for every Single Role Owner. Now the workflows work ok.

Thanks for your help!

Regards.

Fernando

Former Member
‎01-22-2015 3:44 PM
0 Kudos

Hi Fernando

Can you please give me more information about how you fixed this issue?

I have the same scenario at my customer where we want to setup approvals based on the individual roles inside the business role and not the whole business role itself.

Thanks in advance,

Uma

Answers (1)

Answers (1)

Former Member
‎05-06-2015 4:18 PM
0 Kudos

Hi All,

My requirement is also similar to Uma. Client requirement is to have role owners based on the individual roles inside the business roles. Please advice.

Thanks and Regards,

Zarina

Show replies
Show replies
Ask a Question