cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BRM: What should happen if violations arise while role creation???

Go to solution
former_member184114
Active Contributor

on ‎03-26-2014 1:28 PM

0 Kudos

Hi,

I have configured the role methodology and it is working fine. But, I would like to know if any violations are arising while performing analysis, what should be done? Should be routed to some one? If yes, then how can we do it?

What should be the standard process?

Please help me understand this.

Regards,

Faisal

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

AndrzejP
Active Participant
‎03-26-2014 1:53 PM
0 Kudos

Hi Faisal,

it depends on business requirements, from my perspective roles should always be SoD conflicts free (maybe with exception of FF roles), so I prevent generation of roles with SoD conflicts (via parameter setup).

Regards, Andrzej

Show replies
Show replies
former_member184114
Active Contributor
‎03-27-2014 5:25 AM
0 Kudos

Andrez,

Thanks for your reply.

Yes, it should be risk free. However, there may be a case where a role should have conflicting tcodes in it and that role is to be mitigated after role generation, for example. Or, take necessary actions by respective person/team .

Please share your thoughts.

Regards,

Faisal

AndrzejP
Active Participant
‎04-02-2014 9:48 PM
0 Kudos

Hi Faisal,

If you have conflicts on action level that is not an issue, if on permission level nothing was reported.

From practical perspective I prefer to have one role for one business activity, each time when broad roles where created it was very difficult to resolve SoD issues. Maybe instead of one you will have to assign two / or more to users, but long term it is really easier to maintain environment SoD clean. All other roles could go through FF.

Unless you have some specific situation (like job position roles or sth similar), please share if this kind of approach may be suitable for you environment, or what could be the blocker.

Best regards, Andrzej

Answers (1)

Answers (1)

Former Member
‎03-26-2014 1:51 PM
0 Kudos

Hi Faisal,

I have to admit that I have not thought about "detouring" within the BRM methodology flow. What does your Role Maintenance workflow look like?

If the detour is available, maybe implement it like how you would do a Access Request SoD detour. If BRM is being used to approve role creation/changes, then I would assume that the organisation is mature enough to have their Role owners understand the risks they are approving at a role level.

Show replies
Show replies
former_member184114
Active Contributor
‎03-27-2014 5:23 AM
0 Kudos

Harinam,

Thanks for your reply. I have created any rule like that. I was just thinking about this possibility. Its seems to be common scenario that while role creation, I may get violations and then based upon that need to take a call like: either reject it or route it to role owner by by-passing further steps if any, or route it to "some one" who is responsible for taking care of creating mitifation controls and alike. There are several possibilities like this. But nevertheless, the idea is to route it based upon the business requirements.

Any idea?

Regards,

Faisal

Ask a Question