on 07-07-2014 7:53 AM
Hi All,
I would like to keep "RETAIN" provisioning action as default in ARQ while "adding" a role.
Actually, there is one configuration parameter "2045" which will make it possible. But this is ONLY applicable to the situation where a role is selected from existing assignment by clicking on "Existing Assignment" button.
As soon as a role is selected from the existing assignment automatically the provisioning actions is set to "RETAIN" (due to the config. parameter 2045).
But what I want is, whenever a user adds a role to a user in access request form, the default provisioning action should be set to "RETAIN". I could not find any suitable configuration parameter for this.
Has anyone set this before? Or does any one know how to set it?
Please advise.
Regards,
Faisal
Only way to get 'retain' is when you select a role from "existing assignment" option within the Access Request submission form.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Any help please?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Faisal,
I am not sure whether there is an option to set retain as default parameter as it doesn't make sense from my point of view.
What was your motive to have retain as defualt option? In case of a new assignment in my opinion it is correct with assign option.
Maybe if I understand the situation I can give you some input.
Looking forward to hear from you.
Best regards,
Alessandro
Hi Alessanrdo,
Thanks for your reply.
Actually the motive behing this option is to cover the "loop hole" of ARQ application. If you notice, we can "keep" adding the same role which is already assigned with different validity dates. ARQ does not control this!
Eventually, what happens that in the back end system, the user master record is overwhelmed with the same role entry with different validity dates!
Unfortunately, application does not have any control over this. Therefore, at least making "RETAIN" as the default provisioning action, we can have a "sort" of control over this. What happens is, if I add a role which is already assigned to a user and change the validity dates, there will not be any new entry in the back end system with the same role.
Hope this will help you understand the requirement and advise me.
Regards,
Faisal
Hi Faisal,
great consideration - you are absolutely right. In such situation it would make sense to have retain as default option.
Can you please post your idea on the idea place?
https://ideas.sap.com/ct/ct_list.bix?c=4F27C74D-5330-4569-8199-D69072C0D4AE
Thanks and regards,
Alessandro
Sammukh,
Thanks for sharing this
I believe this has to be run in GRC system (front end system). Secondly, How does it compress the duplicate assingments?
I mean for example, let say:
Role1: valid from=01.07.2014;valid to=31.07.2014
(Again) Role1: valid from=01.08.2014;valid to=15.08.2014
Now lets say I ran this job today, what will happen?
Or lets say I run this job on 16.08.2014, which entry will be removed? And on what basis this program decides this? What is the parameter it considers?
I would like to understand the behavior of this program.
Regards,
Faisal
Hello Faisal
This needs to run on the system where you want to reduce the user records in assignments. So if you want for ECC then it needs to run there.
The start validity is chosen as the earliest and the end validity is chosen as the last date. So basically the validities from different records are merged.
There is a simulation option in the program. You can run it from SE38 and test it understand the results better. Check the simulation checkbox below in the screen and it will only show you the analysis without making any changes. Hope this helps.
Thanks
Sammukh
Faisal,
you need to start this program in your central user master if you are using CUA or otherwise once in each system.
In the program you have two options available. First you can run the program in simulation mode to see what will happen (very useful if you are not aware). Second you can also delete expired assignments which is also helpful if you wanna delete them all in one shot. Be aware that sometimes it is very nice and helpful to have the history of already expired roles in the user master.
See the following example:
If you run the program it checks for validity dates as you can see in the picture. The system picks the earliest start date and the latest end date for the new validity.
Does this answer the question?
Regards,
Alessandro
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.