on 08-25-2014 5:23 AM
When creating a role request in IdM we want to utilize the mandatory attribute MX_REASON as part of the MXREF_MX_ROLE request. The UI task produces a MX_PENDING_VALUE object. The attributes of the pending object are used to construct the request which is sent to GRC.
However, currently the reason MX_REASON of the request is not passed to MX_PENDING_VALUE and therefore cannot be forwarded to GRC.
I guess we have missed a very simple configuration step - assuming that it's a standard case to create role requests in IdM and run the approval process in GRC. Do you have a description of the main configuration steps to enable passing MX_REASON to GRC?
Kind regards
Frank Buchholz
Hello Frank,
I am using IDM 7.2 SP8 Version and I can see that the MX_REASON attribute is assigned to entry type MX_PENDING_VALUE, which in turn sends the reason to GRC while submitting the request.
There is a piece of JavaScript involved to calculate the reason.
Please see below and check the script code for script:
sap_grc10_setRequestReason
Thanks
Deepak Gupta
Hi Gupta,
I guess that I've seen the same code in the script which creates the GRC request as in your screenshot (here converted to text):
REQUEST_EMPLOYEETYPE $FUNCTION.sap_grc10_getGlobalVariable(GRC_ROLE_EMPLOYEE_PERMANENT)$$
REQUESTREASON $FUNCTION.sap_grc10_setRequestReason(%$rep.GRC_REASON%)$$
In our case here, we see that the attribute is available for the PVO but not set and we cannot find a corresponding record in the database. Therefore sap_grc10_setRequestReason simply pulls the repository constant instead of the reason of the request.
Can you confirm that the attribute MX_REASON of MX_PENDING_VALUE actually gets the text of the reason from the request (and that this individual text is then sent to GRC)?
If you have seen it live, then we would know that something is wrong with our configuration.
We can see the reason of the request in table idmv_link_ext2 (Thank you Savas for this tip!):
"SELECT mcOtherMSKEY, mcValidFrom, mcValidTo, mcReason FROM idmv_link_ext2 NOLOCK WHERE mcThisMSKEY = " + thisMskey + " AND mcLinkState != 2 AND mcLastAudit = " + auditID
Table idmv_link_ext2
https://help.sap.com/saphelp_nwidmic72/en/mc/dse_views_for_reference_attributes.htm
However, we do not want to modify the GRC integration script (or sap_grc10_setRequestReason) to read this table.
Kind regards
Frank
Thanks for confirmation!
Well, then I need to search deeper for the root cause...
Could it be an issue with roles vs. privileges? In our case users request roles in IdM, but the request for GRC contains the privileges (as far as I have understood it). GRC knows only about the IdM privileges = ABAP roles, but not about the roles in IdM.
Kind regards
Frank