
GRC AC - Filter Role Type by Workflow

Former Member
0 Kudos

Hello all!

Our GRC AC is configured to work with Single and Composite Roles. We have 3 workflows to request access and the client wants to filter one of them to accept only Composite roles. Is it possible?

We need to maintain the other 2 workflows with the possibility to request Single and Composite roles. Only one of them with the specified filter.

Thanks in advance,

Pedro

Accepted Solutions (1)


Former Member
0 Kudos

Hi Pedro,

Do you want to restrict users' role search within the access request, for single, composite, et al.?

This can be done with role based authorization as well.

Check for the authorization object: GRAC_ROLEP

Here you can select whichever role type you want users to be able to search for.

Let us know if you meant something else.

Regards,

Ameet

Former Member
0 Kudos

Thanks for your reply Ameet.

I will check this. But if possible, it would be better to filter in the WF level.

Regards,

Pedro

Former Member
0 Kudos

Ameet,

I tried this restriction but without success; even after the change, users can search for and request single roles at the access request screen. Please check the print below with the configuration made at the object:

Am I missing something?

Regards,

Pedro

Former Member
0 Kudos

Hi Pedro,

The role type which you are maintaining in the role, have you maintained the same role type in SPRO-IMG..?

Usually by mentioning the role type either as Single/Composite or others, the restriction would be in place.

You can do one more thing: under the role name authorization field, you can mention the role-generic-name, e.g. for single role, I use to mention ZS*, for composite role, I use to mention ZC* and so on. This will make users search only for the roles starting with these characters.

Try doing this, I am sure this will definitely help you in restricting users to search the roles to which they are not authorized.

Let us know how does it work.

Regards,

Ameet

Former Member
0 Kudos

No Pedro,

This has nothing to do with the WF-configuration.

This restriction can only be met with authorization level restriction in PFCG.

Ameet

Former Member
0 Kudos

Hey Ameet,

I adjusted the object to restrict by role name but it's not working. Looks like the restrictions are being completely ignored. Strange.

Regards,

Pedro

Former Member
0 Kudos

Hi Pedro,

This is something which can't be acceptable.

Are you sure that this user is not getting the role search authorizations (for all roles) by any other roles or profiles?

There can't be any room for this to happen if you have restricted the user authorizations at the object level. I am already using the same way and I am sure others do as well.

This is the only way to restrict the users to search for the roles.

Hope you generated the role profile and did the user comparison post modifying/restricting the authorizations.

Try to log-off that user ID and log-in back and see if this works out.

Regards,

Ameet

Former Member
0 Kudos

Ameet,

My bad, I've missed the authorization object at another role assigned to the same user. Sorry about that.

Thank you very much. This solution is ok for my case.

Have a good day.

Regards,

Pedro
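
The cause found above (a second role assigned to the same user still carrying a wider GRAC_ROLEP authorization) can be checked for before testing. This is an added example, not part of the original thread or any SAP code: the role names, the user's role list and the field labels `role_type` / `role_name` are constructed placeholders rather than SAP technical field names, and only trailing-`*` patterns are handled.

```python
# Added example with constructed data. Authorizations from all of a user's
# roles are cumulative, so one wide GRAC_ROLEP entry in any role defeats
# the restriction maintained in another role.

def covers(allowed: str, granted: str) -> bool:
    """True if the intended value `allowed` covers `granted` (trailing * only)."""
    if allowed == "*" or allowed == granted:
        return True
    return allowed.endswith("*") and granted.startswith(allowed[:-1])

def widening_roles(user_roles, role_auths, intended):
    """Return {role: [(field, value), ...]} for GRAC_ROLEP values that
    fall outside the intended restriction. Each value is flagged on its
    own, which is conservative: it may over-report, never under-report."""
    findings = {}
    for role in user_roles:
        for auth in role_auths.get(role, []):
            for field, values in auth.items():
                if field not in intended:
                    continue  # field is not part of the restriction
                for value in values:
                    if not any(covers(a, value) for a in intended[field]):
                        findings.setdefault(role, []).append((field, value))
    return findings

# Constructed sample: GRAC_ROLEP authorizations per PFCG role.
ROLE_AUTHS = {
    "Z_REQ_COMPOSITE_ONLY": [{"role_type": ["COMPOSITE"], "role_name": ["ZC*"]}],
    "Z_LEGACY_REQUESTER": [{"role_type": ["*"], "role_name": ["*"]}],
    "Z_DISPLAY_ONLY": [],
}
# Constructed sample: roles assigned to one test user.
TEST_USER_ROLES = ["Z_REQ_COMPOSITE_ONLY", "Z_LEGACY_REQUESTER", "Z_DISPLAY_ONLY"]
# What the restriction is supposed to allow.
INTENDED = {"role_type": ["COMPOSITE"], "role_name": ["ZC*"]}

if __name__ == "__main__":
    for role, hits in widening_roles(TEST_USER_ROLES, ROLE_AUTHS, INTENDED).items():
        print(f"{role}: grants beyond the intended restriction -> {hits}")
```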

Former Member
0 Kudos

Hi Pedro,

I am glad to know that you were able to make the most out of the provided suggestions. That's why we are here to share knowledge.

You too have a good day.

Cheers,

Ameet

Answers (1)


madhusap
Active Contributor
0 Kudos

Hi Pedro,

Can you explain about your 3 workflow scenarios?

Are you using template based access requests?

Regards,

Madhu.

Former Member
0 Kudos

Hello Madhu,

Thanks for your reply and sorry for the delay answering. Please, imagine the standard workflow to grant access. The requestor can request Single and Composite Roles. I need a way to filter the WF for only one type of them. Can I do this through Initiator configuration? Any other type of configuration?

Regards,

Pedro

madhusap
Active Contributor
0 Kudos

Hi Pedro,

Are the users fixed, like Users 1 to 10 request only SINGLE roles and Users 10 to 20 request only COMPOSITE roles?

If this is the scenario then controlling at auth object level using PFCG role is the correct way, as suggested by Ameet. If they can request sometimes SINGLE and sometimes COMPOSITE roles, then maybe you need to have 2 different request templates and then within the templates role search can be restricted based on Functional area.

Assign Fun Area 1 to Composite Roles and Maintain this Fun Area 1 in EUP 1 of Template 1 - So if the user access this Template, they can search only COMPOSITE roles.

Assign Fun Area 2 to Single Roles and Maintain this Fun Area 2 in EUP 2 of Template 2 - So if the user access this Template, they can search only SINGLE roles.

Regards,

Madhu.