on 10-09-2014 6:33 PM
Hello all!
Our GRC AC is configured to work with Single and Composite Roles. We have 3 workflows to request access and the client wants to filter one of them to accept only Composite roles. Is it possible?
We need to maintain the other 2 workflows with the possibilite to request Single and Composite roles. Only one of them with the specified filter.
Thanks in advance,
Pedro
Hi Pedro,
Do you want users to restrict for role search within access request; for single..composite et al.
This can be done with role based authorization as well.
Check for the authorization object: GRAC_ROLEP
Here you can select the role type whichever you want users to be able ro search for.
Let us know if you meant something else.
Regards,
Ameet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Pedro,
The role type which you are maintaining in the role, have you maintained the same role type in SPRO-IMG..?
Usually by mentioning the role type either as Single/Composite or others, the restriction would be in place.
You can do one more thing: Under role name authorization field: You can mention the role-generic-name, e.g. for single role, I use to mention ZS*, for composite role, i use to mention ZC* and so on. This will make users to search only for the roles starting with these characters.
Try doing this, I am sure this will definitely help you in restricting users to search the roles to which they are not authorized.
Let us know how does it work.
Regards,
Ameet
Hi Pedro,
This is something which can't be acceptable.
Are you sure that this user is not getting the role search authorizations (for all roles) by any other roles or profiles.
There can't be any room for this to happen if you have restricted the user authorizations at the object level. I am already using the same way and I am sure others do as well.
This is the only way to restrict the users to search for the roles.
Hope you generated the role profile and did the user comparison post modifying/restricting the authorizations.
Try to log-off that user ID and log-in back and see if this works out.
Regards,
Ameet
Hi Pedro,
Can you explain about your 3 workflow scenarios.
Are you using template based access requests?
Regards,
Madhu.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Madhu,
Thanks for your reply and sorry for the delay answering. Please, imagine the standard workflow to grant access. The requestor can request Single and Composite Roles. I need a way to filter the WF for only one type of them. Can I do this through Initiator configuration? Any other type of configuration?
Regards,
Pedro
Hi Pedro,
Are the users are fixed like Users 1 to 10 requests only SINGLE roles and Users 10 to 20 requests only COMPOSITE roles?
If this is the scenario then controlling at auth object level using PFCG role is correct way as suggested by Ameet. If they can request sometimes SINGLE and sometimes COMPOSITE roles, then may be you need to have 2 different request templates and then within the templates role search can be restricted based on Functional area.
Assign Fun Area 1 to Composite Roles and Maintain this Fun Area 1 in EUP 1 of Template 1 - So if the user access this Template, they can search only COMPOSITE roles.
Assign Fun Area 2 to Single Roles and Maintain this Fun Area 2 in EUP 2 of Template 2 - So if the user access this Template, they can search only SINGLE roles.
Regards,
Madhu.
User | Count |
---|---|
14 | |
4 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.