
GRC AC - Temporary Roles

Former Member
0 Kudos

Hello Community,

Does anyone know if we can configure the GRC AC Access Request WF to grant roles for a maximum of 90 days, for example? I know we can configure this in the Roles Expiration. But I want to enforce this requirement. Users should not be able to request roles for more than 90 days in only one of my WFs.

Thanks in advance,

Pedro

Accepted Solutions (0)

Answers (3)

kevin_tucholke1
Contributor
0 Kudos

Pedro:

As you stated, this is ONLY possible in the role definition and is configurable by system. When you configure this on the role, this is ENFORCED at 90 days and cannot be extended beyond that. If, as I am guessing, you are trying to do this by particular request attributes (i.e. employee type), this would have to be monitored by the owners/approvers that are in the workflow path. It would be very difficult to set this as a default such as has been suggested for mitigation assignment and FF assignment, which can be overridden when the request is being processed.

If you have such a requirement, I would suggest that, depending upon your criteria, you add a stage that should act as the gatekeeper that this request be set for 90 days.

This will be the same for AC 10.1 as well.

Thanks,

Kevin Tucholke

Former Member
0 Kudos

Hi Kevin,

If the validity date under the request form has been changed, then the same will be provisioned, won't it? Or am I missing something?

If the role expiration is set, will it update the "valid to" under the form as valid from + 90 days, or does it remain 31.12.9999?

I am trying to understand the possibility you mentioned; if you can share more information, that will be great.

(Re-read the question; the request is only to make the date change for one specific WF. Will update the thread; I had a slightly different scenario in one project for terminating accounts.)

Regards,

Nishant

Message was edited by: Nishant Chourasia

Former Member
0 Kudos

Hello Kevin,

This is a specific requirement for a specific WF dedicated to these cases: third party access. I'm sorry, but your suggestion to add a stage is not clear to me. Can you please give more details?

Thanks in advance,

Pedro

kevin_tucholke1
Contributor
0 Kudos

Pedro:

This is what I was referring to in my reply (i.e. Employee Type). What you can do is drive this request down a different path or include a routing based upon Employee Type (3rd Party), and create a stage where the approver would validate/maintain that the Valid From / Valid To dates are correct per this Employee Type. This is just one suggestion to handle this; you could use any attribute on the request header to do this.

If these roles are available to ALL users and not just 3rd Party, the configuration on the role for valid for settings would not work as that would apply any time the role is requested.

Hope this helps.

Kevin Tucholke

SAP America

Principal Technology Consultant


Former Member
0 Kudos

Kevin,

Right, thanks for your time and clarification!

Regards,

Pedro

Former Member
0 Kudos

Hi Pedro,

No such possibility as of GRC AC 10 SP15.

SAP has provided default dates for mitigation assignment (1011) and Firefighter assignment (4001), but the same has not been given for the role assignment validity date. It has been hard-coded as 31.12.9999.

You can cross-validate if the same has been given in 10.1.

You can request SAP (via OSS/Idea Place) to provide this particular feature, providing the example of 1011 and 4001, since those will give a clue to the consultant how quickly they can achieve it.

*Updating the date manually every time will not be easy for end users/approvers.

Regards,

Nishant

Message was edited by: Nishant Chourasia

Former Member
0 Kudos

Hello Nishant,

I'm considering this possibility. Thanks man!

Regards,

Pedro

madhusap
Active Contributor
0 Kudos

Hi Pedro,

Please correct me if my understanding is incorrect.

Roles requested by user should be assigned for 90 days validity i.e., VALID FROM to VALID TO is 90 days?

If this is the scenario during admin stage, please update the validity dates as per your requirement before approving.

I will check if the validity can be enforced automatically and update you.

Regards,

Madhu.

Former Member
0 Kudos

Madhu,

Your understanding is correct. This WF is for third party employees. The main idea is to avoid giving access to these users for more than the needed time.

Thanks for your reply.

Regards,

Pedro

Former Member
0 Kudos

Hi Pedro,

For any requests, either for internal or external employees, at the role approver stage you can always define/set the "validity to" time frames before approving such requests, as mentioned by Madhu as well.

This will help you meet your needs with minimal effort compared to configuring some unique workflow.

You can always define the employee type as internal, external, or third party in your case. So once the requests are at the role owner stage, the approver can see whether the request is for a third party employee or an internal one, and then the role validity dates can be limited to 90 days.

Hope this is clear.

Regards,

Ameet
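
Because the answers in this thread leave the 90-day limit to an approver checking the dates by hand, a periodic detective check over provisioned assignments can catch requests that slipped through. The following is an added example, not part of the original thread and not SAP code; the CSV layout, column names, users and role names are constructed assumptions, not a GRC export format.

```python
import csv
import io
from datetime import datetime

MAX_DAYS = 90
OPEN_ENDED = "31.12.9999"  # default "valid to" value mentioned in the thread

# Constructed sample data; column names are hypothetical, not a GRC export format.
SAMPLE = """user,employee_type,role,valid_from,valid_to
EXT_JDOE,THIRD_PARTY,Z_AP_DISPLAY,01.03.2024,30.05.2024
EXT_ASMITH,THIRD_PARTY,Z_AP_CLERK,01.03.2024,31.12.9999
EXT_BLEE,THIRD_PARTY,Z_MM_BUYER,01.03.2024,15.07.2024
INT_CKHAN,INTERNAL,Z_AP_CLERK,01.03.2024,31.12.9999
EXT_DROSS,THIRD_PARTY,Z_FI_VIEW,15.04.2024,01.04.2024
"""

def parse(value):
    """Parse a DD.MM.YYYY date as used in the request form."""
    return datetime.strptime(value.strip(), "%d.%m.%Y").date()

def audit(text, restricted_type="THIRD_PARTY", max_days=MAX_DAYS):
    """Return (user, role, reason) for assignments that break the limit."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        # Only the restricted employee type is subject to the limit.
        if row["employee_type"].strip().upper() != restricted_type:
            continue
        try:
            start, end = parse(row["valid_from"]), parse(row["valid_to"])
        except ValueError:
            findings.append((row["user"], row["role"], "unparseable date"))
            continue
        days = (end - start).days
        if row["valid_to"].strip() == OPEN_ENDED:
            reason = "open-ended validity (31.12.9999)"
        elif days < 0:
            reason = "valid_to before valid_from"
        elif days > max_days:
            reason = f"{days} days exceeds {max_days}"
        else:
            continue  # within the limit
        findings.append((row["user"], row["role"], reason))
    return findings

if __name__ == "__main__":
    for user, role, reason in audit(SAMPLE):
        print(f"{user:12} {role:14} {reason}")
```
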