
How to avoid GRC provisioning dynamically

Former Member
0 Kudos

Hi All,

I have typical scenario like this:

I have integrated IDM with GRC for risk analysis and SAP system provisioning. I have various workflows where the GRC provisioning framework is called when GRC privileges are assigned or revoked.

But in one workflow, I need to assign GRC privileges to a user but I do not want "AC Submit request" to be invoked. I want the privileges to be assigned to the user without sending them to GRC.

Any suggestions how I can stop invoking "AC Submit Request" dynamically?

Thanks,

Dhiman Paul.

Accepted Solutions (1)

Former Member
0 Kudos

Hi Jai,

Yes, {A}{BYPASS_MEMBER_TASK=1} is working if we write it directly in the To Identity Store pass. Please find the screenshot below.

But if we use a script and try to set BYPASS_MEMBER_TASK=1, we are not able to set the value.

Below is the code:

var PrivMskey = uIS_sGet(IDStore, "MSKEYVALUE", BRolePrivilege, true); // fetch the MSKEY of the privilege
var task_property = "{A}{BYPASS_MEMBER_TASK=1}";
var tempval = task_property + PrivMskey;
var SetPrivToUser = uIS_SetValue(mskey, IDStore, "MXREF_MX_PRIVILEGE", tempval);

We are calling uIS_SetValue to assign privileges to the user through an Action pass.

This method is returning the following error: {A}{BYPASS_MEMBER_TASK=1}PrivMSKEY. BYPASS_MEMBER_TASK=1 is getting concatenated with PrivMskey, while BYPASS_MEMBER_TASK should have been set to 1.

Please find the below screenshot.

Thanks,

Dhiman

jaisuryan
Active Contributor
0 Kudos

Hi Dhiman,

So BYPASS_MEMBER_TASK=1 did not invoke "AC Submit" task?

To use a script, in the destination tab, use a script of your choice:

MXREF_MX_PRIVILEGE = $FUNCTION.z_test()$$

In the z_test script, the logic goes like this:

  1. Get the MSKEYVALUE of the privilege - in your case BRolePrivilege
  2. Concatenate the attribute value - var tempval = "{A}{BYPASS_MEMBER_TASK=1}<"+BRolePrivilege+">";
  3. Return the string - return tempval

Kind regards,

Jaisuryan

Answers (7)

former_member268206
Discoverer
0 Kudos

Hello Everyone,

I'm having a similar scenario, where GRC is used only for risk analysis and provisioning is done by IdM. I would also like to have the possibility to bypass the validation task in different scenarios, although provisioning in our system is based on the MX_ROLE entry, not MX_PRIVILEGE. According to my tests, the BYPASS_VALIDATE_TASK parameter works great in the case of MX_PRIVILEGE, but unfortunately does not work with MX_ROLE. That's strange, since the SAP documentation says clearly:

"This operator is used to disable a Validate add, Validate remove or Validate modify validity task when assigning/deassigning a role or privilege."

I wonder if any of you have had some experience with role-based provisioning and risk validation in GRC, maybe even a similar problem. I would like to ask you for any suggestions on how role provisioning could be initiated in order to avoid the GRC call.

Thanks in advance!

Jakub

normann
Advisor
0 Kudos

Hi Jakub,

The application help is right. The problem is that you have all events twice for business roles. First you assign the role to the user, where you have a validation task. Once the role assignment is in state OK, the privileges of that role are inherited by the user and you have a validation task again for this inherited assignment.

So what you can do is check for direct assignment in the validation task (in case of GRC integration you have to adapt the AC Validation task and add a conditional task where you read the attribute mcAssignDirect from idmv_link_ext (1 = direct assignment -> do validation; 0 = inherited)). But I think this gets a bit more complicated, as you might still want to use validate add events on inherited assignments as well - meaning you have to check where the assignment was inherited from and whether this role was assigned with validation (validate add audit), but what if the privilege gets inherited multiple times.... this will become very complicated.

You might consider controlling it on privilege level or switching the validation off on the GRC repository.

Regards

Norman

Former Member
0 Kudos

Hi Jai,

Thanks a lot. Yes, it's working without {A}.

Now when we are trying to delete the privilege, it's working for the pass concept, that is

{D}{BYPASS_MEMBER_TASK=1}PrivMskey is working

But if we are using the same concept in script privileges are not getting deleted. We tried with {D}{BYPASS_MEMBER_TASK=1}PrivMskey as well as {BYPASS_MEMBER_TASK=1}PrivMskey in the script.

Thanks,

Dhiman

jaisuryan
Active Contributor
0 Kudos

Hi Dhiman,

If you were able to assign and remove privs without invoking an AC request, then please close this thread, marking correct and helpful answers. Let's keep one issue per thread.

As I said already, I haven't and wouldn't use the uIS_SetValue function for this task, so I have limited thoughts on these. The application help has more useful information regarding the usage of the function. Please check if you have included AttrOperation (1: delete case sensitive, 2: delete case insensitive) in your parameter list like below:

uIS_SetValue(mskey, IDStore, "MXREF_MX_PRIVILEGE", tempvalue, 2);

tempvalue should be "{BYPASS_MEMBER_TASK=1}PrivMskey"


Open a new thread for this issue and we will see where we get.


Kind regards,

Jaisuryan



Former Member
0 Kudos

Hi Jai,

Thanks for your continuous support.

I understand your solution. But I am assigning privileges via the standard function

uIS_SetValue(mskey, IDStore, "MXREF_MX_PRIVILEGE", tempvalue);

I am passing "{A}{BYPASS_MEMBER_TASK=1}<"+BRolePrivilege+">" within tempvalue.

But this standard function is returning "Wrong attribute property/value Syntax:Attribute:MXREF_MX_PRIVILEGE".


When I am passing only MSKEY of the privilege within tempvalue then the standard function is not throwing any error. But this is not solving my purpose. I have to pass BYPASS_MEMBER_TASK as concatenated with MSKEY within tempvalue.


Any thought?

Thanks,

Dhiman Paul.

jaisuryan
Active Contributor
0 Kudos

Hi Dhiman,

I always use the 'To Identity Store' pass for writing into IDM. I never use standard functions such as uIS_SetValue, as their behavior is unpredictable, so I have fewer thoughts on that. Maybe you can try to pass tempval as "{BYPASS_MEMBER_TASK=1}PrivMSKEY", i.e. without {A}.

Kind regards,

Jaisuryan

Former Member
0 Kudos

Hi Jai,

We are using GRC distributed provisioning framework 5.3 and, in IDM, Provisioning Framework version 1.

Please let us know if we are unable to find the attributes because of a version mismatch.

Thanks,

Dhiman.

normann
Advisor
0 Kudos

Hi Dhiman,

The error you get is thrown by the IdM runtime, as the option you are using is not valid, as mentioned by Jai.

Here is how you can find the corresponding help document:


Regards

Former Member
0 Kudos

Hi,

Thanks for the reply. Yes, we tried the same, setting MX_VALIDATE_ADD_TASK=1 for the assigned privilege, but we are getting the error "No such attribute property".

Please find the screenshot of the error and the To identity store pass.

Thanks,

Dhiman

jaisuryan
Active Contributor
0 Kudos

Hi Dhiman,

Please confirm if GRC is used for only risk analysis or for provisioning as well?

If GRC is used only for risk analysis - Then use {A}{BYPASS_VALIDATE_TASK=1}

If GRC is used for SAP system provisioning as well - Then use {A}{BYPASS_MEMBER_TASK=1}

{A}{MX_VALIDATE_ADD_TASK=1} is not an attribute property, hence you are getting the error. As Norman suggested, please read the help file; it has more useful information regarding the attribute properties available.


Kind regards,

Jaisuryan

Former Member
0 Kudos

Hi Jai,

We are not able to find the attribute BYPASS_MEMBER_TASK in the help or in the global attributes.

We are using SAP IDM 7.2 SP09. Is this attribute available in this version? We are not able to find it in the help or in the global attributes.

Thanks,

Dhiman

jaisuryan
Active Contributor
0 Kudos

Hi Dhiman,

BYPASS_MEMBER_TASK and BYPASS_VALIDATE_TASK are not attributes. These are properties of an attribute. Norman's screenshot shows what to find in the help.

Below is a snippet as an example:

Kind regards,

Jaisuryan

jaisuryan
Active Contributor
0 Kudos

Hi Dhiman,

Norman's suggestion would work for centralized scenario where GRC is used only for risk analysis and priv is assigned by IDM.

From your description, I understand that you are using GRC for risk analysis and for SAP systems provisioning (Distributed scenario).

If so, then you should use BYPASS_MEMBER_TASK=1 instead of BYPASS_VALIDATE_TASK=1.

We had used a script to add "{A}{BYPASS_MEMBER_TASK=1}" before, and "|" after, all the privs to be assigned and return the string to MXREF_MX_PRIVILEGE.

Kind regards,

Jaisuryan

normann
Advisor
0 Kudos

Hi Paul,

You can do that by assigning the privilege with the option

BYPASS_VALIDATE_TASK=1

An example would be {A}{BYPASS_VALIDATE_TASK=1}<PRIV:ROLE:...>

If you want to do it in a UI task you have to use a temporary attribute and copy it to MXREF_MX_PRIVILEGE later with above option.

Please consider that you have to put that option on every single privilege. So in case you are assigning multiple privileges it would look like

{A}{BYPASS_VALIDATE_TASK=1}<PRIV:ROLE:...>|{A}{BYPASS_VALIDATE_TASK=1}<PRIV:ROLE:...>|...

You can find detailed documentation about those options in the application help by searching for BYPASS_VALIDATE_TASK.

Regards

Norman
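Putting Jaisuryan's script approach and Norman's one-prefix-per-privilege rule together, here is an added example (not code from the thread, SAP IdM or GRC; all function names are the author's own) that builds the MXREF_MX_PRIVILEGE value string and checks a value against the {op}{PROPERTY=value}<MSKEYVALUE> shape before it is written, so a malformed string like the one behind the "Wrong attribute property/value Syntax" error is caught in the script rather than by the runtime.

```javascript
// Added example, not code from the thread or from SAP IdM: builds the
// MXREF_MX_PRIVILEGE value string the replies above describe and checks it
// against the {op}{PROPERTY=value}<MSKEYVALUE> shape before it is written.
// Names such as buildEntry and buildPrivilegeValue are the author's own.
var OPERATIONS = { add: "A", remove: "D" };
var BYPASS_PROPERTIES = ["BYPASS_MEMBER_TASK", "BYPASS_VALIDATE_TASK"];

// One entry, e.g. "{A}{BYPASS_MEMBER_TASK=1}<PRIV:ROLE:X>". Pass operation as
// null to omit the "{A}" prefix, which the thread reports must be left out
// when the value goes through uIS_SetValue rather than a To Identity Store pass.
function buildEntry(operation, bypassProperty, mskeyValue) {
  if (BYPASS_PROPERTIES.indexOf(bypassProperty) < 0) {
    throw new Error("unsupported property: " + bypassProperty);
  }
  // Braces, angle brackets and "|" are delimiters of this syntax; reject them in values.
  if (!mskeyValue || /[<>{}|]/.test(mskeyValue)) {
    throw new Error("invalid MSKEYVALUE: " + mskeyValue);
  }
  var prefix = "";
  if (operation !== null) {
    if (!OPERATIONS.hasOwnProperty(operation)) {
      throw new Error("unknown operation: " + operation);
    }
    prefix = "{" + OPERATIONS[operation] + "}";
  }
  return prefix + "{" + bypassProperty + "=1}<" + mskeyValue + ">";
}

// Full attribute value: every privilege carries its own prefix (the option
// does not carry across the "|" separator); entries are joined with "|".
function buildPrivilegeValue(operation, bypassProperty, mskeyValues) {
  var entries = [];
  for (var i = 0; i < mskeyValues.length; i++) {
    entries.push(buildEntry(operation, bypassProperty, mskeyValues[i]));
  }
  return entries.join("|");
}

// Split a value back into its parts; returns null when any entry does not
// match the expected shape, i.e. a value the IdM runtime would reject.
var ENTRY_RE = /^(?:\{([AD])\})?\{([A-Z_]+)=(\d+)\}<([^<>{}|]+)>$/;
function parsePrivilegeValue(value) {
  var parts = value.split("|"), out = [];
  for (var i = 0; i < parts.length; i++) {
    var m = ENTRY_RE.exec(parts[i]);
    if (!m) return null;
    out.push({ operation: m[1] || null, property: m[2], value: m[3], mskeyValue: m[4] });
  }
  return out;
}
```

Returning buildPrivilegeValue(...) from a script referenced as $FUNCTION.name()$$ in the destination tab gives the To Identity Store pass the complete string in one step.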