on 02-03-2015 4:44 PM
Dear Experts,
the user who creates access requests should not be allowed to approve/submit their own request from their GRC Work Inbox.
I have used Alessandro Banzer's excellent handling document, which I have found here.
http://scn.sap.com/docs/DOC-55401
It works very well...with one exception.
We have a problem with the risk control assignment workflow, which will be started in the Work Inbox of the requestor.
After the initial creation of the AR by the requestor, GRC runs an automatic risk analysis.
The requestor will see the result in the GRC Work Inbox (also for requests for their own user).
If a risk is identified, a risk mitigation is necessary.
At the moment, the requestor can start the risk mitigation / control assignment inside of the AR for his own user.
If the request is for the requestor's own user, the requestor should not be allowed to press the button "Mitigate Risk" OR
- on the following screen - press the button "Submit" without getting the message "You are not allowed to approve your own request".
The requestor should not be allowed to start the risk mitigation workflow for their own user.
Does someone know how to handle this?
Thank you in advance!
BR
Melanie
Hi Melanie,
As @Alessandro already highlighted the product limitation in achieving the functionality you are looking for, I will give you the details on how we are using this functionality:
1. User or Requestor running risk analysis is mandatory during Access request creation.
2. MEDIUM risks should be mitigated before request submission. We have an enhancement in place to auto-assign mitigation controls for MEDIUM risks (predefined in the system based on our ruleset), and HIGH risks cannot be mitigated.
In your scenario, I assume you can enable the parameter "Run risk analysis in background during request submission" and, based on the risks, the approver at the first stage can submit the MC assignment workflow.
Basically there is one more limitation in the MC assignment workflow, as there is no relation between the access request and the MC assignment workflow request, and it was difficult for MC assignment approvers to relate which access request they are approving those for.
In your scenario, assume that the requestor submitted the MC assignment workflow and then didn't SUBMIT the request or cancelled the request; the MC owner can still approve the MC assignment request. So doing mitigation at the approver stage has an advantage; however, there are some product limitations which can be submitted in the ideas place.
Regards,
Madhu.
Hello,
first of all, all your requesters are going to use the end user link.
A guest account is associated; remove this authorization from the guest account.
You should be good.
Regards,
Prasant
Dear Melanie,
what is your current release and SP level? I have briefly tested your case, but I am unable to click "Submit" on the mitigation screen as I have only Save and Cancel buttons available. Hence I cannot approve my own request.
Let me know.
Regards,
Alessandro
Melanie,
Probably I had mixed it up... you are using the control assignment workflow (SAP_GRAC_CONTROL_ASGN and parameter 1062 is set to YES), aren't you? In that case you have the "Submit" button available on the mitigation screen in the access request. What you are going to submit is the control assignment workflow and not the access request. The access request is still pending for approval and you are not allowed to approve your own request.
As far as I know there is standard functionality available to avoid mitigation for the own user. Anyway, give me some time to check the possibilities we have.
Regards,
Alessandro
Hi Melanie,
I have tested your scenario and the system behaviour is correct from my point of view. By clicking "Submit" on the mitigation screen you are going to submit a new workflow (the mitigation control assignment workflow as customized in 1062) for the assignment of a mitigation control. The access request itself is still pending for your approval, and as the approval is pending for your own user you are not allowed to approve the access request.
The assignment of the mitigation control workflow must be approved by the mitigation control monitor and hence is handled in a new workflow and has nothing to do with the access request.
Conclusion: from my point of view it is correct that an end user is allowed to submit a new workflow for control assignment. The access request is not approved and is still pending for approval.
In my eyes, with the standard configuration you have the 4-eyes principle in place and hence it should be okay from a compliance point of view.
I have also tried to avoid the submission of the assignment workflow for the own user. Unfortunately, this is not possible in the standard. Also there is no default configuration available that the mitigation monitor is not allowed to approve requests for his own user. Hence this functionality is missing. It might be a good idea to place this requirement in the idea portal.
Sorry for not having a better solution at the moment. Hope my answers help you at least to understand the SAP standard.
Let me know if you need more details.
Best regards,
Alessandro
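The separation Alessandro describes above (the mitigation control assignment runs as its own workflow while the access request stays pending, and the requester is refused as approver of their own request), together with the two gaps raised in this thread (no link from the MC assignment back to the access request, and no check stopping a monitor approving an assignment for their own user), as an added example. This is illustrative code written for this thread, not SAP code and not the GRC workflow engine: all class names, function names, user IDs, request IDs and the `access_request_id` back-reference are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AccessRequest:
    request_id: str
    requester: str            # user who created the request
    target_user: str          # user who would receive the access
    risk_ids: List[str] = field(default_factory=list)
    status: str = "PENDING"   # PENDING / APPROVED / CANCELLED


@dataclass
class ControlAssignmentRequest:
    assignment_id: str
    access_request_id: str    # hypothetical back-reference to the AR (the thread says the standard lacks it)
    submitter: str
    target_user: str
    control_id: str
    monitor: str              # mitigation control monitor expected to approve
    status: str = "PENDING"


def submit_control_assignment(ar, submitter, control_id, monitor, assignment_id):
    """Start the MC assignment workflow from inside a pending AR.
    As in the standard behaviour described in the thread, the requester may
    submit this; it neither approves the AR nor changes its status."""
    if ar.status != "PENDING":
        raise ValueError("control assignment can only be started from a pending request")
    return ControlAssignmentRequest(
        assignment_id=assignment_id,
        access_request_id=ar.request_id,
        submitter=submitter,
        target_user=ar.target_user,
        control_id=control_id,
        monitor=monitor,
    )


def can_approve_access_request(ar, approver):
    """Four-eyes check on the access request itself."""
    if ar.status != "PENDING":
        return False, "request is not pending"
    if approver == ar.requester:
        return False, "You are not allowed to approve your own request"
    if approver == ar.target_user:
        return False, "approver is the beneficiary of the request"
    return True, "ok"


def can_approve_control_assignment(ca, approver, requests_by_id):
    """Checks the thread says the standard does not enforce: the monitor must not
    be the affected user, and the linked AR must still be pending (not cancelled)."""
    if ca.status != "PENDING":
        return False, "assignment is not pending"
    if approver != ca.monitor:
        return False, "approver is not the responsible mitigation control monitor"
    if approver == ca.target_user:
        return False, "monitor may not approve a control assignment for their own user"
    ar = requests_by_id.get(ca.access_request_id)
    if ar is None or ar.status != "PENDING":
        return False, "linked access request is missing, cancelled or already decided"
    return True, "ok"


def approve_access_request(ar, approver):
    ok, reason = can_approve_access_request(ar, approver)
    if not ok:
        raise PermissionError(reason)
    ar.status = "APPROVED"
    return ar


def run_scenario():
    """Constructed scenario from the thread: a requester creates an AR for her own
    user, a risk is found, and she starts the MC assignment workflow herself."""
    ar = AccessRequest("AR-0001", requester="REQUESTER1", target_user="REQUESTER1",
                       risk_ids=["RISK-CONSTRUCTED"])
    requests: Dict[str, AccessRequest] = {ar.request_id: ar}
    ca = submit_control_assignment(ar, "REQUESTER1", "MC-CONSTRUCTED",
                                   monitor="MONITOR1", assignment_id="CA-0001")
    results = {
        "self_approve_ar": can_approve_access_request(ar, "REQUESTER1")[0],
        "ar_still_pending": ar.status == "PENDING",
        "monitor_approves_ca": can_approve_control_assignment(ca, "MONITOR1", requests)[0],
        "requester_approves_ca": can_approve_control_assignment(ca, "REQUESTER1", requests)[0],
    }
    # Madhu's case: the requester cancels the AR after starting the MC workflow.
    ar.status = "CANCELLED"
    results["ca_after_cancel"] = can_approve_control_assignment(ca, "MONITOR1", requests)[0]
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {'allowed' if outcome else 'refused'}")
```

The point of the model is that the access request and the control assignment are two decisions with two approvers, which is why submitting the assignment does not approve the request; the extra checks only become possible once the assignment carries the request ID it belongs to.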
Hi Alessandro,
I have additionally opened a ticket at SAP Support.
They told me to set parameter 1014 "Enable separate authorization check for Mitigation from Access Request" (parameter group 02 Mitigation) in the access control configuration settings.
Unfortunately the parameter is not available.
Do you know a possibility to add and activate the parameter?
BR
Melanie
Hi Melanie,
regarding parameter 1014 refer to: http://service.sap.com/sap/support/notes/1996151
But I am not sure if this helps... give me some time to test.
Regards,
Alessandro