on 03-03-2015 7:04 PM
Hi All,
Through BRM I initiate a Role creation in a target system. As we know, the role is saved in the target system and its generation is possible only after its approval by the Role content approver.
Now, when the approver rejects this role request, agreed that the role is not generated, but what about the role name that is created in the target system? How do we ensure that these are deleted? The issue that is hovering in my mind is if it's an existing role and the request was raised by modifying it.
Is there a standard approach or practice or a BG job to handle this maintenance activity?
I was referring to this note, which made me more curious.
http://service.sap.com/sap/support/notes/1986347
Please provide your inputs on the same.
Regards.
Arun
Hi Arun,
This same thought did come across my mind when configuring BRM and testing the role build methodologies I had designed for a demonstration. Only a "Complete" role will be provision-able via GRC ARM, but as you have rightfully pointed out the role is there within the actual back-end in PFCG, so there is a risk of manual amendment and assignment (if people have the access to do so!)
In most cases, a role build/amend request has been raised by the business outside of GRC, therefore it is more than likely that a new role or a role change is likely to take place and be completed unless a real exceptional issue is faced (hence in this situation, a delete role option during build phase is viable).
I think the easiest workaround at the point of rejection is for a notification to be sent to the actual role builder (person who initiated the approval step in BRM) and notify them of the rejection in the approval workflow and then have them read any comments added by the approver. The role builder would have to either amend the built role and resubmit for approval, or delete it from BRM in NWBC (which will subsequently delete it from front and back end).