cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Difference between Accessing 'Access Request' link from End User Logon Page and NWBC Screen

Go to solution
former_member184114
Active Contributor

on ‎05-08-2016 5:04 PM

0 Kudos

Hi,

I am finding it quite difficult to understand the difference between accessing 'Access Request' link from EULP and normal NWBC screen. I have noticed that:

1. If this link is accessed through EULP, normal Access Request form is displayed. This page is NOT controlled by any role(s) in GRC system. No 'Requester' role is assigned, but still user is able to access 'Access Request' page. On the top of it, the authorizations controlled in 'Requester' role in GRC system is not effective as this is not assigned to the user (even if this is assigned, does not have any impact). All the 'request types' and 'Request For' fields are available from the drop downs.

2. If think link is accessed through NWBC screen, the authorizations are controlled and user is displayed only allowed values for fields: Request Type and Request For in the 'Requester' role.

I would like to understand/know:

a. What is the best approach to access this link from?

b. How to control authorizations for the point#1, if this approach is accepted.

Please advise.

Regards,

Faisal

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member184114
Active Contributor
‎05-09-2016 6:43 AM
0 Kudos

Any help please?

Show replies
Show replies
Former Member
‎05-09-2016 12:05 PM
0 Kudos

Hi Faisal,

Point 1 -->when a request is created from the end user logon screen, technically the end-user is not raising the request.

The SICF user maintained in EU logon service will raise the request on behalf of the end-user.

Point 2--> request creation can be controlled via authorizations.

Point 1 is mostly preferred for request submission as there is no need to set up the user in GRC and the end-user does not require any authorizations to raise the request.

Regards,

Manju

Colleen
Advisor
Advisor
‎05-09-2016 12:27 PM
0 Kudos

Hi Faisal

Manju has pretty much covered it

The End User Login is what you want the general user to request. The Service User against the services in SICF is checked for all PFCG authorisations. At this stage, you can decide if you want to restrict the user.

The NWBC version requires the user to have an SU01 account. You have the option of allowing your GRC SU01 accounts having the link here or force them to use NWBC. The benefit of this if you might decide to have other templates, etc available for administrators or additional priveleges.

An example is you would want to restrict the SICF user for End user from requesting/managing users in SUPER group (i.e. System/Service accounts) but may need the Administrators to manage them via NWBC to ensure all users are managed via GRC and not in each client.

Regards

Colleen

former_member184114
Active Contributor
‎05-09-2016 2:38 PM
0 Kudos

Colleen and Manjunath,

Thanks for your replies.

So if we want the users to raise request from End User Page, we can use it without having to create any requester in SU01 of GRC system.

Now I get the point of showing all types of requests (as mentioned above) to a user though it is controlled via a role. However, this role was not assigned to the service user used in SICF. I had used the same role for a user in SU01 and it reflected appropriate result.

Thanks for your help 🙂

Faisal

former_member184114
Active Contributor
‎05-10-2016 1:17 PM
0 Kudos

Manjunath,

I have created a customized role with limited access and assigned to the user used in End User Logon service . However, it still shows extra systems and details!

Am I missing anything else? Can you please advise?

Regards,

Former Member
‎05-10-2016 2:56 PM
0 Kudos

Hi Faisal,

You need to restrict the field value(Connector Id) for GRAC_SYS object , to limit the system selection while creating access request. Looks like you have maintained * value currently.

Please make sure that if you have assigned this authorization object in other custom roles also, the value is maintained everywhere.

Regards,

Manju

former_member184114
Active Contributor
‎05-10-2016 4:28 PM
0 Kudos

Manjunath,

Thanks for your reply.

Actually the problem was with the browser!

In IE it was showing as intended while in chrome, it was showing all the request types. I deleted the cache and browser's history and now it seems to be showing the restricted values.

But now I am facing another problem. I am getting error message: "You are not authorized to create the request"

Not sure why this is coming. This role is assigned to another user and that user was able to submit the request properly.

Any guesses?

Regards,

former_member184114
Active Contributor
‎05-10-2016 5:00 PM
0 Kudos

Accessing 'Access Request' through EUL Page:

Another problem I have noticed is that, the 'System' field in search criteria does not show any values at all!

Unable to understand this bizarre behavior of the application.

Secondly, if I click on 'search' button without providing any values for: System, Role Type, etc..., this is pulling roles from all the connectors.

If Access Request Submission form is access normally (without EUL Page), this field is showing the permitted system connectors.

Can you share your experience please?

Regards,

former_member184114
Active Contributor
‎05-11-2016 7:37 AM
0 Kudos

This message was moderated.

Answers (0)

Ask a Question