on 08-04-2016 8:08 AM
Hello Experts
Whenever I am using a model user request, apart from roles, even the "system" and "Profiles" are getting added to the request by default, which in turn makes the GRC request VOID.
Is there any way I can make only roles be selected automatically when I am using the model user request WF?
Appreciate your detailed explanation on this.
-Ganesh
Hello Ganesh,
Change parameter ID 2044 to No in Maintain Configuration Settings in SPRO and try again.
Refer:
1667816 - UAM: Profiles visible by default in user access management
Regards
Baithi
Hi Ganesh,
System selection cannot be restricted using config parameters, but only at the object level.
But restriction at the object level (GRAC_SYS) can introduce other side effects as well when you do it explicitly for Model user request.
As a workaround you can enable the standard routing Rule ID "GRAC_MSMP_ROUTE_NO_ROLEOWNER" before the request reaches the role owner to take care of your system line items and default roles if any.
Hope this helps.
Regards,
Manju
Hi Manju
Standard routing rule ID GRAC_MSMP_ROUTE_NO_ROLEOWNER is already in use.
But the request comes to GRAC_ADMIN team for final approval as it takes the NO_OWNER_DETOUR_PATH.
If there are a larger number of roles involved, the GRC team would not be able to approve, and this should go to the respective role owners.
Any suggestion on this?
-Regards
Ganesh
Hi Ganesh,
Enable the task settings Approval Level and Rejection Level at the request level for the GRC Admin. Request Rejected should be checked as well.
For the role owner this should be set at the Role level.
The standard Agent GRAC_ROLEOWNER will ensure the role line items are sent to the appropriate owners if you have maintained the assignment approvers for the roles selectable in access requests.
What do you mean by "request comes to GRAC_ADMIN for final approval as it takes DETOUR_PATH"? Do you have additional stages for your detour path?
Can you give more details on your WF design so I can suggest something?
Thanks
Regards,
Manju
Hi Manju
Yes, whenever a request comes to the Detour_path, the request will be directly routed to the GRC admin team for approval.
So in my case, when we select system and role in Model user request, it goes for the manager stage approval and he approves it.
Then the application searches for the role owners, and if system is added in the request, it automatically takes GRAC_MSMP_ROUTE_NO_ROLEOWNER and comes to the GRC team for approval.
So the "system" added acts as the culprit here, and I am not able to get the request flow.
The entire role along with system takes the Detour_path.
Regards
Ganesh
Hi Ganesh,
The reason for this is that you have enabled routing at the stage level for the Manager Agent. Due to this, after the manager approval the entire stage is getting routed to the detour path. Can you change the routing level to line item level in the manager stage, so that only the system line item and default roles (if any) will be routed to the detour path and other line items will move to your role owner stage after manager approval?
Also, I would recommend you remove GRC Admin as the approver for your Detour Path and have this as a No stage path and enable auto-provisioning at the end of request.
Regards,
Manju
Hi Manju
Your solution worked.
But if I remove GRC Admin as the approver for Detour Path and have this as a No stage path and enable auto-provisioning at the end of request, then any request with no role owner will get auto-provisioned too.
This will again lead to a new concern.
Your thoughts on this?
Regards
Ganesh
Hi Ganesh,
I would suggest you have only the default roles without approvers. Any other roles without approvers should either not be imported to BRM or, if you want these in the repository, make sure they are not available for selection in the access request by setting the Provisioning allowed attribute to NO in BRM.
I would recommend that you have an assignment approver for every role that is selectable in the access request except the default.
Let me know if you have any other questions.
Regards,
Manju
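The routing behaviour discussed in this thread (stage-level versus line-item routing on the no-role-owner rule, and which roles would skip owner review if the detour path had no stage) can be sketched as a small model. This is an added example, not SAP code and not from any poster; the path labels `DETOUR` and `ROLE_OWNER`, the function names, and the system, role and owner names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LineItem:
    name: str
    kind: str                      # "system" or "role"
    owner: Optional[str] = None    # assignment approver; None means no role owner

def route_after_manager(items, routing_level):
    """Path each line item takes once the manager stage approves (toy model)."""
    has_ownerless = any(i.owner is None for i in items)
    if routing_level == "stage":
        # Stage-level routing: one ownerless item detours the whole request.
        path = "DETOUR" if has_ownerless else "ROLE_OWNER"
        return {i.name: path for i in items}
    if routing_level == "line_item":
        # Line-item routing: only the ownerless items detour.
        return {i.name: "DETOUR" if i.owner is None else "ROLE_OWNER"
                for i in items}
    raise ValueError(f"unknown routing level: {routing_level}")

def roles_skipping_owner_review(items, routing_level, default_roles=()):
    """Roles that land on the detour path and are not known default roles.

    With an approver-less detour path plus auto-provisioning, these are the
    roles that would be granted on manager approval alone.
    """
    routed = route_after_manager(items, routing_level)
    return sorted(i.name for i in items
                  if i.kind == "role" and routed[i.name] == "DETOUR"
                  and i.name not in default_roles)

# Constructed sample request: one system line item and three roles.
SAMPLE_REQUEST = [
    LineItem("ECC_PRD", "system"),                  # systems never have a role owner
    LineItem("Z_FI_DISPLAY", "role", "OWNER_FI"),   # approver maintained
    LineItem("Z_DEFAULT_BASIC", "role"),            # default role, no approver
    LineItem("Z_LEGACY_ADMIN", "role"),             # selectable role with no approver
]
DEFAULT_ROLES = {"Z_DEFAULT_BASIC"}

if __name__ == "__main__":
    for level in ("stage", "line_item"):
        print(level, route_after_manager(SAMPLE_REQUEST, level))
        print("  skips owner review:",
              roles_skipping_owner_review(SAMPLE_REQUEST, level, DEFAULT_ROLES))
```

Any role the second function reports under line-item routing is one that needs an assignment approver or should not be selectable in access requests before the detour approver is removed.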
Hi Manju
Thank you for all your suggestions and quick turnaround.
But I would still have the GRC admin team as approver on a safer note.
BRM in my account is a bit clumsy and I cannot take risks as of now by removing the approver for Detour Path. Once I clean up BRM, I will implement your suggestion.
Regards
Ganesh S
Hi Manju
After changing the stage level to "line item" and simulating the WF, I am getting the below-mentioned warning for other WFs.
Routing Result 'NO_ROLE_OWNER' (Rule 'F/GRAC_MSMP_ROUTE_NO_ROLEOWNER') used in Path/Stage 'change_account' not mapped.
Any idea why this is popping up?
Can we ignore since it is only a Warning?
-Ganesh
Hello Ganesh,
If you are making use of Decision tables, put role Name as "Is initial" and let them take a separate path without any stages, so that the line items with system will get auto-provisioned.
Hope this change can clear most of the issues with system and role line items.
Regards,
Surya