
Access Control-Model User Request

ganesh_srini
Participant
0 Kudos

Hello Experts

Whenever I am using a model user request, apart from roles, even the "system" and "Profiles" are getting added to the request by default, which in turn makes the GRC request VOID.

Is there any way I can make only roles be selected automatically when I am using the model user request WF?

Appreciate your detailed explanation on this.

-Ganesh

Accepted Solutions (1)


former_member197694
Active Contributor
0 Kudos

Hello Ganesh,

Change parameter ID 2044 to No in Maintain Configuration Settings in SPRO and try again.

Refer to:

1667816 - UAM: Profiles visible by default in user access management

Regards

Baithi

ganesh_srini
Participant
0 Kudos

Hi Baithi

Profiles are gone now.

But we still have systems added. Do we have anything to eliminate systems as well?

-Ganesh

Former Member
0 Kudos

Hi Ganesh,

System selection cannot be restricted using config parameters, but only at the object level.

But restriction at the object level (GRAC_SYS) can introduce other side effects as well when you do it explicitly for Model user request.

As a workaround you can enable the standard routing Rule ID "GRAC_MSMP_ROUTE_NO_ROLEOWNER" before the request reaches the role owner to take care of your system line items and default roles if any.

Hope this helps.

Regards,

Manju

ganesh_srini
Participant
0 Kudos

Hi Manju

Standard routing rule ID GRAC_MSMP_ROUTE_NO_ROLEOWNER is already in use.

But the request comes to GRAC_ADMIN team for final approval as it takes the NO_OWNER_DETOUR_PATH.

If there are more roles involved, the GRC team would not be able to approve and this should go to the respective role owners.

Any suggestion on this?

-Regards

Ganesh

Former Member
0 Kudos

Hi Ganesh,

Enable the task settings Approval Level and Rejection Level at the request level for the GRC Admin. Request Rejected should be checked as well.

For the role owner this should be set at the Role level.

The standard Agent GRAC_ROLEOWNER will ensure the role line items are sent to the appropriate owners if you have maintained the assignment approvers for the roles selectable in access requests.

What do you mean by request comes to GRAC_ADMIN for final approval as it takes DETOUR_PATH? Do you have additional stages for your detour Path?

Can you give more details on your WF design to suggest?

Thanks

Regards,

Manju

ganesh_srini
Participant
0 Kudos

Hi Manju

Yes, whenever a request comes to the Detour_path, the request will be directly routed to the GRC admin team for approval.

So in my case, when we select system and role in Model user request, it goes for the manager stage approval and he approves it.

Then the application searches for the role owners and if system is added in the request, it automatically takes GRAC_MSMP_ROUTE_NO_ROLEOWNER and comes to the GRC team for approval.

So "system" added acts as a culprit here and not able to get the request flow.

Entire role along with system takes Detour_path.



Regards

Ganesh

Former Member
0 Kudos

Hi Ganesh,

The reason for this being, you have enabled routing at the stage level for the Manager Agent. Due to this, after the manager approval the entire stage is getting routed to the detour path. Can you change the routing level to line item level in the manager stage so that only the system line item and default roles (if any) will be routed to the detour path and other line items will move to your role owner stage after manager approval?

Also, I would recommend you to remove GRC Admin as the approver for your Detour Path and have this as a No stage path and enable auto-provisioning at the end of request.

Regards,

Manju

ganesh_srini
Participant
0 Kudos

Hi Manju

Your solution worked.

But if I remove GRC Admin as the approver for Detour Path and have this as a No stage path and enable auto-provisioning at the end of request, then any request with no role owner will get auto provisioned too.

This will again lead to a new concern.

Your thoughts on this?

Regards

Ganesh

Former Member
0 Kudos

Hi Ganesh,

I would suggest you to have only the default roles without approvers. Any other roles without approvers should either not be imported to BRM or, if you want these in the repository, make sure they are not available for selection in the access request by setting the Provisioning allowed attribute to NO in BRM.

I would recommend you to have an assignment approver for every role that is selectable in the access request except the default.

Let me know if you have any other questions.

Regards,

Manju
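Added example, not part of any post in this thread and not SAP code: a simplified Python model of the routing behaviour discussed above. It contrasts stage-level with line-item-level routing for the no-role-owner rule and lists the roles that would be provisioned without any approver if the detour path had no stage. The `LineItem` class, function names and sample request are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class LineItem:
    kind: str                      # "SYSTEM" or "ROLE"
    name: str
    approvers: list = field(default_factory=list)  # assignment approvers (role owners)
    default_role: bool = False

def route(items, level):
    """Split line items between the role-owner stage and the detour path.

    level="stage":     one ownerless item sends the whole request to the detour.
    level="line_item": only the ownerless items take the detour.
    """
    ownerless = [i for i in items if not i.approvers]
    if level == "stage":
        detour = list(items) if ownerless else []
    elif level == "line_item":
        detour = ownerless
    else:
        raise ValueError(f"unknown routing level: {level}")
    owner_stage = [i for i in items if i not in detour]
    return owner_stage, detour

def unapproved_if_no_stage_detour(items):
    """Non-default roles that a no-stage detour with auto-provisioning
    would provision without any approver seeing them."""
    _, detour = route(items, "line_item")
    return [i.name for i in detour if i.kind == "ROLE" and not i.default_role]

# Constructed sample request; all names are made up for illustration.
REQUEST = [
    LineItem("SYSTEM", "SYS_A"),
    LineItem("ROLE", "Z_ROLE_WITH_OWNER", approvers=["OWNER1"]),
    LineItem("ROLE", "Z_DEFAULT_ROLE", default_role=True),
    LineItem("ROLE", "Z_ROLE_NO_OWNER"),
]

if __name__ == "__main__":
    for level in ("stage", "line_item"):
        owner_stage, detour = route(REQUEST, level)
        print(level, "-> owner stage:", [i.name for i in owner_stage],
              "| detour:", [i.name for i in detour])
    print("would auto-provision unapproved:", unapproved_if_no_stage_detour(REQUEST))
```

Any role name the last function returns is one that needs an assignment approver, or must be made non-selectable in access requests, before the detour path's approver is removed.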

ganesh_srini
Participant
0 Kudos

Hi Manju

Thank you for all your suggestions and quick turnaround.

But I would still have the GRC admin team as approver on a safer note.

BRM in my account is a bit clumsy and cannot take risks as of now by removing the approver for Detour Path. Once I clean up BRM, will implement your suggestion.

Regards

Ganesh S

ganesh_srini
Participant
0 Kudos

Hi Manju

After changing the stage level to "line item" and simulating the WF, I am getting the below mentioned warning for other WFs.

Routing Result 'NO_ROLE_OWNER' (Rule 'F/GRAC_MSMP_ROUTE_NO_ROLEOWNER') used in Path/Stage 'change_account' not mapped.

Any idea why this is popping up?

Can we ignore since it is only a Warning?

-Ganesh

Former Member
0 Kudos

Hi Ganesh,

Can you check if the Route mapping is properly maintained for the Rule ID "GRAC_MSMP_ROUTE_NO_ROLEOWNER" to an actual Path ID?

Refer to the below screenshot.

Can you share the screenshot of the stage details that uses this routing rule and the route mapping entries?

Regards,

Manju

ganesh_srini
Participant
0 Kudos

Hi Manju

Please find the route mapping screenshot attached.

I did not find this "No owner stage" configured in the change account WF "stage settings" at all, but still I am getting the warning.

-Ganesh

Former Member
0 Kudos

Hi Ganesh,

You can ignore the warning message and give a try.

In case you are stuck, I would need a few more screenshots to analyze the issue.

Regards,

Manju

Answers (1)


surya_appala
Active Participant
0 Kudos

Hello Ganesh,

If you are making use of Decision tables, put role Name as "Is initial" and let them take a separate path without any stages, so that the line items with system will get auto provisioned.

Hope this change can clear most of the issues with system and role line items.

Regards,

Surya