on 07-07-2008 9:06 AM
Hello Experts,
We are currently implementing GRC Compliant User Provisioning for the client. Apart from the configuration team with the role AEAdmin, we have a few client experts to look into the sandbox system and understand whether the configuration we made is as per the requirement.
In doing so, they tend to modify some configuration or other at times, knowingly or unknowingly, which leads to longer debugging time for us.
Is there a way I can create a UME role with only the View Configuration action to avoid such circumstances?
Thanks
Rashmi
Hi Rashmi,
1- Assign the following actions to the role:
ViewReject
ViewHold
ViewCopyRequest
ViewCreateRequest
ViewSearchRequestAll
ViewRequstAuditTrail
ViewForwardRequest
ViewReRoute
ViewAccessEnforcer
ViewSelectPDProfiles
ViewMitigation
ViewRiskAnalysis
ViewSelectRoles
ViewReaffirms
ViewApprove
ViewApproverDelegation
Using these actions, you can see the following tabs in Access Enforcer:
1- Access Enforcer
- Requests For Approval
- Create Request
- Search Requests
- Requests On Hold
- Approver Delegation
- Copy Request
- Search Request Audit Trail
- Role Reaffirms
2- Informer Tab
- Services Level For Requests
- Conflicts And Mitigations
- Request By Roles And Role Owners
- List Roles And Owners
- Requests By PD/Structural Profiles
3- Configuration Tab
- Monitoring
- System Log
- Application log
- Upgrade
The rest of the tabs in Configuration run along with the Modify action in AE 5.2.
2- Some new actions were added by the SAP GRC R&D team in Compliant User Provisioning 5.3 (Access Enforcer 5.3) for view-only access to the Initiators, Stages, Path, Connectors, Provisioning, HR Trigger, User Defaults, etc.
In AE 5.3, independent View and Modify actions are available for each tab, such as Initiators, Connectors, etc., but this type of provision is not available in AE 5.2.
Regards,
Jagat
Thanks for the response, Ankur.
I want to limit the user's access to view-only for all the configuration data. Assigning Modify* actions will let them edit the workflows, initiators, etc.
Rashmi-
Yes, you can.
Create an ID with the action ViewConfiguration, and you can control their actions within the tab by assigning any of these actions:
ModifyRequestConfiguration
ModifyMitigationConfiguration
ModifyRiskAnalysisConfiguration
ModifyServiceLevelConfiguration
ModifyCustomFieldsConfiguration
ModifyWorkflowConfiguration
ModifyProvisioningConfiguration
ModifyApproversConfiguration
ModifyReaffirmsConfiguration
ModifyChangeLogConfiguration
ModifySearchChangeLog
ModifyNumberRangeConfiguration
Configuration
ModifySupportConfiguration
ModifyConnectorsConfiguration
ModifyAuthenticationConfiguration
ModifyBackgroundJobsConfiguration
ModifyRolesConfiguration
ModifyAttributeConfiguration
ModifyHRTriggersConfiguration
ModifyUserDefaultsConfiguration
ModifyInitialSystemDataConfiguration
ModifyAttachmentFolder
ViewConfigSystemLogAction
ViewConfigApplicationLogAction
ModifyConfigLDAPMappingAction
Ankur
GRC Consultant