Skip to Content
avatar image
Former Member

GRC 10 Workflow to allow triggering multiple access role provisioning in parallel

We have GRC 10.0 running, and it currently has three stages for provisioning access requests:

1. Risk Analysis

2. Manager Approval

3. Role Owner Approval

The problem with the Stage #3 is that it could take several days before a user can have access to SAP before ALL role owners to complete their approval/rejection.  The approval notification is sent to all role owners simultaneously, but some approvers are quicker to complete their approval request than others.  By default, the actual provisioning won't take place until the final approval Stage #3 completes -- meaning all Role Owners have to approve or reject in order for the Stage #3 to complete and the provisioning workflow kicks in.

Is it possible to setup GRC 10 to provision approved access roles as soon as each relevant Role Owner approves at the Stage #3 above? 

Basically, the auto-provisioning process would have to be triggered in parallel at the Stage #3 so that those approved access roles can be provisioned as soon as each Role owner approves.  This means the auto-provisioning would have to be triggered before the Stage #3 completes as a whole. 

This would allow the user can start using the approved access as soon as one of the Role Owners approves.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

6 Answers

  • Oct 14, 2013 at 01:12 AM

    Hi Jae An

    What setting do you have in IMG for Governance, Risk and Compliance > Access Control > User Provisioning > Maintain Provisioning Settings

    There is an option to provision at End of Each Path. What I'm unsure of it the Role Approval is treated as a single path or it's split

    Have you also configured reminder/escalation notifications to improve this? As much as you are trying to minimise impact to users, some culture training on the role owners is also needed so they don't let the items sit in their inboxes without action.

    Regards

    Colleen

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 24, 2013 at 02:00 PM

    You can set the Provisioning setting to provision "At the end of each path", given the request has been split to go down multiple parallel paths.

    However, If all the line items are going down the same single path, you still have your same issue.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 05, 2013 at 06:39 PM

    I have the same problem.....

    I only can think of to create different routes for each approver or atribute

    Add comment
    10|10000 characters needed characters exceeded

  • Dec 05, 2013 at 07:41 PM

    Hello Jae,

    you can have Escalation enabled.

    Regards,

    Prasant..

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Mar 29, 2015 at 02:00 AM

    Hello Jae An,

    I have configured the notification of approval for all owners of function simultaneously ships, but it presents a drawback is that the owners mitigate risks that do not belong to them, I can guide how you handle the mitigation on each owner? . Thank You.

    Regards,

    Freddy

    Add comment
    10|10000 characters needed characters exceeded

  • Feb 09, 2016 at 01:00 PM

    Hi Jae An,

    Did you find the resolution to your issue? Since, the system is behaving as designed by SAP.

    Let me know if you find the solution for the same.

    Regards,

    Vandana

    Add comment
    10|10000 characters needed characters exceeded

    • Vandana Maini Prasant Kumar Paichha

      Hi prashant,

      Can you please provide some more details on the same. I have got the logic what you are saying, but I am not able to figure out how we should configure this in the system
      .

      Regards,

      Vandana