Skip to Content

GRC AC 10.1 Role Removal should expire the role

Hello Experts,

In our current scenario, if the user requests for Role Removal, the role should not be removed from the user record in SU01. Instead, it should become expired, e.g. the validity date of the role should be changed to yesterday (effective date of provisioning minus 1).

Is it possible to achieve that without writing any code, e.g. using MSMP and/or BRF+? Would you please have some insights on how?

Thanks and best regards,
Gustavo

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Jan 26, 2017 at 12:47 PM

    Hello Gustavo,

    why don't you change the provisioning type from "Delete" to "Change/Retain"? In that case you can terminate roles based on the "Valid to" date. There is also the option to define the provisioning type as default when selecting roles from "Existing Assignments".

    Hope that helps.

    Regards, Alessandro

    Add comment
    10|10000 characters needed characters exceeded

    • Hello Alessandro, thanks for your reply. Indeed that is the alternative way that we will use for the time being till we get an ABAPer. The downside however is that it is not explicit to the users and to the approvers, though a short training should address it. Best regards.

  • Jan 27, 2017 at 04:24 AM

    Yes, Possible.. you would need an abaper for the same.

    you can always write explicit function,good thing is it will not have side effect on SP update also.

    Regards,

    Prasant

    Add comment
    10|10000 characters needed characters exceeded