cancel
Showing results for 
Search instead for 
Did you mean: 

Grouping of business roles approvals

Former Member
0 Kudos

Hello Gurus

We need your help concerning on of our running project on IDM implementation (version 7.2 SP9) with GRC10 framework version 2.

Does anyone already implement a grouping of assignment requests for several business roles before sending it to GRC?

The limitation of the standard framework is to manage several requests in GRC AC in parallel >> analysis is done only for already assigned roles in the backend + roles in the current request but not with other parallel requests.

A lot of specific processes have already been developed around assignment requests for this project, both concerning privileges and business roles, to satisfy the client's request.

Among them are heavy adjustments to the GRC10 framework in order to support business roles requests approval after GRC check.

It means that we cannot go with the solution of creating a "Request" entry type to manage this grouping at this point of the project, it needs to be done with the standard entry types.

Be sure that we have been trying to discourage the client from this request. Our investigation leads (with a priority to keep the rest of the workflow intact) to a modification in the code of the dispatcher, in order to group roles requests the same way as privileges. Very risky!

Can you confirm our analysis of the issue, that modification to the internal processes of IDM is the only way to do this without redoing the whole projects workflows?

Thanks for your time

Julien Garagnon

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
0 Kudos

Hello ,


As Tero mentioned since 7.20 SP10 and IdM 8.0 SP1  grouping the privileges from more than one Business role in one request to GRC is working.

For example, if you have 2 (or more) Business Roles with Business Roles and privileges as children and all these is requested in one assignment request through web UI or assignments are initiated from a single job all privileges will be sent in one request to GRC or in groups as it is defined in their repositories.

http://help.sap.com/saphelp_nwidmic_80/helpdata/en/32/bd66dad83c454fa0da2f59ba0d8500/content.htm?fra...


Sending Business Role itself for Risk analyse from IdM to GRC depends on the Business Role synchronization between IdM and GRC on which we are working at the moment and it is still not available.


Best Regards,

Penka

former_member2987
Active Contributor
0 Kudos

Hello Julien,

I believe this is not addressed until IDM 8.0.

Matt

terovirta
Active Contributor
0 Kudos

Based on what I heard in TechEd, grouping privileges for GRC-approval is available on 7.2 Sp10 but I got no certain answer to when it would be possible to approve Business Roles in GRC.

In perfect world it would be nice model/maintain the Business Roles in GRC, import them to IdM, for(non-GRC) approval workflows, provisioning, requesting etc.

regards, Tero

Former Member
0 Kudos

Hello Tero,

We are aware of the limitation on sending business roles to GRC, which we have been able to work around with some custom development  to extract the privilege list from the role.

What we need now is a way to group the business role requests, if possible in the same way as the privileges (with a GROUPING_GUID on the PVO) without losing all the developments on the approval workflow, which  doesn't seem possible without modification to the dispatcher code (very risky) or unstable hacks (grouping on request date, PVO MSKEY... Still risky in regards to audit)

Regards, Julien