Skip to Content
avatar image
Former Member

Grouping of business roles approvals

Hello Gurus

We need your help concerning on of our running project on IDM implementation (version 7.2 SP9) with GRC10 framework version 2.

Does anyone already implement a grouping of assignment requests for several business roles before sending it to GRC?

The limitation of the standard framework is to manage several requests in GRC AC in parallel >> analysis is done only for already assigned roles in the backend + roles in the current request but not with other parallel requests.

A lot of specific processes have already been developed around assignment requests for this project, both concerning privileges and business roles, to satisfy the client's request.

Among them are heavy adjustments to the GRC10 framework in order to support business roles requests approval after GRC check.

It means that we cannot go with the solution of creating a "Request" entry type to manage this grouping at this point of the project, it needs to be done with the standard entry types.

Be sure that we have been trying to discourage the client from this request. Our investigation leads (with a priority to keep the rest of the workflow intact) to a modification in the code of the dispatcher, in order to group roles requests the same way as privileges. Very risky!

Can you confirm our analysis of the issue, that modification to the internal processes of IDM is the only way to do this without redoing the whole projects workflows?

Thanks for your time

Julien Garagnon

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Oct 29, 2015 at 02:16 PM

    Hello Julien,

    I believe this is not addressed until IDM 8.0.

    Matt

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Tero Virta

      Hello Tero,

      We are aware of the limitation on sending business roles to GRC, which we have been able to work around with some custom development  to extract the privilege list from the role.

      What we need now is a way to group the business role requests, if possible in the same way as the privileges (with a GROUPING_GUID on the PVO) without losing all the developments on the approval workflow, which  doesn't seem possible without modification to the dispatcher code (very risky) or unstable hacks (grouping on request date, PVO MSKEY... Still risky in regards to audit)

      Regards, Julien

  • avatar image
    Former Member
    Nov 03, 2015 at 01:47 PM

    Hello ,


    As Tero mentioned since 7.20 SP10 and IdM 8.0 SP1  grouping the privileges from more than one Business role in one request to GRC is working.

    For example, if you have 2 (or more) Business Roles with Business Roles and privileges as children and all these is requested in one assignment request through web UI or assignments are initiated from a single job all privileges will be sent in one request to GRC or in groups as it is defined in their repositories.

    http://help.sap.com/saphelp_nwidmic_80/helpdata/en/32/bd66dad83c454fa0da2f59ba0d8500/content.htm?frameset=/en/44/538b91a02e4da08aadac973acddcf6/frameset.htm&current_toc=/en/6e/f1cbae4ecd45668d7e038edaccc588/plain.htm&node_id=16


    Sending Business Role itself for Risk analyse from IdM to GRC depends on the Business Role synchronization between IdM and GRC on which we are working at the moment and it is still not available.


    Best Regards,

    Penka

    Add comment
    10|10000 characters needed characters exceeded