Skip to Content

Approver cannot modify/Edit User group in "User System Details" Tab while approving access request

Hi,

we have a requirement to change the "user group" in "User System Details" tab in GRC access request before approving the "lock account" request. Basically this is to move the terminated user to a diff group. Similarly for a new user account the approver should add the new user group for the user based on the user location or some other criteria.

In the approval screen we can see the System entry in "User System Details" tab but cannot modify the "User group". please let me know how approver can modify the "user group" in Access request before approving the request.

Please also find the attached screen shots.user-group.pnguser-logon-data.png

Thanks,

Sri.

user-group.png (15.7 kB)
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    May 10 at 01:46 PM

    Hi Sri,

    SPRO>GRC>Access Control>User Provisioning>Define Request Type - and check which actions are assigned to the "Lock Account" request type. For your scenario, you will need "Change User" action assigned to this request type in addition to "Lock user".

    If that isn't the solution, check the configuration of "Maintain End User Personalization" for the EUP template that you are using in MSMP workflow (defined in MSMP Stage Task Settings). There is an entry for User Group that should be set to "Editable".

    If these don't resolve it, check your MSMP configuration for the Approval Stages and "Change Request Details" should be enabled for the Lock Account path.

    Let us know if these don't resolve the issue and we can continue to brainstorm.

    -Ken

    Add comment
    10|10000 characters needed characters exceeded

    • Thanks a lot Ken,

      I did set up all the configurations you mentioned above. Now i am able to Enter/select the user group in "User Details tab" in the approval screen and user group successfully updates in the user master record (SU01).

      Thanks,

      Sri.

  • May 10 at 03:12 PM

    Hi Sri,

    In addition to what Ken mentioned, you can change the action to "Change & Lock User"(Instead of maintain to actions separately).

    Just curious to know why you have the approver stage for lock account?You can add the usergroup(INACTIVE or LOCK etc) to the lock request type before submitting the access request.

    Thanks

    Ramesh

    Add comment
    10|10000 characters needed characters exceeded

    • Ramesh,

      approver team need to perform some other manual activities(non-SAP) before locking account.

      you mean setup the Default User group based on the request type? is that through BRF+? or through User Defaults configuration? Also, when user selects a particular req type can we configure so that it automatically adds a particular system for those request types.

      Thanks,

      Sri.