on 05-10-2018 12:57 AM
Hi,
We have a requirement to change the "user group" in the "User System Details" tab in a GRC access request before approving the "lock account" request. Basically, this is to move the terminated user to a different group. Similarly, for a new user account, the approver should add the new user group for the user based on the user location or some other criteria.
In the approval screen we can see the System entry in the "User System Details" tab but cannot modify the "User group". Please let me know how the approver can modify the "user group" in the access request before approving the request.
Please also find the attached screenshots (user-group.png, user-logon-data.png).
Thanks,
Sri.
Hi Sri,
SPRO>GRC>Access Control>User Provisioning>Define Request Type - and check which actions are assigned to the "Lock Account" request type. For your scenario, you will need "Change User" action assigned to this request type in addition to "Lock user".
If that isn't the solution, check the configuration of "Maintain End User Personalization" for the EUP template that you are using in MSMP workflow (defined in MSMP Stage Task Settings). There is an entry for User Group that should be set to "Editable".
If these don't resolve it, check your MSMP configuration for the Approval Stages and "Change Request Details" should be enabled for the Lock Account path.
Let us know if these don't resolve the issue and we can continue to brainstorm.
-Ken
Resurrecting this thread...
We are able to maintain/change User Group with no issues before submitting a GRC request.
However, is there a way to limit who can do this? If we have this enabled, will everyone be able to do this (if they have access to raise that request type)? Or can we limit the "User System Details" tab to display somehow, for certain users only? I had a look at auth object GRAC_REQ but it appears this is not possible?
Thanks
Shaun
Hi Sri,
In addition to what Ken mentioned, you can change the action to "Change & Lock User" (instead of maintaining two actions separately).
Just curious to know why you have the approver stage for lock account? You can add the user group (INACTIVE or LOCK etc.) to the lock request type before submitting the access request.
Thanks
Ramesh
Ramesh,
The approver team needs to perform some other manual activities (non-SAP) before locking the account.
You mean set up the default User group based on the request type? Is that through BRF+ or through User Defaults configuration? Also, when a user selects a particular request type, can we configure it so that it automatically adds a particular system for those request types?
Thanks,
Sri.