cancel
Showing results for 
Search instead for 
Did you mean: 

AE 5.2 Change Process - Remove and Add roles that are the same name

Former Member
0 Kudos

Hello,

has anyone attempted to process a Change Request in AE 5.2 where you attempt to remove the current roles of the user (e.g. no longer in that job function) and add the new roles associated with the new job function; some of the roles related to the new job function are the same associated with the old job function

Does AE get confused when attempting to delete and then add back the same roles?

Should something like this be performed in a two-step request: 1) remove alll the old access; 2) add the new access?

thanks for your replies

Jerry Synoga

Ryserson.Inc.

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi Jerry,

I have not attempted to do this, but I am sure AE will get confused.

I will recommend you to go with 2 step approach where your remove the old access first and add the new roles.

Regards,

Alpesh

SAP GRC Manager (PwC)

Former Member
0 Kudos

Experts,

I am having the same issue. I am not able add the roles I deleted.

Situation is like this: After user submit the request it come to first approver and they deleted couple roles and it went to second approver and they want to add the roles which already deleted by first approver and they not able to add the roles back. Need suggestion how to comeout of this situation.

Former Member
0 Kudos

Hi Hyd,

I hope you are following the std. workflow process for AE. (Requestor -> Manager/Main Approver(s) -> Role Owner -> Security).

If yes, then I would like to bring this to your notice that ROLE OWNERS should not have rights to add new roles. These aterations should be done at the Stage 2 Manager/Main Approver(s) (it's his discreation to make out whether the requestor should have more roles or less than requested) itself. Else your process will not comply to the standard SOX Compliance policies. Thus, leading to SoD Violations in the Provisioning process itself.

I hope I am able to answer your concern.

--

Cheers!

Aman

Former Member
0 Kudos

Hello,

I left this as unansewred to see what type of responses may come in

After my initial posting, I have decided on the two step approach -

1) delete all roles from the user; process this request

2) define a new request providing the user with the roles necessary

This eliminated the confusion that AE may have in trying to remove and add the same role in the same request

My situation is different in that this issue is at the initial approver stage and not down the road a bit

After thinking this one through, I beleive AE is working as expected in the fact that it appears to clean up existing entries and redefines them if in an update request for the user. My situation consist where the same role may be defined for multiple "job positions" and that is where I run into a conflict

The two step approach works fine even though it requires two request for the same user; since the SAP Security group enters our requests and not the end user (we receive their email request) this was easy enough to follow

I agree that the other posting that deals with multiple approver stages should conform to who can add / remove roles while the other stages should either approve or reject the stage

Jerry Synoga

Former Member
0 Kudos

Aman we are following the stages as you mentioned however role owner has access to add remove role as role manager. So In my case

Role owner deleted the roles and role manager is trying to add it back or if even send this back to role owner level he is not able add the roles back which he deleted.

The other option to submit the another request that we do not want users to submit another request.

Former Member
0 Kudos

Hello,

I am cl;osing this message as it has been answered based on my initial report.

I have changed our practices in that whenever there is a request that is changing the access of an individual, we will remove all the access in one request and follow that with a second request to add the necessary authorizations.

this approach works well for us since we the security group enter the AE request after receiving the formal request through email from the users. We have not opened up AE to the users to enter their request and are still decising if that will be something in the future.

Jerry

Answers (0)