on 01-23-2009 10:31 PM
Hello,
Has anyone attempted to process a Change Request in AE 5.2 where you attempt to remove the current roles of the user (e.g. no longer in that job function) and add the new roles associated with the new job function? Some of the roles related to the new job function are the same as those associated with the old job function.
Does AE get confused when attempting to delete and then add back the same roles?
Should something like this be performed in a two-step request: 1) remove all the old access; 2) add the new access?
Thanks for your replies.
Jerry Synoga
Ryserson.Inc.
Hi Jerry,
I have not attempted to do this, but I am sure AE will get confused.
I will recommend you go with a 2-step approach where you remove the old access first and add the new roles.
Regards,
Alpesh
SAP GRC Manager (PwC)
Experts,
I am having the same issue. I am not able to add the roles I deleted.
The situation is like this: after the user submits the request, it comes to the first approver, and they deleted a couple of roles; it then went to the second approver, and they want to add the roles which were already deleted by the first approver, and they are not able to add the roles back. I need a suggestion on how to come out of this situation.
Hi Hyd,
I hope you are following the std. workflow process for AE. (Requestor -> Manager/Main Approver(s) -> Role Owner -> Security).
If yes, then I would like to bring to your notice that ROLE OWNERS should not have rights to add new roles. These alterations should be done at Stage 2, Manager/Main Approver(s) (it's his discretion to decide whether the requestor should have more roles or fewer than requested), itself. Else your process will not comply with the standard SOX compliance policies, thus leading to SoD violations in the provisioning process itself.
I hope I am able to answer your concern.
--
Cheers!
Aman
Hello,
I left this as unanswered to see what type of responses may come in.
After my initial posting, I have decided on the two step approach -
1) delete all roles from the user; process this request
2) define a new request providing the user with the roles necessary
This eliminated the confusion that AE may have in trying to remove and add the same role in the same request
My situation is different in that this issue is at the initial approver stage and not down the road a bit
After thinking this one through, I believe AE is working as expected in the fact that it appears to clean up existing entries and redefines them if in an update request for the user. My situation is one where the same role may be defined for multiple "job positions", and that is where I run into a conflict.
The two-step approach works fine even though it requires two requests for the same user; since the SAP Security group enters our requests and not the end user (we receive their email request), this was easy enough to follow.
I agree that the other posting that deals with multiple approver stages should conform to who can add / remove roles while the other stages should either approve or reject the stage
Jerry Synoga
Aman, we are following the stages as you mentioned; however, the role owner has access to add/remove roles as role manager. So in my case, the role owner deleted the roles and the role manager is trying to add them back, or even if it is sent back to the role owner level, he is not able to add back the roles which he deleted.
The other option is to submit another request, but we do not want users to submit another request.
Hello,
I am closing this message as it has been answered based on my initial report.
I have changed our practices in that whenever there is a request that is changing the access of an individual, we will remove all the access in one request and follow that with a second request to add the necessary authorizations.
This approach works well for us since we, the security group, enter the AE request after receiving the formal request through email from the users. We have not opened up AE to the users to enter their requests and are still deciding if that will be something in the future.
Jerry