Feb 27, 2010 at 04:17 AM

Role Mapping For Portal Role Assignment and ABAP Role Assignment

Summary:

- Under the GRC configuration of Roles > Role Mapping, we are trying to utilize the role mapping feature in GRC for associating a dependent role to a main role.

- We want to use this role mapping feature for the purposes of adding an Enterprise Portal role for every ABAP role that gets approved for the user in an ABAP component system (i.e. ECC, BW, CRM etc). We will have a 1:1 mapping of Enterprise Portal role to ABAP role defined in the role mapping section in GRC.

- We want to set up the workflow in such a way that the main role (ABAP role) is the only role that needs to be approved. The dependent role (Enterprise Portal role) should be added or not added based on the approval or denial of the main role (ABAP role). In other words, if the role owner for the ABAP role approves the ABAP role, then both the ABAP and EP role will be provisioned by GRC, and if the role owner rejects/denies the role, then neither the ABAP nor the EP role will be provisioned by GRC.

Problem Description:

Scenarios we tested:

Scenario 1:

Main Role: Attached to Initiator A & workflow A (routes to single approver based on role)

Dependent Role: Attached to Initiator B & workflow B (routes to auto approval or no approval)

*Problem with the Scenario 1 setup above: the dependent role will always get approved and provisioned regardless of the approval or denial of the main role.

Scenario 2:

Main Role: Attached to Initiator A & workflow A (routes to single approver based on role)

Dependent Role: Attached to Initiator A & workflow A (routes to single approver (same as main approver) based on role)

*Problem with the Scenario 2 setup above: the dependent role will always also need to get approved by the same approver as the main role, and it opens the possibility that the approver may accidentally approve the main role and deny the dependent role, which is not the ideal setup as we inherit the risk of human error.

Questions:

1. Does the dependent role need to be defined in an initiator at all, since it will never be requested directly?

2. If the dependent role does need to be in the initiator file, please describe how to properly set up the initiator and workflow stage & path so that we can maintain the desired relationship with the main role approval dependency. (If the role owner for the main role approves the main role, then both the main role and dependent role will be provisioned by GRC, and if the role owner rejects/denies the main role, then neither the main role nor the dependent role will be provisioned by GRC.)

Edited by: Rene Griffith on Feb 26, 2010 10:22 PM