on 09-22-2011 10:33 AM
Hi Guys,
I've got a quick question for you all.
Do you know where I can define the Point of Contact and Security Agents in GRC 10?
I have assigned the user ID as a Point of Contact in the "Access Control Owners" area but I cannot find where to associate that user to a functional area or into the master data setup in the NWBC. I'm sure I'm missing a setup step here where the standard approvers are identified against the relevant data elements.
I have the workflow paths set up in the MSMP workflow config, but it cannot determine the recipients for the approval and therefore it goes nowhere!
If you can help, it will be greatly appreciated.
Cheers, Simon
Hi again,
I found SAP Note 1670504 - AC 10.0 Risk Owner Workflow Agent - Class Based Rule, which allows you to create the Risk Owner agent in the Access Request workflow.
Hope this helps you (a little bit late I guess)
Thanks!!
Hey Simon,
Did you ever find the answer to this? I am trying to do the same thing with Risk Owner. I've set up the Risk Owners in Access Control Owner and linked it to a risk, but cannot see how this can be connected in MSMP. Can't see a GRC API Rule for Risk Owner... ~Triera
Thanks Aman,
I've started creating an FM Agent Rule, but it looks to be defined very differently than a standard BRF+ Rule. Not sure if I even need to create a Decision Table. Any chance you have details on how to create an FM Agent Rule through BRF+? ~Triera
Edited by: Triera Holley on Dec 14, 2011 5:32 PM
UPDATE: After researching this further, it looks like a BRF+ Agent Rule will not address this issue because you cannot link the Risk ID; therefore you cannot link the Risk Owner to an Agent Rule. There does not seem to be an automated workaround to send an approval to the associated Risk Owner.
Hi Triera,
That's not strictly true. It is possible to derive risk owner into the decision table but it does not allow you to have it as the result in this case. Creating FM rules is effectively ABAP coding. For BRF+ I would use the Flat Rules and then set up the details in the decision tables.
Having chewed this around with a few colleagues, we came to the conclusion that it's actually a fairly stupid requirement in the end anyway. Picture the scene...
You have multiple roles in the request and then you submit it.
Each of these roles then generates risks based upon the access. There could be multiple risks for each role and some roles which could indeed generate risks which might have multiple owners. They could also create risks when assigned together but that is only visible after each role owner has approved. Effectively, this could have endless branches and sub-branches and explode out the required approvals. Once those branches get split, the approver (risk owner) will only be looking at their own risk and then would not really be assessing the total request as such.
It works fine as a requirement if you'll only have 1 risk generated but any more than that and it gets proper messy.
I still think there is value in being able to use agents across different Process IDs and so it's not completely dead but I'm not going to advocate Risk Owner directly in this manner for the access request process. The closest I would get is to effectively generate the CAD on the new technology (directly mapped users) and manage it from there.
Cheers,
Simon
Hi Simon,
Thank you...I would agree with you that the requirement can lead to havoc and certainly slow the approval process. But I suppose it depends on how many different risk owners an organisation would have across their Business Processes. I wouldn't expect there to be a lot of risks across multiple business processes for a user. I'll look into using one of the other AC Owners, such as a Point of Contact, or I might propose we have a Direct Map agent with a decision table based on Business Process. Appreciate your insight and I hope you are doing well! ~Triera
Hi!!
I have been reading all the related posts I could find on Point of Contact configuration in GRC AC 10 and I still haven't got a clear idea of how this should work.
SAP documentation says "Point of Contact is an approver for a specific Functional Area. Functional Area is an attribute used to categorize users and roles."
In what way can a Point of Contact be mapped to a Functional Area?
I hope the BRF+ Flat Rule isn't the only way... Thanks a lot in advance. Great job supporting us, guys!!