cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Standard Approvers on GRC 10.0

simon_persin4
Contributor

on ‎09-22-2011 10:33 AM

0 Kudos

Hi Guys,

I've got a quick queston for you all.

Do you know where I can define the Point of Contact and Security Agents in GRC 10?

I have assigned the user ID as a Point of Contact in the "Access Control Owners" area but I cannot find where to associate that user to a functional area or into the master data setup in the NWBC. I'm sure I'm missing a setup step here where the standard approvers are identified against the relevant data elements.

I have the workflow paths setup in the MSMP workflow config, but it cannot determine the recipients for the approval and therefore it goes nowhere!

If you can help, it will be greatly appreciated.

Cheers, Simon

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
‎11-21-2012 2:18 PM
0 Kudos

Hi again,

I found SAP note Note 1670504 - AC 10.0 Risk Owner Wokrflow Agent - Class Based Rule that allows you to create the Risk Owner agent in the Access Request workflow.

Hope this helps you (a little bit late I guess)

Thanks!!

Show replies
Show replies
Former Member
‎12-14-2011 10:55 AM
0 Kudos

Hey Simon,

Did you ever find the answer to this? I am trying to do the same thing with Risk Owner. I've set up the Risk Owners in Access Control Owner, linked it to a risk. But cannot see how this can be connected in MSMP. Can't see an GRC API Rule for Risk Owner... ~Triera

Show replies
Show replies
Former Member
‎12-14-2011 11:36 AM
0 Kudos

Hi ,

Following Function modules are available in 10.0 . You can define point of contact and Security lead in Access Control Owners application and then use them in msmp using following FM :

GRAC_MSMP_POINT_CONTACT_AGENT , GRAC_MSMP_SECURITY_LEAD_AGENT

Former Member
‎12-14-2011 11:46 AM
0 Kudos

Hi Aman,

Any idea about Risk Owner? This, I cannot see in MSMP...~Triera

Former Member
‎12-14-2011 11:48 AM
0 Kudos

currently it is not available . but you can create custom function module based agent

Former Member
‎12-14-2011 12:56 PM
0 Kudos

Thanks Aman,

I've started creating an FM Agent Rule, but it looks to be defined very different than a standard BRF+ Rule. Not sure if I even need to create a Decision Table. Any chance you have details on how to create a FM Agent Rule through BRF+? ~Triera

Edited by: Triera Holley on Dec 14, 2011 5:32 PM

UPDATE: After researching this further, it looks like a BRF+ Agent Rule will not address this issue because you cannot link the Risk ID; therefore you cannot link the Risk Owner to an Agent Rule. There does not seem to be an automated workaround to send an approval to the associated Risk Owner.

simon_persin4
Contributor
‎12-14-2011 5:55 PM
0 Kudos

Hi Triera,

That's not strictly true. It is possible to derive risk owner into the decision table but it does not allow you to have it as the result in this case. Creating FM rules is effectively ABAP coding. For BRF+ I would use the Flat Rules and then setup the details in the decision tables.

Having chewed this around with a few colleagues, we came to the conclusion that its actually a fairly stupid requirement in the end anyway. Picture the scene...

You have multiple roles in the request and then you submit it.

Each of these roles then generate risks based upon the access. There could be multiple risks for each role and some roles which could indeed generate risks which might have multiple owners. They could also create risks when assigned together but that is only visible after each role owner has approved. Effectively, this could have endless branches and sub branches and explode out the required approvals. Once those branches get split, the approver (risk owner will only be looking at their own risk) and then would not really be assessing the total request as such.

It works fine as a requirement if you'll only have 1 risk generated but any more than that and it gets proper messy.

I still think there is value in being able to use agents across different Process IDs and so it's not completely dead but I'm not going to advocate Risk Owner directly in this manner for the access request process. The closest I would get is to effectively generate the CAD on the new technology (directly mapped users) and manage it from there.

Cheers,

Simon

Former Member
‎12-15-2011 1:20 PM
0 Kudos

Hi Simon,

Thank you...I would agree with you that the requirement can lead to havoc and certainly slow the approval process. But I suppose it depends on how many different risk owners an organisation would have across their Business Processes. I wouldn't expect there to be a lot of risks across multiple business processes for a user. I'll look into using one of the other AC Owners, such as a Point of Contact, or I might propose we have a Direct Map agent with a decision table based on Business Process. Appreciate your insight and I hope you are doing well! ~Triera

Former Member
‎11-21-2012 11:52 AM
0 Kudos

Hi!!

I was reading all related post I found to Point of Contact configuration on GRC AC 10 and I haven´t got a clear idea how this should works.

SAP documentation says "Point of Contact is an approver for a specific Functional Area. Functional Area is an attribute used to categorize users and roles."

In which way can be mapped a point of contact with a functional area?

Hope that BRF+ Flat rule doesn´t be the only way...

Thanks a lot in advance. Great job supporting us guys!!

Ask a Question