Currently Being Moderated

Hi,

 

In  GRC10 – ARM  Access Request approver have the choice to do Risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile”.  But In 5.3, Approver didn't have choice to decide while using from CUP.

 

When approver open access request in AC10 under Risk Violation tab Permission Level is always selected .Selection is fine as this is configured this way (Parameter in SPRO 1023 -Default Report Type for Risk Analysis).  But the approver also has an option to deselect "Permission Level".

 

If you want to ensure that approver always keep "Permission Level" as an option, in other words option should be grayed out with permanent tick mark. This is to make sure that CUP enforce "Permission Level" check, otherwise if approver deselect then they can always skip the risk analysis by clicking different report types. Also possibility at times all the approver doesn't understand the meaning of each option.  Both accidental / intentional ways skipping Risk Analysis is possible.

 

As you can see Permission level is always selected but editable. Approver can deselect and submit the request with no violation. This way unmitigated risks can be submitted.


1.png


We have achieved this by deploying SAP NOTE 1796838 - UAM Risk analysis at permission level set to non editable and following below steps.

 

 

1. Go to transaction se80.

Select Package as ‘GRAC_ACCESS_REQUEST’.

Click on Web Dynpro -> Web Dynpro Application

 

2.png


2  .Drill down to application ‘GRAC_OIF_REQUEST_APPROVAL’. Right click on it and click Test.


3.png


3. Now, the following screen will appear.


4.png

 

Go to the URL of the above screen and add the following string to it.


Go to Transaction  SE16 and Enter table name as GRACREQ, enter any request number in REQ_ID field.

Click execute button and copy the value of field REQ_ID

 

Below is String to add in URL-

 

&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/<REQ_ID  checked from above step>

 

Below is example for string to add in above screen dump URL..

&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/984BE163CDB81EE2B79233F7361518D9

 

5.png

Observe that the dump will now get removed and an access request will be opened.


4. Go to the Risk Violation Tab and right click on the Type check boxes and choose ‘Settings for Current Configuration’

 

6.png


5. Now, the following pop up window will appear.


7.png

 

In this, you can go to each of the type of result options and click on ‘read only access’ check box.

 

8.png


6 For example, If you click on Permission Level and set Read-Only Access as ‘Yes’, permission level will appear as non editable on approval screens for all requests.


9.png


Click on ‘Save and Close’.

Please see that the Permission level check box is now disabled.

 

10.png

 

Hope this will help you if you meet such a kind of requirement. and prevent from submit unmitigated Risk.

 

Regards

Dilip Jaiswal.

GRC - IDM Consultant.

Comments

Actions

Filter Blog

By author:
By date:
By tag: