cancel
Showing results for 
Search instead for 
Did you mean: 

Business Roles Provisioning - Issue

former_member187795
Participant
0 Kudos

Hi All,

We are following business role approach for GRC provisioning.

Business Role -> Combination of Position role (X) + Org.control role (Y)

Business Role1 -> Combination of Position role (X) + Org.control role (Z)

Business Role3 -> Combination of Position role (X) + Org.control role (A)

Assume that user requested for above 3 roles through GRC.

Since Position role (X) is common in all business roles, will GRC add it only once?

This is required for us because, position role is composite role in our scenario,if it gets assigned with every business roles assignment then max no of profiles 312 will be reached because of duplicate entries.

Is there a way in resolving my issue?

Please suggest

Regards,

Sai.

Accepted Solutions (1)

Accepted Solutions (1)

mamoonr
Active Participant
0 Kudos

Hi Sai,

Yes Role X will be added every time business role is added.Two optiion you can follow:

1) Use background jobs with program PRGN_COMPRESS_TIMES to remove duplicate roles.

2) Create a base business role including role X and Org.control role in other business role.

Thanks,

Mamoon

former_member187795
Participant
0 Kudos

Hi Mamoon,

Thanks for the details. I am aware of option 1, can you explain bit more about option 2?

Actually I am not clear from your explanation.

Base business role -> My Position Role X

Now

Business Role -> Base business Role + Org.control 1

Business Role1 -> Base business Role + Org.control 2

Business Role 2-> Base business Role + Org.control 3

This will be the same as above right?

May be I didn't understand it in correct way. Please help me with this.

Thanks in advance.

Regards,

Sai.

mamoonr
Active Participant
0 Kudos

Hi Sai,

I meant to say,Include role X in one business role(B1). Create another business role(B2, B3,B4..) with single  role Y Z.. etc.Assign position B2,B3.. to user in addition to B1.

In this way user will have two position B1 and B2,B3 etc depending on requirement.

Thanks,

Mamoon

Former Member
0 Kudos

The Issue you are worrying about is resolved in SP13. You will have multiple entries for the single roles assigned to the user in the SU01 record. If the validity dates are the same, then I recall seeing the entry only once, but somehow the GRC system knows not to remove all the entries by mistake when you remove one of the business roles containing the shared single role.

former_member187795
Participant
0 Kudos

Hi Mamoon and Harinam,

Below is my observation about business roles provisioning.

User request 2 business roles as shown below. Both business roles in same request or both business roles with same validity.

Business Role -> Combination of Position role (X) + Org.control role (Y)

Business Role1 -> Combination of Position role (X) + Org.control role (Z)

In this scenario user in backend gets roles X, Y, Z

When the same user request for removal of business role 1 then user in backend has roles X,Y

User who already have business role has requested for business role 1 with different validity. Now user in backend will have roles X+X+Y+Z

I have run PRGN_COMPRESS_TIMES, so user roles in backend are now X,Y,Z

I have run sync jobs and they are completed.

Now again the same user requested for removal of business role 1. Once this is done user has roles X,Y.

This is how business roles assignment or removal are working.

1981001 - Recommendations : Using business role provisiong in access request

As per this note running PRGN_COMPRESS_TIMES shudn't be run for business roles as GRC business role assignment and backend assignments will not be same

Looking forward to hear your thoughts on this.

Regards,

Sai.

Answers (0)