on 04-22-2014 8:52 AM
Hi All,
We are following business role approach for GRC provisioning.
Business Role -> Combination of Position role (X) + Org.control role (Y)
Business Role1 -> Combination of Position role (X) + Org.control role (Z)
Business Role3 -> Combination of Position role (X) + Org.control role (A)
Assume that user requested for above 3 roles through GRC.
Since Position role (X) is common in all business roles, will GRC add it only once?
This is required for us because, position role is composite role in our scenario,if it gets assigned with every business roles assignment then max no of profiles 312 will be reached because of duplicate entries.
Is there a way in resolving my issue?
Please suggest
Regards,
Sai.
Hi Sai,
Yes Role X will be added every time business role is added.Two optiion you can follow:
1) Use background jobs with program PRGN_COMPRESS_TIMES to remove duplicate roles.
2) Create a base business role including role X and Org.control role in other business role.
Thanks,
Mamoon
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Mamoon,
Thanks for the details. I am aware of option 1, can you explain bit more about option 2?
Actually I am not clear from your explanation.
Base business role -> My Position Role X
Now
Business Role -> Base business Role + Org.control 1
Business Role1 -> Base business Role + Org.control 2
Business Role 2-> Base business Role + Org.control 3
This will be the same as above right?
May be I didn't understand it in correct way. Please help me with this.
Thanks in advance.
Regards,
Sai.
The Issue you are worrying about is resolved in SP13. You will have multiple entries for the single roles assigned to the user in the SU01 record. If the validity dates are the same, then I recall seeing the entry only once, but somehow the GRC system knows not to remove all the entries by mistake when you remove one of the business roles containing the shared single role.
Hi Mamoon and Harinam,
Below is my observation about business roles provisioning.
User request 2 business roles as shown below. Both business roles in same request or both business roles with same validity.
Business Role -> Combination of Position role (X) + Org.control role (Y)
Business Role1 -> Combination of Position role (X) + Org.control role (Z)
In this scenario user in backend gets roles X, Y, Z
When the same user request for removal of business role 1 then user in backend has roles X,Y
User who already have business role has requested for business role 1 with different validity. Now user in backend will have roles X+X+Y+Z
I have run PRGN_COMPRESS_TIMES, so user roles in backend are now X,Y,Z
I have run sync jobs and they are completed.
Now again the same user requested for removal of business role 1. Once this is done user has roles X,Y.
This is how business roles assignment or removal are working.
1981001 - Recommendations : Using business role provisiong in access request
As per this note running PRGN_COMPRESS_TIMES shudn't be run for business roles as GRC business role assignment and backend assignments will not be same
Looking forward to hear your thoughts on this.
Regards,
Sai.
User | Count |
---|---|
6 | |
5 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.