Approving a role removal

Hi,
I created a role and added an approver, I would like the same approver/approvers to be required to approve not only when the role is granted but also when the role is removed from a user, what is the easiest way to implement this?
Thanks in advance

Hi,
thanks for your reply, I thought about that too but the remove button is pressed before the save, so the admin removing the role can still cancel the action.
Any other idea? My idea is to create a subprocess called "approve removal" where I select the approvers and then call the native "approval" process (here though I still need to figure out the parameter values); once this is done I will add the subprocess to the "create user" and "update user" workflows (cloning and renaming them).
Thanks
Sergio

Similar Messages

  • GRC 10.0 - Auto Approve default roles

    Hello All,
    Could you please help me out with the scenarios below.
         1) We have maintained default roles in NBWC - Access Management - Default roles.
         Also set the parameter 2038 to Yes - Auto approve roles without approver.
    In MSMP we have maintained an Escape path if an approver is not found at the role level.
    As default roles have no approver maintained, the request is taking the Escape Path, which should not happen.
    We just want to auto approve the default roles, and for roles other than default roles the request should take the escape path if no approver is found.
         2) The other action is quite the same as the one above.
         When we are using provisioning type REMOVE for role removal, the request also takes the Escape path as default roles have no approver.
    Once the Manager at first stage is approved, request should close for the removal type access.
    Please advise. Thanks in advance.

    In your custom initiator, you need to have mapped out all the scenarios of which path each line item in your request goes to.
    The condition columns can be an array of attributes, i.e. Request Type, Role name, Role Connector (System the Role is in), Functional area etc.
    In your case, if you want "default roles" auto approved, the easiest thing to do is create an empty path (i.e. no stages) and have the initiator set so that if the "Role Name" is "X" (i.e. your default role), it goes to the path with no stages.
    BRF plus Flate Rule - GRC Integration - Governance, Risk and Compliance - SCN Wiki
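
A simplified model of the routing described in the reply above, as an added example that is not part of the original thread and is not SAP GRC or BRFplus code. It shows a first-match decision table that sends default roles to a path with no stages, sends every removal to a single manager stage, and falls back to an escape path only when a required approver is missing. The role names, the `Z_DEFAULT_*` pattern, the path names and the approver ids are assumptions.

```python
"""Toy model of an initiator decision table (illustrative, not product code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LineItem:
    """One line of an access request (field names are hypothetical)."""
    action: str                       # "ASSIGN" or "REMOVE"
    role_name: str
    connector: str                    # system the role lives in
    manager: Optional[str] = None     # requester's manager
    role_owner: Optional[str] = None  # approver maintained on the role


# Path name -> ordered approval stages. Each stage names the LineItem
# attribute that supplies the approver. An empty list means no stage at all,
# so the line item is approved without anyone being asked.
PATHS = {
    "AUTO_APPROVE": [],
    "REMOVAL": ["manager"],
    "STANDARD": ["manager", "role_owner"],
}

# Decision table, first match wins: (action, role pattern, connector, path).
# The removal rule comes first so that removing a default role still needs
# the manager stage instead of falling into the no-stage path.
RULES = [
    ("REMOVE", "*", "*", "REMOVAL"),
    ("ASSIGN", "Z_DEFAULT_*", "*", "AUTO_APPROVE"),
    ("ASSIGN", "*", "*", "STANDARD"),
]

ESCAPE_APPROVER = "security.admin"  # constructed id for the escape path


def select_path(item: LineItem) -> str:
    """Return the path for a line item, failing closed when no rule matches."""
    for action, role_pat, conn_pat, path in RULES:
        if (item.action == action
                and fnmatchcase(item.role_name, role_pat)
                and fnmatchcase(item.connector, conn_pat)):
            return path
    # An unmatched line item must never end up approved by accident.
    raise ValueError(f"no initiator rule matches {item!r}")


def route(item: LineItem) -> Tuple[str, List[str]]:
    """Resolve the path and its approvers; a missing approver escapes."""
    path = select_path(item)
    approvers: List[str] = []
    for stage in PATHS[path]:
        approver = getattr(item, stage)
        if not approver:
            # Only a stage that exists can fail to find an approver, so the
            # no-stage path for default roles can never take the escape path.
            return "ESCAPE", [ESCAPE_APPROVER]
        approvers.append(approver)
    return path, approvers


if __name__ == "__main__":
    # Constructed sample line items.
    samples = [
        LineItem("ASSIGN", "Z_DEFAULT_ESS", "ECC_PRD", manager="m.lee"),
        LineItem("REMOVE", "Z_DEFAULT_ESS", "ECC_PRD", manager="m.lee"),
        LineItem("ASSIGN", "Z_FI_AP_CLERK", "ECC_PRD", manager="m.lee"),
        LineItem("ASSIGN", "Z_FI_AP_CLERK", "ECC_PRD",
                 manager="m.lee", role_owner="o.kim"),
    ]
    for sample in samples:
        print(sample.action, sample.role_name, "->", route(sample))
```

Rule order carries the security property here: moving the default-role rule above the removal rule would let default-role removals close with no approval stage.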

  • Initiator for Role removal.

    Hi,
    I need some update/input w.r.t. the Role removal Initiator. While configuring the role removal, is it possible to use the role status in the initiator? If not, how to identify that this role is only for the role removal?
    Normally we put only one stage for Role removal. In the config, nowhere do we have an automatic check that the request is only for the Role removal. So we have to trust those particular stage owners. As per the CUP automation check, is it possible to validate this?
    Thanks in advance.
    Regards,
    Vasantha Kumar.

    Hi Justin
    I'm assuming you are involved in or victim of a security access review. I'm usually one of those security guys asking for role or transaction removal and you are the main contact in the business coordinating the changes.
    The process of remediation will possibly consist of checking which transactions are causing segregation of duties conflict, if they are used or not and removing one side of the conflict by removing an unused transaction.
    It shouldn't require the entire contents of a role to be removed - rather swapping role A for role B without a transaction or two.
    Removing transactions that aren't used can have more subtle implications which hopefully are found during UAT but are usually missed until used in anger. This is what support is for after go live.
    Saying all that and depending on your time and skills, you could ask for access to the security person's test user in dev or qas where they are working to run transaction SUIM on transaction for user following the proposed changes and compare that to the actual access of the real affected user in prod. If you can get access to the informer tab in virsa you can use the standard simulation reports to also check the resulting conflicts which will help you talk to the business and advise on actions available. There should be role owners involved in all this as they have to own the result: expect a request for these for CUP later on.
    If you can retain control and approval of the (controlled) changes being made to users you will have a better understanding of what is happening, catch potential errors and mediate between security and the business - you have an important task!
    Ask for some basic training in standard SAP reports - the security team should be more than grateful for your input
    Crikey that was hard typing on an iPhone!
    Cheers
    Edited by: David Berry on Jan 11, 2011 8:17 PM

  • GRC 10.0 Mass Role removal

    Hello all,
    we are using GRC AC 10.0 (SP14). Today I found out that the access removal for multiple users is not working. The role removal for one user is working fine. But for multiple users who all have the same role it is not possible to select this existing role. Is it a standard in GRC AC or did I miss some config parameters?
    The button "ADD" (yellow) is not working, and there is no button "Existing assignments". Please let me know whether these settings are standard or not.
    Many thanks,
    regards
    Sabrina

    Sabrina,
    Multi user requests have been quite problematic. I encourage you to search for corrections; we had to implement numerous corrections for multi-user requests. Right now, though, multi user requests for role removal using the "Existing Assignment" function are working for us (SP12 with a lot of corrections from  SP13 and SP14).
    I should mention that our Provisioning Log in the closure notification only lists the first user, but all three accounts in my test request just now had the role removed as requested. We have treated that as a training issue with our request submitters for the time being. We implemented Note 1727135 to correct that issue and it made matters worse, so we had to revert.
    Good luck!
    Gretchen

  • SCCM 2012 SP1 - SUP role removal or reinstall issue resolution

    Hello all,
    I just want to share a fix regarding SUP removal (re-install) issue.
    I think I found a bug  regarding SUP role removal/re-install.
    When I try to re-install secondary SUP on a site system, when I remove SUP via AdminUI – Administration – Site - Site Systems, it gets removed from the list but I get the following errors, which makes (re-)installation fail.
    Severity | Type | Site code | Date / Time | System | Component | Message ID | Description
    Information | Milestone | PS1 | 4/12/2013 10:28:09 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1021 | Site Component Manager detected that this component should be deinstalled from this site system. Site Component Manager will attempt to deinstall the component every 60 minutes. Site Component Manager will abort the deinstallation if it fails to succeed after 1440 minutes.
    Information | Audit | PS1 | 4/12/2013 10:27:58 PM | sms02ss401.icbcagent.net | Microsoft.ConfigurationManagement.exe | 30038 | User "ICBC\ll1v3" deleted the role of the Windows NT Server "\\SMS02SS401.ICBCAGENT.NET" as a Software update point in the site control file at site PS1.
    Error | Milestone | PS1 | 4/12/2013 10:15:45 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1020 | Site Component Manager failed to reinstall this component on this site system. Solution: Review the previous status messages to determine the exact reason for the failure. Site Component Manager will automatically retry the reinstallation in 60 minutes. To force Site Component Manager to immediately retry the reinstallation, stop and restart Site Component Manager using the Configuration Manager Service Manager.
    Error | Detail | PS1 | 4/12/2013 10:15:45 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 580 | Could not delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER" on computer SMS02SS401.ICBCAGENT.NET. The operating system reported error 997: Overlapped I/O operation is in progress.
    Information | Milestone | PS1 | 4/12/2013 10:15:40 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 1018 | Site Component Manager is reinstalling this component on this site system.
    Error | Detail | PS1 | 4/12/2013 9:14:39 PM | SMS02SS401.ICBCAGENT.NET | SMS_WSUS_CONTROL_MANAGER | 580 | Could not delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER" on computer SMS02SS401.ICBCAGENT.NET. The operating system reported error 997: Overlapped I/O operation is in progress.
    In fact, the registry is under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER
    When I trigger uninstall via AdminUI, it fails to remove, thus it thinks that it is already there when I try to re-install it.
    The fix was to manually remove the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_WSUS_CONTROL_MANAGER registry key then re-try.
    Thanks,
    Young-
    YPae

    Yes!!! this worked for me. I have SCCM set up with a number of untrusted forests with a firewall in between my SCCM servers and the untrusted forests. The firewall went down and half of my site servers in the untrusted forests were giving the "operating system reported error 997: Overlapped I/O operation is in progress" on a number of their components. Finally found this, deleted the reg keys under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads" and that allows SCCM to reinstall.

  • CUP Workflow - Approval on role level

    Hi Community,
    I have a question regarding the design/capabilities of CUP.
    Scenario:
    Stage 1 - based on Functional Area --> approval on request level
    Stage 2 - based on organisational area of role --> approval on role level
    ===========================================
    In stage 2, the person A receives the request with all the roles (let's say 10). Out of these 10 roles, there are 3 within his area. I understand that 7 are greyed out and therefore only approval for "his" 3 roles is required.
    Here come the questions:
    - If I set the stage to "mitigation enforced", a risk analysis needs to be performed. That Risk Analysis will deliver risks that derive from all 10 roles or only the 3?
    - Since approval needs to be given for the other 7 roles as well by person B, the request is forwarded to person B once the person A approves. What is the order that CUP applies here? Who gets the request first? I know that the request is not split and parallel processing does not take place since I do not use different initiators... so it must be some kind of order that is applied.
    Any help on this is greatly appreciated.
    Mo

    Mo,
    The risk analysis is always performed on the full CUP request. It does not care about who is the approver at that point.
    Also, role owner level approval always happens in parallel. You should try this and you will see it. There is no order. Both person A and person B can approve the request at the same time.
    Regards,
    Alpesh

  • Approval of role creation

    Hi All
    I need to create a WET for role creation. This is simple, but I need to incorporate approval of the creation of the new MX_ROLE entry. I can only find documentation/guides on how to implement approval of role and privilege assignment. Does anyone know if it is possible to set up approval on creation of a new entry?
    Kind regards,
    Heidi

    I have tried to implement the MX_INACTIVE solution. Now it is not possible to see the role on the "Adminstrate"-tab, and there is an approval task on the "To do"-tab. When I click this task, details on the role are displayed properly, but when I try to process the request by clicking the "Show request"-button (button name translated from Danish, it might be translated differently...) I get an error: "Access denied".
    I have set correct approver on the approval task, and I was able to process approval requests, before I set the role to inactive.
    On the approval task, I have checked the "Use inactive entries" checkbox.
    Does anyone have an idea what could be wrong?
    Kind regards,
    Heidi Kronvold

  • AE - Can we setup a system to only approve some roles and not for others ?

    I would like to setup a test system with no approval of roles access except for some of them ?  Will that be possible and how ?
    Any suggestion ?
    I would appreciate any feedback.
    Thanks.

    Hello Frank,
    Thanks for the information and nice suggestion. This in fact is a limitation. We can use this only in case our request has other roles, which have Role owners.
    Dear Patrick,
    Now you may use any of the options mentioned, depending on what kind of access requests come in at your organization, but it is better to use the one which Frank suggested as this would hold true in all the cases.
    Regards,
    Hersh.

  • How to remove 'Approver' from Role dropdown in Collaborator List?

    Hello Experts,
    How do you remove or add values to standard enumeration type fields?
    For e.g., if I wanted to add a value to 'STATUS_INDICATOR' in Project (could not find it in the standard value list types).
    Or if I want to remove 'Approver' from the Role dropdown of Collaborator list?
    Thanks & Regards,
    Subhasini

    There's a Value list called Project Status you can edit to customize your list of project statuses.
    The Collaborator Role Definitions can be edited by going to SETUP>General> Collaborator Role Definitions
    However, I would not remove the Approver role as this would hinder system functionality surrounding approval workflows.

  • Role removal workflow

    Hi experts,
    I'm trying to understand what's needed to remove user roles using workflow. My understanding was that I needed to use the same workflow for user provisioning and just treat the removal as a user change (SAP_GRAC_ACCESS_REQUEST) but when executing the workflow I get the word "ERROR" under "Stage Status" (even though nothing is showing up on SLG1 or ST22). Is there something that needs to be added to the workflow to allow the removal of roles? We are on GRC 10.1

    This is what I see on GRFNMW_DBGMONITOR_WD. The detour condition is coming with an Error but when I simulate the conditions for that request I get expected results. After the error message the request status goes to "Decision Pending" but it doesn't show any approver.

  • OIM 11.1.1.5 BP2 Roles removed from users automatically

    Hi All,
    We are using OIM 11.1.1.5 BP02 and facing issues with event handlers, role membership and access policy. We have a custom post create user handler and a custom user post update event handler. We are creating users through trusted reconciliation by using the EBS Employee Recon connector and provisioning users to AD & Exchange by using the 11.1.1.5 ICF connectors.
    The issue we are seeing is with the Roles of the users. The behavior we are seeing is that, on user creates through trusted recon, the users are getting roles correctly and then the resources are assigned correctly, but after some time, the roles are removed from the user. We do not have 'Revoke if no longer applies' on the access policy and thus the resources are appearing fine for the user, but we do not want roles to be removed from the user since the role membership rules criteria still hold good for the user.
    We are seeing this issue only with trusted reconciliation and not when we create users through the UI. Our custom event handlers have the same logic for both the execute methods, with the difference that the bulk execute method is working on the array of identities received from trusted recon while the normal execute method is working on just one identity through the UI.
    We are doing complex computation in the event handlers (& setting multiple fields of the user) and are forced to use the UserManager API to set the fields in the create user handler (following article: 1469286.1); this we believe is affecting the ordering of the custom event handler and the OOTB Role ChangeCalculator event handler.
    We have already checked the bugs (14075985 & 14221435) and wanted to confirm if we are hitting the same and/or how we can debug this more. We have already checked the UPA_USR table but that does not tell us why the role is revoked from the user.
    Anyone faced similar issue?
    Thanks,
    Bikash

    The patch we were given was 14226386, also called 11.1.1.5.2AK. The readme has the following overview:
    This patch addresses the concurrency issues encountered in 11g R1 PS1 as described below
    1. Unlike in OIM 11g R1 PS1, when a user's role membership changes policy evaluation doesn't kick off immediately. Instead the user is flagged for policy evaluation in the future. 'Evaluate User Policies' scheduled task then triggers policy evaluation for such users. The scheduled task ensures that there is only one policy evaluation for a user at any given time. So, duplicate accounts or entitlements wouldn't be provisioned to a user.
       With this fix, access policy based provisioning events will be triggered only when 'Evaluate User Policies' scheduled task runs. Hence, the frequency of this scheduled task needs to be tuned for the customer's deployment. The recommendation is to set it to 10 minutes.
       In addition to binary changes, this fix involves data model and metadata changes as described below.
    2. In a custom event handler, use Platform.getServiceForEventHandler() instead of Platform.getService() to get a handle to a Service available in OIM before making an API call. This ensures that the API completes in its entirety (including any post processing) when it returns. Also, this brings in predictability in the order of execution of OIM events on the same entity created from one another.
    3. When trusted source reconciliation brings in multiple events on the same user these events are processed by OIM sequentially.
    But since then BP03 and BP04 have been released, I would suggest you find out if BP04 has resolved this from support before applying anything.
    -Kevin

  • Incomplete Approval Work Item Removed from Agent Inbox

    Dear All WF Experts,
    I noticed this strange scenario:
    Let's say Agent A and Agent B are sent a work item.
    If Agent A has executed the work item in SBWP previously, the work item is removed from Agent B's inbox (and the status is changed to 'STARTED'). However, the work item is not processed yet.
    Is there any way to make the work item stay in the inbox until either agent has approved the work item?
    Thanks in advance.
    Regards,
    YL

    Thanks Arghadip for your response. Sorry for my blunt question.
    Actually, the Agent A and Agent B are the approvers for PR approval by position (Agent A and Agent B are the users in the mentioned position).
    Thus, when a PR is raised, both Agent A and Agent B received the same PR work item.
    If Agent A executes the work item but does not release the PR, the work item still remains in Agent A's inbox as there is no terminating event. So, based on the logic, in Agent B's inbox, the work item should still be there because the work item is not fully processed yet (no terminating event takes place).
    But, now, from what I saw, as long as any of the responsible agents executed (started) the work item, even if they do not release it, the work item is removed from all other agents' inboxes and only remains in the inbox of the agent who first executed the work item.
    I interpreted this as meaning that at least one agent has already viewed the work item and knows of the existence of the PR to be approved, thus the other agents do not need to bother about the PR anymore. But, is my interpretation correct? And is there any way to make the work item stay in the inbox of all approvers until there is one terminating event?
    Thank you so much.
    Regards,
    YL

  • OIM 11gR1 : Parallel approval for role assignment.

    Hi,
    I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
    When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
    Also, Is it possible to assign a Role instead of the users in the custom attributes ?
    Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
    Will appreciate pointers to the online docs, I've searched and didn't find information related to the use case I've described.
    Thanks,
    Meni,

    Bikash Bagaria wrote:
    Meni wrote:
    Hi,
    I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
    When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
    Try modifying the dataset. But I think there was an issue which someone reported here which said that you cannot add additional attributes to the role dataset. Logically it makes sense because there is no custom attribute for role in OIM so dataset should not allow it either.
    I've noticed that the design console allows adding custom attributes to roles.
    This can be done via Administration --> User Defined Field Definitions --> UGP (Table name).
    Once a field is added, you'll need to choose "Properties" and add a "Visible Field = true" prop to the attribute chosen.
    This will add a custom attributes section where your attributes will be shown.
    Question is how you can add a "search users" lookup instead of plain string for this custom attribute,
    and how those attributes will find their ways into the BPEL composite where business decisions based on those attributes may be taken (assign task per this attribute for an example).
    Also, Is it possible to assign a Role instead of the users in the custom attributes ?
    Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
    You can create request for multiple roles in a single request and in your approval process you need to dynamically set the human task assignee based on the role selected. You also need to attach the approval process to orchestration level so that it generates a separate child request for each role selected.
    I'm not sure I understand how the proposed approach helps avoid the decoupling of users to role admins attribute.
    The intention was to have two roles, "Role_A" and "Role_A_Approver" where people that belong to "Role_A_Approver" will be assigned workflow tasks whenever Role_A is to be granted to end-users.
    Currently, each role has a "Role Admin" attribute, this attribute however holds a user and not a container of users (role)..
    Will appreciate pointers to the online docs, I've searched and didn't find information related to the use case I've described.
    All about requests
    Thanks,
    Meni,
    -Bikash

  • GRC 10 BRM - Approve Single Role assignment in Business Roles

    Hello,
    I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
    The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
    Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
    Do you know any way to configure this?
    Thanks,
    Fernando

    Hi Claudio - thanks for breaking it down
    @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
    By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
    As mentioned - you are using two different workflow process ids
    Role Build - using BRM to approve the single roles being part of the business role
    Access Assignment - approving the user to receive the business role which includes the single roles
    Regards
    Colleen

  • Role Removal for users

    Hi Guys
    How do we remove the role Y.R3.IS-XX.xxxxxx from all test users (T-) and assign the role Y.R3.IS-XX.RPT_FI_XXXX to all test users (T-) in Q?
    Any input on this is highly appreciated
    Thanks
    SV

    Hi,
    I am just sending you a sample of how to delete role using SCAT. you can modify to delete User from Role.
    Use T-Code SCAT.
    You will be prompted with initial screen
    Test case      enter some name ex: Z_MASS_ROLE_DELETION
    Click on Create (Blank page icon)
    In the initial screen on left corner button TCD click on this for recording a transaction.
    Enter T-code in PFCG
    Click on -> arrow button to continue
    In the next screen you will be displayed with PFCG screen
    Enter the role Name which you want to delete
    Click on the Delete button (Bin icon)
    You will be prompted with message box with yes or no and cancel
    Click on Yes
    You will be prompted with information acknowledge it by click on continue
    Now the role is deleted.
    Click on Back button (F3)
    You will be prompted with the initial screen where you have to enter the T-code in the pop-up box (PFCG)
    Click on RED small button to stop of recording the transaction
    You will be prompted with next screen for Title.
    Enter the Title ex: Mass Role Deletion
    Click on SAVE button
    Save as local object (click local object button)
    Go Back by click F3 (Back arrow button on the menu)
    Pop up box with save option appears save
    Click on YES
    You are ready with recording of T-Code PFCG
    To create a variable click on the edit (Pencil icon)
    In the next screen you will be prompted with
    C Funct.      Object               Text
    TCD           PFCG                 Role Maintenance
    Double click on TCD column
    In the next screen you will have the following information
    Test case       Z_MASS_ROLE_DELETION           PFCG Role Maintenance
    Transaction     PFCG                           Role Maintenance
    Permitted msg.
    Processing Mode
    In the above screen click on the FIELD LIST button which is on the top left menu bar.
    In the next screen you will find the list of values; check for the variable part (i.e. the role name that we mentioned at the time of recording (TEST123 ROLE))
    Role                     AGR_NAME_NEU                  030 TEST123
    Replace TEST123 with & (this is done for the variable to be replaced in future with new values)
    Go back (F3) twice into initial screen and save
    In the initial screen SCAT first screen
    Go to the menu
    GOTO -> Variant -> Export
    Export will create a Text file (Z_MASS_ROLE_DELETION.TXT) save it on your desktop for easy editing
    Open with EXCEL above text file (Z_MASS_ROLE_DELETION.TXT)
    You will find below values
    [Variant ID]     [Variant Text]     &AGR_NAME_NEU
    -->     Parameter texts     Parameter contents
    -->     Default Values     TEST123
    Changes to the default values displayed above not effective          
    Place the list of roles which you have decided to delete under the column TEST123
    Just Save file for any message just click on yes button.
    Come back to SCAT initial screen click on execute (F8) clock icon on the right corner of menu tab.
    In the next screen you will have option to choose
    Log Type     Processing Mode   Variants
    Long            Errors              External From file Choose     
    Choose the file (Z_MASS_ROLE_DELETION.TXT) which was edited with new values
    Then Execute all the roles which are in file will be deleted.
    I hope this helps
    Try this with test roles first then on the Actual roles
    If you have any problems let me know
    Cheers
    Soma
