Show TOC

Procedure documentationMaintaining Tasks and Authorizations for Request Approvers Locate this document in the navigation structure

 

In the Stage Details screen of the MSMP Configuration, you can select the tasks that are available to approvers on the Access Request screen for approvers, and specify what they are authorized to do. For example, you can allow approvers to reject a request or forward the request to another approver.

Procedure

  1. Choose the Customizing activity Maintain MSMP Workflows, under   Governance, Risks, and Compliance   Access Control   Workflow for Access Control  .

    The MSMP Workflow Configuration screen appears.

  2. In the Process Global Settings phase, select the process for Access Request Approval Workflow, and then choose the Maintain Paths phase.

  3. Under the Maintain Stages area, choose Display Task Settings.

    The Stage Definition screen appears.

  4. Under the Task Settings section, select the checkboxes for the features you want to be available to approvers on the access request screen.

    Field

    Description

    Runtime Configuration Change OK

    Use configuration changes available at runtime.

    Path Reevaluation New Role

    When applied to the access request workflow, this setting allows approvers to analyze the roles in the request against the initiators to determine if another parallel workflow must be created. You can choose from the following:

    • All Roles in Evaluation Path

      Reevaluate all roles.

    • New Roles Only

      Reevaluate only new roles.

    • None

      Do not reevaluate any roles.

    Reroute

    Allows approvers to reroute the request to a previous stage as an alternative to rejecting the request.

    Note Note

    The approval workflow is comprised of stages and paths. For a standard approver, the application does not display the reroute option in the first stage, because there is no previous stage. For an administrator, the reroute option is available for all the stages because the administrator has the ability to send the request to different paths.

    End of the note.

    Confirm Approval

    Displays an additional screen that requires approvers to confirm that they approve the request.

    Confirm Rejection

    Displays an additional screen that requires approvers confirm that they reject the request.

    Approve By E-mail

    Approvers receive e-mails informing them that a request requires their attention. Such e-mails include a link that opens the user provisioning screen.

    Reject by E-mail

    Approvers receive e-mails informing them that a request requires their attention. Such e-mails include a link that opens the user provisioning screen.

    Approve Despite Risk

    Allows approvers to approve requests despite risk violations.

    Reaffirm Approve

    Requires approvers to confirm their identities before approving requests.

    Reaffirm Reject

    Requires approvers to confirm their identities before rejecting requests.

    Change Request Details

    Allows approvers to change the content of requests.

    Approval Level

    Allows approvers to approve requests for the following levels:

    • Request

      Approvers have the authority to approve all roles in a request. For example, security approvers can approve any role relevant to a request.

    • Role

      Approvers can approve only those roles that belong to them.

    • System and Role

      Approvers have the authority to approve systems and roles.

    Rejection Level

    Allows approvers to reject requests for the following levels:

    • Request

      Approvers have the authority to reject all roles in a request. For example, security approvers can reject any role relevant to a request.

    • Role

      Approvers can only reject those roles that belong to them.

    • System and Role

      Approvers have the authority to reject systems and roles.

    Comments Mandatory

    Requires approvers to enter comments when approving or rejecting a request.

    EUP ID

    End User Personalization (EUP) allows you to define the behavior of the fields and pushbuttons on the Request Access screen, such as the following:

    • default values for the fields

    • whether the field is mandatory

    • whether the field is editable

    • whether the field is visible on the screen

    You set the parameters in the Customizing activity Maintain End User Personalization, under   Governance, Risk, and Compliance   Access Control   User Provisioning  .

    In the EUP ID field, you enter the ID of the end user personalization you want to use.

    Override Assign Type

    • Direct

      Roles are assigned to users.

    • Indirect

      Roles are assigned to positions or organizations.

    • Combined provisioning

    Note Note

    In the provisioning configuration, you must also set Manual Provisioning to True.

    End of the note.

    Add Assignment

    Allows approvers to add assignments for roles or systems to the request.

    Request Rejected

    Allows approvers to reject requests.

    Forward Allowed

    Allows approvers to forward requests to another approver.

    Display Review Screen

    Allows approvers to see the Access Review screen.

    Risk Analysis Mandatory

    Requires approvers to perform risk analysis before approving or rejecting a request.

    E-mail Group

    Note Note

    The application does not use this field. We provide it only for backward compatibility.

    End of the note.

    Allow Manual Provisioning

    Allows approvers to provision directly from the stage approval screen.

  5. Choose Save.