SAP - Role Assignment to Position
This type of request enables you to:
- Assign SAP roles to a specific position, for example, to a manager
- Revoke roles assigned to a position
Roles can be assigned to or revoked from only one position at a time. SAP HR data has to be extracted into Infor Risk & Compliance prior to creating this request.
By default, this type of request is not available for selection in the drop-down list on the Requests page. To include it in the drop-down list, the ApprovalOperations.xml file needs to be modified. For details, refer to the SAP - Configuration Settings Guide.
To create an SAP - Role Assignment to Position type of request:
- Provide details on the following panels:
- General Information: Use this panel to provide the following general information about the request.
- Request Name: Provide a unique name to identify the request.
- Request Priority: From the drop-down list, select a priority for the request.
- Connection: Select the connection for which the request is to be created. You can set this connection as default from the Preferences page. All users from this connection are available for new role assignment through this request. To select a connection, type in a part of the connection name. All connections matching your search criteria are displayed. Select the required connection. Alternatively, browse and select the required connection and click OK.
Note: In case of secured connections, users signed into Infor Risk & Compliance can view and use only those connections that they have access to.
- Select Position: Select the position for which role assignments are to be changed. To select a position, type in a part of the position name and select the required position from the drop-down list. Alternatively, browse and select the required position and click OK. All positions from the connection selected in the Connections field are available for selection.
Note: If a request for the selected position is already pending, Infor Risk & Compliance displays an alert message. You have the option to continue, cancel the request or select another position.
If the request is continued, a message is displayed in the Comments section and can be viewed by the approver.
- New Roles to be assigned: This panel enables you to add new roles to the selected position. It also allows users to set the validity period for newly assigned roles. New roles are marked with an icon. Click a role name link to drill down to view the authorizations in that role. You may further drill down from an authorization to view attributes and their values.
- Add new roles: To select the roles to be assigned to the position, type in a part of the role name. All roles from the selected connection and matching the search criteria are displayed. Alternatively, browse and select the desired role and click . The selected roles appear in the Add New Roles field marked with an icon. All roles from the selected connection are available for selection. To remove a selected role, select the check box next to the role and click .
- Import Roles: If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles can be imported and selected to be assigned:
- Set validity period: The Valid From and Valid Through fields enable users to determine the validity period for newly assigned roles:
- Valid From: The Valid From text box enables users to provide a date from which the selected role assignment is valid. To set a valid from date for the selected role assignment, select Date of Approval and provide the required date or click the icon to select a specific date.
- Valid Through: The Valid Through text box enables users to provide a date until which the selected role assignment is valid. To set a valid through date for the selected role assignment, click and provide the required date or click the icon to select a specific date or select Never Expires.
- Already assigned Roles: This panel displays roles already assigned to the position in the selected connection and their validity period. Click a role name hyperlink to view the authorizations in that role. You may further drill down from the authorization to view attributes and their values. Composite roles are marked with an icon next to them.
Note: Click Undo to reset the revoked roles.
- Revoke existing roles: This panel enables you to revoke any of the roles already assigned in the selected connection. Roles assigned to this user in other connections cannot be revoked. To revoke a role, select the check box next to the role to be revoked and click . The role will be revoked after the request undergoes the approval process. By default, all existing role assignments can be revoked through this request. This means that users can have zero role assignments. You can modify this default setting in the AMSConfig.xml file to prevent all existing roles from being revoked. For details, see the Configuration Settings Guide.
Note: Indirect assignments, that is, single roles belonging to a composite role, cannot be revoked. Only direct assignments can be revoked or have their validity period changed.
Composite roles are listed on the User Interface marked with an icon.
Note: The Valid From and Expires On dates can be changed for existing roles assigned. The validity date changes can be viewed from the Request Details for SAP page.
- Modify validity period of the role: The Valid From field for already assigned roles is disabled, irrespective of whether the role is valid or expired. However, the Valid Through field for valid roles may be modified to reduce the validity period of the role.
- More Details
- Comments: Provide additional information about the request through comments. Comments are mandatory if the Infor Risk & Compliance option check box on the Access Management section of the Configuration page is selected.
- E-mail settings: This tab enables you to send email notifications to request participants or other users at specific stages of a request.
- Select any of the request status check boxes next to a user. Email notifications will be sent to that user when the request reaches that status. The option Approval Email Notification ensures that a user is notified whenever a request is posted to that user's inbox.
- Select the check box Display comments in email notifications, if you want the application to display comments in the notification.
- Other users can be notified by selecting the option Others. Provide the email address for the other users in the Other emails text box and click the Add icon.
Note: Email settings are enabled and may be changed only if the check box Override this Option is selected in the Options panel of the Approval Process Template page.
- Approval Stages: This panel provides details of the approval stages of the request and its present status.
- Click . The request is sent to the specified approvers and is displayed on the Requests home page. Click the request link to view the request details and take further action.
- A new role, an existing role or an expired role may be assigned more than once to the same user as long as the validity periods of the roles for these assignments do not overlap. But if the value in the Valid Through field for a role is selected as Never Expires, such a role cannot be re-assigned to the same user.
- If an approver approves a role assignment request for an existing role to be assigned again to the same user before the expiry of the validity period of previous assignment, then such a request will fail.
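The validity and revocation rules above can be checked before a request is submitted. The following is an added example, not Infor Risk & Compliance code: the Assignment record, the function names and the sample role names are hypothetical, and it assumes that Valid From and Valid Through are inclusive dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class Assignment:
    role: str
    valid_from: date
    valid_through: Optional[date]  # None models "Never Expires"
    direct: bool = True            # False: single role inherited from a composite role

def overlaps(a: Assignment, b: Assignment) -> bool:
    # Assumption: both boundary dates are inclusive days.
    a_end = a.valid_through or date.max
    b_end = b.valid_through or date.max
    return a.valid_from <= b_end and b.valid_from <= a_end

def check_new_role(existing, role, valid_from, valid_through, approval_date) -> List[str]:
    """Return the reasons a new assignment would fail; an empty list means it passes."""
    start = valid_from or approval_date  # valid_from=None models "Date of Approval"
    new = Assignment(role, start, valid_through)
    problems = []
    if valid_through is not None and valid_through < start:
        problems.append("Valid Through is earlier than Valid From")
    for cur in existing:
        if cur.role != role:
            continue
        if cur.valid_through is None:
            problems.append("existing assignment never expires, role cannot be re-assigned")
        elif overlaps(cur, new):
            problems.append(f"overlaps {cur.valid_from} to {cur.valid_through}")
    return problems

def can_revoke(a: Assignment) -> bool:
    # Only direct assignments can be revoked; roles inside a composite cannot.
    return a.direct

# Constructed sample data; the role names are made up.
EXISTING = [
    Assignment("Z_FI_AP_CLERK", date(2024, 1, 1), date(2024, 6, 30)),
    Assignment("Z_MM_BUYER", date(2024, 1, 1), None),
    Assignment("Z_FI_DISPLAY", date(2024, 1, 1), date(2024, 12, 31), direct=False),
]

if __name__ == "__main__":
    approved = date(2024, 6, 15)
    print(check_new_role(EXISTING, "Z_FI_AP_CLERK", date(2024, 7, 1), date(2024, 12, 31), approved))
    print(check_new_role(EXISTING, "Z_FI_AP_CLERK", None, None, approved))
    print(check_new_role(EXISTING, "Z_MM_BUYER", date(2030, 1, 1), date(2030, 12, 31), approved))
    print([a.role for a in EXISTING if not can_revoke(a)])
```

The second call models the failure described in the last item: Valid From is set to Date of Approval, and the approval happens before the previous assignment expires.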