SAP Knowledge Base Article - Preview

2528109 - Case scenarios to make use of BAdI: Ignore Role Assignment Validation for Provisioning Actions Remove

Symptom

This article describes a few case scenarios that are solved by implementing the BAdI delivered in Note 2145358, whereby ABAP code can be introduced to ignore role assignment validation for the provisioning actions Remove, Retain, and Extend.

Case scenario (1)

When trying to remove an existing role from the user's account, or to change/retain a role on it, the following errors are thrown:

a. Single Role <XXX> is not assigned to user in system <RFC Dest>. The action Remove cannot be performed
b. Single Role <XXX> is not assigned to user in system <RFC Dest>. The action Retain/Change Date cannot be performed

Case scenario (2)

The Portal or LDAP connectors return the user ID in lower case. As a result, the user assignments fetched from the repository table GRACUSERROLE (via the Existing Assignments button) are not found: this table stores user IDs in upper case, so the validation fails. This validation was newly added in 10.1, and the request throws the error:

Role <XXX> is not assigned to user in System <XXX>. The action <XXX> cannot be performed.

Case scenario (3)

The application allows submission of an Access Request containing retired roles when the request is created via templates or the copy request functionality and the template or copied request contains retired roles.



Environment

  • SAP GRC Access Control 10.x/12.0
  • Access Request Management

Product

SAP Access Control 10.0 ; SAP Access Control 10.1 ; SAP Access Control 10.1 for SAP S/4HANA

Keywords

ignore assignment validation action removal remove retain extend single role is not assigned to user in system the action cannot be performed validation existing non-existing role CV_CONTINUE_VALIDATION IF_REQ_ITEM_VALIDATE VALIDATE VALIDATE_REQITEM_PROV_ACTION bypass validations submission approve error retired template copy ignore, no changes were made to the user, user does not have role to be removed, roles to be removed were not assigned to the user, SLG1, escape path, escape route , KBA , GRC-SAC-ARQ , Access Request , How To

About this page

This is a preview of an SAP Knowledge Base Article. The full version is available on SAP for Me (login required).
