Former Member

Auto Provisioning at end of Each Path?

Hello all,

I need to understand if this workflow design is feasible.  My stages are:

     1. Manager

     2. Role Owner(s)

     3. Controls Team (Only if SOD is found at stage 2)

Stages 1 and 2 are a part of Path 1.

Stage 3 is in a separate path, Path 2.

The Standard SOD routing rule links stage 2 of Path 1 to stage 3 of Path 2.  This is working fine.

Now, here is the catch.  The client would like to have provisioning take place after stage 2, even if there is SOD.  Then, if there is an SOD, they would like the approver in Stage 3 to be "notified" but not "required" to act before provisioning takes place.  The rationale is that the approvers in Stage 3 could be traveling or away on business (or just take really long to approve) and they would like provisioning to take place after Stage 2 no matter what.

I've tried to change the provisioning settings to "Auto Provision at end of Each Path" thinking that Path 1 would finish, then provision, in both scenarios.  However, this does not work - the access is not provisioned until it is approved in Stage 3 when there is an SOD.

It looks like the SOD detour routing rule takes the request to a new "path", but it is not actually considering this a different path because it is linked to the activity of Path 1.

Any thoughts or recommendations for an alternative design that isn't too complex?




1 Answer

  • Best Answer
    Nov 05, 2013 at 10:48 PM

    Hi Kenneth

    The client would like to have provisioning take place after stage 2, even if there is SOD.

    Doesn't this defeat the purpose of remediating and mitigating risk before the user receives access? This business requirement is basically saying "we're too busy doing something else to review SoD issues".

    If they are keen on assigning the access due to unavailability, could you have an escalation, if not approved in X days by L3, then just auto approve (route to a path with no stages) and send a notification instead? Make the Controls Teams who are travelling go and manually run the reports and remediate/mitigate outside of workflow? That or let the risk be there and configure User Access Reviews more regularly?






    • Hi Kenneth

      Possibly the solution is to send the notification to them when they are first sent to them with a paragraph stating "after X number of days user will receive access blah blah blah".

      Another option could be to send to a stage for Security to approve it so Controls get the notification. Then you can have security chase Controls to manually complete the SoD steps?

      You could also try two additional paths (one where it gets sent to controls again) and then an escalation of that for a short period to go to another path with no stages for auto approval.

      I haven't tried any of these suggestions, however.



      PS - I get it's a big culture change but there will be a risk they never embed their SoD preventative culture if they aren't enforced from day 1.