
BRF + Setup for change role account request.

Hi Experts,

I have one requirement in GRC request.

Scenario: I want to assign some roles to a user, but the user is already expired (in past validity). In that case, if I raise a change account role assignment request (only to assign some extra role to the existing user) with roles which will lead to a conflict, then the conflict can't be checked during the approval process as the user is in past validity. So the user will be assigned the conflicting role, and later, when the user gets activated, the SOD will pop up during the report.

Requirement: The requester should not be able to raise a role assignment request when the user is in past validity.

So what will be the BRF+ configuration for this scenario only? Can this be done for only the change role request type with the existing BRF+ Initiator rule?

Please let me know in case more information is needed.


Thanks in advance.


Regards,

Biswaranjan


1 Answer

  • Oct 21, 2015 at 07:58 AM

    Hi Biswa,

    An immediate solution is to set parameter 1028 as NO, or to remove the expired users from the system. I cannot recall now if there is any standard functionality which restricts request creation for an expired user. So, I suggest letting the request be created, but routing it to a path where the Security team rejects it.

    So, in BRF+, use DBLookup to retrieve the Valid to date from GRACUSERCONN, and if the same is less than the system's date (from SYST), then route it to the Rejection path. Else, route it to the remaining paths.

    Regards

    Plaban
