Former Member
Jun 07, 2016 at 09:38 PM

GRC AC 10.1 SP12 UAR : Issues in detour path in Workflow


Hi All,

I am configuring UAR in GRC AC 10.1 SP12. Below are my main configuration details.

Reviewer – Role Owner

Admin Review – No

Rejection option – Not used

Only options available for Role owner (Reviewer) – Approve & Remove

Requirement is to give option of “approve” or “remove” of role assignments to user. If the role owner performs the action “remove” for any user, it has to go to Security path (Detour). For approve action, no need of detour.

Used Standard Agent ID - GRAC_UAR_REVIEWER for Role owner agent

Used Standard routing rule - GRAC_MSMP_DETOUR_UAR_REV_ROLE for removal action

Used Custom Agent for security agent in Security path for role removal action (PFCG USER GROUPS based)

Assigned “SEC” user group to security people in logon data in SU01 in GRC

I have created some test roles and users in plug in system and ran all the required jobs.

Issue : Assume I have 4 roles and their user assignments as below.

User1 – Role1

User2 – Role1, Role2

User3 – Role1, Role2, Role3

User4 – Role1, Role2, Role3, Role4

I have generated UAR request based on below data.

Connector – ECCCLNT100

Role Name – Role1

Now the UAR request created and waiting for approval at role owner stage like below

1st Scenario:

Role1 Action

User1 - Approve

User2 - Approve

User3 - Approve

User4 - Approve

For the above request everything working fine and processed the request as expected.

2nd Scenario:

Role1 Action

User1 - Remove

User2 - Approve

User3 - Approve

User4 - Approve

For the above request the role owner processed the request as above and then, as expected, the line item “User1” for removal was routed to the “Security” stage as per the standard detour condition. Then the security member processes the request as it is and Role1 is removed from User1.

Note: After every request is processed, I am running the required sync jobs to ensure I am using the correct data.

3rd Scenario:

Role1 Action

User1 - Remove

User2 - Approve

User3 - Remove

User4 - Approve

Here also the request processed as expected. Role1 removed from User1 & User3 once the request detoured to security path

4th Scenario:

Role1 Action

User1 - Remove

User2 - Approve

User3 - Remove

User4 - Remove

Here also the request processed as expected by role owner & security team member.

5th Scenario:

Role1 Action

User1 - Approve

User2 - Remove

User3 - Approve

User4 - Approve

Here is the actual issue I am facing. Role1 removed from User2 without going to security path. Once the role owner processed the request as above, Role1 was removed from User2 and the request closed.

6th Scenario:

Role1 Action

User1 - Approve

User2 - Remove

User3 - Approve

User4 - Remove

Again same issue here also. Role1 removed from User2 & User4 without going to security path. Once the role owner processed the request as above, Role1 was removed from User2 & User4 and the request closed.

7th Scenario:

Role1 Action

User1 - Approve

User2 - Remove

User3 - Approve

User4 - Approve

Again not worked as expected. Role1 removed from user2 but with involving security stage in security path (Detour)

Like above, I have processed many requests, but no request went to the security stage, but roles were removed, in the 1st path only, from the users for whom the action is “Remove”. As per my analysis, if the role owner did not select the action “Remove” for AT LEAST the first user assignment (line item) of a particular role, it is not going to the detour path and the role is getting removed from the 1st path, 1st stage only.

If the action is “remove” for the 1st user assignment, the request is going to the detour path and all the applicable below roles are getting deleted from the security path (Detour) security stage. Sorry if I am confusing here by writing a lengthy one. Please help me in this issue and let me know if we have any notes or I am missing something in configuration or workflow.

Please see attached file for detailed MSMP & UAR request screenshots.

IMPORTANT NOTE: If I process the request as administrator, the request is getting processed as expected, i.e. roles are removed after taking the detour path (Security) from all applicable users irrespective of the position of the user assignment line item in the request.


I am not able to attach all the screenshots here. Will attach remaining screenshots later.


Thanks In Advance,

Sathish Pallem

Attachments

3.png (34.6 kB)
2.png (54.5 kB)
1.png (46.4 kB)