Skip to Content

GRC AC Role Removal without role owner approvals

Hello All,

I need some help with trying to set up a workflow that allows a user to request a role be removed from a users account without the request going to the role owner for approvals.

Currently using the default Workflow, if a submit a request for the removal of a role it automatically sends the request to the role owner to approve the removal action.

I would like input on the following:

1. Is there a way to use the default provisioning rules to complete this without having to create a custom BRF+ routing rule?

2. If this is not possible via the out-of-box processes, can I get some input on what I may be doing wrong with the custom BRF+ routing rule that I created:

Here is where I am at in the BRF+ routing rule:

I have created the below routing role ZBRF_ROUT_REMOVE_ROLE and have set the REQTYPE = 002 (Change)

PROV_ACTION = 009 (Remove Role)

For RULE_RESULT it was only a text entry field and when I left it blank and perform a simulation I got blank results. Looking at other posts I saw where someone said to populate it with a result name like (REM) and this will give me REM in my simulation but now I have no idea as to configure that rule result in the MSMP workflow to get it to recognize the correct action of "remove the role" without it going to the approver.

Any input as to what I am missing or if I have done this incorrectly would be appreciated.

I feel that if I can get some productive insight on this, it will help me understand some of the other BRF+ questions I am having.

routing-rule.jpg (112.0 kB)
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Jul 11, 2017 at 01:34 PM

    Hello Michael,

    The output of decision table has to be caught in MSMP.

    Please create routing rule in MSMP (ID will be same as BRF+ function ID). In this rule result value REM and set a triggre value.

    Now, in stage 6 of MSMP, create an entry for this routing rule ID, where the path and stage would be the one where you want to apply routing rile. The "To Path" value will be another path where the request with all roles to be removed has to be sent (in your case, the path without any stages).

    Please let me know if you have queries on this.

    Kind regards,

    Yashasvi

    Add comment
    10|10000 characters needed characters exceeded

    • Yashasvi,

      I figured out what I was doing incorrectly on the BRF+ decision table initially. I have set up the Request Type as a Condition but had set the "Prov_Action" up as a result and not a condition. I have corrected that as shown below and now have a perfectly functioning Decision table.

      Per your suggestion, I am going to remove the "If/Then" rule that I created and use the decision table now that it is working.

      Again thank you for you patience and response, I will close this issue.

      brfplus-table.jpg (133.0 kB)