Hello All,
I need some help with trying to set up a workflow that allows a user to request a role be removed from a users account without the request going to the role owner for approvals.
Currently using the default Workflow, if a submit a request for the removal of a role it automatically sends the request to the role owner to approve the removal action.
I would like input on the following:
1. Is there a way to use the default provisioning rules to complete this without having to create a custom BRF+ routing rule?
2. If this is not possible via the out-of-box processes, can I get some input on what I may be doing wrong with the custom BRF+ routing rule that I created:
Here is where I am at in the BRF+ routing rule:
I have created the below routing role ZBRF_ROUT_REMOVE_ROLE and have set the REQTYPE = 002 (Change)
PROV_ACTION = 009 (Remove Role)
For RULE_RESULT it was only a text entry field and when I left it blank and perform a simulation I got blank results. Looking at other posts I saw where someone said to populate it with a result name like (REM) and this will give me REM in my simulation but now I have no idea as to configure that rule result in the MSMP workflow to get it to recognize the correct action of "remove the role" without it going to the approver.
Any input as to what I am missing or if I have done this incorrectly would be appreciated.
I feel that if I can get some productive insight on this, it will help me understand some of the other BRF+ questions I am having.
- SAP Managed Tags:
Accepted Solutions (1)
Yashasvi,
Thank you for your time in responding to this. I have followed your instructions in what I think is the correct process but it still does not seem to be identifying my BRF+ requirements for Account Change, Remove access.
I have created the Rule ID as you stated with the following information inputted:
I also created the Route mapping so that it would come off the GRAC Default path for that Rule ID and go to the "No Role Owner" path which is empty (and works fine for my no role owner roles still)
I have created a couple of different requests and they all seem to me ignoring the new rule set as the Rule ID does not show up in my Provisioning audit log.
If you see something in my MSMP workflow that is incorrect please let me know.
If it is a BRF+ issue then I'll post pictures of how it is configured for your input if needed.
Yashasvi,
I figured out what I had done incorrectly. I was treating the routing rule as if it would work on it's own without having to be added to the default GRC workflow path.
Once I updated the GRC default path to add the BRF+ routing rule to the Security stage it started acting semi-correctly.
I am now running into the issue that when I try to add a role back the BRF+ rule I created is for some reason seeing my request to add the role the same way it would see the removal and states that it is meeting the Detour condition rules of REM....which I don't get because the whole routing rule is supposed to be set to only see 002 (change) and 009 (remove) actions.
I am posting complete screens of all of my routes and Logs:
1. here you can see the "request access" triggered the routing rule because value REM was satisfied. But my BRF+ rule should have only provided that value with a 002 (change) and 009 (remove) action, and this was a 002 (change) and 001 (add)
Next is my default path Security stage
with my routing rule for the BRF+ remove role action.
for prospective here is the Manager Stage that contains my escape route for "no role owners" in case there is a request for a role with no owner (this was working fine before I added the BRF+ escape on the Security stage)
Finally the Role Owner stage of the Default path: as you can see there is not escape on this one.
Next is my Remove Role Path: Here is where I added stage 020 so that my Managers would approve all role removals. This path should only get triggered on a removal action but now ALL my requests are going to here.
Just for visual here is my "No Role Owner" path. This is also now not being used as nothing is making it to it since everything is now going to the "Role Removal Path"
Finally here is my routing tables:
BRF+ routing for role removal
and No role owner routing table:
finally here is the BRF+ rule that shows my logic:
Looking at Ramesh's reply it looks like he may be having the same issue as me OR he saw something I didn't..
Yashasvi,
I have actually answered my own issue and found the mistake in my BRF+ rule that I created.
I updated my Remove role rule in BRF+ to be an event based rule and then changed my Operand from a A "and" B statement to an "If all True" statement which meant that both A and B must be valid for the then statement to apply.
Thank you for your time and input on this.
I am assuming that if in the future I want to have multiple different items that trigger workflows outside of the default, then I am most likely going to have to create a custom initiator that contains all of my rules in it as well as the default actions?
exm: contractors get password disable or custom roles, locking accounts that are in a specific job status, ect...
Yashasvi,
I figured out what I was doing incorrectly on the BRF+ decision table initially. I have set up the Request Type as a Condition but had set the "Prov_Action" up as a result and not a condition. I have corrected that as shown below and now have a perfectly functioning Decision table.
Per your suggestion, I am going to remove the "If/Then" rule that I created and use the decision table now that it is working.
Again thank you for you patience and response, I will close this issue.
Answers (0)
| User | Count |
|---|---|
| 15 | |
| 4 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.