Jul 28, 2017 at 08:33 PM

Provisioning Roles only after Risks have been mitigated



I have completed most of my provisioning workflow tasks with much success, but have run into the below issue that I cannot find any information on here and have not been able to resolve.

When I create a request for a user that contains a role with a risk that should go through the remediation process with an existing mitigating control, currently the role owner is able to approve that role for assignment and it provisions without forcing the approver to assign a mitigating control which would then prompt my "Mitigation Assignment" workflow to start.

If I assign a control on my own, it will trigger the "mitigation assignment" workflow as normal, but I need this to be a mandatory feature, as role owners, if left to their own devices, will just approve the access most times.

In 5.3 this was standard and a request could NOT continue until after a Risk was mitigated and then reviewed by a compliance officer.

My Risk Analysis config settings:

The request showing the High Risk Levels but allowing the role owner to still approve it and provision even with the risk.

On a side note, I updated my original workflow to have an escape route for the GRAC_MSMP_DETOUR_SODVIOL, thinking that maybe it was missing the workflow to prompt the SOD initiator, but even when I update the role owner Stage with this and create a new route for the SOD detour, it still provisions without forcing a mitigating control.

Here are those stage updates...

Any help would be appreciated.



risk-violation.jpg (74.2 kB)
detour-stage.jpg (67.6 kB)
stage3-details.jpg (59.4 kB)