
GRC access request workflow

former_member594607
Discoverer
0 Kudos

Hello GRC experts,

I need help with a very basic requirement and unfortunately I am not able to build the logic. Here is the requirement:

When a new/change user request is submitted, it should go to the manager for approval. If the request has any role with a removal action (prov. action), then it should auto-provision.

For any other action, request should go to role owner. If role has no role owner and no SOD in request, it should auto provision. However, if there is no role owner and SOD in request, it should go to compliance.

After the role owner's approval (where a role owner exists), the request should go to compliance if an SOD exists in the request and then auto-provision; otherwise it should auto-provision after the role owner's approval.

Now I create a custom BRF routing rule at the manager stage with rule results: 1. for prov. action "remove", 2. for SOD + no role owner in role, 3. no SOD + no role owner. I submit a new access request with 2 roles - one has a role owner and the other does not, and the request has an SOD. The request first goes to the manager, then it splits and goes to compliance for roles that do not have an RO and at the same time also goes to the RO. After the RO's approval, the request again goes to compliance.

How can I build a logic where all requirements are satisfied but the request goes to compliance only once, towards the end of the request?

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

Smriti,

I am a little confused with your requirements. Here is my take on this...

If Req Type : 001 : Create, I am not sure why there will be a provision action remove?

I do agree that on Req Type : 002 : Change there will be a provision action add or remove or retain.

When you say role owner (I am guessing it is the role assignment approver, not the role content approver):

What if the role owner wants to remove a role from the request (stage level setting)? How do you want to tackle this?

Can you share more details on how your DT looks in your BRF+ (initiator rule)? As Gustavo mentioned, do you have any Routing Rules? Any escape path if there is no approver found?

How many paths and stages have you configured?

Thanks

Ramesh

gustavo_soares
Participant
0 Kudos

You may want to try first testing the Routing Level of the stages in MSMP.

gustavo_soares
Participant
0 Kudos

Hi Smriti,

It seems that your MSMP has two separate stages for Compliance: one in the same path after R.O. and another in another path, as a result of the detour after manager.

Try to have only one Compliance stage in a separate path, then build a routing rule after manager and another after R.O. Both rules will send to the same Compliance stage.

Do let us know if that works.

Have you proposed to have Compliance before R.O.? That would simplify the process.

Cheers.

former_member594607
Discoverer
0 Kudos

Hello,

I can really use some help or suggestions here.

For now, we are planning to add a role owner to all the SOD access roles so that we don't end up in a situation where we have SOD and no role owner.
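
Added example, not part of any post in this thread and not MSMP or BRF+ configuration: a plain-Python model of the routing requirement from the question, useful as a reference decision table when testing routing rules. The stage names, role names and the `plan` function are hypothetical, and it assumes that roles without an owner wait for the single compliance review when the request has an SOD.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LineItem:
    role: str
    action: str      # constructed labels: "assign" or "remove"
    has_owner: bool  # True if a role owner is maintained for the role

def plan(items, request_has_sod):
    """Ordered (stage, roles) steps for one request; COMPLIANCE appears at most once."""
    def is_early(i):
        # Removals need no further approval. Ownerless roles only ever need
        # compliance, so without an SOD they can be provisioned right away.
        return i.action == "remove" or (not i.has_owner and not request_has_sod)

    steps = [("MANAGER", [i.role for i in items])]  # every request starts here
    early = [i.role for i in items if is_early(i)]
    late = [i for i in items if not is_early(i)]
    if early:
        steps.append(("AUTO_PROVISION", early))
    owned = [i.role for i in late if i.has_owner]
    if owned:
        steps.append(("ROLE_OWNER", owned))
    if late:
        if request_has_sod:
            # Assumption: ownerless roles are held until role-owner approval
            # is done, so compliance reviews the whole request once.
            steps.append(("COMPLIANCE", [i.role for i in late]))
        steps.append(("AUTO_PROVISION", [i.role for i in late]))
    return steps

# Constructed sample: the two-role test request described in the question.
SAMPLE = [LineItem("Z_ROLE_WITH_OWNER", "assign", True),
          LineItem("Z_ROLE_NO_OWNER", "assign", False)]

if __name__ == "__main__":
    for stage, roles in plan(SAMPLE, request_has_sod=True):
        print(f"{stage:15} {', '.join(roles)}")
```
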