GRC workflows customization


Hi Experts,

I have a requirement from a customer where they have 2 types of roles (Central roles and Department roles). The workflow they are looking for is: for Department roles they would have one-stage approval (Department Administrator), and for Central roles they would have two-stage approval (Central Role owner and Department Administrator).

Assumptions:

1. 'Central role' role owners will do UAR for Central roles and department role owners will do it for their respective department roles.

2. Department users can request any type of roles.

3. Central role contains '.CR.' in the naming.

4. High attrition rate at department administrator level.

5. Each department has one or more Department Administrator.

I came up with two options. Can anyone please suggest if there are any better options to handle this requirement?

Option1:

Route1. Create a BRF+ line-by-line initiator rule. The decision table will look for the role name containing '.CR.' and the department of the user in the request. Depending on that it will route the request to a path where the first agent would be defined by a PFCG role agent rule (all department administrators will get a unique role for that department). Then the request would route to the 'Central role' role owner.

Route2. If the request has any department role, then it will directly route to the role owner of the department role which is Department Administrator.

This would be a line-item-by-line-item rule because the line item with a central role will go for two-stage approval (Route1) and the line item for a department role will go directly to the department administrator (Route2).

Drawbacks

1. Every time a new department is created we need to update the BRF+ initiator rule and create a custom new path-agent rule.

2. The number of departments would define the number of paths in the MSMP workflow (about 100 paths).

Advantage

1. Easy to perform UAR

2. Less frequent updates to BRF+

3. More flexible on who could be the department administrator.

Option2:

1. Create one initiator rule for New/Change access requests. Set the parameter for "no role owner found, auto approve request" (2038).

2. Only assign role owners for Central Roles. Department role will not have any role assignment owners.

3. Create only one path with two stages. In first stage assign BRF+ agent rule. This agent rule would be based on department. The decision table will contain assignment of Department to Department administrator. The rule will return the department administrator user id.

Second stage would be role owner stage.

Drawbacks

1. Constant update to BRF+ due to high attrition rate of department administrators.

2. User access review for Department role would be difficult to perform.

3. Not sure if we can have multiple department administrators for one department and any one of them can approve.

Advantage

1. Only one path

2. Just BRF+ (only the decision table) needs to be updated in case of a new Department or Department Administrator. No MSMP needs to be updated, no new PFCG agents need to be created.
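To compare the two options side by side, here is an added illustration in Python (not SAP GRC or BRF+ code, and not from the original post): the departments, role names, owners and decision-table rows are constructed, and the function names are hypothetical. It models the line-item routing of Option 1 (one path per department plus a shared role-owner path) against the single-path routing of Option 2, and flags the case a reviewer should watch for under Option 2: a central role with no role owner assigned would be auto-approved by parameter 2038 right after the department stage.

```python
"""Routing model of Option 1 and Option 2 (added illustration, not SAP code).

Taken from the post: central roles contain '.CR.'; Option 1 routes line item by
line item into per-department paths; Option 2 uses one path whose first-stage
agent comes from a BRF+ decision table and auto-approves when no role owner is
found (parameter 2038). All ids and table rows below are constructed samples.
"""
from dataclasses import dataclass

# --- constructed master data --------------------------------------------------
USER_DEPT = {"RAM": "D01", "SITA": "D02", "NEWHIRE": "D03"}
CENTRAL_ROLE_OWNER = {"Z.CR.FINANCE_DISPLAY": "CRO_FIN"}     # Z.CR.HR_ADMIN deliberately unassigned
DEPT_ROLE_OWNER = {"Z_D01_DISPLAY": "ADMIN_D01_A"}           # Option 1 only: dept roles have owners
OPTION1_DEPARTMENTS = ["D01", "D02"]                         # each has its own MSMP path + PFCG agent role
OPTION2_DEPT_ADMIN = {"D01": ["ADMIN_D01_A", "ADMIN_D01_B"], # Option 2 BRF+ agent decision table
                      "D02": ["ADMIN_D02_A"]}


def is_central_role(role: str) -> bool:
    """Naming convention from the post."""
    return ".CR." in role


@dataclass
class Route:
    role: str
    path: str
    stages: list            # ordered (stage name, approver or list of approvers)
    warning: str = ""


def option1(requester: str, roles: list) -> list:
    """Line-item initiator rule: central roles go to a per-department two-stage path,
    department roles go straight to the shared role-owner path."""
    dept = USER_DEPT[requester]
    out = []
    for role in roles:
        if is_central_role(role):
            if dept not in OPTION1_DEPARTMENTS:
                # new department => new MSMP path and new PFCG agent role needed first
                raise LookupError(f"no MSMP path / PFCG agent role for department {dept}")
            owner = CENTRAL_ROLE_OWNER.get(role)
            out.append(Route(role, f"PATH_CENTRAL_{dept}",
                             [("DEPT_ADMIN", f"PFCG:Z_DEPT_ADMIN_{dept}"), ("ROLE_OWNER", owner)],
                             "" if owner else f"central role {role} has no owner"))
        else:
            owner = DEPT_ROLE_OWNER.get(role)
            out.append(Route(role, "PATH_DEPT_ROLE", [("ROLE_OWNER", owner)],
                             "" if owner else f"department role {role} has no owner"))
    return out


def option1_path_count() -> int:
    """One path per department plus the shared department-role path."""
    return len(OPTION1_DEPARTMENTS) + 1


def option2(requester: str, roles: list) -> list:
    """Single path: stage 1 agent from the dept -> admin decision table,
    stage 2 role owner; no owner found => auto-approve (2038)."""
    dept = USER_DEPT[requester]
    admins = OPTION2_DEPT_ADMIN.get(dept)
    if not admins:
        # new department => one decision-table row needed, no MSMP change
        raise LookupError(f"decision table has no administrator row for department {dept}")
    out = []
    for role in roles:
        owner = CENTRAL_ROLE_OWNER.get(role)
        if owner:
            out.append(Route(role, "PATH_MAIN", [("DEPT_ADMIN", admins), ("ROLE_OWNER", owner)]))
            continue
        warn = ""
        if is_central_role(role):
            # the check a reviewer wants: 2038 silently drops the second approval here
            warn = f"central role {role} without owner would be auto-approved by 2038"
        out.append(Route(role, "PATH_MAIN", [("DEPT_ADMIN", admins), ("AUTO_APPROVE_2038", None)], warn))
    return out


def option2_path_count() -> int:
    return 1


if __name__ == "__main__":
    for r in option1("RAM", ["Z.CR.FINANCE_DISPLAY", "Z_D01_DISPLAY"]):
        print("option1", r)
    for r in option2("SITA", ["Z.CR.HR_ADMIN", "Z_D02_DISPLAY"]):
        print("option2", r)
```

Running the block shows the central line item taking the two-stage path and the department line item the one-stage path under both options; only Option 2 produces the 2038 warning for the unowned central role, which is the condition worth monitoring if that parameter is enabled.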

Accepted Solutions (0)

Answers (4)


madhusap
Active Contributor

Hi Ram,

Correct me if my understanding is not correct.

You have two types of roles:

Central Roles: Workflow Path (Department Administrator -> Central Role Owner)

Department Roles: Workflow Path (Department Administrator)

Department is determined based on User Details.

Initiator rule will be simple where all requests by default will be routed to a path "Department Admin" which will have a stage called Department Admin and the agent for this stage is determined based on PFCG role.

Create another routing rule which will verify the role naming convention if it is a department or central role and if central role routes the request to "Central Role Owner" path which will have a Central Role Owner and the agent for this stage is determined based on Standard Role Owner or any custom requirement you have.

Use the routing rule in DEPARTMENT ADMIN path of DEPARTMENT ADMIN stage.

When an access request is submitted with CENTRAL and DEPARTMENT roles, following will be the flow of your workflow:

- Request goes to Department Admin stage of Department Admin path and approvers are based on PFCG role.

- Once the request gets approved, routing rule will check if the roles are CENTRAL or DEPARTMENT roles and then only routes the Central roles to role owners.

BRF+ PFCG agent rule for determining Department Administrators may require maintenance when a new department gets created and I assume a new department setup is a bigger activity compared to adding new entry in BRF+ decision table for PFCG agent rule 🙂

Let me know your thoughts on this.

Regards,

Madhu


Thank you Madhu. I think this would be a great option.


Hi Madhu,

In this case though we would have multiple paths, right? One for each department?

Since we don't have a BRF+ PFCG agent option. As far as I know we just have PFCG roles or PFCG user groups as an option in the agent type field.

Thanks,
Ram

madhusap
Active Contributor

Hi Ram,

I may have confused you with my terminology.

You can create a BRF+ agent rule for role owner stage in which you can get the rule to return the approvers details based on the role name.

Role information will be in your request details and you have to perform a DBLOOKUP (against AGR_USERS) with role names to get the role owners based on the users assigned to the role. So, your agent will return the role owner details based on the role name.

Regards,

Madhu


Hi,

I think I found a solution to this.

1. Create an initiator rule where all requests by default will be routed to a path "Department Path".

2. Department Path will have one stage approval, where the agent would be defined by a BRF+ agent rule.

3. This rule will contain a decision table, where the department of the user in request would be the input value and the result value would be a generic user id. This generic user id would be unique to each department.

4. There would be a routing rule where, if there is any Central role in the request based on the naming convention of the role, we would route it to the Central role owner (Standard Role Owner agent).

5. If there are any SoDs this request will route to Compliance stage.

Now the purpose of using a generic user id as the Department stage approver is that we would set up delegates for these generic user ids as the actual department administrator user ids. This is master data and can be updated in production directly, which can be done quickly.

Since we are using a generic user id as approver, even if there is high attrition at the department administrator level, there is no requirement to update the MSMP workflow or BRF+ decision table every time.

Even if we have a new department, we just need to update the decision table, that's it.
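As an added illustration of the design described in this post (Python, not SAP GRC or BRF+ code, and not from the original post), the block below models the single Department Path: the stage-1 agent is a generic department user id returned by a decision table, the real approvers come from delegation master data, a routing rule detours central-role line items to the standard role owner, and an SoD hit adds a compliance stage. All user ids, roles, table rows and the SoD ruleset are constructed; the function names are hypothetical. It also shows the maintenance point of the post: replacing an administrator touches only the delegation data, and a new department needs only one decision-table row.

```python
"""Model of the final single-path design (added illustration, not SAP code).

From the post: initiator routes everything to "Department Path"; stage 1 agent is
a generic id per department from a BRF+ decision table; delegates of that generic
id are the actual administrators; a routing rule sends central-role ('.CR.') line
items to the central role owner; SoD violations go to a compliance stage.
All ids and table rows below are constructed samples.
"""
from dataclasses import dataclass, field

USER_DEPT = {"RAM": "D01", "SITA": "D02"}
DEPT_GENERIC_ID = {"D01": "WF_DEPT_D01", "D02": "WF_DEPT_D02"}   # BRF+ decision table
DELEGATION = {"WF_DEPT_D01": ["ADMIN_D01_A", "ADMIN_D01_B"],      # master data, editable in prod
              "WF_DEPT_D02": ["ADMIN_D02_A"]}
CENTRAL_ROLE_OWNER = {"Z.CR.FINANCE_DISPLAY": "CRO_FIN"}           # standard role owner agent
SOD_CONFLICTS = {frozenset({"Z.CR.FINANCE_DISPLAY", "Z_D01_PAYMENTS"})}  # constructed ruleset


def is_central_role(role: str) -> bool:
    """Naming convention from the post."""
    return ".CR." in role


@dataclass
class Stage:
    name: str
    approvers: list


@dataclass
class Plan:
    path: str
    stages: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def department_stage_agent(dept: str) -> tuple:
    """BRF+ agent rule: dept -> generic id; delegation resolves who actually acts."""
    generic = DEPT_GENERIC_ID.get(dept)
    if generic is None:
        raise LookupError(f"add a decision-table row for department {dept}")
    return generic, DELEGATION.get(generic, [])


def has_sod_violation(roles: list) -> bool:
    requested = set(roles)
    return any(conflict <= requested for conflict in SOD_CONFLICTS)


def build_plan(requester: str, roles: list) -> Plan:
    dept = USER_DEPT[requester]
    plan = Plan("DEPARTMENT_PATH")
    generic, actual = department_stage_agent(dept)
    plan.stages.append(Stage("DEPT_ADMIN", [generic]))
    if not actual:
        # a generic id with no delegate means nobody can act on the request
        plan.warnings.append(f"{generic} has no delegate; request would stall")
    # routing rule: detour central-role line items to the central role owner
    central = [r for r in roles if is_central_role(r)]
    if central:
        owners = []
        for role in central:
            owner = CENTRAL_ROLE_OWNER.get(role)
            if owner is None:
                plan.warnings.append(f"central role {role} has no role owner")
            else:
                owners.append(owner)
        plan.stages.append(Stage("CENTRAL_ROLE_OWNER", owners))
    if has_sod_violation(roles):
        plan.stages.append(Stage("COMPLIANCE", ["SOD_REVIEWER"]))
    return plan


def onboard_department(dept: str, generic_id: str, admins: list) -> None:
    """New department: one decision-table row plus its delegates; no MSMP change."""
    DEPT_GENERIC_ID[dept] = generic_id
    DELEGATION[generic_id] = list(admins)


def replace_admin(generic_id: str, old: str, new: str) -> None:
    """Administrator turnover: only the delegation master data changes."""
    DELEGATION[generic_id] = [new if a == old else a for a in DELEGATION[generic_id]]


if __name__ == "__main__":
    print(build_plan("RAM", ["Z.CR.FINANCE_DISPLAY", "Z_D01_PAYMENTS"]))
```

The plan for a request mixing a central role with a conflicting department role yields three stages (department admin, central role owner, compliance) while a department-role-only request stops after the first stage; the warnings list is where a generic id without delegates or a central role without an owner surfaces before it becomes a stalled or under-approved request.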

madhusap
Active Contributor

Hi Ram,

Yes, you will have one main path and the second path will be your detour path, which will be triggered based on CENTRAL or DEPT role. I suggest you use a BRF+ PFCG agent rule based on the role naming convention or role name to determine role owners, which is quite straightforward.

Regards,

Madhu


Hi Madhu,

Thank you for the quick response.

I have not used a BRF+ PFCG agent rule. Can you please share some info here? I have used a BRF+ agent rule separately and I have used a PFCG agent rule separately. I don't know how we use a BRF+ PFCG agent rule. I am not sure how you would look up an approver's role and determine the agent in a decision table.

If I follow your recommendation, do I need to find the path with BRF+ or the approver? If we find the path, my number of paths in MSMP would be equal to the number of departments and there would be only one stage, which is based on a PFCG agent rule. Correct me if I am wrong here?

Note: I don't want to hardcode the user ids in the BRF+ rules due to large turnover.