
SOD Detour in Role Approval Workflow possible?

Former Member
0 Kudos


Hello GRC Experts,

We have implemented an Access Request Approval Workflow with a Detour Rule (GRAC_MSMP_DETOUR_SODVIOL).

The second workflow we are working on is the Role Approval Workflow. Is it possible to use the SOD Detour Rule in the Role Approval Workflow as well? I didn't find the SOD Detour Rule in the MSMP Role Approval Workflow.

We would like to implement the following scenario:

If the role contains an SOD, the request should take Path 1, and if not, Path 2.

Is this possible in MSMP standard, or should we use BRF+ to create a Detour Rule?

Thanks,

Best Regards

Sabrina

Accepted Solutions (1)


Arif1
Active Participant
0 Kudos

Hi Sabrina,

I have created a sample workflow to fulfill your requirements.

There are 3 approvers.

First, the immediate supervisor approves.

Then, the request is sent to the role owner.

After completing the Role Owner stage, the request checks for SOD. If there is an SoD violation, it goes to the compliance stage and is approved by one compliance agent, and if no SoD is found, it goes to provisioning.

I have used a routing function.

Regards,

Arif

Former Member
0 Kudos

Hi Arif,

Your screenshots are for Access Request. Sabrina is enquiring about having an SOD routing rule for the BRM Role Approval MSMP process.

Former Member
0 Kudos

Hello Arif,

As Harinam said, your screenshots are for the Access Request Workflow, which is working fine with the GRAC_MSMP_DETOUR_SODVIOL Rule. But thanks for answering anyway.

What about the Role Approval Workflow? Do you use the same scenario for your Role Approval Workflow?

Regards

Sabrina

Former Member
0 Kudos

Hi Sabrina, in relation to my initial response, the SOD routing rule is only delivered for Access Request. You will have to make your own version via BRF+.

Former Member
0 Kudos

Thanks Harinam,

I was assuming that, but was not sure. Well, I hope SAP will make SOD Routing rules available also for Role Approval Workflows.

Answers (1)


Former Member
0 Kudos

Hi Sabrina,

For the Access Request workflow, we generally use GRAC_MSMP_DETOUR_SODVIOL to implement a routing rule (based on the detour condition: risk found). The purpose of the same (if I am not mistaken) is to throw the request to another level of approver, wherein the mitigation monitor agent reviews the mitigation performed by the role owner stage and approves/rejects the request.

But when we create a role, the same is not the condition, as we do not mitigate role-level risk, thus there is no need to go for the mitigation monitor stage. Maybe you have some business scenario; if you can let us know, that will be great.



For the rule ID, did you try adding the rule ID GRAC_MSMP_DETOUR_SODVIOL under the list of rules for "Role Approval Workflow"? (You may already know; I would still like to cross-check with you.) In the screenshot you have shown, just click on ADD and feed:

Rule ID - GRAC_MSMP_DETOUR_SODVIOL.

Rule description - same as Access Request.

Rule type - Function module based.

Rule kind - routing rule.


Add this and check if it works and let us know the result too.


Regards,

Nishant

Former Member
0 Kudos

Hello Nishant,

In our business scenario we don't use a mitigation monitor. If the role contains SODs, the request will be routed to the Security Stage and they will perform the risk mitigation by adjusting the permissions. This is working fine so far.

I have added the Rule ID GRAC_MSMP_DETOUR_SODVIOL and sent a request with a Business role containing SODs. But the rule is not working. The request always takes the default path. I am wondering whether BRM has this functionality.

I hope some more experienced GRC experts can give us some hints.

Good luck,

Sabrina

Former Member
0 Kudos

Hi Sabrina,

I presume you are maintaining the workflow for the "Approval" stage of the Role build methodology, which calls out the MSMP workflow.

I tried copying the SAP delivered rules in SP11 last year. Apparently rules (routing and agents) built for the Access Request MSMP flows are not portable/reusable on the other MSMP flows like the Role Change workflow.

You will have to either create your own BRF+ rule to make such a SOD detour rule for the Role Creation/Change approval workflow.

Having said that, have a look at this nice article

Instead of making a custom initiator for the Access Request workflow (as described in the article) why don't you create the same as a routing rule for the "Role Approver workflow"? That should work in theory as you want.

Let me know what you think?

Former Member
0 Kudos

Hello Harinam,

Nice idea, but somehow these instructions didn't help me. I followed the instructions to create the custom rule for the Access Request Workflow, but at the end I wasn't able to use this rule in the MSMP workflow. The end of the story: I created BRF+ rules just using the decision table for roles with critical level "low" (auto provisioning based on the critical level) and for the Roles removal workflow (auto provisioning based on the request type), and as the SOD Rule we are using GRAC_MSMP_DETOUR_SODVIOL.

I would love to implement the scenario from this nice article, but as I said, it didn't work for me.

Now we are still thinking about how to solve the issue with SOD within the Role Approval workflow.

If there is no SOD Detour, that would mean that the role owner will get all requests and has to check in every request whether there is an SOD or not.

I will let you know if I find the solution for this issue.

Regards

Sabrina