on 07-28-2014 1:50 PM
Hello GRC Experts,
We have implemented an Access Request Approval Workflow with a Detour Rule (GRAC_MSMP_DETOUR_SODVIOL).
The second workflow we are working on is the Role Approval Workflow. Is it possible to use the SOD Detour Rule in the Role Approval Workflow as well? I didn't find the SOD Detour Rule in the MSMP Role Approval Workflow.
We would like to implement the following scenario:
If the role contains an SOD, the request should take Path 1, and if not, Path 2.
Is this possible in MSMP standard, or should we use BRF+ to create a Detour Rule?
Thanks,
Best Regards
Sabrina
Hi Sabrina,
I have created a sample workflow to fulfill your requirements.
There are 3 approvers.
First, the immediate supervisor approves.
Then, the request is sent to the role owner.
After completing the Role Owner stage, the request checks for SoD. If there is an SoD violation, it goes to the compliance stage and is approved by one compliance agent, and if no SoD is found, it goes to provisioning.
I have used a routing function.
Regards,
Arif
Hi Sabrina,
For the Access Request workflow, we generally use GRAC_MSMP_DETOUR_SODVIOL to implement a routing rule (based on the detour condition: risk found). The purpose of it (if I am not mistaken) is to throw the request to another level of approver, wherein the mitigation monitor agent reviews the mitigation performed by the role owner stage and approves/rejects the request.
But when we create a role, the condition is not the same, as we do not mitigate role-level risk, so there is no need to go to the mitigation monitor stage. Maybe you have some business scenario; if you can let us know, that would be great.
For the rule ID, did you try adding the rule ID? (You may already know; I would still like to cross-check with you.)
GRAC_MSMP_DETOUR_SODVIOL under the list of rules for "Role Approval Workflow". In the screenshot you have shown, just click on ADD and feed:
Rule ID - GRAC_MSMP_DETOUR_SODVIOL.
Rule description - same as Access Request.
Rule type - Function module based.
Rule kind - Routing rule.
Add this, check if it works, and let us know the result too.
Regards,
Nishant
Hello Nishant,
In our business scenario we don't use a mitigation monitor. If the role contains SODs, the request will be routed to the Security Stage, and they will perform the risk mitigation by adjusting the permissions. This is working fine so far.
I have added the Rule ID GRAC_MSMP_DETOUR_SODVIOL and sent a request with a business role containing SODs. But the rule is not working. The request always takes the default path. I am wondering whether BRM has this functionality.
I hope some more experienced GRC experts can give us some hints.
Good luck,
Sabrina
Hi Sabrina,
I presume you are maintaining the workflow for the "Approval" stage of the Role build methodology, which calls out the MSMP workflow.
I tried copying the SAP-delivered rules in SP11 last year. Apparently rules (routing and agents) built for the Access Request MSMP flows are not portable/reusable on the other MSMP flows like the Role Change workflow.
You will have to create your own BRF+ rule to make such an SOD detour rule for the Role Creation/Change approval workflow.
Having said that, have a look at this nice article
Instead of making a custom initiator for the Access Request workflow (as described in the article) why don't you create the same as a routing rule for the "Role Approver workflow"? That should work in theory as you want.
Let me know what you think?
Hello Harinam,
Nice idea, but somehow these instructions didn't help me. I followed the instructions to create the custom rule for the Access Request Workflow, but in the end I wasn't able to use this rule in the MSMP workflow. The end of the story: I created BRF+ rules just using the decision table for roles with critical level "low" (auto provisioning based on the critical level) and for the role removal workflow (auto provisioning based on the request type), and as the SOD rule we are using GRAC_MSMP_DETOUR_SODVIOL.
I would love to implement the scenario from this nice article, but as I said, it didn't work for me.
Now we are still thinking about how to solve the issue with SOD within the Role Approval Workflow.
If there is no SOD Detour, that would mean that the role owner will get all requests and has to check in every request whether there is an SOD or not.
I will let you know if I find the solution for this issue.
Regards
Sabrina