on 09-10-2014 10:13 PM
Hi guys,
I've configured a BRF+ flat rule initiator and it's working fine. Now I have to either configure a flat rule agent, or try to find a more manageable way to solve my problem.
The problem is as follows.
All roles have one or more approvers. Some roles need to get approved by an MDM person or a training person, or both. I've accounted for this in the initiator, so that those roles will get routed to a different path. So there's a separate ZMDMTRAIN.
Now I have to identify the MDM approver and/or the training person for the role.
One strategy I was pursuing was to leverage the alternate approver. I figured since we're not doing any escalations, I can use the alternate approver in the routing for these MDM and training roles so that once the role owner has approved the role, the second stage in that path will go to the alternate approver (which will either be the training person or the MDM approver). I would basically set it to all approvers (instead of any approvers) and so that will solve this problem.
Problem with this is that within BRM, a role can only have an alternate approver if there is an approver ... so if we have only 1 approver, but the role must go to MDM and to training, then that's not possible - it won't save.
But if it were possible, then this would solve the problem.
Before I go and build out an agent, I wanted to see if anyone had an idea on how I might leverage the existing functionality in the NWBC end of the GRC 10 interface, without having to build a custom agent.
Thanks.
Hi Santosh,
You can create different paths for 1 level and 2 level approvals. In your case you may need to create three paths as follows:
1. For MDM - ZPATH_MDM
2. For Training - ZPATH_TRAINING
3. For both - ZPATH_MDMTRAIN
Then configure your BRF+ rule based on your conditions such that the rule returns the appropriate path.
For example, if the access request is for roles belonging to functional area MDM, return ZPATH_MDM, and likewise for other conditions.
Regards,
Ravi
Hi Ravi,
I woke up this morning and saw your email, and thought, this guy was in my brain last night. Arrived at the same conclusion while sleeping on the problem.
So this is all good to go but there is a related issue.
Once I set this up, I delegated approval for the training coordinator to some other user. This other user gets the request correctly, but when he goes to approve it, Access Control asks him to enter his password.
Now the thing is that passwords are deactivated in the SAP system, so the user can't submit the request.
We attempted to activate his password, and then he could approve the request successfully.
So, basically, the delegated approver gets the request correctly, and then can't submit as GRC asks for a password in order to proceed. We wouldn't want that.
Please let me know if you are able to assist.