on 10-24-2014 3:58 AM
Hi GRC Experts
We are currently helping a client implement GRC AC10.1. Our requirement is that the ARM workflow just needs to handle the Firefighter assignment request; for other request types, the ARM workflow should be bypassed because all other requests should be approved in the OA system and then be automatically submitted to GRC AC via WebService.
Is there any way to bypass ARM workflow based on certain request types and directly submit request without any approval in GRC?
Thank you in advance
James
Hi James,
Can you explain what you mean by bypassing?
In GRC if you want to maintain workflow only for Firefighter access, then you can just enable only Firefighter access workflow, maintaining only Firefighter access request type in your BRF+ decision table.
Is my understanding correct?
Regards,
Madhu.
Hi Madhu
Thanks for your reply
Yes, I just want to enable only the Firefighter access workflow; what I mean by bypassing is disabling the other ARM access workflows. Do you have an example of how to disable other request types? I'm wondering, if I disable an ARM request type, can the request be automatically submitted, or will it just raise an error?
Best regards
James
Hi James,
Go to SPRO -> IMG -> ACCESS CONTROL -> USER PROVISIONING -> Define Request Type
Here you can maintain all your request types. You can disable the request type from appearing in NWBC using the check box "ACTIVE" as shown below.
Deactivate all request types except Emergency User Access request type. Now users will see only one request type in NWBC i.e. Emergency User Access.
Then in your BRF+ initiator just maintain an entry with Emergency User Access request type and corresponding rule result.
Let me know if you need any more details.
Regards,
Madhu.
Hi Madhu
Now my question is: if I disable all other request types except the Emergency User Access request type, can the Web Service calling still work for the other request types? How does Web Service calling work in GRC? Does it directly post the request once GRC gets the request from the web service?
Best regards
James
Hi James,
In that case you can keep all your request types active and restrict the users' access to only Emergency User Access by using the below authorization object.
Make sure that the roles assigned to the end user are controlled by this authorization object so that they can request access only for EAM.
Regards,
Madhu.
Hi Madhu
Thanks a lot, it's a reasonable way to restrict the end user so that they can only apply for Emergency User Access in GRC.
Here is my BRF+ demo configuration, but I don't know how I can process request types 001-005, since there should not be any approval for these request types. In my mind, we should just disable the workflow for request types 001-005, right? Can you please show me a demo of directly submitting without approval? Thanks a lot
Best regards
James
Hi James,
Please follow below link and create your decision table. In case you face any issue, let me know.
BRF plus Flate Rule - GRC Integration - Governance, Risk and Compliance - SCN Wiki
To understand creating access requests using web services, please check the below link
Regards,
Madhu.
Hi James
But our requirement is to directly submit the request without approval, how can I define the stages or paths?
If you want automatic approval you need to send the item down a path with zero stages. It will execute and complete the MSMP without sending it to an agent for approval.
To achieve this, have an initiator rule based on a Request Type check. In this, if the request type is 006 for Firefighter, then the rule result will be FF_REQ. If the request type <> 006, then the rule result will be OTH_REQ.
Within the MSMP, you can then define two paths - FF_PATH and OTH_PATH. The FF_PATH then needs the stages that you require for approval (how many approvers) whilst the OTH_PATH needs a path with no stages.
The next thing I recommend you do is restrict which request types users can lodge requests for to limit them to 006 unless users still do lodge ARQ requests?
It's the same MSMP so you cannot just deactivate for some request types and not others. You must send them down a path.
It looks like you are almost there - it's the MSMP side you need to finish off, as your BRF+ rule is almost done. I would recommend doing <>006 instead of 001..005 in case you have other request types.
Regards
Colleen
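The routing described in the reply above, as an added example that is not part of the original thread and is not SAP code or a BRF+/MSMP API: a small Python model that audits which request types end up needing approval, which are auto-approved through the zero-stage path, and which get no rule result. Request types 001-006, FF_REQ/OTH_REQ and FF_PATH/OTH_PATH come from the thread; request type 007, the stage name and the table encoding are assumptions made for illustration.

```python
# Simplified model of the routing described above; not SAP code or a BRF+/MSMP API.
# Request type IDs 001-006 and the rule results / path names come from the thread;
# type 007, the stage name and the table encoding are constructed for illustration.

def matches(condition, request_type):
    """Evaluate one decision-table cell: '=X', '<>X' or 'A..B' (inclusive range)."""
    if condition.startswith("<>"):
        return request_type != condition[2:]
    if condition.startswith("="):
        return request_type == condition[1:]
    low, high = condition.split("..")
    return low <= request_type <= high  # IDs are fixed-width, so string compare is safe

def initiator(table, request_type):
    """First matching row wins; None means the table produced no rule result."""
    for condition, rule_result in table:
        if matches(condition, request_type):
            return rule_result
    return None

# Rule result -> path, and path -> ordered approval stages.
RESULT_TO_PATH = {"FF_REQ": "FF_PATH", "OTH_REQ": "OTH_PATH"}
PATH_STAGES = {"FF_PATH": ["FF_OWNER_APPROVAL"], "OTH_PATH": []}  # zero stages = no agent

ENUMERATED = [("=006", "FF_REQ"), ("001..005", "OTH_REQ")]
CATCH_ALL = [("=006", "FF_REQ"), ("<>006", "OTH_REQ")]

def route(table, request_type):
    """Return (path, stages) for a request type, or (None, None) if unrouted."""
    result = initiator(table, request_type)
    if result is None:
        return None, None
    path = RESULT_TO_PATH[result]
    return path, PATH_STAGES[path]

def audit(table, request_types):
    """Classify each request type: needs approval, auto-approved, or unrouted."""
    report = {"approval": [], "auto": [], "unrouted": []}
    for rt in request_types:
        path, stages = route(table, rt)
        key = "unrouted" if path is None else ("approval" if stages else "auto")
        report[key].append(rt)
    return report

if __name__ == "__main__":
    types = ["001", "002", "003", "004", "005", "006", "007"]
    print("enumerated:", audit(ENUMERATED, types))
    print("catch-all: ", audit(CATCH_ALL, types))
```

With the catch-all row, any request type added later lands on the zero-stage path, so the "auto" list is the set to review together with who is authorized to submit those request types.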