GRC 5.3 | CUP | Specific Interesting Workflow

Former Member

Can anyone tell me if the following is possible:

  • Use as a stage CAD the web service 'Role Approver' in an AE workflow (while this is more a CAD for a RE workflow)

  • Risk owners have been defined in RAR. It is possible to enforce Risk Analysis before approving provisioning in an AE workflow. Question: Is it also possible to automatically let GRC send an email to the relevant risk owners for approval only, i.e. only those for which Risk Analysis identified issues?

  • Is it possible to have as a stand-alone stage a risk-analysis which is initiated by the GRC system itself? (Maybe a "no stage" CAD with enforced risk analysis, but what happens with the result. - Reason: see point above.)

For more info, this is the workflow we'd like to implement

  • Request Submitter requests a set of roles

  • Only some - critical - roles need approval of a role owner

  • If all required roles are approved/rejected, automatically a risk analysis takes place

  • Issues that come out of that risk analysis are emailed for approval to the Risk Owners defined in RAR

  • If all approve (not reject) -> auto provisioning

I have no test system at my disposal so thank you for all input in advance!

Answers (1)

former_member196034

We have done something similar.

A workflow with two paths (one standard and one detour).

Path 1

1. User Change Request

2. Stage 1 - Request Approval (Approver = CAD 'Company')

3. Stage 2 - Role Approval (Approver = Role Owners)

Stage 2 has a mandatory Risk Analysis. If all roles are clean, the auto-provisioning commences and the workflow ends.

If a risk is found in Stage 2, the role will need to be rejected or have a mitigating control applied. In the case of a mitigation, the Role Owner will select a Mitigating Control. A detour path is triggered which has one stage that requires a Mitigation Monitor to approve.

Path 2

1. Stage 1 - Mitigation Approval (Approver = Mitigation Monitor).

Upon approval of the Mitigation Monitor, the Role auto-provisioning commences and the workflow ends.

rgds,

Babak

Former Member

Thx for your input Babak, but this didn't fully answer my question yet.

I'd like to know if

  • I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service.

  • Can the Risk Analysis be initiated in stage x automatically once stage (x-1) has been completed? So no person involved; it is mandatory, however, in my opinion there should be no extra person involved to actually press the "Risk Analysis" button.

  • Can somehow the Risk Owners defined in the RAR component be asked to approve/reject risks that came out of the Risk Analysis described in my previous point? They should only be contacted when there is a risk indicated.

Thx in advance!

Former Member

Hi Karell,

Here is the response to your questions:

  • I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely a RE workflow service: No. As far as I know the web service is only for RE/ERM.

  • Can the Risk Analysis be initiated in stage x automatically once stage (x-1) has been completed? So no person involved; it is mandatory, however, in my opinion there should be no extra person involved to actually press the "Risk Analysis" button: No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure it to run automatic risk analysis when the request is submitted, but this is not 100% perfect. If someone adds or removes a role during the approval phase, it will invalidate the risk analysis which was run during request submission.

  • Can somehow the Risk Owners defined in the RAR component be asked to approve/reject risks that came out of the Risk Analysis described in my previous point? They should only be contacted when there is a risk indicated: This is possible by following Babak's workflow.

Regards,

Alpesh
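To make Babak's two-path workflow and Alpesh's caveat concrete, here is an added toy simulation written for this thread. It is not SAP GRC code and uses no GRC API; the role names, risk ids (P001, P002), mitigating-control id and risk-owner addresses are constructed. It models the standard path (request approval, then role approval with a mandatory SoD check), the detour to a Mitigation Monitor when a control is applied, rejection when a risk is left unmitigated, and notification of only those risk owners whose risks actually surfaced. The key defensive point it demonstrates is Alpesh's: an analysis result is bound to the exact role set it was run against, so adding a role during approval makes the submission-time result stale and the stage re-runs the check instead of trusting it.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Constructed SoD rule set (hypothetical risk ids and roles, not a real RAR ruleset):
# each conflicting role pair maps to a risk id.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "P001",
    frozenset({"VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}): "P002",
}
# Constructed risk-owner assignment, standing in for the owners maintained in RAR.
RISK_OWNERS = {"P001": "owner.ap@example.invalid", "P002": "owner.vendor@example.invalid"}


@dataclass
class Request:
    requester: str
    roles: Set[str]
    status: str = "OPEN"
    stages: list = field(default_factory=list)                      # (stage, approver) history
    analysis_roles: Optional[FrozenSet[str]] = None                 # role set the last analysis covered
    risks: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # risk id -> conflicting pair
    mitigations: Dict[str, str] = field(default_factory=dict)       # risk id -> control id


def run_risk_analysis(req: Request) -> Dict[str, FrozenSet[str]]:
    """SoD check over the request's current roles; the result is bound to that role set."""
    req.risks = {rid: pair for pair, rid in SOD_RULES.items() if pair <= req.roles}
    req.analysis_roles = frozenset(req.roles)
    return req.risks


def analysis_is_current(req: Request) -> bool:
    """An analysis is only valid for the exact role set it was run against."""
    return req.analysis_roles is not None and req.analysis_roles == frozenset(req.roles)


def change_roles(req: Request, add=(), remove=()) -> None:
    """Roles added or removed during approval silently stale any earlier analysis."""
    req.roles = (req.roles | set(add)) - set(remove)


def owners_to_notify(req: Request) -> Set[str]:
    """Only the owners of risks actually found get contacted."""
    return {RISK_OWNERS[rid] for rid in req.risks}


def stage_request_approval(req: Request, approver: str) -> None:
    """Path 1, stage 1: plain request approval (CAD 'Company' in Babak's setup)."""
    req.stages.append(("REQUEST_APPROVAL", approver))


def stage_role_approval(req: Request, role_owner: str, mitigations=None) -> str:
    """Path 1, stage 2 with mandatory risk analysis. Returns PROVISION, REJECT or DETOUR."""
    if not analysis_is_current(req):
        run_risk_analysis(req)            # re-run rather than trust a stale result
    req.stages.append(("ROLE_APPROVAL", role_owner))
    if not req.risks:
        req.status = "AUTO_PROVISIONED"
        return "PROVISION"
    unmitigated = set(req.risks) - set(mitigations or {})
    if unmitigated:                       # no control offered -> the role must be rejected
        req.status = "REJECTED"
        return "REJECT"
    req.mitigations.update(mitigations)
    req.status = "MITIGATION_APPROVAL"    # detour path, stage 1
    return "DETOUR"


def stage_mitigation_approval(req: Request, monitor: str, approve: bool) -> str:
    """Path 2, stage 1: Mitigation Monitor approves the control, then auto-provisioning."""
    if req.status != "MITIGATION_APPROVAL":
        raise ValueError("request is not on the detour path")
    req.stages.append(("MITIGATION_APPROVAL", monitor))
    req.status = "AUTO_PROVISIONED" if approve else "REJECTED"
    return req.status


def demo() -> Dict[str, str]:
    # Case A: clean request, auto-provisioned after stage 2.
    clean = Request("alice", {"AP_INVOICE_ENTRY"})
    stage_request_approval(clean, "company.approver")
    a = stage_role_approval(clean, "role.owner")

    # Case B: analysis run at submission, role added during approval -> stale; re-run finds P001.
    stale = Request("bob", {"AP_INVOICE_ENTRY"})
    run_risk_analysis(stale)              # clean at submission time
    change_roles(stale, add={"AP_PAYMENT_RELEASE"})
    stale_was_current = analysis_is_current(stale)
    b = stage_role_approval(stale, "role.owner", mitigations={"P001": "MC-001"})
    b_final = stage_mitigation_approval(stale, "mitigation.monitor", approve=True)

    return {"clean": a, "stale_current": str(stale_was_current), "detour": b,
            "detour_final": b_final, "notify": ",".join(sorted(owners_to_notify(stale)))}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows case A ending in `PROVISION`, and case B reporting the submission-time analysis as no longer current, finding P001 on re-run, detouring to the Mitigation Monitor and notifying only the P001 owner. Swapping the re-run in `stage_role_approval` for a blind reuse of `req.risks` is exactly the gap Alpesh describes.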

Former Member

Thx Alpesh and Babak.

However, to me it is not logical that you can't refer to the Role Approver in an AE workflow.

In general, the one approving the role should also be the owner approving the assignment of that role.

Former Member

Just an update here to share info. It is possible to have Role Approvers in an AE workflow by selecting "Role" as CAD in the stage configuration. However, it is indeed not possible to use the web service to fetch the role approvers in ERM - as Alpesh said above.

This means that Role Approvers have to be defined in ERM and CUP which then again means that roles in CUP should be imported from ERM directly or from the upload xls template. When loading roles up from the back-end directly (the third possibility), the role approver is not defined by default.

Former Member

Hi,

Path 2

1. Stage 1 - Mitigation Approval (Approver = Mitigation Monitor).

How is this stage possible, I mean from where will it get the Mitigation Monitor?

1. Which CAD is to be used? Should we use the standard CAD 'Mitigation Monitor'?

2. How, at the first stage itself, upon an SoD violation, will the request be forwarded to the Mitigation Monitor in RAR?

3. How can this be configured at the first stage?

Upon approval of the Mitigation Monitor, the Role auto-provisioning commences and the workflow ends.

rgds,

Babak