on 05-19-2009 10:39 AM
Can anyone tell me if the following is possible:
Use as a stage CAD the web service 'Role Approver' in an AE workflow (while this is more a CAD for an RE workflow)
Risk owners have been defined in RAR. It is possible to enforce Risk Analysis before approving provisioning in an AE workflow. Question: Is it also possible to automatically let GRC send an email to the relevant risk owners for approval only, i.e. only those for which Risk Analysis defined issues.
Is it possible to have as a stand-alone stage a risk-analysis which is initiated by the GRC system itself? (Maybe a "no stage" CAD with enforced risk analysis, but what happens with the result. - Reason: see point above.)
For more info, this is the workflow we'd like to implement
Request Submitter requests a set of roles
Only some - critical - roles need approval of a role owner
If all required roles are approved/rejected, automatically a risk analysis takes place
Issues that come out of that risk analysis are emailed for approval to the Risk Owners defined in RAR
If all approve (not reject) -> auto provisioning
I have no test system at my disposal so thank you for all input in advance!
We have done something similar.
A workflow with two paths (one standard and one detour).
Path 1
1. User Change Request
2. Stage 1 - Request Approval (Approver = CAD 'Company')
3. Stage 2 - Role Approval (Approver = Role Owners)
Stage 2 has a mandatory Risk Analysis. If all roles are clean, the auto-provisioning commences and workflow ends.
If a risk is found in Stage 2, the role will need to be rejected or have a mitigating control applied. In the case of a mitigation, the Role Owner will select a Mitigating Control. A detour path is triggered which has one stage that requires a Mitigation Monitor to approve.
Path 2
1. Stage 1 - Mitigation Approval (Approver = Mitigation Monitor).
Upon approval of the Mitigation Monitor, the Role auto-provisioning commences and the workflow ends.
rgds,
Babak
Thx for your input Babak but this didn't fully answer my question yet.
I'd like to know if
I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely an RE workflow service
Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis"
Can somehow the Risk Owners defined in the RAR component be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated.
Thx in advance!
Hi Karell,
Here is response to your questions:
I can use the following CAD in an AE workflow: web service to fetch role approvers. I question this as it is merely an RE workflow service : No. As far as I know the web service is only for RE/ERM.
Can the Risk Analysis be initiated in stage x automatically once stage (x-1) was completed. So no person involved, it is mandatory however, in my opinion there should be no extra person involved to actually press the button "Risk Analysis" : No. There is no way to automate the risk analysis part. Someone will have to click on the button to check for SoD violations. You can configure to run automatic risk analysis when the request is submitted but this is not 100% perfect. If someone adds or removes a role during the approval phase, it will invalidate the risk analysis which was run during request submission.
Can somehow the Risk Owners defined in the RAR component be asked to approve/reject risk that came out of the Risk Analysis described in my previous point. They should only be contacted when there is a risk indicated. : This is possible by following Babak's workflow.
Regards,
Alpesh
Just an update here to share info. It is possible to have Role Approvers in an AE workflow by selecting "Role" as CAD in the stage configuration. However, it is indeed not possible to use the web service to fetch the role approvers in ERM - as Alpesh said above.
This means that Role Approvers have to be defined in ERM and CUP which then again means that roles in CUP should be imported from ERM directly or from the upload xls template. When loading roles up from the back-end directly (the third possibility), the role approver is not defined by default.
Hi,
Path 2
1. Stage 1 - Mitigation Approval (Approver = Mitigation Monitor).
*How is this stage possible, I mean from where will it get the Mitigation Monitor ---
1. Which CAD is to be used? Should we use the standard CAD - Mitigation Monitor?
2. How at the first stage itself, upon SoD violation, will the request forward to the Mitigation Monitor in RAR?
3. How can this be configured at the first stage?
Upon approval of the Mitigation Monitor, the Role auto-provisioning commences and the workflow ends.
rgds,
Babak