on 10-23-2011 5:54 PM
Hello Guru's,
we would like a stage where all Role Owners should approve their roles. However, not all roles have an owner. We would like these rpoles to be ignored, i.e. the request should go to the next stage when all owned roles are approved?
What is the best way of doing this??
I was thinking of a detour path triggered by "Role Owner Missing" with a stage similar to a 5.3 "no stage", is this still possible in 10?
Thx!
Yes, it's possible with an empty path without stages.
Regards,
Daniela
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
If you want to configurate a "no_stage" like in 5.3., you have to create the following entries in MSMP:
- step 6 "maint route mapping":
RuleID: GRAC_MSMP_ROUTE_NO_ROLEOWNER
RuleResult:NO_ROLE_OWNER
PathID: Z_XXXX_NO_STAGE (your own name)
- step 5 "maintain path":
select your path and the relevant stage.
Open the stage details and activate the routing with the Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER and the Routing Level: Line Item Level
I must be doing something wrong. Would it be possible to verify below:
Step 5:
2 paths:
Main path with 2 stages
Detour path without stages
Main path: stage 2 - Role Approvers
Stage Config Id: GRAC_ROLEOWNER
Agent ID: GRAC_ROLEOWNER
Routing Enabled: Yes
Rule Type: Function Module
Rule Id: GRAC_MSMP_ROUTE_NO_ROLEOWNER
Level: Line Item
Step 6:
Rule Id: GRAC_MSMP_ROUTE_NO_ROLEOWNER
Rule Result: NO_ROLE_OWNER
From Path: empty
From Stage: empty
Path ID: [name detour path]
Saved and activated flow.
However, when going into stage 2 -> System keeps saying "no agent found ... GRAC_ROLEOWNER"
What should I change? Thx!
I assume that would be the same as a detour with the Sec Amin as stage in a detour.
There is also the parameter 2038 which auto approves requests for roles without a role owner. However, I understood that all roles in the request should then be owner-less.
Didn't find a good alternative for the "no_stage" of 5.3 yet.
Hi,
Just been thinking about the scenario you described in your last post.
If you were to enable "Access Request Role Selection: 2038 Auto Approve Roles without
Approvers = YES"
This should allow to automatically approve access requests for roles without role owners at the role owner stage, as well as having roles with owners being approvable. What I would suggest is that if there are any SOD violations, it gets detoured to the Security Admin after this stage.
Have you considered trying this flow out and seeing what happens?
Hope this does help.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.