GRC AC 5.3 Detour not working as expected in workflow

Former Member
0 Kudos

Hi GRC Experts!

I would greatly appreciate your help with the problem we're currently facing; we have configured 2 CUP workflows; one for handling requests with SoD violations (Workflow B) and one to handle ones without any SoD violations (Workflow C), with the former handling risk analysis followed by role approval, and the latter handling only role approval; we have one path with one stage configured as "No Stage" (Workflow A); this path is used to decide which of the primary workflows to use (i.e. SoD violations or no SoD violations) using two detours; we have one detour configured to use Workflow B if any SoD violations are found in the request and another detour configured to use Workflow C if no SoD violations are found.

Currently, what happens in our tests is that requests without risks / SoD violations work fine and actually get detoured to Workflow C, awaiting role approval from the right approver; while requests with inherent risks / SoD violations unfortunately get automatically approved and provisioned rather than being sent to Workflow B.

Any clues as to why this could be happening? We've checked if there are any settings that might be triggering it to automatically approve requests despite any risks, but can't find anything of the sort; Would be very grateful for any insight / advice on the issue.

Thanks a lot in advance!

Best regards,

Sandeep

Accepted Solutions (1)

Former Member
0 Kudos

Hello Sandeep,

How is the "No Stage" configured?

If the auto provisioning is configured as "Auto Provision At End of Request", the request is not taking the workflow B and it's approved as supposed.

The point is why the request is not taking the detour... Do you set the parameter "Perform Risk Analysis on Request" to YES or do you set the "Risk Analysis Mandatory" to YES at the "No Stage" stage?

Cheers

Diego.

Former Member
0 Kudos

Hi Diego,

Thank you for your quick reply!

On the Workflow A - "No Stage" stage I have set the option of "Risk Analysis Mandatory" to "YES".

The Auto Provisioning Type is "No Auto-provisioning"; it is NOT set to "Auto Provision At End of Request".

But under the Auto-Provisioning section, in the "Auto Provisioning - Provisioning - Change Request Options" subsection, the "Create If User Does Not Exist" option is set to "YES"; should this change?

And in the "Provisioning - Role Assignment" subsection the "Provision Effective Immediately" option is set to "YES"; should this change?

and the "Perform Risk Analysis on Request" option is set to "YES".

based on this, what do you feel needs to change?

And, should I be using "No Stage" for the Workflow A? or should it be something else?

Thanks a ton for your help!

Best regards,

Sandeep

Former Member
0 Kudos

Hi Sandeep!

You said in your first post: "...unfortunately get automatically approved and provisioned rather than being sent to Workflow B"

And later: "The Auto Provisioning Type is "No Auto-provisioning"; it is NOT set to "Auto Provision At End of Request"."

This cannot be possible; if you're using "No Auto-provisioning", NO provision should take place! Possible causes for this error are:

1) You have a different provision type for this specific system. Check "by system" tab

2) You have changed this recently, after the request was sent to the workflow

3) There's a program error

Regarding your other questions:

"Create If User Does Not Exist" option is set to "YES"; should this change?:

This setting applies to requests of type "change". If the user you provide does not exist, the system creates the user. This isn't important for your issue.

And in the "Provisioning - Role Assignment" subsection the "Provision Effective Immediately" option is set to "YES"; should this change?:

No, this is just for a "user comparison" after the role assignment.

Going back to your initial issue:

Is the workflow A path configured with the detour flag deactivated? Are the WF B and C paths configured with the detour flag activated?

Anyway, please re-check the auto-provisioning issue.

Cheers,

Diego.

Former Member
0 Kudos

Hi Diego!

Once again; thank you for your quick reply!

I did recheck the auto-provisioning issue and I can confirm that it is definitely set to "No Auto-provisioning" and it hasn't been changed recently. The strange thing is that the detour works for NO SoD violations, but doesn't work for SoD violations; find below the audit trail for detour working:


Request XXX Submitted by Sandeep (SANDEEP) on 01/28/2012 02:04  
   Z_111111-ECC Role Added with validity dates 01/28/2012-12/31/9999 
   
 Request submitted for approval by admin(system) on 01/28/2012 02:04  
  
Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 02:04  
   Approved Z_111111-ECC role for Add action with validity dates 01/28/2012-12/31/9999 
   
Request has taken a detour to path C_WORKFLOW and stage C_STAGE on 01/28/2012 02:04  
   Detour condition SOD Violations with value No is satisfied at path WORKFLOW_A and stage WORKFLOW_A

and find below the audit trail for the detour not working:


Request YYY Submitted by Sandeep (SANDEEP) on 01/28/2012 01:53  
   Z_222222-ECC  Role Added with validity dates 01/28/2012-12/31/9999 
   
 Request submitted for approval by admin(system) on 01/28/2012 01:53  
  
Approved by Sandeep (SANDEEP)  on behalf of Sandeep (SANDEEP)  at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 01:53  
   Approved Z_222222-ECC role for Add action with validity dates 01/28/2012-12/31/9999 
   
 Request Closed By Sandeep (SANDEEP) on 01/28/2012 01:53  

I even checked the CUA System section, and the "By system" tab and it was empty; there were no specific system configurations.

And to answer your questions:

Since Workflow A is the path with the Initiator, the detour flag is deactivated and the active flag is activated.

WF B & C have both the active and detour flags activated.

Thanks a lot again for your quick responses and all the help you've provided so far!

Best regards,

Sandeep
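An added example, not part of the thread and not SAP code: a small Python check that reads audit-trail text in the format quoted above and lists requests that were closed after approval only at the routing path, with no detour recorded. The sample trail is constructed from the two trails in the post; the function names and the `routing_path` default are assumptions made for this illustration.

```python
import re

# Constructed sample, modelled on the two audit trails quoted in the thread.
SAMPLE_TRAIL = """\
Request XXX Submitted by Sandeep (SANDEEP) on 01/28/2012 02:04
 Request submitted for approval by admin(system) on 01/28/2012 02:04
Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 02:04
Request has taken a detour to path C_WORKFLOW and stage C_STAGE on 01/28/2012 02:04
   Detour condition SOD Violations with value No is satisfied at path WORKFLOW_A and stage WORKFLOW_A
Request YYY Submitted by Sandeep (SANDEEP) on 01/28/2012 01:53
 Request submitted for approval by admin(system) on 01/28/2012 01:53
Approved by Sandeep (SANDEEP)  on behalf of Sandeep (SANDEEP)  at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 01:53
   Approved Z_222222-ECC role for Add action with validity dates 01/28/2012-12/31/9999
 Request Closed By Sandeep (SANDEEP) on 01/28/2012 01:53
"""

SUBMITTED = re.compile(r"^Request (\S+) Submitted by ")
APPROVED = re.compile(r"^Approved by .+?\s+at path (\S+) and stage (\S+) on ")
DETOUR = re.compile(r"^Request has taken a detour to path (\S+) and stage (\S+) on ")
CLOSED = re.compile(r"^Request Closed By ")


def parse_trail(text):
    """Group audit-trail lines by request; record approvals, detours, closure."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUBMITTED.match(line):
            current = requests.setdefault(
                m.group(1), {"approved_paths": [], "detours": [], "closed": False})
        elif current is None:
            continue  # ignore lines before the first request header
        elif m := APPROVED.match(line):
            current["approved_paths"].append(m.group(1))
        elif m := DETOUR.match(line):
            current["detours"].append(m.group(1))
        elif CLOSED.match(line):
            current["closed"] = True
    return requests


def closed_without_routing(requests, routing_path="WORKFLOW_A"):
    """Closed requests with no detour and no approval outside the routing path."""
    return sorted(
        req_id for req_id, r in requests.items()
        if r["closed"] and not r["detours"]
        and set(r["approved_paths"]) <= {routing_path})


if __name__ == "__main__":
    print(closed_without_routing(parse_trail(SAMPLE_TRAIL)))
```

Run over an export of real audit trails, the same check shows how many requests skipped both primary workflows while the detour configuration was in this state.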

Former Member
0 Kudos

Hello!

Definitely the role is not getting provisioned. You don't have a message like:

Auto provisioned for request on 01/28/2012 <time>

I meant the "by system" tab in "Auto provisioning". But it doesn't matter because this is fine, and the user is not getting provisioned as supposed.

I'd try doing the following: only one detour instead of two detours, I think this simplifies the idea, I mean:

- Deactivate the detour with risk violations set to YES.

- Deactivate the path B_WORKFLOW

- Add B_STAGE at the end of the path WORKFLOW_A

If the request has no risks, it takes the C_WORKFLOW. This is working now.

If the request has risks, it doesn't take the detour and it'll follow WORKFLOW_A to the stage B_STAGE.

You don't need two detours:

<Initiate WORKFLOW_A>

If (no violations)

jump to detour;

<here continues WORKFLOW_A>

Please, let me know if you don't get the point of what I'm saying...

Cheers,

Diego.

Former Member
0 Kudos

Hello Diego,

Thank you again for your response!

Yes, as you figured, there was nothing set in the "By System" tab of the Auto Provisioning section.

And as you suggested I have deactivated the "Stage B" and the Workflow B; I am extending the Workflow A to have both Risk Approval followed by Role approval; as a result of this, I am not able to add "No Stage" as the first stage since that can only be done when the path has 1 stage. What would be the stage where the detour is applied to then? the Risk approval stage? or NO Stage? or some other new stage and with what approver determinator?

Previously Workflow A just had 1 Stage - "NO Stage" with which the 2 detours were configured.

Now, Workflow A has 2 stages: Risk approval (with Mitigation Approver as approver determinator) and Role approval (with Role as the approver determinator).

Workflow C just has 1 stage and is purely for Role Approval (with ROLE as the approver determinator).

Is this right? Does anything have to change? What approver determinator should we be using? We seem to be getting an error "No Approver Found" when choosing "Mitigation Approver".

Thanks a ton!

Best regards,

Sandeep.

Former Member
0 Kudos

Hello!!

Well... I'm a little bit confused. Let me tell you what should be the complete configuration as per my knowledge. I've changed the names for better understanding.

Stages
======
CHECK_SOD_STAGE
RISK_APPROVAL
ROLE_APPROVAL

PATHS
=====
WORKFLOW_WITH_SOD (3 stages, active, NO detour)
WORKFLOW_NO_SOD (1 stage, active, detour)

PATH WORKFLOW_WITH_SOD configuration:
=====================================
start -> CHECK_SOD_STAGE -> RISK_APPROVAL -> ROLE_APPROVAL -> Finish

PATH WORKFLOW_WITH_SOD configuration:
=====================================
start -> ROLE_APPROVAL -> Finish

Custom approver determinator
============================

I don't know what you want to do here... Who are the approvers?

But, for example, "Mitigation Approver" is for Mitigation control workflows, not for user's workflow.

Cheers,

Diego.

Former Member
0 Kudos

Hi Diego,

Thanks a ton for your continued assistance with this issue! Really sorry for troubling you with this.

We already have a RISK_APPROVAL & ROLE_APPROVAL stage.

All the paths are configured as well, except our WORKFLOW_WITH_SOD path has only 2 stages; we unfortunately don't have a CHECK_SOD_STAGE.

We would configure a risk approver for a set of mitigation controls, and a role approver for specific roles from specific business processes.

Currently what we have is a two stage WORKFLOW_WITH_SOD path; a RISK_APPROVAL stage & a ROLE_APPROVAL stage; the RISK_APPROVAL stage is the one doing the work of the CHECK_SOD_STAGE as we aren't too sure how to configure a stage purely for checking SOD; as a result of this, even a role added without any risks ends up needing approval once at the "RISK_APPROVAL" stage and then after being detoured requires an approval at the "ROLE_APPROVAL" stage. This is definitely wrong and I'm guessing shouldn't be configured this way.

How do we create the CHECK_SOD_STAGE? What should the Workflow type be? and what should the Approver determinator be?

Thanks so much again for all your help so far!

Cheers,

Sandeep

Former Member
0 Kudos

Hello,

In this case, you'll find a similar WF configuration here:

Cheers,

Diego.

Former Member
0 Kudos

Hi Diego,

Thank you for your reply! We were able to now get the workflow working with the logic we needed.

Thanks a lot for your help!

Best regards,

Sandeep
