
Risk Analysis @ Role Owner stage

Former Member
0 Kudos

Hello All,

We are currently working on SP08.

Our workflow for ARQ currently consists of a two-level approval:

Manager --> Role Owner. At the role owner stage there is a detour path for SoD.

Suppose a request consists of ZROLE1 with ROLE_OWNER1 and ZROLE2 with ROLE_OWNER2,

and ZROLE1 and ZROLE2 together constitute an SoD violation.

When the request is at the Role Owner stage and the Role Owner runs risk analysis, he does not see the risk violations for the entire request. Therefore, the SoD detour is not taken.

Is this an issue with SP08, or a functionality gap that was overlooked?

Thanks all for your replies.

Puneet

Accepted Solutions (1)


simon_persin4
Contributor
0 Kudos

Hi Puneet,

If you want the detour to be invoked, you'll need to have the risk analysis executed prior to the role owner stage. Once you split the request to line item level, then it is too late. However, you can maintain the stage task settings to allow role owners to see all objects on the request and they can then see their elements in the context of the wider request.

You can also get risk analysis automatically performed at submission using parameter 1071 but be aware that this will hamper performance and also only run the risk analysis against the default settings.

Cheers, Simon
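The effect described in this answer, as an added example that is not part of the original thread and is not SAP GRC code: a simplified model of an SoD check run over the whole request versus over each role owner's line items only. The action names, the risk ID `RISK_X01` and all function names are constructed assumptions; ZROLE1, ZROLE2 and the owner names come from the question.

```python
# Simplified model of request-level vs. line-item-level SoD analysis.
# Not SAP GRC code: action names, RISK_X01 and function names are constructed.

# Actions granted by each role (constructed sample data).
ROLE_ACTIONS = {
    "ZROLE1": {"CREATE_VENDOR"},
    "ZROLE2": {"POST_PAYMENT"},
}
ROLE_OWNER = {"ZROLE1": "ROLE_OWNER1", "ZROLE2": "ROLE_OWNER2"}

# A risk is violated when one user would hold every action in its set.
SOD_RISKS = {"RISK_X01": {"CREATE_VENDOR", "POST_PAYMENT"}}


def violations(roles):
    """Return the IDs of risks fully covered by the combined actions of `roles`."""
    held = set().union(*(ROLE_ACTIONS[r] for r in roles))
    return sorted(rid for rid, needed in SOD_RISKS.items() if needed <= held)


def request_level(request_roles):
    """Analysis over the entire request, e.g. at submission before any split."""
    return violations(request_roles)


def line_item_level(request_roles):
    """Analysis where each owner only evaluates the line items they own."""
    by_owner = {}
    for role in request_roles:
        by_owner.setdefault(ROLE_OWNER[role], []).append(role)
    return {owner: violations(roles) for owner, roles in by_owner.items()}


def detour_taken(found):
    """The SoD detour can only fire if the analysis actually reported a risk."""
    return bool(found)


if __name__ == "__main__":
    req = ["ZROLE1", "ZROLE2"]
    print("request level:", request_level(req), detour_taken(request_level(req)))
    for owner, found in line_item_level(req).items():
        print(owner, found, detour_taken(found))
```

In this model neither owner's view contains both conflicting actions, so the cross-role risk only appears when the analysis covers the whole request.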

Former Member
0 Kudos

Hello Simon,

Thank you for your response.

We have configured parameter 1071 and are running risk analysis at submission. This does not have a significant performance impact for us; therefore, we are using this option.

My question: Which stage setting allows the Role owner to see an entire request? Our Path:

Initiator --> Manager --> Role Owner (Respective).

I know at the detour level you can select the detour to be 'line item' vs 'stage level', but I am not aware of how to route the entire request to all the role owners.

simon_persin4
Contributor
0 Kudos

Hi,

You can mark the role owners to approve at Request level rather than Role / System level as part of the Stage configuration.

You can also restrict the roles which Approvers can see using parameter 2031 but they just have to click the "show all assignments" button in the approver screens to be able to see the roles for which they are not owners.

Simon

Former Member
0 Kudos

Hi Simon

So you are not using parameter 2023 with 2031? Is 2031 all you need to show roles for which you are the owner? And then for all roles you just click that button?

Jarmo

Answers (1)


Former Member
0 Kudos

I believe this is the functionality as we had the same concern.  We had to implement a stage before the role owners where 1 of our security folks can run the risk analysis prior to the approval.

Former Member
0 Kudos

Hi Chris

How to achieve this at submission level? The requestor runs risk analysis and a risk is found. How to configure the workflow so that the risk violation found is the initiator for the workflow? Because in a case where the requestor is responsible for risk violation analysis, the next step should be the risk owner. With a BRF+ initiator rule this cannot be achieved, I think. Any thoughts?

Thanks

Jarmo

Former Member
0 Kudos

Hi Jarmo, I know some companies limit who can create a request and if the request is coming from the IT team and they understand risk analysis and the mitigating controls then this may work.

For us, we have ~35000 employees and allow everyone to create their own requests. Our workflow is as follows:

Initiator -> Manager -> Security Team -> Auto Provision

We are currently testing...

Initiator -> Manager -> Security Team -> Role Owners -> Auto Provision

We expect that the initiator writes in the comments what type of access is required and their manager signs off on this. The security team identifies the roles and this is also where the risk analysis is mandatory.