on 01-11-2013 4:06 PM
Hi Experts,
Need your inputs in Detour Path in SAP GRC 10.
We have 2 Cases: -
Case 1. When no SoDs exists then Approvers approve the request then Auto provisioning of request.
Case 2. When SoDs exists then it goes to Local Approvers to approve the request then Auto provisioning of request.
For Case 1 i used Initiator for this with Directly Mapped User. Its gone fine.
For Case 2 is i have to used other, rather then Initiator?
is i have to create 2 Paths One for no SoD & other For SoD?
In Path other than GRAC_Default_Stage & GRACE_SECURITY stage i have to create any other stage.
Need your help in this.
Hello Sachin
For Case 2 - you have to use Routing rule - they are similar to initiator rules, except that they are activated during workflow process and they do not initialize a primary workflow like the Initiator rules do. There is additional configuration required to finalize Routing Rules in MSMP workflow (rule and available results must be declared and routings must be maintained.
Filip Nowak
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Filip,
Thanks for input.
To extend this discussion I am looking for your advice
Please correct me if I am wrong.
Are you trying to have something determined instantly at the "Intiator" and then have the request go to a single stage in each respective path? i.e
1) make request
2) submit....this kicks off the initiator that determines where the request goes?
If there is a risk, go to "Local approver"
else go to "Directly Mapped users"
3) End of request
What I would advise is to use the SAP provided SOD Detour rule, but maybe have that take place after an initial stage that all requests have to go through. I know "Blank" stages were spoken about over a year ago on the forum, not sure how successfully this was utilized.
All the best.
Hi Harinam,
What i am trying to do is
If a request contains no SoD then it goes to approvers after this goes to security team & Then auto provisioning.
If a request contains SoD then it goes to Local approvers after this goes to security team & Then auto provisioning.
So where i maintain Local Approvers?
For case one i am using Directly Mapped users for case 2 i am also looking for Directly Mapped users any advice on this.
To be honest, I would only use Directly Mapped users if they are going to be approving any request that comes via their route, regardless of which dept/country/team the user is from etc.
I presume the "Local" approver would differ per request, as the personal attributes of the user or the type of access requested should determine this. In this case, a custom Agent is more applicable, which can be created via BRF+. Within this custom agent, map out all the different results in that path within a Decision table and then determine the "Approver" for each result.
But going back to your main question, a SOD check can take place upon submission of a request form, but someone else may be better suited to answer your question about if you can use the SOD routing rule prior to hitting the first stage of any path.
My preference for such a workflow would be to have the request go through a generic initial stage which is verified by a Local Admin team/ Super User or Manager, then have the SOD routing rule kick in for the progress of the request, which would branch out into 2 paths after stage 1.
Hope that helps and all the best designing your solution.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.