cancel
Showing results for 
Search instead for 
Did you mean: 

Detour Path in SAP GRC 10

Former Member
0 Kudos

Hi Experts,

Need your inputs in Detour Path in SAP GRC 10.

We have 2 Cases: -

Case 1. When no SoDs exists then Approvers   approve the request then Auto provisioning of request.

Case 2. When  SoDs exists then it goes to Local Approvers to  approve the request then Auto provisioning of request.

For Case 1 i used Initiator for this with Directly Mapped User. Its gone fine.

For Case 2  is i have to used other, rather then Initiator?

                  is i have to create 2 Paths One for no SoD & other For SoD?

                  In Path other than GRAC_Default_Stage & GRACE_SECURITY stage i have to create any other stage.

                  

                  Need your help in this.

Accepted Solutions (1)

Accepted Solutions (1)

FilipGRC
Contributor
0 Kudos

Hello Sachin

For Case 2 - you have to use Routing rule - they are similar to initiator rules, except that they are activated during workflow process and they do not initialize a primary workflow like the Initiator rules do. There is additional configuration required to finalize Routing Rules  in MSMP workflow (rule and available results must be declared and routings must be maintained.

Filip Nowak

Former Member
0 Kudos

Hi Filip,

Thanks for input.

To extend this discussion I am looking for your advice

  1. 1. Process Id SAP_GRAC_ACCESS_REQUEST which is a initiator rule.[I am Looking for this one]
  2. 2. For Rule Id Maintenance GRAC_DETOUR_SODVOL_NO_ROLOWN OR GRAC_MSMP_DETOUR_SODVOL [Which one I have to take]
  3. 3. Agents I am using Directly Mapped Users for Approval Purpose.
  4. 4. Notification Templates GRAC_AR_APPROVED
  5. 5. Maintain Paths I Have 2 Paths, One Path Contain 2 Stages & Other One contains 3 Stages.
  6. 6. Maintain Route Mapping I have to create 2 Routes One for no SoD Other for SoD.

Please correct me if I am wrong.

FilipGRC
Contributor
0 Kudos

Hi Sachin,

i would select GRAC_MSMP_DETOUR_SODVOL routing rule as this is standard programmed by SAP (function module) for the cases exactly you have described. This will activate path for cases where you would like to have additional approval around SOD risks found.

Regards,

Filip

Former Member
0 Kudos

Hi Filip,

Thanks for input.

I have to concate both cases so how i added this routing role GRAC_MSMP_DETOUR_SODVOL.When i added this rule then in both cases it checked SoD.So how i solve this.

Former Member
0 Kudos

Are you trying to have something determined instantly at the "Intiator" and then have the request go to a single stage in each respective path? i.e

1) make request

2) submit....this kicks off the initiator that determines where the request goes?

     If there is a risk, go to "Local approver"

     else go to "Directly Mapped users"

3) End of request

What I would advise is to use the SAP provided SOD Detour rule, but maybe have that take place after an initial stage that all requests have to go through. I know "Blank" stages were spoken about over a year ago on the forum, not sure how successfully this was utilized.

All the best.

Former Member
0 Kudos

Hi  Harinam,

What i am trying to do is

If a request contains no SoD then it goes to approvers after this goes to security team & Then auto provisioning.

If a request contains  SoD then it goes to Local approvers after this goes to security team & Then auto provisioning.

So where i maintain Local Approvers?

For case one i am using Directly Mapped users for case 2 i am also looking for Directly Mapped users any advice on this.

Former Member
0 Kudos

To be honest, I would only use Directly Mapped users if they are going to be approving any request that comes via their route, regardless of which dept/country/team the user is from etc.

I presume the "Local" approver would differ per request, as the personal attributes of the user or the type of access requested should determine this. In this case, a custom Agent is more applicable, which can be created via BRF+. Within this custom agent, map out all the different results in that path within a Decision table and then determine the "Approver" for each result.

But going back to your main question, a SOD check can take place upon submission of a request form, but someone else may be better suited to answer your question about if you can use the SOD routing rule prior to hitting the first stage of any path.

My preference for such a workflow would be to have the request go through a generic initial stage which is verified by a Local Admin team/ Super User or Manager, then have the SOD routing rule kick in for the progress of the request, which would branch out into 2 paths after stage 1.

Hope that helps and all the best designing your solution.

Former Member
0 Kudos

Hi Harinam,

Thanks for inputs.

1.Is there any way rather than BRF+?

2.When a request goes to Approver & he /she runs the risk analysis then that request contains SoD then it is route to Local Controller.

3.How i mapped 2 branch(SoD & No SoD) in one path?

any advice on this.

Answers (0)