
Auto approval Roles without SoD GRC 10.0

Former Member
0 Kudos

Hi everyone,

I am designing the Workflow for the Access Request in GRC 10.0 and the main idea is avoiding BRF+ rules, so let me explain my solution to you:

I use the initiator and the GRAC_MSMP_DETOUR_SODVIOL rules.

1)Create one path for the No SoD condition. It has no stages.

2)Create another one for the SoD condition. The stage would be the role owner stage.

What do you think about it? Is there any step I am not considering?

Thank you very much for your responses!

Accepted Solutions (1)


Former Member
0 Kudos

Hi John

I have a better solution for you in case you want to follow.

Create a 1-stage workflow with the standard initiator provided by SAP, with a stage called Role_Owner where you check the risk analysis. If there are any SoDs, it will take a detour path with 1 compliance stage, where after the risk is mitigated it will be auto-provisioned post approval at that stage.

Else, if there is no SoD, then at the Role Owner stage just the role owner needs to approve and it will be auto-provisioned.

Let me know if it works for you.

Regards

Pradeep

Former Member
0 Kudos

Thank you very much for your response.

The way you described is exactly what I have configured in the Workflow. My question is that if there is no SoD, the role owner would not need to approve the roles because they should be auto-approved.

Do you know how could it be done?

Thanks in advance!

Former Member
0 Kudos

Hi Pradeep,

Thank you for your answer, but the thing is that I need that if the roles have no risks, they should be auto-approved. Do you know how it can be done?

Thanks again!!

Former Member
0 Kudos

Hi John

To check for risk and detour you need to have at least 1 path where the risk checking will happen. Based on that, if a risk is there then it will take the detour path, and if not then it will be approved there and auto-provisioned.

Regards

Pradeep

former_member193066
Active Contributor
0 Kudos

Hello,

For the initiator rule you must have that in either the header or a line item of a request:

either role name or connector or request ID or request type etc.

Your requirement would require at least 1 stage to determine the SoD, and you can use a routing rule.

You can create a new data element under GRAC_S_REQUEST_RULE_LINE, then use it.

Regards,

Prasant

simon_persin4
Contributor
0 Kudos

Hi John,

Whilst I can see your requirement, the question is how will you check whether the roles have SOD violations or not in the access request?

They could be contributing to an SOD or critical access violation depending on the way in which the roles are assigned to the users.

Unless you evaluate the Risk analysis at the point in time then you'll never know. You can set the risk analysis to run automatically but that will only consider the default values and may therefore miss elements in the reporting.

You should really have at least one human interaction stage initially to certify that the analysis is done and that the request is genuine & appropriate but then it can be auto-provisioned from there onward.

Why are you trying to avoid BRF+ rules? It's not that hard and really enhances the solution by enabling you to configure proper behaviours based upon more complete use cases than simply hoping that you can align to the standard SAP template.

Simon

former_member655817
Discoverer
0 Kudos

Hi John,

You can combine the logic of the SoD violations determined from the function module GRAC_MSMP_DETOUR_SODVIOL in the initiator rule. Now the initiator rule determines two results on request submission: one result with SoD violations and the other without violations. Route the no-violation result to a No Stage path and the one with violations to a Role Owner path.

Regards,

Shilpa

Answers (3)


Former Member
0 Kudos

Hi John,

Can you let me know whether you had any luck in creating the workflow for the scenarios you described?

1)Create one path for the No SoD condition. It has no stages.

2)Create another one for the SoD condition. The stage would be the role owner stage.

I have created the workflow, but it is assigning roles to the users even though there are SoD conflicts.

One path is for provisioning if there are no conflicts.

The second path is for forwarding to the security team.

Step 1

Process Global Settings

Select Process ID >> GRAC_ACCESS_REQUEST with Rule ID: GRAC_AR_INITIATOR

Escape Conditions

Auto provisioning failure: Set Escape Routing >> Escape path >> SOD Review >> Escape Stage: 002

Step 2

Maintain Rules

Select Rule ID: GRAC_AR_INITIATOR

Rule Results

1. GRAC_DEFAULT_RESULT

2. SODVIOL_DETOUR_PATH

Step 3

Maintain Agents

Not maintained anything

Step 4

Maintain Variables & Templates

Not maintained anything

Step 5

2 paths

Path#1: GRAC_DEFAULT_PATH with no stages (Automatic Assignment of roles)

Path#2: SOD Review (Custom path name)

Maintain Stages in Path#2

Stage Config ID: GRAC_SECURITY

Agent ID: GRAC_SECURITY

Routing Enabled: Yes

Rule ID: GRAC_MSMP_DETOUR_SODVIOL

*** Intention is to route any SoD conflicts to the Security team if there are any risks. If no risks are found, then create the user without any approvals ***

Step 6

Maintain Route Mapping

Rule ID: GRAC_AR_INITIATOR

Rule result: GRAC_DEFAULT_RESULT

To Path ID: GRAC_DEFAULT_PATH

Rule ID: GRAC_MSMP_DETOUR_SODVIOL

Rule result: SODVIOL_DETOUR_PATH

From Path: GRAC_DEFAULT_PATH

To Path: SOD REVIEW (Custom path created)

Step 7

Activate

The user ID has been created and roles assigned even though there are conflicts. Ideally it should take the path SOD REVIEW and forward this to the Security Team for approval.

Can you let me know what went wrong?
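The three configurations discussed in this thread (the Step 1-7 setup above, Pradeep's one-stage workflow with a detour, and Shilpa's initiator rule that already carries the SoD result) differ only in *when* the SoD check runs. The following Python model is an added illustration written for this page; it is not SAP code and not anything posted in the thread. It assumes only the evaluation order the replies describe: the initiator rule runs once at submission and selects a path, a stage routing (detour) rule runs only when a request reaches a stage with routing enabled, and a path with no stages auto-provisions immediately. The rule name `Z_INITIATOR_WITH_SOD` is hypothetical, the `request` dict is constructed, and the rule results are stand-ins for the real risk analysis.

```python
# Simplified model of MSMP request routing, constructed for illustration only.
# It is NOT SAP's implementation; it models only the evaluation order the
# replies rely on: initiator rule once at submission -> path; stage routing
# (detour) rules only on reaching a stage; a path with no stages auto-provisions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Stage:
    config_id: str
    routing_rule: Optional[str] = None   # rule evaluated on arrival if routing is enabled


@dataclass
class Path:
    path_id: str
    stages: list = field(default_factory=list)


@dataclass
class Workflow:
    initiator_rule: str
    paths: dict               # path_id -> Path
    initiator_mapping: dict   # initiator rule result -> path_id
    detour_mapping: dict      # (rule_id, result, from_path) -> to_path


def eval_rule(rule_id: str, request: dict) -> Optional[str]:
    """Constructed stand-ins for rule results; the real rules read the risk analysis."""
    if rule_id == "GRAC_AR_INITIATOR":           # standard initiator: a single result
        return "GRAC_DEFAULT_RESULT"
    if rule_id == "GRAC_MSMP_DETOUR_SODVIOL":    # detour rule: result only on a violation
        return "SODVIOL_DETOUR_PATH" if request["sod_violations"] else None
    if rule_id == "Z_INITIATOR_WITH_SOD":        # hypothetical combined initiator (Shilpa's idea)
        return "SOD_VIOL" if request["sod_violations"] else "NO_SOD"
    raise ValueError(f"unknown rule {rule_id}")


def run_request(wf: Workflow, request: dict) -> list:
    """Return the trail of stages the request reaches, ending in AUTO_PROVISION."""
    trail = []
    result = eval_rule(wf.initiator_rule, request)
    current = wf.paths[wf.initiator_mapping[result]]
    idx = 0
    while idx < len(current.stages):
        stage = current.stages[idx]
        trail.append(f"{current.path_id}/{stage.config_id}")
        if stage.routing_rule:
            r = eval_rule(stage.routing_rule, request)
            target = wf.detour_mapping.get((stage.routing_rule, r, current.path_id))
            if target and target != current.path_id:
                current = wf.paths[target]   # detour: continue at the target path's first stage
                idx = 0
                continue
        idx += 1                              # approver at this stage approves
    trail.append("AUTO_PROVISION")
    return trail


# Configuration A: the Step 1-7 setup. The detour rule sits on a stage of the
# SOD Review path, but the default path has no stages, so the rule never runs.
WF_A = Workflow(
    initiator_rule="GRAC_AR_INITIATOR",
    paths={
        "GRAC_DEFAULT_PATH": Path("GRAC_DEFAULT_PATH"),
        "SOD_REVIEW": Path("SOD_REVIEW", [Stage("GRAC_SECURITY", "GRAC_MSMP_DETOUR_SODVIOL")]),
    },
    initiator_mapping={"GRAC_DEFAULT_RESULT": "GRAC_DEFAULT_PATH"},
    detour_mapping={("GRAC_MSMP_DETOUR_SODVIOL", "SODVIOL_DETOUR_PATH", "GRAC_DEFAULT_PATH"): "SOD_REVIEW"},
)

# Configuration B: Pradeep's one-stage workflow; the detour rule is on the role owner stage.
WF_B = Workflow(
    initiator_rule="GRAC_AR_INITIATOR",
    paths={
        "GRAC_DEFAULT_PATH": Path("GRAC_DEFAULT_PATH", [Stage("ROLE_OWNER", "GRAC_MSMP_DETOUR_SODVIOL")]),
        "SOD_REVIEW": Path("SOD_REVIEW", [Stage("GRAC_SECURITY")]),
    },
    initiator_mapping={"GRAC_DEFAULT_RESULT": "GRAC_DEFAULT_PATH"},
    detour_mapping={("GRAC_MSMP_DETOUR_SODVIOL", "SODVIOL_DETOUR_PATH", "GRAC_DEFAULT_PATH"): "SOD_REVIEW"},
)

# Configuration C: Shilpa's approach; the initiator itself yields two results.
WF_C = Workflow(
    initiator_rule="Z_INITIATOR_WITH_SOD",
    paths={
        "GRAC_DEFAULT_PATH": Path("GRAC_DEFAULT_PATH"),
        "ROLE_OWNER_PATH": Path("ROLE_OWNER_PATH", [Stage("ROLE_OWNER")]),
    },
    initiator_mapping={"NO_SOD": "GRAC_DEFAULT_PATH", "SOD_VIOL": "ROLE_OWNER_PATH"},
    detour_mapping={},
)

if __name__ == "__main__":
    for name, wf in (("A", WF_A), ("B", WF_B), ("C", WF_C)):
        for viol in (False, True):
            print(name, "violations" if viol else "clean", run_request(wf, {"sod_violations": viol}))
```

Running it shows why configuration A provisions conflicting roles: a request with violations never reaches a stage, so the detour mapping from GRAC_DEFAULT_PATH is never consulted. Configuration B catches the violation but still sends clean requests through the role owner, which is the point John raises; configuration C is the only one of the three where clean requests reach auto-provisioning with no approver and conflicting ones do not.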

Former Member
0 Kudos

Stage 1: fictitious Agent
  - escalation type = Skip to Next Stage
  - time = 1 min
  - no notifications
  - routing SOD
Stage 2: Role Owner
Regards.

Former Member
0 Kudos

Hi Leon,

That's an easy logic/solution. Did you implement it, and was the solution successful? Please share your experience.

Thanks,

Prasad

former_member193066
Active Contributor
0 Kudos

Please check this; it is useful for a requirement like yours.

The example is based on role, but you can refer to it for your initiator condition.

http://scn.sap.com/community/grc/blog/2013/03/15/using-brf-db-lookup-to-create-complex-msmp-rules#co...