
Auto Provisioning at end of Each Path?

Former Member

Hello all,

I need to understand if this workflow design is feasible.  My stages are:

     1. Manager

     2. Role Owner(s)

     3. Controls Team (Only if SOD is found at stage 2)

Stages 1 and 2 are a part of Path 1.

Stage 3 is in a separate path, Path 2.

The Standard SOD routing rule links stage 2 of Path 1 to stage 3 of Path 2.  This is working fine.

Now, here is the catch.  The client would like to have provisioning take place after stage 2, even if there is SOD.  Then, if there is an SOD, they would like the approver in Stage 3 to be "notified" but not "required" to act before provisioning takes place.  The rationale is that the approvers in Stage 3 could be traveling or away on business (or just take really long to approve) and they would like provisioning to take place after Stage 2 no matter what.

I've tried to change the provisioning settings to "Auto Provision at end of Each Path" thinking that Path 1 would finish, then provision, in both scenarios.  However, this does not work; the access is not provisioned until it is approved in Stage 3 when there is an SOD.

It looks like the SOD detour routing rule takes the request to a new "path", but it is not actually considering this a different path because it is linked to the activity of Path 1.

Any thoughts or recommendations for an alternative design that isn't too complex?

Thanks,

Ken

Accepted Solutions (1)


Colleen
Advisor

Hi Kenneth

The client would like to have provisioning take place after stage 2, even if there is SOD.

Doesn't this defeat the purpose of remediate and mitigate risk before user receives access? This business requirement is basically saying "we're too busy doing something else to review SoD issues".

If they are keen on assigning the access due to unavailability, could you have an escalation if not approved in X days by L3, then just auto approve (route to a path with no stages) and send a notification instead? Make the Controls Teams who are travelling go and manually run the reports and remediate/mitigate outside of workflow? That or let the risk be there and configure User Access Reviews more regularly?

Regards

Colleen


Former Member

It does indeed defeat the purpose, however the client is in infancy with controls (they have none) and they will be re-designing their roles in the coming months.

I like the idea of having a Controls Team path that the request routes to without having a stage for approval, but how would I send a notification to an approver if there is no stage configured?  The global notifications need to be used for normal situations, so they wouldn't be able to be customized for that need.

I appreciate the alternatives you have provided.  It sounds like detouring to a new path based on the SOD condition doesn't treat it as a "new path" or that the original path "finished", which is the issue.  I will steer the client down one of these alternatives.

Thanks!

Colleen
Advisor

Hi Kenneth

Possibly the solution is to send the notification to them when they are first sent to them with a paragraph stating "after X number of days user will receive access blah blah blah"

Another option could be to send to a stage for Security to approve it so Controls get the notification. Then you can have security chase Controls to manually complete the SoD steps?

You could also try two additional paths (one where it gets sent to controls again) and then an escalation of that for a short period to go to another path with no stages for auto approval.

I haven't tried any of these suggestions, however.

Regards

Colleen

PS - I get it's a big culture change but there will be risk they never embed their SoD preventative culture if they aren't enforced from day 1.
