Detour Path for SOD Violation

mamoonr
Active Participant
0 Kudos

Hi,

Our new account access request workflow has only one stage, the role owner. Once he approves, it is auto-provisioned; they also do the mitigation. Now we have a requirement to route the workflow to another stage (risk owner) if it has any risk. At that stage the mitigation should be done and then it is auto-provisioned. I have configured the detour stage for SOD violation with rule GRAC_MSMP_DETOUR_SODVIOL. But once the role owner has done the risk analysis, should it go to the risk owner at that moment, or does the role owner have to approve (submit) and then it goes to the risk owner stage? Please share your thoughts on this.

Thanks,

Mamoon

Accepted Solutions (1)

Former Member
0 Kudos

In my opinion,

Once the role owner has approved the request, and if the request contains any violations, I would detour the request (or if possible, then specific roles that cause new risks, i.e. line items) to a risk owner agent.

Compared to a typical role owner, the risk owner should have the knowledge to understand the violations and apply the mitigating controls, therefore I agree with your thoughts/plan.

One thing to remember is that you should configure GRC to perform risk analysis upon request submission (if possible). I know this may slow down the performance on submission, but it is not a big deal.

Alternatively, ensure that the Role Owner has to perform Risk Analysis, i.e. make it mandatory prior to approval of the request at that stage, so that the most up-to-date risk analysis result is considered by the system when calculating whether the request/line items need to be detoured to a risk owner/approver.

mamoonr
Active Participant
0 Kudos

Hi ,

What is the difference between stage level and line item level in the routing level?

Thanks,

Mamoon

Former Member
0 Kudos

We probably should rephrase "Stage level" as "Request level", i.e. the whole request.

Request level - the request is considered/routed/approved/rejected as a whole. In this scenario, if one line item/role was causing an issue, you may not be able to reject that specific role in the request; the whole request may have to be rejected.

Line Item Level - the actual different contents, i.e. roles/systems, can be considered/routed/approved/rejected individually. If a stage is set up to be approved at Role/System level, then it provides greater flexibility for managing access requests.

Hope that helps.

mamoonr
Active Participant
0 Kudos

Thanks Harinam....

mamoonr
Active Participant
0 Kudos

Hi Harinam,

In connection with the above issue, if the workflow goes to the SOD detour path, then for the recipient I have defined the agent as directly mapped users.

There are multiple persons who can mitigate the risk. As of now the detour path is going to only one person, defined as a directly mapped user in MSMP.

If one distribution list (DL) is maintained, then it would go to all owners.

Please let me know if there is any best practice for this.

Thanks,

Mamoon

Answers (0)