on 06-30-2014 1:19 AM
I have been stuck on a workflow issue for the past few days. We have the following requirement:
1. No SoDs >> Take approval from Role Owner and create user / assign the access using workflow
2. SoDs found >> Role Owner approval and then Security team approval; after this the user ID will be created and the access assigned
I have configured as below
Maintain Paths
1. GRAC_DEFUALT_PATH. In this I have configured rerouting using Functional module GRAC_MSMP_DETOUR_SODVIOL to route from Role Owner stage to Security stage
2. ZGRAC_NO_SOD_PATH, with stage as role owner only
Maintain Route Mapping
1. Map GRAC_DEFUALT_result to Default_path
2. Map GRAC_MSMP_DETOUR_SODVIOL to Default Path again for any SOD violations
3. Used one more functional module GRAC_INITIATOR_SOD_VIOLATIONS to check SoDs and map No SOD result to ZGRAC_NO_SOD_PATH
Workflow is working perfectly for Scenario# where SoD exist
But for Scenario #1, it is still following the same path with 2 stages. Ideally it should go to role owner and assign the access.
I believe this is because it is just following 1 path, GRAC_DEFUALT_PATH, even though there are no SODs.
Can anyone suggest the best way to fix this?
Hi Anil,
Can you please clarify following :
1. Which Initiator are you using for access request process?
2. The Initiator you use to check SoD, "GRAC_INITIATOR_SOD_VIOLATIONS", is mapped to ZGRAC_NO_SOD_PATH when there are no SoDs; does it also map to GRAC_DEFUALT_PATH when there is an SoD?
3. If you are determining SoDs at Initiator level, is your AC parameter "1071" = YES?
However, from your requirement's perspective you can also simplify the workflow by following:
1. AC parameter "1071" = YES
2. Use the default initiator
3. Use the default path, with one stage - role owner.
4. Have the Default Detour on SoD mapped to role owner stage of the main path
5. Have a one stage path - security and map this to the detour
Thanks,
Sammukh
Thanks Samnukh
1. Initiator I am using is the default one - GRAC_AR_INITIATOR with process ID GRAC_ACCESS_REQUEST
2. Parameter 1071 already set to yes
3. SoD Rule result mapped to GRAC_DEFUALT_PATH
I have also tried to configure using detour functional module GRAC_MSMP_DETOUR_SODVIOL as mentioned, but no luck
Thanks
Anil
Hi Anil -
First let me apologize for not replying to your original post on my other thread, I was tied up with a customer. I did see it though and intended to provide feedback before you removed your question.
As Samnukh has suggested, I believe your configuration can be simplified by using the workflow with the initiator going to the Default path. I don't believe a No SoD Path is necessary based on my understanding of your requirements.
Here is my recommendation:
In Step 5 (Maintain Paths) create two paths:
1) Default Path (GRAC_DEFAULT_PATH)
2) Custom Security Path (Z### some name: ZGRAC_SEC_PATH).
In path 1) define the Role Owner and for 'Routing Enabled' column define value of 'Yes' with the Rule ID {GRAC_MSMP_DETOUR_SODVIOL} routing rule.
In path 2) define the Security team (you can create a user group in GRC and assign the security users to it) but in this path, no routing rules are necessary - 'Routing Enabled' = NO.
Define any necessary stage configuration for both.
In Step 6 (Maintain Route Mapping):
1) Use Rule ID GRAC_AR_INITIATOR to map to the Path ID GRAC_DEFAULT_PATH.
2) Define the Rule ID GRAC_MSMP_DETOUR_SODVIOL rule ID FROM 'GRAC_DEFAULT_PATH' at stage # (whatever you set the stage number to be for Default path - Role Owner stage)
TO Path ID 'ZGRAC_SEC_PATH'
In Step 7 (Generate the Versions)
----------------------------------------------------------------
What this should do is send all requests down the Default path to the Role Owner and then on Approval it will check if there are SoD's. If No SoD then it will be Provisioned and the workflow will Close.
If there are SoD's in the request, it will route after the Role Owner approval to the Security Path where the security team will receive the request for review.
After they Approve the request, it will be Provisioned and the workflow will Close.
I hope I understood your question correctly, but if not please let me know. This should work for what you are trying to do.
Also you may want to set up Step 1 (Process Global Settings) - Escape Conditions at the bottom of that page in cases where an Approver is not found or there is an Auto-provisioning failure. You could define a new path for a team to catch these types of requests and on the stage use the 'Forwarding' functionality to put the request back on track if an Approver is not found.
If you have any follow up questions, let me know.
Darnell
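The two-path configuration recommended in the reply above, modelled as lookup tables with a small router and a consistency check. This is an added example, not SAP code and not part of the original thread; the stage numbers, agent labels and sample requests are assumptions.

```python
# Added illustration: a plain-Python model of the MSMP tables, not SAP code.
# Stage numbers, agent labels and the sample requests are constructed.

# Step 5 (Maintain Paths): path ID -> ordered stages
PATHS = {
    "GRAC_DEFAULT_PATH": [
        {"stage": 1, "agent": "ROLE_OWNER",
         "routing_rule": "GRAC_MSMP_DETOUR_SODVIOL"},  # Routing Enabled = Yes
    ],
    "ZGRAC_SEC_PATH": [
        {"stage": 1, "agent": "SECURITY_TEAM", "routing_rule": None},  # = No
    ],
}
# Step 6 (Maintain Route Mapping)
INITIATOR_MAP = {"GRAC_AR_INITIATOR": "GRAC_DEFAULT_PATH"}
DETOUR_MAP = {  # (rule ID, from path, from stage) -> target path
    ("GRAC_MSMP_DETOUR_SODVIOL", "GRAC_DEFAULT_PATH", 1): "ZGRAC_SEC_PATH",
}

def validate():
    """List configuration gaps that would leave a detour with nowhere to go."""
    problems = []
    for path_id, stages in PATHS.items():
        for st in stages:
            key = (st["routing_rule"], path_id, st["stage"])
            if st["routing_rule"] and DETOUR_MAP.get(key) not in PATHS:
                problems.append(f"{path_id} stage {st['stage']}: no valid detour target")
    problems += [f"initiator {i}: unknown path {p}"
                 for i, p in INITIATOR_MAP.items() if p not in PATHS]
    return problems

def route(sod_violations, initiator="GRAC_AR_INITIATOR"):
    """Return the (path, agent) approvals a request collects before provisioning."""
    approvals, path_id, visited = [], INITIATOR_MAP[initiator], set()
    while path_id:
        if path_id in visited:
            raise ValueError(f"routing loop through {path_id}")
        visited.add(path_id)
        next_path = None
        for st in PATHS[path_id]:
            approvals.append((path_id, st["agent"]))
            # The detour is taken after this stage's approval, only on SoD findings.
            if st["routing_rule"] and sod_violations:
                next_path = DETOUR_MAP[(st["routing_rule"], path_id, st["stage"])]
                break
        path_id = next_path
    return approvals

if __name__ == "__main__":
    print(validate())
    print(route([]))                       # no SoD
    print(route(["R001 (constructed)"]))   # SoD found
```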