cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC 10.1 - Issue with SoD routing workflow

Go to solution
Former Member

on ‎06-30-2014 1:19 AM

0 Kudos

I have been stuck in workflow issue for past few days. We have the following requirement

1. No SoDs >> Take approval from Role Owner and create user/ assign the access using workflow

2. SoDs found >> Role Owner approval and then Security team approval  after this userid will be created and assign the access

I have configured as below

Maintain Paths

1.GRAC_DEFUALT_PATH . In this I have configured re routing using Functional module GRAC_MSMP_DETOUR_SODVIOL to route from Role Owner stage to Security stage

2. ZGRAC_NO_SOD_PATH  . .with stage as role owner only

Maintain Route Mapping

1. Map GRAC_DEFUALT_result to Default_path

2. Map GRAC_MSMP_DETOUR_SODVIOL  to Defualt Path again for any SOD violations

3. Used one more functional module GRAC_INITIATOR_SOD_VIOLATIONS to check SoDs and map No SOD result to ZGRAC_NO_SOD_PATH

Workflow is working perfectly for  Scenario# where SoD exist

But for Scenario#1 , it is still following same path with 2 stages . Ideally it should go to role owner and assign the access

I believe this is due to it is just following 1 path GRAC_DEFUALT_PATH even though there are no SODs

Can anyone  suggest the best way to fix this ??

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member204479
Active Participant
‎06-30-2014 5:22 PM
0 Kudos

Hi Anil,

Can you please clarify following :

1. Which Initiator are you using for access request process?

2. The Initiator you use to check SoD "GRAC_INITIATOR_SOD_VIOLATIONS" Is mapped to ZGRAC_NO_SOD_PATH when there is no SoDs, does it also map to GRAC_DEFUALT_PATH when there is an SoD?

3. If you are determining for SoDs at Initiator level is you AC parameter "1071" = YES

However, from your requirement's perspective you can also simplify the workflow by following:

1. AC parameter "1071" = YES

2. Use the default initiator

3. Use the default path, with one stage - role owner.

4. Have the Default Detour on SoD mapped to role owner stage of the main path

5. Have a one stage path - security and map this to the detour

Thanks,

Sammukh

Show replies
Show replies
Former Member
‎07-01-2014 12:33 AM
0 Kudos

Thanks Samnukh

1. Initiator I am using is defualt one - GRAC_AR_INITIATOR with process ID GRAC_ACCESS_REQUEST

2. Parameter 1071 already set to yes

3. SoD Rule result mapped to GRAC_DEFUALT_PATH

I have also tried to configure using detour functional module GRAC_MSMP_DETOUR_SODVIOL as  mentiooned , but no luck


Thanks

Anil

Former Member
‎07-02-2014 4:27 PM
0 Kudos

Hi Anil -

First let me apologize for not replying  to your original post on my other thread, I was tied up with a customer. I did see it though and intended to provide feedback before you removed your question.

As Samnukh has suggested, I believe your configuration can be simplified by using the workflow with the initiator going to the Default path. I don't believe a No SoD Path is necessary based on my understanding of your requirements.

Here is my recommendation:

In Step 5 (Maintain Paths) create two paths:

1) Default Path (GRAC_DEFAULT_PATH)

2) Custom Security Path (Z### some name: ZGRAC_SEC_PATH).

In path 1) define the Role Owner and for 'Routing Enabled' column define value of 'Yes' with the Rule ID {GRAC_MSMP_DETOUR_SODVIOL} routing rule.

In path 2) define the Security team (you can create a user group in GRC and assign the security users to it) but in this path, no routing rules are necessary - 'Routing Enabled' = NO.

Define any necessay stage configuratin for both.

In Step 6 (Maintain Route Mapping):

1) Use Rule ID GRAC_AR_INITIATOR to map to the Path ID GRAC_DEFAULT_PATH.

2) Define the Rule ID GRAC_MSMP_DETOUR_SODVIOL rule ID FROM 'GRAC_DEFAULT_PATH' at stage # (whatever you set the stage number to be for Default path - Role Owner stage)

TO Path ID 'ZGRAC_SEC_PATH'


In Step 7 (Generate the Versions)


----------------------------------------------------------------

What this should do is send all requests down the Default path to the Role Owner and then on Approval it will check if there are SoD's. If No SoD then it will be Provisioned and the workflow will Close.

If there are SoD's in the request, it will route after the Role Owner approval to the Security Path where the security team will receive the request for review.

After they Approve the request, it will be Provisioned and the workflow will Close.

I hope I understood your question correctly, but if not please let me know. This should work for what you are trying to do.

Also you may want to setup Step 1 (Process Global Settings) - Escape Conditions at the bottom of that page in cases where an Approver is not found or there is an Auto-provisioning failure. You could define a new path for a team to catch these types of request and on the stage use the 'Forwarding' functionality to put the request back on track if a Approver is not found.

If you have any follow up questions, let me know.

Darnell

Former Member
‎07-03-2014 6:07 AM
0 Kudos

Thanks Darnell and Sanmukh , issue got resolved now

Answers (0)

Ask a Question