
GRC AC 10: Role Owner Detour when system is chosen

Former Member
0 Kudos

Dear experts,

We have an issue regarding Access Request Creation. We have configured the New/Change Account workflow with Role Owner stage, the problem appears when the user sets the system. The following screenshot shows the MSMP configuration:

I will try to explain this issue with two examples:

Example 1: Only roles are selected; the workflow works properly:

Access Request Creation: Two roles (with Role Owner) were selected:

The request is split and sent to the two role owners:

Role Owner 1:

Role Owner 2:

This is the desired scenario.

Example 2: System and roles are selected; the workflow does not work properly:

Access Request Creation: Two roles (with Role Owner) and the system were selected:

The request is sent to the detour stage No Role Owner because the system does not have an Assignment Agent:

No Role Owner stage:

I searched for this issue in forums and on the internet, but I didn't find anything.

Could you help me find the solution for this problem? The system does not have a Role Owner, but the rules are detecting this field as empty.

Thanks & Regards.

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Hi Jose,

Did you find a better solution than creating a dummy path with the automatic approval of the system?

I think this is a gap in the design of MSMP, because the role owner is able to reject the request. In this case the roles aren't provisioned but the user is created on the target system (system line item in the request).

Thanks for your answer.

Regards,

Manuela

madhusap
Active Contributor
0 Kudos

Hi Manuela,

You can disable the user from selecting the SYSTEM in the access request by modifying your New/Change account request type as shown below. Remove the "Create User" and "Change User" actions from the New/Change account request type.

In the System Provisioning settings, maintain as mentioned below.

Regards,

Madhu.

alessandr0
Active Contributor
0 Kudos

Dear José,

As the system does not have an approver, the request is routed directly without approval. You can create an exception so that, in case an owner is missing, the workflow gets routed to a pre-defined stage.

Instead of adding the system with the "create user" parameter in the request, you can also enable that a user gets created if he doesn't exist. This can be configured in the global provisioning configuration.

Hope this helps.

Regards,

Alessandro

former_member204204
Active Participant
0 Kudos

Hi,

The workflow is behaving as per the design. If you want your system line item to get approved without any system/role owner assigned, then create a path with no stage and, in your route mapping, send the NO_ROLE_OWNER result to that dummy path. The request that has no role owner or system owner for the role/system will then be approved automatically, and the rest will continue on the normal path.

Regards,

Neeraj