cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BRF+ custom agent vs using existing functionality

Go to solution
santosh_krishnan2
Participant

on ‎09-10-2014 10:13 PM

0 Kudos

Hi guys,

I've configured a BRF+ flat rule initiator and it's working fine.  Now I have to either configure a flat rule agent, or try to find a more manageable way to solve with my problem.

The problem is as follows.

All roles have one or more approver.  Some roles need to get approved by an MDM person or a training person, or both.  I've accounted for this in the initiator, so that those roles will get routed to a different path.  So there's a separate ZMDMTRAIN.

Now I have to identify the MDM approver and/or the training person for the role.

One strategy I was pursuing was to leverage the alternate approver.  I figured since we're not doing any escalations, I can use the alternate approve in the routing for these MDM and training roles so that once the role owner has approved the role, the second stage in that path will go to the alternate approver (which will either be the training person or the MDM approver).  I would basically set it to all approvers (instead of any approvers) and so that will solve this problem.

Problem with this is that within BRM, a role can only have an alternate approver if there is an approver ... so if we have only 1 approver, but the role must go to MDM and to training, then that's not possible - it won't save.

But if it were possible, then this would solve the problem.

Before I go and build out an agent, I wanted to see if anyone had an idea on how I might leverage the existing functionality in the NWBC end of the GRC 10 interface, without having to build a custom agent.

Thanks.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎09-11-2014 9:41 AM
0 Kudos

Hi Santosh,

You can create different paths for 1 level and 2 level approvals. In your case you may need to create three paths as follows:

1. For MDM - ZPATH_MDM

2. For Training - ZPATH_TRAINING

3. For both ZPATH_MDMTRAIN

Then configure your BRF+ rule based on your conditions such that rule returns the appropriate path.

Example if access request is for roles belonging to functional area MDM return  ZPATH_MDM and likewise for others coniditions.

Regards,

Ravi

Show replies
Show replies
santosh_krishnan2
Participant
‎09-11-2014 5:28 PM
0 Kudos

Hi Ravi,

I woke up this morning and saw your email, and thought, this guy was in my brain last night.  Arrived at the same conclusion while sleeping on the problem.

So this is all good to go but there is a related issue.

Once I set this up, I delegated approval for the training coordinator to some other user.  This other user gets the request correctly, but when he goes to approve it, Access Control asks him to enter his password.

Now the thing is that passwords are deactivated in the SAP system, so the user can't submit the request.


We attempted to activate his password, and then he could approve the request successfully.

So, basically, the delegated approver gets the request correctly, and then can't submit as GRC asks for a password in order to proceed.  We wouldn't want that.

Please let me know if you are able to assist.

Former Member
‎09-16-2014 11:30 AM
0 Kudos

Hi Santosh,

You are on which version and SP? Do you have SNC implemented and SNC settings maintained for the delegated approver.

Regards,

Ravi

santosh_krishnan2
Participant
‎09-16-2014 11:55 AM
0 Kudos

Version 10.1 SP05. I haven't maintained anything regarding SNC as it's not been implemented, as far as I know.

Answers (0)

Ask a Question