BRF+ custom agent vs using existing functionality
I've configured a BRF+ flat rule initiator and it's working fine. Now I have to either configure a flat rule agent, or try to find a more manageable way to solve with my problem.
The problem is as follows.
All roles have one or more approver. Some roles need to get approved by an MDM person or a training person, or both. I've accounted for this in the initiator, so that those roles will get routed to a different path. So there's a separate ZMDMTRAIN.
Now I have to identify the MDM approver and/or the training person for the role.
One strategy I was pursuing was to leverage the alternate approver. I figured since we're not doing any escalations, I can use the alternate approve in the routing for these MDM and training roles so that once the role owner has approved the role, the second stage in that path will go to the alternate approver (which will either be the training person or the MDM approver). I would basically set it to all approvers (instead of any approvers) and so that will solve this problem.
Problem with this is that within BRM, a role can only have an alternate approver if there is an approver ... so if we have only 1 approver, but the role must go to MDM and to training, then that's not possible - it won't save.
But if it were possible, then this would solve the problem.
Before I go and build out an agent, I wanted to see if anyone had an idea on how I might leverage the existing functionality in the NWBC end of the GRC 10 interface, without having to build a custom agent.
You can create different paths for 1 level and 2 level approvals. In your case you may need to create three paths as follows:
1. For MDM - ZPATH_MDM
2. For Training - ZPATH_TRAINING
3. For both ZPATH_MDMTRAIN
Then configure your BRF+ rule based on your conditions such that rule returns the appropriate path.
Example if access request is for roles belonging to functional area MDM return ZPATH_MDM and likewise for others coniditions.