GRC 10.1: Issue with Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls


Hi All,

As per our project requirement, after the Role Owner risk analysis, High risk should route to the SOD Violation path, whereas Low & Medium risk should move to the No SOD Violation path.

I have created my BRF+ rule as per the document by Amanjit (link below). I am able to move High risk to the SOD Violation path, but Low & Medium risk are not being moved to the No SOD Violation path.

The routing rule moves the whole request down the routing path rather than separating the line items.

My requirement is to move roles with Low & Medium risk to another path, not to the Risk Owner of the high risk.

BRF+ Decision Table - Screenshot

MSMP Config - Screenshot

Access Request Audit Log - Screenshot (only the SOD Violation route is taken; roles without SOD violations are also moved to the same path)

Any input is highly appreciated.

Thanks,

Harris


Answers (1)


madhusap
Active Contributor

Hi Harris,

As per the GRC design, I would suggest routing based on whether violations exist or not, rather than on risk level.

For example, assume that your request has a role which creates HIGH, MEDIUM and LOW risk violations for the user who requested it; which path should the workflow take then?

Consider the approach below (if it meets your requirement):

1. If the request has HIGH, MEDIUM or LOW violations, route the request to the Compliance Team stage.

2. If the request has HIGH risk violations, either the request should be REJECTED or the role causing the HIGH risk violations should be REJECTED.

3. If the request has MEDIUM/LOW risk violations, allow the violation to be mitigated (pre-define mitigating controls for the MEDIUM/LOW Risk IDs).

Let me know your thoughts on this, as well as why the client's requirement is based on risk level, if there is a specific reason for it.

Regards,

Madhu.


Hi Madhu,

Thanks for your suggestion.

I recommended the same approach to the client, moving high, medium and low risk through the SAP standard SOD violation routing rule to the GRC admin / compliance team, but the client doesn't want a GRC admin / compliance team to be in place. They want everything to be handled at the Role Owner & Risk Owner level. Only the error / escape path should go to the GRC Admin / Compliance team.

Currently I have set up the same approach as you mentioned above:

1. Low & medium risk can be provisioned directly in the system at the Role Owner stage.

2. High and Critical risk roles cannot be submitted by the role owner until mitigated (mitigation policy enabled).

3. If HIGH risk, the role owner should mitigate it, and after mitigation owner approval the role would be authorized to the user.

4. For Critical risk, no provisioning should happen.

Now they want the following approach:

1. Low & medium risk can be provisioned directly in the system at the Role Owner stage.

2. For Critical risk, no provisioning should happen.

3. High risk should be routed to the Risk Owner.

4. The Risk Owner would mitigate the risk and provisioning would happen.

I am able to configure the approach required by the client, but I am getting stuck at the routing of High risk to the risk owner.

madhusap
Active Contributor

Hi Harris,

I understand your requirement.

SAP has provided an SAP note to implement the actual "Risk ID" approvers as an agent type for access requests. Can you check the note below and see if it suffices your requirement by using the Risk Owner agent? (Make sure all your Risk IDs have an owner maintained.)

1670504 - AC 10.0 Risk Owner Workflow Agent - Class Based Rule

Regards,

Madhu.


Yes Madhu,

I have implemented that SAP note as the Risk Owner Approver, and I have configured that agent in my routing stage.

If I have a single role with high risk, then it definitely moves to the SOD violation stage and the agent rule for the approver works for it. If I have a mix of medium / low risk roles with a high risk role, then the routing tries to route the whole request to the risk owner stage.

My issue is with the routing of No SOD violation roles (I mean roles with medium / low / no risk); these roles are not moving to the No SOD Violation path.
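The behaviour described across this thread, modelled as an added example (not BRF+ or GRC code, and not from any poster): a request-level rule takes the worst risk in the request and sends every line item down one path, while a line-item rule routes each role on its own risk level. The role names, risk ranking and path labels are constructed for the illustration.

```python
from collections import defaultdict

# Constructed risk ranking; GRC's internal codes are not reproduced here.
RISK_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SOD_PATH = "SOD_VIOLATION"        # assumed label for the risk-owner route
NO_SOD_PATH = "NO_SOD_VIOLATION"  # assumed label for the direct-provisioning route


def route_line_item(risk_level):
    """Decision-table logic from the thread: only HIGH (and above) goes to the risk owner."""
    if RISK_RANK[risk_level] >= RISK_RANK["HIGH"]:
        return SOD_PATH
    return NO_SOD_PATH


def route_request_level(line_items):
    """Request-level evaluation: the worst risk in the request decides one path for all roles."""
    worst = max(line_items.values(), key=lambda r: RISK_RANK[r])
    path = route_line_item(worst)
    return {role: path for role in line_items}


def route_by_line_item(line_items):
    """Line-item evaluation: each role is routed on its own risk level."""
    return {role: route_line_item(risk) for role, risk in line_items.items()}


def split_paths(routing):
    """Group roles by the path they were sent down, for audit-log style comparison."""
    paths = defaultdict(list)
    for role, path in routing.items():
        paths[path].append(role)
    return dict(paths)


# Constructed sample request: one HIGH-risk role mixed with LOW / MEDIUM / no-risk roles.
SAMPLE_REQUEST = {
    "Z_FI_AP_PAYMENTS": "HIGH",
    "Z_FI_AP_DISPLAY": "LOW",
    "Z_MM_PO_CREATE": "MEDIUM",
    "Z_BC_DISPLAY_ONLY": "NONE",
}

if __name__ == "__main__":
    # Request-level: all four roles land on SOD_VIOLATION (the symptom in the audit log).
    print("request-level:", split_paths(route_request_level(SAMPLE_REQUEST)))
    # Line-item: only the HIGH role goes to SOD_VIOLATION; the rest take NO_SOD_VIOLATION.
    print("line-item:", split_paths(route_by_line_item(SAMPLE_REQUEST)))
```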