cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Auto provisioning roles already approved list

Former Member

on ‎09-15-2015 3:06 PM

0 Kudos

Hello everyone,

I am designing the workflow for requesting access GRC 10.0 and the main idea is to avoid BRF + rules for the following case:

I need to create a way to read a list of roles that are already approved by the business and provisioned automatically without asking for approval on stage. if you can create a list of roles that do not ask for approval? and only pass through the stage roles that require approval under the same application ?.

They can colaborarme with ideas for the theme. Thank you very much for your answers!

Regards,

Freddy

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
‎09-15-2015 3:32 PM
0 Kudos

hi Freddy,

how would GRC know, that these roles are already approved by business?

So, Create a custom table, in GRC system, with 2 fields Role_Name and Approval_Status. Maintain this table manually, at back-end where you mark, roles approved by Business as YES, else NO

Now, include a DBLookup, in your decision table, which  returns a BOOLEAN value, from this table. i.e, YES, if Approval_STATUS is YES

condition in DBLookup: where GRAC_S_REQUEST_RULE_LINE_ROLE_NAME = Role_Name

For YES, include a Rule result, which goes to a path, with no stages. For NO, the rule resuly should route to a path, for approval.

Regards

Plaban

Show replies
Show replies
former_member193066
Active Contributor
‎09-15-2015 4:07 PM
0 Kudos

I think,

you can easily find which roles are already assigned to users from table GRACROLEUSAGE.

this has information which role has already been assigned to user on which system.

i do not think of creating another table and making development of updating that table using sync job. as standard sync job will not update that custom  table.

BRF+ will help using DB LOOKUP only to roles which are already assigned to user.

Sync job interval will play important role.

Regards,

Prasant

alessandr0
Active Contributor
‎09-15-2015 3:15 PM
0 Kudos

Dear Freddy,

I had similar requirements and used a role attribute to identify pre-approved roles. In one case we used a business process (incl. subprocess) to auto approve roles. In that particular case we defined a business process "Technical > Auto Approval". Within BRF+ we then routed this roles to a path without stages (= auto approval).

Another option might be to define a custom table and define a function module that checks / compares requested roles with pre-approved roles and route them to a path with no stages.

It is also possible to approve roles without approvers. But by activating this function you need to consider any security issue if another role (beside the pre-approved) has no approve since this role will also be approved.

I recommend to use BRF+ or a function module to achieve your requirement. BRF+ delivers standard functionality to modify your workflow behaviour.

Keep us posted.

Regards,

Alessandro

Show replies
Show replies
Ask a Question