Question Re: Detour or initiator determination based upon Authorization in Additional Q&A

Detour or initiator determination based upon Authorization

Former Member — Fri, 16 Nov 2012 06:07:31 GMT

Hi Experts,

I need your opinion and help on this requirement. We are working on GRC AC10 and client has put a requirement that user access workflow will have only one stage except when it has BOM related authorizations where it will go for special approval.

I tried to look at two options -

Detour with particular Roles.

Initiator and Path determination based upon authorizations.

I found no option for that, as detour has only two primary options - either no role owner found or SOD violations. We can't have BOM roles without owner which will be required at the time of role creation or modification approval.

For SOD, the single stage approver will take care, so it will not serve the purpose.

For initiator, Role based initiator is a messy process. If you can suggest any other option which could meet the requirement, that would be helpful.

Thanks in advance,

Regards,

Sabita

Re: Detour or initiator determination based upon Authorization

simon_persin4 — Fri, 16 Nov 2012 16:42:31 GMT

Hi Sabita,

You could achieve this by creating a custom Routing rule which is built in BRF+ based upon Role name. If you really want to get into the details you could use some of the other BRF+ expressions to built the initiator or routing rules based upon nested expressions and use a DB table lookup to roles with the specific BOM authorisation. You'd have to ensure that a GRC table contains a flag or an identifier for that to trigger on though since you cannot look directly at the SAP backend system from within BRF+. Alternatively, use a field in BRM to identify these roles (like sensitivity / criticality) and make the BRF+ rule trigger on those.

A few options available for you there!

Re: Detour or initiator determination based upon Authorization

Former Member — Mon, 19 Nov 2012 04:55:04 GMT

Thanks Simon,

The second option suggested by you looks easier to implement, have you or someone worked with this option? Before actually working on it, we have to confirm our client whether it is possible or not.

One more thing I wanted to know - Client is implementing SAP and GRC, so not aware of workflow options and what would suit best to them. What they want is to implement the easiest workflow and later on expand it if they feel need of doing so. Can you confirm if it is possible to change workflow in a live system where requests are already generated?

I know in AC 5.3 it was possible only after closing and archiving all requests, but not aware about GRC AC10.

Your input is really valuable to me. Thanks,

Sabita

Re: Detour or initiator determination based upon Authorization

former_member184114 — Mon, 19 Nov 2012 09:29:39 GMT

Sabita,

I believe, when we save and activate the MSMP workflow configuration, this will generate a new version and this can be saved into a transport request. Then you can transport the same to your target system.

This way you can change the existing workflow.

Regards,

faisal

Re: Detour or initiator determination based upon Authorization

simon_persin4 — Mon, 19 Nov 2012 09:50:26 GMT

Hi Sabita,

I've worked on numerous client sites with v10.0 and have implemented routing rules similar to the situation which you're trying to achieve. For example a particular set of roles for one client needed approval from All approvers rather than just one of the approvers and I used a similar mechanism to meet that requirement.

Regarding the changes of workflow after the initial creation, Faisal is correct. The workflow is transportable meaning that you can generate a new version and migrate that through the landscape. If you have open workflows at the time, you have a configuration option for each stage which governs whether the workflow will automatically route to the new version or stay on the old version until it is complete.

You should be careful about when you move the transports though as if you make large changes to the routes or paths, then you might end up with processing errors for those workflow items already in progress.

Cheers,
Simon

Re: Detour or initiator determination based upon Authorization

Former Member — Mon, 19 Nov 2012 12:07:21 GMT

Hi Simon and Faisal,

Thanks for your conclusive replies, which saved lots of my time doing trial and error.

Simon, I see some standard fields in BRM like -

Criticality

Sensitivity

Business Process and Sub-process

Functional Area

Can we use any of them for detour? It will save trouble creating custom fields.

For Role approver, In 5.3 we had an option to choose Role approver based upon Business Process, Sub-process etc which excluded any necessity to assign Role owner to each individual roles. Is this possible in AC10?

Thanks,

Sabita

Re: Detour or initiator determination based upon Authorization

simon_persin4 — Mon, 19 Nov 2012 13:00:03 GMT

Yes Sabita,

All of those fields mentioned can be used for the basis of either a routing or an initiator rule condition.

For Role approvers, you can also identify them as default approvers through BRF+ by configuring the Approver functionality in BRM. To do this, you specify the input conditions (e.g. functional area, business process etc,) and then link to a "condition group" as the result of the expression. You then link the approvers to the condition group and can then when the roles are updated, you have the approvers set as default.

Alternatively, you can manage the assignment of the approvers through the Role Import functions and use flat text based files for uploading the attributes (including approvers).

Have fun,

Simon