Hi Shailesh

Remove the change user action and add assign, retain and remove actions for change request type. This should remove system as a selection in ARQ.

Thanks

Anthony

Anthony,

Can we achieve resolution without using above action??

Reason is its a business requirement to have SYSTEM option while submitting request.

Can't we ignore or delete or redirect system entry ?

Many thanks in advance

Regards,

Shailesh

Hi Shailesh

I am lost with what you are trying to achieve. What do you mean by the statement below.

Is there any better way to handle this?  client do not wants to APPROVE requests with SYSTEM entries but ready to handle requests with no role owner request.

Thanks

Anthony

I mean... with option which I have configured.. 1st stage owner will see entry of system+roles which he will add(which has role owner for example)

when he will submit it, system entry(1st row) will follow escape route and routed to escapae stage,

whereas roles having approval will follow intended ROLE OWNER stage..

Business requirement is they can approve escapate route requests which has no role owners BUT not entries which will have ONLY systems...

With above example, only system will take escapate route which business has to approve manually, which is not expected to them

Hi Shailesh

Based on the above requirement, there is no need to add system in the request line item before submission. Once the role is selected, GRC will automatically populate the system field. As for business to manually approve roles with no role owner, I would configure Approver not found escape routes to route the roles with no role owners to the business for manual approval.  You dont even need to setup a routing for that.

My suggestion is for you to go back to the client and ask why they need system to be included before request submission. It makes no sense to have it based on your requirement.

Thanks

Anthony

Hi Anthony,

I agree, system field will be populated in request once user selects a role. But not necessary end users will know which role to request for appropriate access. Generally they will know system and tcodes e.g.  so requirement is to have system field while submitting.

In 5.3, business were able to see application(system) field while raising change authorization request and they want exactly same in grc 10.

Please share any thought on this.. agree, this is weird requirement.

Hi Faisal,

with change request, user will request to change authorizations (assign/remove), however he will only submit system in which he needs access, next stage person will add appropriate roles.

Any suggestion or idea?

settings mentioned by you can't be done since system field needs to be visible

Hi Faisal,

Can you provide solution to my query?

This is still possible Shailesh,

Your request submitters will only raise a request with the System access, therefore ensure that if you have any custom initiator in place, it considers line items that are just "systems".

As well as ensuring the request type has the "Assign object" attribute assigned, within your secondary stage setting, ensure the approver is able to change/add/remove assignments within the request.

Within the "Default Stage settings" (in MSMP workflow config screen 5 - Maintain Paths) ensure the stage has "Add Assignment" and "Override assign type" is ticked.

Thanks Harinam..

Can you provide how the custom initiator should look like:

"
how to ensure, it(request) will considers line items
that are just "systems". "

and do we need to change initiator rule?  I was under impression that 1st stage rule(Agent rule) should have some condition to do that.

Pleeej help

Hello,

1) you want a path for systems only, so you need to create a path to deal with systems only. Who are the approvers?

2) In the initiator, you need the condition to catch "System only" requests, so as stated in previous answers to you in other threads, you need to utilise the condition column "Role Connector" and have the value set to "Is initial" - and the result to point to the trigger result "System only path" (or whatever you name it).

3) Who is approving the roles? the actual role owners or a general approver based on access request header level attributes like Business Process etc? If you are using such header level attributes, the whole request (both roles and systems) can be kept together and approved by the same approver. If you are using Role owners, then you will have to probably create a seperate path to deal with those aspects of the request.

Consider looking at the following threads again in detail:

- your post and Neeraj has responded to you

Faisal,

I have marked it

Regards,

Sai.

Hi Faisal,

I have followed the link ARQ: How to route a request based upon system and role??? to create my initiator.

This is working absolutely fine but i found a issue recently when i raised a EAM request. My initiator table has a condition to direct requests with request type to FFPATH but instead they are going to default path and getting auto approved.

I assume that you are also using same initiator decision table. Have you come across any such issue?

Regards,

Sai.

Hi Faisal,

If the request type is empty for the row which has ROLE_CONNECTOR with "Is Initial", then FF requests are going to defaultpath.

I updated request type for first row as 001 and 002 and now everything works fine. You can check below blog for the same.

Regards,

Sai.