Showing results for 
Search instead for 
Did you mean: 

Risk mitigation path before role owner approval in GRC 10 Access request

Former Member
0 Kudos

Hi Friends,

We are implementing ARM and we are facing issues with the design. Please help.

We want the workflow as below:

1) Access Request submitted

2) If there are SOD violations, route it to Security/point of contact. Security will mitigate and either send back to role owner approver or

auto provisioning

3) If No SOD, it should goto role owner approval stage and then auto provisioning

If the request is for role remove, it should go to auto provisioning without approvals but notify the role owner.

Please help me.


Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi Krishna ,

In your case you have to route your request based on risk analysis at request submission.

You can use the Function module GRAC_INITIATOR_SOD_VIOLATIONS , this is a initiator rule and it executes at the time of request submission.

So this means you will have to maintain this initiator rule in your Global Rules area.

There will be two results for this initiator SOD_VIOLATIONS and NO_SOD_VIOLATIONS.

So the request can take two paths based on the risk results one will be Role owner and other will be to security.

Let me know if this is what you were looking for.



Former Member
0 Kudos

Solution is... need to create a dummy stage and skip to next level. maintain SOD detour in the dummy path

Answers (1)

Answers (1)

Active Participant
0 Kudos

Hi Vamsi,

You should make use of BRF+ application to customize the workflows.

Under GRAC Access request management process ID please create initiator rules.

Create two initiator rules 1. For Role assignment 2. Role removal

Create Agent rule and maintain agents as approvers (Role Owner and Security POC).

Create Route mappings as per the initiator rule and map the same to stages and paths.

You may also have to create Routing rule to send back the request from Security POC to role owner.

Create necessary notifications to send updates about the request to the concerned requestors. You may please go through the below link for more detailed explanation.

Actually your question cannot be answered in SCN forums. Please dig the GRC book and explore yourself. SCN always there to help you to do better if you got stuck at any point.



Former Member
0 Kudos

Thanks Surya! I have already created  the rules, BRF+ but it is working as below.

1) Request submitted

2) Role Owner approval

3) SOD violation - detour to Security

but I need help in configuring other way.

1) Request submitted

2) SOD violation - detour to Security

3) Role Owner approval

How can we create 2 initiator rules and map to one Process ID? I dont think it is possible