on 2024 Jul 05 7:03 PM
Hello! I have been searching and searching with no luck so I am posting my question in case someone can help.
I have seen how you can prohibit a user from approving their own access requests in ARM but I do not see something similar for BRM.
Our Security Team Lead is Role Content approver on all roles in BRM. This person will review the changes made to the roles for quality and accuracy purposes. We have set this up because we have an outside process for overall change management where a change request is created and business approvals are captured in that process. We do not want our business people in BRM reviewing technical PFCG role configurations because it is too confusing for them. Our Team Lead on the Security Team will review all role attributes assigned to the role in BRM as well as the technical PFCG role configuration.
That being said, this individual will also do role configuration changes in BRM. We do not want this person to be able to approve the changes they made. We will have this person and a backup as role content approvers on all roles, so the backup person could approve the changes; however, we would like to see if there is some way to stop the Team Lead from approving in the system just to be safe. It would be nice to have a hard stop or error message.
I am assuming maybe it is a BRF+ rule that could help? I don't see any Access Control config parameters or any SPRO config that could help, or any MSMP config that could help.
We are on Access Controls 12, SP 22.
Thank you so much,
Cindy
Hi Hasan! Thanks so much for the reply. Apologies I am slow to reply back, as I was exploring my options.
Unfortunately we cannot use the auth object as a restriction because our Team Lead will need the ability to configure and change all roles.
I explored some options and we are going to handle this via workflow. I talked to our workflow person and he is going to put an exclusion on the role approval dialog step that will basically do a check at the point of submitting the role changes for approval to ensure that the person who initiated the approval request will not receive the email or work item in their Inbox to approve. It is a very easy fix thankfully and in our case it is simple from the sounds of it.
Thanks again,
Cindy
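
The initiator exclusion described in the reply above, modelled in Python as an added example (not code from the original posts and not SAP workflow or BRM code). The record layout, function names and user IDs are hypothetical; it also shows the hard stop when no other approver remains and a check for self-approvals in completed changes.

```python
from dataclasses import dataclass
from typing import Optional

class NoEligibleApprover(Exception):
    """Excluding the initiator left nobody to approve the change."""

@dataclass(frozen=True)
class RoleChange:  # constructed record, not a BRM table layout
    role: str
    initiator: str
    approved_by: Optional[str] = None

def _norm(user_id):
    # Compare user IDs case-insensitively and ignore stray whitespace.
    return user_id.strip().upper()

def eligible_approvers(change, content_approvers):
    """Agents for the approval step: role content approvers minus the initiator."""
    agents = sorted({_norm(u) for u in content_approvers} - {_norm(change.initiator)})
    if not agents:
        # Hard stop: never fall back to routing the item to the initiator.
        raise NoEligibleApprover(f"{change.role}: no approver other than the initiator")
    return agents

def approve(change, approver, content_approvers):
    """Enforce the same rule at decision time, not only when the item is routed."""
    if _norm(approver) not in eligible_approvers(change, content_approvers):
        raise PermissionError(f"{approver!r} may not approve {change.role}")
    return RoleChange(change.role, change.initiator, _norm(approver))

def self_approvals(history):
    """Detective check: completed changes approved by the person who initiated them."""
    return [c for c in history
            if c.approved_by and _norm(c.approved_by) == _norm(c.initiator)]

if __name__ == "__main__":
    approvers = ["TEAMLEAD", "BACKUP"]           # constructed user IDs
    change = RoleChange("Z_SAMPLE_ROLE", "teamlead")
    print(eligible_approvers(change, approvers))  # only the backup remains
    print(approve(change, "backup", approvers))
```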