Hello,
Can anyone help me getting the SOD rule name and the remidiators list of a SOD rule in approval workflow. For example one access request is containing app role as 105 & 106 for DMS application, the approval activity should get assigned to 3 persons highlighted in red in below SOD configuration settings -
The Approval workflow I'm thinking of like below -
Any solution/approach for this requirement will be helpful. We are in RSA VIA 7.0.2.
Thanks, Amit
Thanks Boris.
So if the change request contains a violation you want the relevant SOD rule remediatiors to approve or reject it?
If they approve it, when the rule will be processed it will create a new violation for them to maintain or reject.
Results in extra work for them. In my opinion, not ideal.
We thought about that and highlighted the concern you have to our client. They are coming with below business justifications -
1. The conflicting entitlements of the SOD rules are very sensitive in nature
2. These kind of requests should always be verified by re-mediators before the details gets provisioned as extra validation
3. The remediation task will be triggered after collection only. The collection happens everyday midnight, and the request gets auto provisioned in morning, then the user is already having access till next day before re-mediators revoke them. (Also if the collection gets failed, the user is getting additional 1 more day to hold the access and the re-mediators takes few more time to perform the action on these tasks). This produces a risk to them
Can't we get them in any view or any table to get the re-mediators handy ? Is parsing the xml the last option to get the re-mediators ? Also we need to get the rule name/ID in the workflow to get this in workflow, how do we get that ? To whome the task gets assigned to in below screenshot -
Thanks, Amit
I understand the business justifications. In the end it's risk and risk mitigation.
There are few approaches you can mitigate/lower the risk. For example:
With regards to your questions:
Q: Can't we get them in any view or any table to get the re-mediators handy?
A: I'm not aware of such view
Q: Is parsing the xml the last option to get the re-mediators ?
A: currently it's the only option
Q: Also we need to get the rule name/ID in the workflow to get this in workflow, how do we get that ?
A: In PV_CHANGE_REQUEST view there is a VIOLATIONS column (in xml format) which lists the detected violations for a specific request.
Items to consider:
Things can become complex if you have a request which has violations from different rules.
You will need to split the change items between the relevant violations remediators.
I suggest you consider alternatives.
My 2 cents.
Ha ha .. Cents are on the way to Sydney
Hi Boris,
We tried to parse the PV_CHANGE_REQUEST table VIOLATIONS columns, but we couldnt get the out, can you please help with this:
select td.ID, x.* from PV_CHANGE_REQUEST td,
XMLTABLE ('/simple-record/recod'
PASSING td.VIOLATIONS
COLUMNS "ruleName" varchar2(100) PATH '@rule-name')x where td.ID = '541';
NOTE: 541 is the cr ID.
OUTPUT: 0 rows (even if I remove the filter for ID 541)
Please let us is the way we are parsing is wrong.
I did couple of changes to your query. Give it a try. Screenshot below.
select distinct td.ID, x.* from PV_CHANGE_REQUEST td,
XMLTABLE (
xmlnamespaces(default 'http://www.aveksa.com/schemas/policy'),
'/simple-record/record' PASSING td.VIOLATIONS
COLUMNS "ruleName" varchar2(100) PATH '@rule-name')x where td.ID = '850';Hi Boris,
Thanks a lot. It works. Along with that we have also done parsing of remediators of a SOD rule. Below are the two view we have created
_______________________________________________________________________________________________
CREATE OR REPLACE VIEW V_AVR_SOD_VIOL_IN_CR AS
select distinct td2.ID as CR_REQ_ID, x.* from PV_CHANGE_REQUEST td2,
XMLTABLE (
xmlnamespaces(default 'http://www.aveksa.com/schemas/policy'),
'/simple-record/record' PASSING td2.VIOLATIONS
COLUMNS "VIOL_RULE_NAME" varchar2(100) PATH '@rule-name',
"VIOL_RULE_ID" NUMBER PATH '@rule-id')x ;
_______________________________________________________________________________________________
CREATE OR REPLACE VIEW V_AVR_SOD_VIOL_REMEDIATORS AS
Select distinct td1.ID as RULE_ID, td1.Name as RULE_NAME, x.* from T_AV_RULES td1,
xmltable(
xmlnamespaces('http://www.aveksa.com/schemas/policy' as "pol"),
'/pol:RuleActions/pol:assign-remediator/pol:remediator[@type="designated"]' passing xmltype.createxml(td1.IMPLEMENTATION)
COLUMNS "REMEDIATOR_ID" varchar2(100) PATH 'pol:remediator-id' ) x where td1.status = 'A' and td1.IS_DELETED = 'FALSE' ;
Now, the real challenge is to group the approvals per remediator and assign. While going thru some posts got to see the below link
how to group request by a custom attribute
Appreciate your help. As this is very much requirement from client.
Tried with all the options available for grouping but none can be useful
So if the change request contains a violation you want the relevant SOD rule remediatiors to approve or reject it?
If they approve it, when the rule will be processed it will create a new violation for them to maintain or reject.
Results in extra work for them. In my opinion, not ideal.
I've found the requested information in T_AV_RULES table under IMPLEMENTATION column.
The information is stored in a xml format.
It's not a best practice to read from a table directly as the structure may change, unlike views.
Here is an example:
Here is the SOD rule configuration screenshot: