Dear Madhu,
Sorry for the delay... I have been away from GRC topics for some time, as I have been assigned other responsibilities.
Let me see if I can be of any assistance to you...
Your Issue #
1. I do believe that parameter 2038 is ignored in Custom Rule (BRF+). I think that, if your "Role Owner" determination is not the standard GRAC_ROLEOWNER agent, you have to provide proper code yourself in a Function Module that reads the GRAC_CONFIG table for parameter 2038 and handles it.
2. I took a different approach. As we have few "Default Roles" that need no approval, I am handling it in the Initiator and splitting it to a specific path with no stage.
This way I "auto-approve" and prevent any further stage for specific roles, and can be sure all others must have an approver assigned and path/stages.
Notice that this can only work in a Create User AND Assign Role request if provisioning is set to END-OF-REQUEST.
Technically, I already had a rule based on system and request type; then I added the Role_name field in the initiator rules and duplicated my entries in the decision table: one entry for Role_name * "except" my named default roles, resulting in my normal path, and another entry with Role_name = one of my named default roles.
The advantage of an initiator is that you don't need to run the first stage to get it in the proper path.
3 and 4 - I see no way around it. Only end-of-request provisioning setting ensures that you do not try to assign a role to a not yet created user.
What you can try is to have a "Provisioning failure" escape route directing the request to someone who will wait until the other path (create user) completes and then re-submit the request. Not a neat solution, as it depends on a manual check.
As far as I can see, we do not have very different scenarios, and you could work as we do: parameter 2038=NO, provisioning setting END-OF-REQUEST, and split the request into 2 paths (one for default roles, the other for all the others).
I currently split some requests into 3 paths (1 for Create User, 1 for the role assignments and a 3rd for auto-approve roles in a no-stage). It is working fine and allows me to handle all situations, including different notification scenarios.
The only routings I have are for SOD violations.
I hope this can help.
Best Regards,
Vaner