Access request and approval workitem creation

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hi, I’m trying to create an account and send it for an approval (workgroup). How can I leverage out-of-the-box workflows to create the identity request for the account creation and also an approval workitem with a workgroup as the owner?

I would suggest going through the documentation, Lifecycle Manager Workflows - Compass (sailpoint.com), and looking for approvalscheme as identity. You can leverage roles for account creation or update the provisioning plan to include account creation.

Easiest way
Go to process designer, find the workflow called LCM Provisioning and set the variable approvalSchema to manager if you want manager approval, owner if you want owner approval, or identity if you want a certain identity to approve the request.

The easiest way would be to set the approval schema to owner and then make the workgroup you want to approve the owner of the object (Role or ManagedAttribute).

There is one major disadvantage of this solution - you set the approval schema globally for all requests. If this is acceptable then this would be the easiest solution. If not, you need to go into dynamic approval, which would be a far more complex solution.

Thanks Kamil! This is for an account creation and the application doesn’t have groups. I tried setting the approvalSchema to Identity and added the workgroup object to a list and passed it to approvingIdentities in LCM Provisioning, but got the following error:

2024-04-10T16:52:02,908 ERROR Thread-8472 sailpoint.api.Workflower:4575 - An unexpected error occurred: NullPointerException
sailpoint.tools.GeneralException: NullPointerException
        at sailpoint.server.ScriptletEvaluator.doCall(ScriptletEvaluator.java:149) ~[identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.server.ScriptletEvaluator.evalSource(ScriptletEvaluator.java:63) ~[identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.evalSource(Workflower.java:5910) ~[identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.advanceStep(Workflower.java:5149) ~[identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.advance(Workflower.java:4536) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.startCase(Workflower.java:3122) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.launchSubcase(Workflower.java:5452) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.launchSubcases(Workflower.java:5345) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.advanceStep(Workflower.java:5136) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.advance(Workflower.java:4536) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.startCase(Workflower.java:3122) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.launchSubcase(Workflower.java:5452) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.launchSubcases(Workflower.java:5345) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.advanceStep(Workflower.java:5136) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.advance(Workflower.java:4536) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.startCase(Workflower.java:3122) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.launchInner(Workflower.java:2791) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.launch(Workflower.java:2644) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.api.Workflower.launch(Workflower.java:2478) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.request.WorkflowRequestExecutor.execute(WorkflowRequestExecutor.java:177) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
        at sailpoint.request.RequestHandler.run(RequestHandler.java:163) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919]
Caused by: java.lang.NullPointerException
2024-04-10T16:52:02,937  WARN Thread-8472 sailpoint.workflow.IdentityRequestLibrary:848 - Complete requested, but identityRequest was missing.

Hi Ravi,

Are you getting this error while generating an access request?

I am using IIQ 8.3. I tried the same using the Business Process UI and it works fine. I have tested up to the submission and noticed the access request is assigned to the Workgroup for approval.

Hi @ravnekka, I second that… what Kamil mentioned is the easiest way and will work perfectly. The disadvantage here is that setting the approval schema will be global for all the requests.