Add AD group to user when requesting a specific application entitlement

Which IIQ version are you inquiring about?

Version 8.3


Hi Everyone,

I have a requirement to add a user to specific AD security groups when the user requests an application (non-AD) entitlement.

For example, when a user requests an entitlement on application XYZ, once the request is completely approved it creates a manual work item for the application team to grant access. In parallel, we need to add an AD group to the user's AD account.
What are the different ways to achieve this?

Thanks.

If the application that you are requesting has a pre-provisioning rule, you may use that to create an extra request in the in-flight plan.

Otherwise, in the simplest way, you can always create a rule to trigger the AD group provisioning once the entitlement is provisioned.

Thanks

Hello @kavithak ,

We have a container model (Roles) in IIQ which bundles two entitlements together, so the end user can request and get both accesses together. Create a business role with both accesses and, to avoid the end user requesting the access individually, make sure it is not requestable in the entitlement catalog.

Hi @kavithak, welcome to the Developer Community.

You can utilize an RBAC approach, creating Business Roles tied to an IT Role, or you can customize the After Provisioning rule to check the committed result and then use the Provisioner API to execute your request.

I can share some sample code if you are looking for it.

Hi @kavithak ,
There are multiple ways to achieve this.

  1. After provisioning rule → as mentioned by @Saket95606
  2. RBAC → The second AD entitlement should be part of an IT role; tag the IT role to a Business role. In the Business role, add the assignment rule to assign the role only when the user already has access to the XYZ application.
    Sample code below:
// Business role assignment rule: returns true when the identity already has an XYZ account (link)
List links = identity.getLinks();

if (links != null) {
   for (Link link : links) {
      String appName = link.getApplication().getName();

      if ("XYZ".equalsIgnoreCase(appName)) {
         return true;
      }
   }
}
return false;

Note: The above 2 ways will work only when the link is already created for the user, which means the manual work item needs to be closed and account aggregation has successfully pulled the account details from the target.

  1. In case your requirement is to process both requests in parallel (without waiting for completion of approval of the XYZ application request), you can create an IT role where the entitlements of the XYZ application and the AD application are direct entitlements.
  2. If you want to wait until the manual work item has been created for application XYZ, you can follow option 2 and change the assignment rule to either check the WorkItem object created for the identity for application XYZ, or check the approval status of the IdentityRequest object created for the identity which contains the XYZ application entitlement.

Hope this helps.
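A fuller version of the assignment-rule check described in the post above, added here as an example and not code from the original posts: it requires the XYZ link to actually carry the requested entitlement value (a bare link is not enough), and falls back to an approved IdentityRequest item when the account has not been aggregated yet, so the role is never assigned on an account that merely exists. The application name, attribute name and entitlement value are placeholders, and the IdentityRequest query (the targetId filter, getItems(), getApprovalState()) is assumed from the IIQ object model rather than taken from the posts.

```java
// Business-role assignment rule (Beanshell). "identity" and "context" are the
// variables IdentityIQ passes to assignment rules; placeholders are marked below.
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Link;
import sailpoint.object.IdentityRequest;
import sailpoint.object.IdentityRequestItem;
import sailpoint.object.QueryOptions;
import sailpoint.object.Filter;
import sailpoint.object.WorkItem;

String APP_NAME  = "XYZ";          // placeholder application name
String ATTR_NAME = "groups";       // placeholder entitlement attribute on the XYZ schema
String ENT_VALUE = "XYZ_Finance";  // placeholder entitlement value that should drive the AD group

// 1. Preferred path: the aggregated XYZ account already holds the entitlement value.
List links = identity.getLinks();
if (links != null) {
   for (Link link : links) {
      if (!APP_NAME.equalsIgnoreCase(link.getApplication().getName())) continue;
      Object val = link.getAttribute(ATTR_NAME);          // String or List for multi-valued attributes
      if (val instanceof List && ((List) val).contains(ENT_VALUE)) return true;
      if (ENT_VALUE.equals(val)) return true;
   }
}

// 2. Fallback before aggregation (assumption: IdentityRequest exposes targetId, items,
//    and a per-item approval state): an approved request item for the same entitlement.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("targetId", identity.getId()));
Iterator reqs = context.search(IdentityRequest.class, qo);
while (reqs.hasNext()) {
   IdentityRequest req = (IdentityRequest) reqs.next();
   List items = req.getItems();
   if (items == null) continue;
   for (IdentityRequestItem item : items) {
      boolean sameEnt = APP_NAME.equalsIgnoreCase(item.getApplication())
            && ATTR_NAME.equals(item.getName())
            && ENT_VALUE.equals(item.getValue());
      if (sameEnt && WorkItem.State.Finished.equals(item.getApprovalState())) {
         return true;   // approved, even though the manual work item is still open
      }
   }
}

// Neither an aggregated entitlement nor an approved request: do not assign the role.
return false;
```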

I cannot use Before Provisioning and After Provisioning rules as this application doesn't have the Provisioning feature, and the workflow doesn't enter these provisioning rules.

I know we can use roles for this, which I am working on now. Just wondering if there is any other approach to address this requirement.
