"After Provisioning Rule" for IIQ Role Assignment

Hello Experts,

We have a requirement to invoke some logic (e.g. send a notification) after provisioning. More specifically, I am trying to analyze the provisioning project and retrieve information from the IT role. We would like to invoke this in every provisioning-related process, such as access request, recertification, mover, leaver and role propagation. However, this means we will need to modify several workflows or rules to achieve this. Do we have something like the “After Provisioning Rule” for IIQ role assignments as well?

Thanks and Regards,
Mike

@mike818148 No need to modify everything; just go to the workflow end step and there you will see everything, project access request, and send the email from there, as you need to send one single consolidated email.

Hello @mkumariaas,

Thanks a lot for the reply. Could you elaborate more on this end step? I know about it for the LCM Provisioning workflow, yes, and for other workflow-related processes, but what about processes such as recertification revocation? Any ideas there?

Hi @mike818148

There isn’t a specific after-provisioning rule just for roles. However, you can use the after-provisioning rule of the connector (application) to achieve this. Keep in mind that this rule won’t be triggered if all entitlements (as per the IT role) are filtered out, which is the default behavior. However, you can customize this as well.

@mike818148 The end step in the workflow means that if you are using Access Request, then it will be your LCM Provisioning workflow. You can find the exact workflow name in “Lifecyclemanager” --> “Business Process” --> “Request Access”.

@mike818148

I think you can explore the option of a lifecycle event, where you have the old identity and new identity objects and can find the difference between role assignments, and based on that find the transactions over the identity and perform whatever is needed as per your requirement.

Hello,

Thanks a lot for the reply. We know about the ability to customize the LCM Provisioning workflow. My concern is that we can of course update multiple workflows for each process; however, this might bring more maintenance effort in the future. Therefore, I was wondering whether any hook can be done with every role assignment provisioning.

Hello,

Thanks for the idea. Yes, comparing the identities would be one of the solutions, but this also depends a bit on the customer's expectations; we will clarify further. As an add-on to this, I have the idea of using a Service Definition to monitor the ProvisioningTransaction table periodically, so that we may have a way to react to each transaction.

Thanks and Regards,
Mike

@mike818148
Sure, you can explore Service Definition, but I remember that Service Definition has known issues where it sometimes doesn't trigger, so please check with SailPoint on this once.
