Ambiguous target account in Do Provisioning Forms Workflow

Hi all,

We are experiencing a scenario where manual forms are being generated for identities, where the user has to select the owner identity for the role during the “Leaver” process.

Only after selecting, the leaver process is progressing.

We have found out this might be caused by a Workflow variable inside the “Do Provisioning Forms” Workflow.

The variable accountSelectionForm says this in its description:

Dynamic Account selection Form generated when target account is ambiguous

What does this mean? Is it because the user might have two accounts on the target Application?

Any lead would be helpful.

Thanks in advance.

Hi @rishavghoshacc,

It means that when an identity has more than one account for the same application, or when a process expects one account and finds more than one, IIQ produces a form where the user can choose the target account.

Also, you can deploy an accountSelector rule to automate the process.

Hi @enistri_devo ,

Can you share a sample rule, as I’m pretty new to this?

I don't have an example right now, but I found one in the doc:

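```java
import sailpoint.object.Link;

// For requests coming from the UI or LCM, return null so no account is auto-selected.
if ("UI".equals(source) || "LCM".equals(source))
  return null;

// Otherwise return the first link whose app2_privileged attribute is "false".
if (null != links) {
  for (Link link : links) {
    if ("false".equals(link.getAttribute("app2_privileged"))) {
      return link;
    }
  }
}

// No matching link: nothing is selected.
return null;
```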

Simply put, the rule returns the link to which the role should be applied, and you can set it in the IT role configuration:
And this is the description:

The AccountSelector rule was introduced in IdentityIQ version 6.3 to support provisioning of entitlements
through role assignments when a user holds more than one account on the target application. It provides the
logic for selecting a target account for provisioning entitlements for an IT role (or any role type with an
entitlement profile).
Account selector rules run during an identity refresh task with the Provision assignments option selected, when
a business role is assigned which has required IT roles that specify these rules. This rule must provide the logic
for choosing the account to which the entitlement should be provisioned. Account selector rules also run to
choose a target account when a role is requested through Lifecycle Manager; if it does not select a target
account, the LCM requester is prompted to select one from a list in the UI.
One or more account selector rules can be specified for each IT role; the system supports a global rule which
applies to all applications involved in the role profile as well as a rule per application.


Hi Rishav,

Were you able to develop a rule based on the suggestions provided by Emanuele in the previous post?

In the account selector rule you will get the list of all possible target links. You can traverse through the list and add conditions based on the link attribute and associated value to make a decision to return the correct link.

Thanks,
Pallavi
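
The traversal described in the replies above, as an added example that is not part of the original posts or of SailPoint's documentation: a BeanShell AccountSelector rule body that selects an account only when exactly one enabled, non-privileged link matches, and otherwise returns null so that no account is chosen automatically. It assumes the `source` and `links` variables and the `app2_privileged` attribute from the sample quoted earlier in the thread; the attribute name is a placeholder for whatever your application schema uses.

```java
// Added example: AccountSelector rule body (BeanShell, runs inside IdentityIQ).
// "source" and "links" are supplied by IdentityIQ, as in the sample quoted above.
// "app2_privileged" is the attribute name from that sample (assumption: replace
// it with the attribute your application schema actually exposes).
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Link;

// Interactive requests: return null so the requester still picks the account.
if ("UI".equals(source) || "LCM".equals(source)) {
    return null;
}

// Nothing to choose from.
if (links == null || links.isEmpty()) {
    return null;
}

// Collect every enabled, non-privileged account instead of stopping at the
// first hit, so a second matching account is noticed rather than ignored.
List candidates = new ArrayList();
for (Link link : links) {
    Object privileged = link.getAttribute("app2_privileged");
    boolean isStandard = privileged != null
        && "false".equalsIgnoreCase(privileged.toString());
    if (isStandard && !link.isDisabled()) {
        candidates.add(link);
    }
}

// Exactly one match: the target is unambiguous, so return it.
if (candidates.size() == 1) {
    return (Link) candidates.get(0);
}

// Zero or several matches: do not guess. Returning null leaves the target
// unselected instead of provisioning to an arbitrary account.
return null;
```

Returning the first match, as the quoted sample does, is simpler; the stricter form above avoids silently provisioning to the wrong account when two accounts satisfy the same condition.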
