Approval Assignment rule not creating request when workgroup used for approval

karena · April 29, 2022, 8:20am

We have an approval assignment rule that handles are custom approvals for entitlements. Its been working well however we’ve recently added in the ability to set a ‘managed by’ group which ends up being a workgroup.
Scenarios

User requests access to a group with a managed by, user is not in the managed by group. Request goes for approval → All good
User requests access for someone to be added to a group with a managed by, user is in the managed by group. Request has no approval and there is no record in the IdentityRequest object stating what was asked for and user gets a rejection email → failure i would expect this to work like the below case
Owner of a group with no managed by requests for someone to be added to their group. Request doesn’t go for approval but the IdentityRequest shows the access being granted. → All good

Relevant log sections
Scenario 1

2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering isAutoApprove(approverName = IIQWORKGROUP)
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering getWorkGroupMemberNames(workGroupName = IIQWORKGROUP)
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering getWorkgroupMemberNames(workGroup = sailpoint.object.Identity@4812df6b[id=ac1201868023117f81806fe4f75122c3,name=IIQWORKGROUP])
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting getWorkgroupMemberNames = [USER1, USER2]
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting getWorkGroupMemberNames = [USER1, USER2]
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting isAutoApprove = false
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting buildApprovalInternal = sailpoint.object.Workflow$Approval@20ee022c

Scenario 2

2022-04-28 15:04:39.164 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering autoApproveAllowed()
2022-04-28 15:04:39.164 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - **Exiting autoApproveAllowed = true**
2022-04-28 15:04:39.166 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - **Exiting isAutoApprove = true**
2022-04-28 15:04:39.166 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering isSubManagerEdit(scheme = owner)
2022-04-28 15:04:39.167 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting isSubManagerEdit = false
2022-04-28 15:04:39.171 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting buildApprovalInternal = null
2022-04-28 15:04:39.171 DEBUG [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [buildApprovalsFromMap] [sailpoint.workflow.IdentityApprovalGenerator.buildApprovalsFromMap(IdentityApprovalGenerator.java:1114)] - **Approvals EMPTY.**

Scenario 3

2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering isAutoApprove(approverName = USER1)
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering getWorkGroupMemberNames(workGroupName = USER1)
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting getWorkGroupMemberNames = null
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering autoApproveAllowed()
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting autoApproveAllowed = true
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting isAutoApprove = true
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering isSubManagerEdit(scheme = owner)
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting isSubManagerEdit = false
2022-04-29 08:57:01.764 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting buildApprovalInternal = null
2022-04-29 08:57:01.764 DEBUG [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [buildApprovalsFromMap] [sailpoint.workflow.IdentityApprovalGenerator.buildApprovalsFromMap(IdentityApprovalGenerator.java:1114)] - Approvals EMPTY.

Can someone help me understand why the method ‘buildApprovalsFromMap’ from sailpoint.workflow.IdentityApprovalGenerator is behaving differently?

IIQ Version 8.1p2
Code that regenerates the approvlas

//Method to re-genrated approvals
	public List reGenerateApprovals(Map reGenMap){
	// Generate the approval list from the approval map
		IdentityApprovalGenerator iag = new IdentityApprovalGenerator(wfcontext);
		newApprovals = iag.buildApprovalsFromMap(reGenMap, "Approval Request");
		return newApprovals;
    }

Thanks

Topic		Replies	Views
Dynamic Group for approval process IIQ Discussion and Questions workflows	4	757	July 19, 2023
Create Active Directory Group - Entitlement Update Worklofw IIQ Discussion and Questions workflows , identityiq , entitlements	6	531	January 29, 2024
sailpoint.tools.GeneralException: Unable to find the approval assignment IdentityIQ (IIQ)	2	3413	February 24, 2022
ApprovalAssignmentRule error: Unable to find the approval assignment IIQ Discussion and Questions workflows , identityiq	10	438	March 26, 2024
Access request and approval workitem creation IIQ Discussion and Questions workflows , identityiq , access-requests	6	69	April 16, 2024

Approval Assignment rule not creating request when workgroup used for approval

Related Topics