Approval Assignment rule not creating request when workgroup used for approval

karena · April 29, 2022, 8:20am

We have an approval assignment rule that handles are custom approvals for entitlements. Its been working well however we’ve recently added in the ability to set a ‘managed by’ group which ends up being a workgroup.
Scenarios

User requests access to a group with a managed by, user is not in the managed by group. Request goes for approval → All good
User requests access for someone to be added to a group with a managed by, user is in the managed by group. Request has no approval and there is no record in the IdentityRequest object stating what was asked for and user gets a rejection email → failure i would expect this to work like the below case
Owner of a group with no managed by requests for someone to be added to their group. Request doesn’t go for approval but the IdentityRequest shows the access being granted. → All good

Relevant log sections
Scenario 1

2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering isAutoApprove(approverName = IIQWORKGROUP)
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering getWorkGroupMemberNames(workGroupName = IIQWORKGROUP)
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering getWorkgroupMemberNames(workGroup = sailpoint.object.Identity@4812df6b[id=ac1201868023117f81806fe4f75122c3,name=IIQWORKGROUP])
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting getWorkgroupMemberNames = [USER1, USER2]
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting getWorkGroupMemberNames = [USER1, USER2]
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting isAutoApprove = false
2022-04-28 15:10:42.955 TRACE [https-openssl-apr-443-exec-388] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting buildApprovalInternal = sailpoint.object.Workflow$Approval@20ee022c

Scenario 2

2022-04-28 15:04:39.164 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering autoApproveAllowed()
2022-04-28 15:04:39.164 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - **Exiting autoApproveAllowed = true**
2022-04-28 15:04:39.166 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - **Exiting isAutoApprove = true**
2022-04-28 15:04:39.166 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering isSubManagerEdit(scheme = owner)
2022-04-28 15:04:39.167 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting isSubManagerEdit = false
2022-04-28 15:04:39.171 TRACE [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting buildApprovalInternal = null
2022-04-28 15:04:39.171 DEBUG [https-openssl-apr-443-exec-407] [sailpoint.workflow.IdentityApprovalGenerator] [buildApprovalsFromMap] [sailpoint.workflow.IdentityApprovalGenerator.buildApprovalsFromMap(IdentityApprovalGenerator.java:1114)] - **Approvals EMPTY.**

Scenario 3

2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering isAutoApprove(approverName = USER1)
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering getWorkGroupMemberNames(workGroupName = USER1)
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting getWorkGroupMemberNames = null
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering autoApproveAllowed()
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting autoApproveAllowed = true
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting isAutoApprove = true
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodEntry] [sailpoint.tools.TracingAspect.traceMethodEntry(TracingAspect.java:138)] - Entering isSubManagerEdit(scheme = owner)
2022-04-29 08:57:01.748 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting isSubManagerEdit = false
2022-04-29 08:57:01.764 TRACE [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [traceMethodExit] [sailpoint.tools.TracingAspect.traceMethodExit(TracingAspect.java:150)] - Exiting buildApprovalInternal = null
2022-04-29 08:57:01.764 DEBUG [https-openssl-apr-443-exec-406] [sailpoint.workflow.IdentityApprovalGenerator] [buildApprovalsFromMap] [sailpoint.workflow.IdentityApprovalGenerator.buildApprovalsFromMap(IdentityApprovalGenerator.java:1114)] - Approvals EMPTY.

Can someone help me understand why the method ‘buildApprovalsFromMap’ from sailpoint.workflow.IdentityApprovalGenerator is behaving differently?

IIQ Version 8.1p2
Code that regenerates the approvlas

//Method to re-genrated approvals
	public List reGenerateApprovals(Map reGenMap){
	// Generate the approval list from the approval map
		IdentityApprovalGenerator iag = new IdentityApprovalGenerator(wfcontext);
		newApprovals = iag.buildApprovalsFromMap(reGenMap, "Approval Request");
		return newApprovals;
    }

Thanks

Topic		Replies	Views
Automatic Approvals for Roles? IIQ IIQ Discussion and Questions identityiq , provisioning	5	53	October 1, 2024
Dynamic Group for approval process IIQ Discussion and Questions workflows	4	1109	July 19, 2023
I wanted to set up 3 level approvers (Manager, owner, Workgroup) for specific application's entitlement in Access Request. How to do that? Can you pls share the code IIQ Discussion and Questions identityiq , access-requests , entitlements	5	1255	December 10, 2023
Need to skip the workgroup member frrom approval, if he/she is a requester for the role IIQ Discussion and Questions workflows , identityiq	8	69	November 10, 2024
Access Request Approval - Level 2 approval skipped IIQ Discussion and Questions workflows , rules , identityiq , provisioning , access-requests , entitlements	3	656	December 2, 2023

Approval Assignment rule not creating request when workgroup used for approval

Related topics