Developer,
I have a requirement where a few select entitlements (AD groups) need to go through a separate approval process.
The approval should be done by the user’s manager and the user’s director, only for those 5-6 groups.
This should not affect the current approval flow, which is manager and sr. manager for any end-user access request in SailPoint IIQ.
Kindly guide me on how I can approach this.
Thanks in advance.
Riyazuddin
Chathurya
(Chathurya Simhadri)
November 24, 2025, 6:32am
Hi @Riyazuddin99,
You can use an Approval Assignment rule to have additional approvals for certain entitlements in the Approve and Provision Subprocess in LCM Provisioning.
You can refer to this:
https://community.sailpoint.com/t5/IdentityIQ-Forum/Two-step-approval-using-Approval-Assignment-Rule/m-p/33734#M32602
@Chathurya,
Thanks for your response.
I recently got an update on the requirement, to have the approval still manager,
likely user’s manager, sr. manager, etc., till director.
In this case, will the same approach be used?
Also, if you have any rule for the same, that will be helpful.
Thanks,
Riyazuddin
Hello @Chathurya,
Can you please share sample code for my requirement?
Ex: roles from the AD application, select groups startswith release*;
these should go through the approval hierarchy till director for a user.
Approval like:
requester → user
approval → user’s manager, user’s sr manager, … → director
For a few users it might have multiple levels till it reaches the director.
For a few users there might be only 1/2/3.
Please let me know if my requirement is clear.
Can you please support me on this?
Chathurya
(Chathurya Simhadri)
December 17, 2025, 5:36am
Hi @Riyazuddin99,
You can use this sample code as an Approval Assignment rule to have additional approvals for privileged access:
```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.log4j.Logger;
import sailpoint.object.Workflow.Approval;
import sailpoint.object.ApprovalSet;
import sailpoint.object.ApprovalItem;
import sailpoint.object.Identity;

// The rule reads approvals, identityName and context from the calling workflow.
List newApprovals = new ArrayList();
List createdApprovals = new ArrayList();
List privilegedAccessItems = new ArrayList();
List nonPrivilegedAccessItems = new ArrayList();

// Build one approval for the given items, owned by the named identity.
public Approval createApproval(List approvalItems, String owner) {
    Approval newApproval = new Approval();
    ApprovalSet approvalSet = new ApprovalSet();
    approvalSet.setItems(approvalItems);
    newApproval.setApprovalSet(approvalSet);
    newApproval.setDescription("Approval for the user : " + identityName);
    newApproval.setOwner(owner);
    return newApproval;
}

// Null-safe lookup of an identity's manager.
public Identity getUserManager(Identity identity) {
    if (identity != null) {
        Identity manager = identity.getManager();
        if (manager != null) {
            return manager;
        }
    }
    return null;
}

// Split the requested items: display values starting with "release" are privileged.
if (approvals != null) {
    for (Approval approval : approvals) {
        if (approval != null) {
            ApprovalSet approvalSet = approval.getApprovalSet();
            if (approvalSet != null) {
                List approvalItems = approvalSet.getItems();
                if (approvalItems != null && !approvalItems.isEmpty()) {
                    for (ApprovalItem approvalItem : approvalItems) {
                        if (approvalItem != null) {
                            String requestedItem = approvalItem.getDisplayValue();
                            // Items without a display value fall through to the normal flow.
                            if (requestedItem != null && requestedItem.toLowerCase().startsWith("release")) {
                                privilegedAccessItems.add(approvalItem);
                            } else {
                                nonPrivilegedAccessItems.add(approvalItem);
                            }
                        }
                    }
                }
            }
        }
    }
}

// Privileged items: one serial approval per level of the reporting line.
if (privilegedAccessItems != null && !privilegedAccessItems.isEmpty()) {
    Approval parentApproval = new Approval();
    List privilegedAccessApprovals = new ArrayList();
    if (identityName != null) {
        Identity user = context.getObjectByName(Identity.class, identityName);
        if (user != null) {
            Identity manager = getUserManager(user);
            // Names already seen, so a circular reporting line cannot loop forever.
            Set visited = new HashSet();
            visited.add(user.getName());
            // This walk continues to the top of the reporting line; it has no
            // check for a director level.
            while (manager != null && visited.add(manager.getName())) {
                String managerName = manager.getName();
                if (managerName != null) {
                    Approval newApproval = createApproval(privilegedAccessItems, managerName);
                    privilegedAccessApprovals.add(newApproval);
                }
                // Advance on every pass, including when the name is null.
                manager = getUserManager(manager);
            }
        }
    }
    if (privilegedAccessApprovals != null && !privilegedAccessApprovals.isEmpty()) {
        parentApproval.setChildren(privilegedAccessApprovals);
        parentApproval.setMode("serial");
        createdApprovals.add(parentApproval);
    }
}

// Non-privileged items: existing flow, manager and then senior manager.
if (nonPrivilegedAccessItems != null && !nonPrivilegedAccessItems.isEmpty()) {
    Approval parentApproval = new Approval();
    List nonPrivilegedAcessApprovals = new ArrayList();
    if (identityName != null) {
        Identity user = context.getObjectByName(Identity.class, identityName);
        if (user != null) {
            Identity manager = user.getManager();
            if (manager != null && manager.getName() != null) {
                String managerName = manager.getName();
                Approval firstApproval = createApproval(nonPrivilegedAccessItems, managerName);
                nonPrivilegedAcessApprovals.add(firstApproval);
                Identity seniorManager = manager.getManager();
                if (seniorManager != null && seniorManager.getName() != null) {
                    String seniorManagerName = seniorManager.getName();
                    Approval secondApproval = createApproval(nonPrivilegedAccessItems, seniorManagerName);
                    nonPrivilegedAcessApprovals.add(secondApproval);
                }
            }
        }
    }
    if (nonPrivilegedAcessApprovals != null && !nonPrivilegedAcessApprovals.isEmpty()) {
        parentApproval.setChildren(nonPrivilegedAcessApprovals);
        parentApproval.setMode("serial");
        createdApprovals.add(parentApproval);
    }
}

// Run the two serial chains side by side under one parent approval.
if (createdApprovals != null && !createdApprovals.isEmpty()) {
    Approval newParentApproval = new Approval();
    newParentApproval.setMode("parallelPoll");
    newParentApproval.setChildren(createdApprovals);
    newApprovals.add(newParentApproval);
}
return newApprovals;
```
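
The walk up the reporting line that this thread asks for, as an added plain-Java example (not code from the thread or from SailPoint): it stops at the first director and rejects a chain that loops or ends before one, rather than returning a shorter approver list. The `Person` class, its `director` flag and `MAX_LEVELS` are assumptions standing in for the IdentityIQ `Identity` and whatever attribute marks a director in a given deployment; the names in `main` are constructed sample data.

```java
import java.util.*;

public class DirectorChain {
    // Constructed stand-in for an IdentityIQ Identity; "director" is an assumed flag.
    static final class Person {
        final String name; final boolean director; Person manager;
        Person(String name, boolean director) { this.name = name; this.director = director; }
    }

    static final int MAX_LEVELS = 10; // assumed cap on hierarchy depth

    // Returns approver names from the requester's manager up to and including the
    // first director. Throws if the chain ends, loops, or exceeds the cap first,
    // so a broken hierarchy never yields a shorter approval list.
    static List<String> approversUpToDirector(Person requester) {
        List<String> chain = new ArrayList<>();
        Set<String> seen = new HashSet<>();
        seen.add(requester.name); // the requester never approves their own request
        Person current = requester.manager;
        while (current != null && chain.size() < MAX_LEVELS) {
            if (current.name == null || !seen.add(current.name)) {
                throw new IllegalStateException("Manager loop or unnamed identity above " + requester.name);
            }
            chain.add(current.name);
            if (current.director) {
                return chain;
            }
            current = current.manager;
        }
        throw new IllegalStateException("No director found above " + requester.name);
    }

    public static void main(String[] args) {
        Person dir = new Person("dana.director", true);
        Person sr = new Person("sam.srmanager", false);
        Person mgr = new Person("mia.manager", false);
        Person user = new Person("uma.user", false);
        user.manager = mgr; mgr.manager = sr; sr.manager = dir;
        System.out.println(approversUpToDirector(user));

        Person a = new Person("loop.a", false);
        Person b = new Person("loop.b", false);
        a.manager = b; b.manager = a; // constructed bad data: circular reporting line
        try {
            approversUpToDirector(a);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In an Approval Assignment rule the same loop would call `identity.getManager()`, and the caught failure would route the request to a fallback approver instead of provisioning with a partial chain.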