Which IIQ version are you inquiring about?
8.2p6
Share all details about your problem, including any error messages you may have received.
We are trying to implement roles that combine both connected and disconnected applications.
We have two business roles. One base for all users, and another one for users in a certain area.
Both roles, base one and area one, have a combination of IT roles per application. Some of these roles are connected apps like AD, and others are disconnected, which need a manual work item to be generated to the Provisioning team for handling.
I read the documentation, and saw that we need to enable the option “Enable the generation of work items for unmanaged parts of the provisioning plan” in the Refresh Identity Cube task, along with the Role options, to create a manual work item for the disconnected applications.
The thing with this approach is that, it is first creating a workflow for that manual work item, and identity will not get the automated apps provisioned until that manual work item is completed by the provisioning team. We don’t want other apps to be affected by this, as we want to provide as much accesses we can on day one.
If Provisioning team takes a week to complete these items, then other apps will not provision until that work item is closed and that workflow is complete.
If we try to refresh the identity while that work item is open, it skips the identity mentioning that it has an active workflow occuring.
I tried to split the business roles with disconnected and connected apps, but looks like it still gives priority to disconnected apps first.
Another thing we tried is to hard code the following two values in the task XML but what it does is, every time we run the task, it will generate a new duplicated work item for the provisioning team, causing duplication of work.
<entry key="noCheckPendingWorkflow" value="true"/>
<entry key="provisionIfChanged" value="true" />