Changing the approvalScheme based on the Requester Identity

Which IIQ version are you inquiring about?

IIQ 8.3p3

Share all details about your problem, including any error messages you may have received.

Hello everyone!

Currently we have a requirement where for the Account Management (operations Enable/Disable/Delete) the users from one workgroup should be able to submit any of the operations without the approvals, but every other identity should be able to submit it with the manager approval on this operation.

I’ve tried changing the approvalScheme in the LCM provisioning workflow to the custom script, but all the time (even for the specified identities) the approval items are generated for the manager.
Has anyone encountered this type of requirement before? Perhaps someone could help me with this, I would really appreciate any help.
Here is the script snippet:

if (plan.getRequesters() != null && !plan.getRequesters().isEmpty()) {
    String requester = plan.getRequesters().get(0).getName();
    if (requester.equals("*identity_id*")) {
        return "none";
    } else {
        return "manager";
    }
} else {
    return "manager";
}

Hi @d_pustovoitov,

I have tried the script below. It sets the ApprovalSchema to “none” for workgroup members and to “manager” for others. You can incorporate the following script into your approvalschema variable within the LCM Provisioning workflow.

Please check and let me know if there is any issue.

Regards,
Arun

1 Like

Hi @Arun-Kumar !

Thank you! I’ll try it now.

Hi @Arun-Kumar ,

Thanks again, you’ve helped me a lot!
It works fine, but the only thing that confuses me is that if the users from the workgroup are not the requesters, but also the ones whose account is disabled\enabled, there are also no approvals.

For example, if I use the system administrator user to block a random user it generates the manager’s approval, but if I block the user from the specified workgroup (“ISA” in our environment) there are no approvals for them and the operation will proceed immediately.

Thank you!

Hi @d_pustovoitov,

Use this code.


import java.util.List;
import sailpoint.api.ObjectUtil;
import sailpoint.object.*;

String identityName = identity.getName();
Identity workgroup = context.getObjectByName(Identity.class, "WorkGroupName");
log.error("workgroup :" + workgroup);
List wrkgmemnberList = new ArrayList();  // names of all workgroup members
if (workgroup != null && workgroup.isWorkgroup()) {  // guard against a missing workgroup

    Iterator wrkGrpmembers = ObjectUtil.getWorkgroupMembers(context, workgroup, null);
    while (wrkGrpmembers.hasNext()) {
        Object[] object = (Object[]) wrkGrpmembers.next();
        Identity ids = (Identity) object[0];
        wrkgmemnberList.add(ids.getName());
    }
}
if (wrkgmemnberList.contains(identityName) || wrkgmemnberList.contains(launcher)) {

    return "none";  // target or requester is a workgroup member
}
else {
    return "manager";
}

If a workgroup member submits a request for themselves or another user, or if an admin submits a request for a workgroup member, the approval scheme is set to ‘none’.

Let me know if you have any issue with this code.
Regards,
Arun

1 Like

Hi @Arun-Kumar, @d_pustovoitov,

The proposed code is correct, but you can use the identity method launcher.isInWorkGroup(workgroup); it reduces the code.

KR,
Gonzalo

3 Likes
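
The isInWorkGroup approach as a complete script, added here as an example (it is not code posted by anyone in this thread). It keys the decision on the requester only, as the requirement in the first post states, and falls back to "manager" whenever the workgroup or the requester cannot be resolved. Assumptions: the workflow passes `launcher` as the requester's identity name and `context` is in scope; `schemeFor` is a hypothetical helper name and "WorkGroupName" is the placeholder used in the script above.

```java
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;

// BeanShell body for the approvalScheme variable of the LCM Provisioning workflow.
// Assumed workflow variables in scope: context, launcher (String, requester name).

// Hypothetical helper: returns "none" only when the requester is a member of the
// named workgroup; every unresolved or unexpected case keeps manager approval.
String schemeFor(SailPointContext ctx, String launcherName, String workgroupName) {
    if (launcherName == null || workgroupName == null) {
        return "manager";                       // nothing to check: fail closed
    }

    Identity wg = ctx.getObjectByName(Identity.class, workgroupName);
    if (wg == null || !wg.isWorkgroup()) {
        return "manager";                       // name is missing or not a workgroup
    }

    Identity requester = ctx.getObjectByName(Identity.class, launcherName);
    if (requester == null) {
        return "manager";                       // launcher does not resolve to an identity
    }

    // Only the requester is tested; the target of the Enable/Disable/Delete
    // operation does not influence the result.
    return requester.isInWorkGroup(wg) ? "none" : "manager";
}

return schemeFor(context, launcher, "WorkGroupName");
```

With this version, an administrator acting on a workgroup member's account still produces a manager approval, because membership of the target identity is never consulted.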

Hi @Arun-Kumar ,

Thank you for your reply.
There are 2 questions for now.

  1. Typed variable declaration : Attempt to resolve method: getName() on undefined variable or class name: identity : at Line: 5 . I’ve fixed it with the Identity identity = plan.getIdentity();
  2. And the second one is [Undefined argument: launcher : at line: 17]. And I have no idea how to fix it…

I’d really appreciate your help with this.

Best regards,
Danylo

Hi @d_pustovoitov,

  1. Typed variable declaration : Attempt to resolve method: getName() on undefined variable or class name: identity : at Line: 5 .
    You can remove line no. 5. You will get the identityName directly from the workflow variable.

  2. And the second one is [Undefined argument: launcher : at line: 17].
    Please check the workflow variable. If the launcher is not present, add the variable below to the workflow:
    <Variable input="true" name="launcher"/>

Regards,
Arun

1 Like

Hi @Arun-Kumar ,

Everything is now working as intended.
Thank you again. You’ve helped me a lot.
Have a great day!

1 Like

Hi @d_pustovoitov,

I’m glad to hear it’s working now.

Regards,
Arun
