Custom WorkFlow

Which IIQ version are you inquiring about?

[8.4P3]

*[*Does we have any OOTB workflow that can create multi level approval (manager and workgroup members) without any provisioning plan as we are not doing any provision in sailpoint IIQ
Flow should be like below.

Start >> Collect Form Data >> Confirmation Form(Read-Only) >> IdentityRequest should be created>> WorkItem will generate for Manager >> Notify Manager about the request

If Manager approved >>
User should get notified and it should create workitem for workgroup approval>>Notify Workgroup members individually >>
If WorkGroup any member approved >> user should get notified and End >> IdentityRequest should be completed
If Workgroup member rejected >> user should get notified and End >> IdentityRequest should be completed
If Manager Rejected >> User should get notified and End >> IdentityRequest should be completed

If Any suggestions how to acheive this, appreciate it.]

You don’t need to create any custom workflow to achieve it. We have OOTB LCM Provisioning workflow, which you can leverage, and enhance it as per your requirement.

Hi Naveen,

How we can prevent provisioning in LCM provisioning as they are performing manual activitiy on the applications which they are selecting in quicklink form.

Workgroup members will take action on this manual activity.

Fyi, applications are not integrated in IIQ

What I understood is that, You want to create a quicklink for request submission, and then you want to put the validation, as per the requirement you have mentioned. You can write your own workflow, with all these steps, you can refer lcm provisioning workflow, to build your quicklink workflow. You can trying writing it and see if it works, else let us know, we can enhance it and customize it as per your requirement.

Naveen,

I have tried already by refering LCM provisioning.

I have used Identity Request Initialize and Finalize sub process to create identityrequest and close identityrequest.

In IdentityRequest i can see interactions for Manager and workgroup approvals.

Notifications are not going properly for the respected users(manager, requester, work group members)

But it is not working as expected.

TransferAccessRequest.zip (12.4 KB)

Hi Naveen,

I have attached object Xml’s which i have developed. Please check once and let me know if anything needs to be modified or should I create brand new by referring LCM provisioning

Hi Naveen Kumar,

Could please let me know the updates on this?

I will have a check, Give me sometime please.

Hi Naveen,

Could you please let me know if you have any update on my request?

Hi Venkatesh, last week was very busy for me, I will try to fix it this week. Please allow me sometime.

Hi Venkatesh,

This requirement can be achieved using the existing LCM Provisioning Workflow. Since you already have a custom workflow linked to the QuickLink, you can leverage approval configuration through workflow arguments.

You can configure sequential approvals by adding the following argument:

<Arg name="approvalScheme" value="manager,securityOfficer"/>

With this configuration:

• The request will first go to the Manager for approval.

• Once the Manager approves, the approval will be routed to the Security Officer stage.

For routing the second-level approval to a Workgroup, specify the workgroup name as the security officer:

<Arg name="securityOfficerName" value="WorkgroupName"/>

This ensures the approval request is sent to the specified Workgroup, where any one member’s approval or rejection will complete the request.
Notifications and IdentityRequest completion will follow the standard LCM workflow behavior.

Hi @rchilkuri ,

How we can prevent provisioning in LCM provisioning as they are performing manual activitiy on the applications which they are selecting in quicklink form.

Workgroup members will take action on this manual activity.

Fyi, some applications which are listed in quicklink form are not integrated in IIQ

Hi Venkatesh,

Yes, this requirement can still be achieved. Provisioning can be conditionally skipped by intercepting the ProvisioningPlan in the custom workflow before invoking the LCM Provisioning workflow.

In the custom workflow, add a script step after all approvals are completed and before the provisioning step is called. This step should read the ProvisioningPlan to extract the requested access details for the specific application and store them on the IdentityRequest (preferred for audit and traceability).

Once the required details are captured, clear the provisioning plan using:

plan.setAccountRequests(null);

Since the plan is empty, the LCM workflow will complete without triggering provisioning.

Below is the Flow:

Approvals → Extract Request Details → Store on IdentityRequest → Clear ProvisioningPlan → Invoke LCM → Send Email Notifications → Complete IdentityRequest

Hope this helps. Please let me know if this works for you or if any further clarification is needed.

Best Regards,

Rana Chilkuri

Hi @ Venkatesh Kavitharapu

In your LCM Provisioning just add the below variables:

<Variable initializer=“manager, identity” input=“true” name=“approvalScheme”

<Variable initializer=“string:FirstLevlApprovals” input=“true” name=“approvingIdentities”

Note: FirstLevlApprovals means workgroup name.

Hi @rchilkuri ,

I have attached the XML’s in previous replies which i have developed, can you please check and let me know if anything needs to modified in my workflow.

Hi @naveenkumar3 ,

Do you have any update on my request? Did you check the XML’s which i have provided?

Hi @Venkatesh0510 ,

I have corrected your workflow, the email notification rule, and created the email template, and shared it you.

There were lot of issues in the workflow and the rule, which is now fixed.

Please confirm, if the issue is resolved, by importing the updated workflow, rule notification and template.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.