Entitlement approval fallback question

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We currently don’t have owners defined for our entitlements and had approvals turned off. We now have an instance where someone wants a specific security group to have an approval when it is requested through SailPoint. Here’s what I did to try to achieve this:

  • Added an owner to an entitlement
  • Made a copy of the LCM Provisioning Business Process. In this copy I unticked the “Disable Approvals” and added “Owner” as approver. I cleared out the “Fallback Approver” as I don’t want any entitlements that don’t have owners to have to be approved.
  • In Lifecycle Manager > Business Process > Request Access, I put the copy of the business process I created.
  • Test
    The results of my test were that the owner of the entitlement got an approval request which was what I wanted, however, when I requested entitlements that didn’t have an owner, the fallback went to spadmin. This was not what I expected to happen since I had removed Fallback Approver.

When I looked through the Business Process I saw that it was calling the “Provisioning Approval Subprocess” so I took a look at that code. It seems that subprocess ignores the fallback approver defined in the original process and automatically assigns spadmin to the approval:

  <Variable initializer="spadmin" input="true" name="fallbackApprover">
    <Description>
      A String that specifies the name of the Identity that will 
      be assigned any approvals where the owner of the approver 
      can't be resolved. Example if the scheme is "owner" and the 
      application doesn't specify and owner.
    </Description>
  </Variable>

I would have expected this to follow the fallback approver of the originating process but it doesn’t.
So here are my questions:

  1. Have I read this all correctly?
  2. Is this expected behavior or is this a bug that no one runs into because it’s an odd case?
  3. Would the way to solve this be to copy this subprocess removing the initializer and then reference the new subprocess in my copied business process or is there another way that would be preferable/more correct?

Thanks for any insight you can provide.

1 Like
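
An added example, not part of the original posts and not SailPoint's code: a Python check over exported Workflow XML that lists every `fallbackApprover` variable declared with a fixed identity name as its initializer, the pattern quoted in the question above. The sample export is constructed, and everything beyond the quoted `<Variable>` attributes (the wrapper element, the other workflow names, the prefix list) is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only the attributes of the first <Variable>
# mirror the snippet quoted in the question; the rest is illustrative.
SAMPLE_EXPORT = """<sailpoint>
  <Workflow name="Provisioning Approval Subprocess">
    <Variable initializer="spadmin" input="true" name="fallbackApprover"/>
    <Variable input="true" name="approvalScheme"/>
  </Workflow>
  <Workflow name="LCM Provisioning Copy">
    <Variable input="true" name="fallbackApprover"/>
  </Workflow>
  <Workflow name="Scripted Example">
    <Variable initializer="script:return launcher;" name="fallbackApprover"/>
  </Workflow>
</sailpoint>"""

# Assumption: initializers starting with these prefixes are computed at run
# time, so they are not reported as a fixed identity name.
DYNAMIC_PREFIXES = ("ref:", "script:", "rule:", "call:")


def find_fixed_fallbacks(xml_text, variable="fallbackApprover"):
    """Return (workflow name, identity name) for each fixed initializer."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also yields the root, so a single-<Workflow> export works too.
    for wf in root.iter("Workflow"):
        for var in wf.findall("Variable"):
            if var.get("name") != variable:
                continue
            init = (var.get("initializer") or "").strip()
            # Assumption: "string:" marks an explicit literal value.
            if init.startswith("string:"):
                init = init[len("string:"):]
            if init and not init.startswith(DYNAMIC_PREFIXES):
                findings.append((wf.get("name"), init))
    return findings


if __name__ == "__main__":
    for workflow, identity in find_fixed_fallbacks(SAMPLE_EXPORT):
        print(f"{workflow}: approvals without an owner default to {identity}")
```
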

I see 2 solutions to this problem:

  1. In fallbackApprover, write a small rule which always returns the requester's identity name - in this case the request will be auto-approved.
  2. In the approvalScheme attribute, write a rule which will calculate the approval scheme dynamically.

There are however some consequences and drawbacks you have to be aware of in terms of setting the approval scheme.
For example, in IIQ the approval mode is set globally for the whole request, which means you cannot set it for a certain entitlement in the request (in the end you can, but it is a more complex topic).

In SSF there is also something called dynamic approvals - you can try this integration to achieve your requirement.

1 Like

Thanks Kamil.

This article, while not the same approval type, suggests that if the approver and fallback approver are empty that the object will be approved: Approvals for Changes to Entitlements
The same goes for this dev topic:
Entitlement Update Approval

That was what prompted me to ask about having the fallback empty achieving my goal. Since the majority of the entitlements do not have an owner, they would fall through and be approved. The one(s) with an owner would require that approval. Finding that the subprocess didn’t respect the fallback approver from the main process automatically negates that possibility and is what brought up that it might be a bug.

I appreciate the insight and I’ll keep reading up on other possibilities.
