How to populate role provisioning form for bulk assignments

Which IIQ version are you inquiring about?

8.4

Please share any images or screenshots, if relevant.

NA

Please share any other relevant files that may be required (for example, logs).

NA

Share all details about your problem, including any error messages you may have received.

I have a requirement to bulk assign roles. The role is having a provisioning policy attached and requires user’s input for certain fields. But for bulk assignment, I get the field values in csv file and I have to populate the fields using csv file. I’m generating the provisioning plan to assign the role, but unsure how to populate the form fields programatically. When I set the form fields as new attribute requests, and launch the LCM provisioning workflow, the form values are not set and the requests are pending for form completion. Any help will be greatly appreciated.

@Ravikumar_Subramanyam By default, you can’t set form field in the batch request csv. It only allows predefined columns while doing the assignment.

In the past, we added a column for comments and later in batch request LCM, we modified the plan to set the comments. You can also try the same, add a step in batch LCM, read the value of the additional columns, and then modify the plan to set them.

Note: Found a fix?Help the community by marking the comment as solution. Feel free to react(,, etc.)with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.

Hello @Ravikumar_Subramanyam

As per my understanding, you need to pass value as Provisioning Arguments not attribute requests.

For Example:

plan.getArguments().put(“fieldName”, value);

If this helps please confirm.

Provisioning attribute should be in attribute request.. Have you tested plan.getArguments().put(“fieldName”, value); ? Not sure, if this is a right approach? Please confirm.

Hi @Ravikumar_Subramanyam I would say you can handle this scenario within the provisioning policy itself, instead of changing the LCM Provisioning Workflow. If the source is a batch request, read the CSV file and return the values in the provisioning policy field.

Thanks,

PVR.

@Ravikumar_Subramanyam one option i can think of in LCM provisioning workflow. you have to inject in plan. like

<Step name="Inject CSV Values"> 
<Script> 
<![CDATA[ 
ProvisioningPlan plan = (ProvisioningPlan) workflow.get("plan"); 
String costCenter = csvMapData.get("CostCenter"); // csvMapData is map data from csv
if (plan != null) 
{ 
for (AccountRequest ar : plan.getAccountRequests()) 
{ 
ar.add(new AttributeRequest("costCenter", ProvisioningPlan.Operation.Set, costCenter)); 
} 
} 
workflow.put("plan", plan);
 ]]> 
</Script> 
</Step>

this is just an idea sample. 

it should be little complex but i don’t see any other option if you really need to go through csv options.

Thanks for all your inputs.

@Puja_IAM @neel193 - plan.getArguments().put(“fieldName”, value); didn’t work.

@Peddapolu - Could you please explain how I can get access to the source inside Role Provisioning policy?

@pravin_ranjan - I tried this approach but still the request is expecting interaction from user to fill the form.

I’m using the below script to bulk assign the role. It will be a run rule task, iterates the csv file and launches LCM provisioning workflow for each user in the csv.

Identity id = context.getObjectByName(Identity.class, IdentityName);
    ProvisioningPlan plan = new ProvisioningPlan();     
    plan.setIdentity(id);     
    plan.setSource("BulkRoleAssignmentFromExcel");
    AccountRequest iiqReq = new AccountRequest(AccountRequest.Operation.Modify, "IIQ", null, id.getName());     
    iiqReq.add(new AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Add, "Test Role"));
    plan.getArguments().put("firstname",  csvRow.getFirstName());
    plan.getArguments().put("lastName",  csvRow.getLastName());
    plan.getArguments().put("email",  csvRow.getEmail());
    plan.getArguments().put("operatorType",  csvRow.getOperator());
    plan.getArguments().put("printers",  csvRow.getPrinter());
    plan.getArguments().put("functionLevels",  csvRow.getFunctionalLevels());
    plan.getArguments().put("userGroups",  csvRow.getUserGroups());
    plan.getArguments().put("enterpriseSecurity",  csvRow.getEntrSecurity());
	
    plan.add(iiqReq);
    
    //Construct Workflow Arguments
    Attributes wfArgs = new Attributes(); 
    wfArgs.put("approvalScheme", "none"); // This skips the approval step
    wfArgs.put("notificationScheme", "none");
    wfArgs.put("source", "Batch_Upload_Task"); 
    wfArgs.put("policyScheme", "none"); 
    wfArgs.put("workflow", "LCM Provisioning"); 
    wfArgs.put("launcher", "spadmin"); 
    wfArgs.put("identityName", IdentityName); 
    wfArgs.put("plan", plan);
    Workflow wf = (Workflow)context.getObjectByName(Workflow.class,"LCM Provisioning");
    WorkflowLaunch wflaunch = new WorkflowLaunch();
    wflaunch.setWorkflowName(wf.getName());
    wflaunch.setWorkflowRef(wf.getName());
    wflaunch.setCaseName("Batch_Upload_Task"+id.getName());
    wflaunch.setVariables(wfArgs);
    Workflower workflower = new Workflower(context);
    WorkflowLaunch launch = workflower.launch(wflaunch);

After launching the workflow, I see the access request is generated but waiting for interaction to complete the form. I’ve tried setting the form values inside AttributeRequest as well but no luck.

Below is the screenshot of the pending request for user interaction.

image1770×807 38.1 KB

I am hoping you removed reviewRequired = true from form. pls check once. let me check if we need to do more changes.

This role is requestable through UI as well. When requesting from UI, user will have to enter the fields manually and we need to display few prepopulated fields like name and email etc. So removing reviewRequired = true will cause issues in UI flow.

Removing reviewRequired=true and setting the values in AccountRequest’s attribute request solved the issue. But for UI submissions, reviewRequired should be enabled. I’m trying to add conditions in the Form field attribute’s script to control reviewRequired value based on Plan’s source. Not sure if that’s doable. I will try and update here. Thanks for your help!

@Ravikumar_Subramanyam In the Role Provisioning Policy rule, there is a project argument form where you can get the batch request , you can read the CSV and return the value. I hope this should work.

Thanks,

PVR.

      <entry key="source" value="Batch"/>

@Peddapolu the project argument is coming as void in the Role Provisioning policy rule.

no @Ravikumar_Subramanyam, I configured one role provsioning policy and confirmed it, below are the logs that were obtained, and even the value comes in the access request.

image1907×862 35 KB

image1902×588 25 KB

Thanks,

PVR.

@Ravikumar_Subramanyam could you please share the rule you modified and role you are using (removing any PII data).

@Peddapolu Thanks for the details. But in my case, few fields are marked as ReviewRequired=true(this setting is needed because when this role is requested from UI, we need to display these fields to the user). Due to this, the submitted batch request is always forcing the user interaction step. I was trying to control the reviewRequired attribute based on the source in Form field’s value settings Rule. Unable to get the source in Form Field Value rule.

Hi @Ravikumar_Subramanyam , Okay, got it. If you get the source has batch, I think you can set the ReviewRequired flag to false. Try this option.

Thanks,

PVR.

@Ravikumar_Subramanyam As discussed over chat, I have shared the sample code snippet which should help you out. Please give it a try and let us know for any further help.

Note: Found a fix?Help the community by marking the comment as solution. Feel free to react(,, etc.)with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.