I am looking for a way to prevent IIQ from auto approving an access request if the requester is part of the approval group.
For example, if I was part of the “AD Approvers” workgroup, and I requested access for another user for an entitlement with “AD Approvers” as the owner - I want that workitem to still be created and assigned to the workgroup owner, but I should be unable to approve the request.
I created a rule and assigned it to the LCM Provisioning “approvalAssignmentRule” that essentially does the following:
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ApprovalItem;
import sailpoint.object.ApprovalSet;
import sailpoint.object.Identity;

// For every approval item, resolve its owner (the owning workgroup) and return
// that as the approver, regardless of who submitted the request.
List approvalItems = approvalSet.getItems();
List finalApprovals = new ArrayList();
for (ApprovalItem approvalItem : approvalItems) {
    String owner = approvalItem.getOwner();
    Identity ownerIdentity = context.getObjectByName(Identity.class, owner);
    // skip owners that cannot be resolved instead of adding a null approver
    if (ownerIdentity != null) {
        finalApprovals.add(ownerIdentity);
    }
}
return finalApprovals;
This is close to what I’m looking for - it allows the workgroup to be set as the approver no matter the requester, but the requester (who is still part of the workgroup), is able to approve that workitem.
Hi @supafongboon - yes, this can be done. In the Provisioning Approval Subprocess Workflow there is an Approval step. Under the workItemRequester Arg, there is an interceptorScript; right after that, add a validationScript like this:
<ValidationScript>
  <Source>
    /*
    This validation script will check to make sure whoever is trying to approve the
    WorkItem form is not the Identity for which the access was requested. We do this by
    getting the "completer" value from the WorkItem; if that is the same as the target identity
    "identityName" then a red alert will be shown to that person when they attempt to approve
    the item and they will not be allowed to continue. Other members of the workgroup will be
    allowed to complete it.
    */
    import java.util.*;
    import sailpoint.api.ObjectUtil;
    import sailpoint.object.Identity;

    // returns the displayName - so we need to get the actual identity
    String completer = item.getCompleter();
    // owner from the WI, checking to make sure it is a workgroup
    Identity wiOwner = item.getOwner();
    if (null != wiOwner) {
        if (wiOwner.isWorkgroup()) {
            // utility call that returns all the members of the workgroup in question
            Iterator members = ObjectUtil.getWorkgroupMembers(context, wiOwner, null);
            if (null != members) {
                while (members.hasNext()) {
                    // get the individual identity from the list of wg members
                    Object[] row = (Object[]) members.next();
                    Identity identityCube = (Identity) row[0];
                    String identityDisplayName = identityCube.getDisplayName();
                    // does the workgroup identity have the same display name as the completer?
                    if (identityDisplayName.equalsIgnoreCase(completer)) {
                        // found the displayName of the approver in the wg, get the unique ID
                        String identityCubeName = identityCube.getName();
                        // if the unique id of the wg member with a displayName matching "completer"
                        // matches the unique id of the target identity, we have a self approval - throw error
                        if (identityCubeName.equalsIgnoreCase(identityName)) {
                            return "Self approvals are not allowed. Please have another Workgroup approve this request.";
                        }
                    }
                }
            }
        }
        else {
            // Check if the completer is just an id; if the id's displayName is equal to completer,
            // send the self-approval message
            Identity requesteeId = context.getObjectByName(Identity.class, identityName);
            if (null != requesteeId) {
                if (completer.equalsIgnoreCase(requesteeId.getDisplayName())) {
                    return "Self approvals are not allowed. Please have another approver approve this request.";
                }
            }
        }
    }
    // no self approval detected: returning null lets the work item be completed
    return null;
  </Source>
</ValidationScript>
You can customize the return text to be however you want to alert the approver.
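The script above keys on display names, which are not unique, and it compares the completer against the access target rather than the requester that the original question is about. The following is an added example written for this thread, not code from the post above or from SailPoint: it isolates the decision as plain Java so it can be unit-tested outside IIQ, compares unique identity names only, fails closed when the completer cannot be resolved to exactly one identity, and blocks both the requester and the access target. It assumes the caller can supply the unique names of the approver, the requester (in an IIQ workflow the `launcher` variable is assumed to hold this), the target (`identityName`), and the owning workgroup's members; the `Member` class and the sample identities are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

/** Self-approval guard with the decision logic separated from any IIQ API calls. */
public final class SelfApprovalGuard {

    /** Constructed stand-in for the two fields the script reads from each workgroup member. */
    public static final class Member {
        public final String name;        // unique identity name
        public final String displayName; // NOT unique; two people can share it
        public Member(String name, String displayName) {
            this.name = name;
            this.displayName = displayName;
        }
    }

    /**
     * Map the completer's display name to exactly one unique identity name among the
     * workgroup members. Returns null if the display name is blank, unknown, or shared
     * by more than one member, so the caller fails closed instead of guessing.
     */
    public static String resolveUniqueName(String completerDisplayName, List<Member> members) {
        if (completerDisplayName == null || completerDisplayName.trim().isEmpty()) {
            return null;
        }
        String found = null;
        for (Member m : members) {
            if (completerDisplayName.equalsIgnoreCase(m.displayName)) {
                if (found != null) {
                    return null; // ambiguous: refuse to pick one
                }
                found = m.name;
            }
        }
        return found;
    }

    /**
     * Returns null when the approval may proceed, otherwise the message to show the approver.
     * All three arguments are unique identity names, never display names.
     */
    public static String validate(String approverName, String requesterName, String targetName) {
        if (approverName == null) {
            // The thread shows getCompleter() can be blank; an unknown approver must not pass.
            return "Approver could not be identified; approval blocked.";
        }
        if (approverName.equalsIgnoreCase(requesterName)) {
            return "Self approvals are not allowed: the requester may not approve their own request.";
        }
        if (approverName.equalsIgnoreCase(targetName)) {
            return "Self approvals are not allowed: the access recipient may not approve.";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample workgroup; two members deliberately share a display name.
        List<Member> adApprovers = Arrays.asList(
            new Member("jsmith", "John Smith"),
            new Member("jsmith2", "John Smith"),
            new Member("amiller", "Ann Miller"));

        // amiller requested access for bjones and now tries to approve it: blocked.
        System.out.println(validate(resolveUniqueName("Ann Miller", adApprovers), "amiller", "bjones"));
        // A "John Smith" tries to approve: display name is ambiguous, so fail closed.
        System.out.println(validate(resolveUniqueName("John Smith", adApprovers), "amiller", "bjones"));
        // Blank completer (the symptom reported in this thread): blocked.
        System.out.println(validate(resolveUniqueName("", adApprovers), "amiller", "bjones"));
        // A different workgroup member approves amiller's request: allowed (prints null).
        System.out.println(validate(resolveUniqueName("Ann Miller", adApprovers), "jsmith", "bjones"));
    }
}
```

Inside a ValidationScript the same shape applies: build the member list from the workgroup, resolve the completer to a unique name, and return the message from `validate` (or null to allow). Returning an error whenever the approver cannot be resolved is the safe default; silently allowing a blank completer is exactly the gap described in the reply below.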
I tried with and without an ApprovalAssignment rule. The approval scheme is the owner initially.
The rule shows String completer = item.getCompleter();, but the value returned for that is blank: the workitem doesn’t have a completer, so the user is able to click and approve the workitem.
To note, I added logging into the validation script, but I can’t get it to reach that script (no logs are posted). When should I be seeing the error message or the logs trigger?
The workflowCase does show the validation script in the XML.