LCM Provisioning - Workflow for approvals

Hello team,

We are having some issues when we want to configure approvals:

We have two main points:

  1. ITRoles with owner defined for approvals
  2. entitlements with no owner defined.

We want to avoid approvals when users request an entitlement with no owner.

In other words, when a user requests an entitlement that does not have an owner assigned, this entitlement has to be approved automatically, and if an owner is detected, the request has to pass through this owner.

We are working in the LCM Provisioning workflow and configured these two points:
Approvers → Owner
Fallback approver → empty

When we test, even if the “fallbackApprover” is empty, the request is sent to the application owner by default to approve or revoke.
We tried to set up “fallbackApprover” and “approvalScheme” in the Approve and Provision Subprocess (via XML), but it does not work. The request is always sent to the application owner.

How can we control the request so that it is auto-approved if no owner is detected?
Could anyone please help us or give us a clue?

Thank you so much in advance.

You might need to use an ApprovalAssignment Rule here, or dynamically change the “approvalScheme” variable value (using a Script block) based on what is being requested. Note, though, that modifying the “approvalScheme” to omit the “owner” value will simply skip that approval level; it won’t auto-approve.

1 Like

Hello Paulo and thank you for your response.

We are working in this way:

  1. Approve and Provision Subprocess
  2. Editing step “approve”
  3. Adding an approval rule.

See the code below:

import java.util.List;
import java.util.ArrayList;
import sailpoint.api.SailPointContext;
import sailpoint.object.*;
import sailpoint.object.ApprovalItem;
import sailpoint.object.ApprovalSet;
import sailpoint.object.Identity;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.Workflow.*;
import sailpoint.object.Workflow.Approval;

    // "approvals" and "context" are not declared here; they are expected as inputs to the rule.
    // Approvals to keep: anything not added to this list is dropped from the approval step.
    List newApprovals = new ArrayList();

    for (Approval approval : approvals) {

        ApprovalSet currentApprovalSet = approval.getApprovalSet();
        for (ApprovalItem approvalItem : currentApprovalSet.getItems()) {

            // Only entitlement-add items are inspected.
            if ("EntitlementAdd".equals(approvalItem.getAttribute("operation"))) {
                String entId = (String) approvalItem.getAttribute("id");

                ManagedAttribute ent = context.getObjectById(ManagedAttribute.class, entId);

                Identity owner = ent.getOwner();

                // Keep the approval only when the entitlement has an owner.
                if (owner != null) {
                    newApprovals.add(approval);
                }
            }
        }
    }

    return newApprovals;

Even after adding this block of code, we are not getting the result we want.
We are getting a “nullPointerError” as below:

Do you think that, even if we skip the approver, it is impossible to “auto-approve” the request?
How could we do this modification?

  • Skip the approval in entitlements with no owner
  • Auto-approve this request.

Any help or clue would be greatly appreciated.

Thank you in advance.

Hello team,

We kept working on the code and it is currently working. Here is the code:

import sailpoint.object.*;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.Workflow.Approval;
import java.util.ArrayList;
import java.util.List;

// "approvals" and "context" are not declared here; they are expected as inputs to the rule.
// Child approvals to keep: a child that is not added to this list is skipped.
List newApprovals = new ArrayList();

for (Approval approval : approvals) {
    List childApprovals = approval.getChildren();

    if (childApprovals != null && !childApprovals.isEmpty()) {
        for (Approval child : childApprovals) {
            ApprovalSet appset = child.getApprovalSet();
            List items1 = appset.getItems();

            for (ApprovalItem item1 : items1) {
                String appname = item1.getApplication();

                if (item1.getOperation().equalsIgnoreCase("Add")) {
                    if (appname.equalsIgnoreCase("IIQ")) {
                        // Role request: the role owner is read (this throws if the
                        // role has no owner) and the approval is always kept.
                        String roleId = (String) item1.getAttribute("id");

                        Bundle role = context.getObjectById(Bundle.class, roleId);
                        String owner = role.getOwner().getName();

                        newApprovals.add(child);
                    } else {
                        // Entitlement request: keep the approval only when the
                        // entitlement has an owner.
                        String entId = (String) item1.getAttribute("id");
                        ManagedAttribute ent = context.getObjectById(ManagedAttribute.class, entId);
                        Identity owner = ent.getOwner();

                        if (owner != null) {
                            newApprovals.add(child);
                        }
                    }
                }
            }
        }
    }
}
return newApprovals;

But now we are seeking to split the access request, because if the user makes a request with an entitlement (with approver) and an entitlement (with no approver), the access request creates something like this:

We need to separate this because one of the entitlements (the one with no approver) has to be approved automatically. Is this possible?
Could someone give us some advice?

Thank you so much.
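
The split asked about above, sketched as an added example in plain Java 16+ (not SailPoint code and not from the posters in this thread): the stand-in types `Item` and `Split`, the `FALLBACK` reviewer group and the sample data are assumptions. An entitlement that cannot be resolved is sent to the fallback reviewer instead of being auto-approved, and every auto-approved item is written out so the skipped approval stays auditable.

```java
import java.util.*;

// Added example: plain-Java stand-ins, NOT the SailPoint object model.
public class SplitByOwner {
    // Hypothetical stand-in for one requested item.
    record Item(String entitlementId, String name) {}
    // Result of the split: items grouped per approver, and items with no owner.
    record Split(Map<String, List<Item>> byOwner, List<Item> autoApproved) {}

    static final String FALLBACK = "access-admins"; // hypothetical reviewer group

    /**
     * owners maps entitlement id -> owner name. A key mapped to null means
     * "entitlement exists, no owner assigned"; a missing key means the lookup failed.
     */
    static Split split(List<Item> requested, Map<String, String> owners) {
        Map<String, List<Item>> byOwner = new LinkedHashMap<>();
        List<Item> auto = new ArrayList<>();
        for (Item item : requested) {
            if (!owners.containsKey(item.entitlementId())) {
                // Fail closed: an unresolved entitlement is never auto-approved.
                byOwner.computeIfAbsent(FALLBACK, k -> new ArrayList<>()).add(item);
                continue;
            }
            String owner = owners.get(item.entitlementId());
            if (owner == null) {
                auto.add(item); // explicitly ownerless: no approval step
            } else {
                byOwner.computeIfAbsent(owner, k -> new ArrayList<>()).add(item);
            }
        }
        return new Split(byOwner, auto);
    }

    public static void main(String[] args) {
        // Constructed sample data: one owned, one ownerless, one unresolved entitlement.
        Map<String, String> owners = new HashMap<>();
        owners.put("ent-1", "alice");
        owners.put("ent-2", null);
        List<Item> request = List.of(new Item("ent-1", "Finance-RW"),
                new Item("ent-2", "Wiki-Read"), new Item("ent-9", "Unknown"));
        Split s = split(request, owners);
        s.byOwner().forEach((o, items) -> System.out.println("approval for " + o + ": " + items));
        // Record each auto-approved item so the skipped approval is auditable.
        s.autoApproved().forEach(i -> System.out.println("AUDIT auto-approved (no owner): " + i));
    }
}
```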

I had the same issue even when split provisioning was set up correctly when two business roles were for the same application and application account had not been created yet.

Were you able to solve the issue? What was the solution?