Limit entitlements selection in Access Request

IIQ 8.3

Hi team,

Is there a way to limit the number of items an end user can request in Manage User Access, basically in the access request?

In my case, if more than 25 entitlements are requested, the requests fail, hence I want to limit the entitlement selection to 20 or so.

Thanks

We are limiting the no. of entitlements by customizing the OOTB LCM workflow. You can add a step; this step will read the plan, and if the plan has more than 20 adds, you can prompt an error to the user. However, the user will need to submit the request again with fewer entitlements. Apart from this, I don’t think there is a way to limit the no. of adds in the access request.

Hi @gargshub5 ,

You will be able to achieve the goal by using a policy and enabling policy checking in the LCM workflow used for the Access Request.

Best regards,
Daniel


Any idea about this?

You can modify the LCM workflow. Add a new step before the initialize step in LCM. In this new step, read the plan. Now you can check how many “adds” there are in the plan. If your condition is met, move to the error step, else continue. In the error step you can display why this request cannot be submitted, as the user requested more than 20 entitlements.
For example:

<Step icon="Start" name="Start" posX="25" posY="10">
    <Transition to="CUSTOM_STEP"/>
</Step>

Now you can create your own libraries and pass the plan, where you can calculate adds, etc.

<Step action="script:getAccessRequestErrorMessage(identityName, plan)" name="CUSTOM_STEP" posX="25" posY="10" resultVariable="accessRequestErrorMessage">
    <Transition to="Exit With Error" when="script:null!=accessRequestErrorMessage"/>
    <Transition to="initialise"/>
</Step>
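One way the library method called by CUSTOM_STEP could be written, as an added example that is not part of the original post or of SailPoint's own code. It is BeanShell for a rule library and counts every value requested with an Add operation in the plan (roles as well as entitlements); `MAX_ADDS` and `countRequestedAdds` are hypothetical names, and the limit of 20 is the figure used in the thread.

```java
import java.util.Collection;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Hypothetical limit, taken from the thread ("more than 20 adds").
int MAX_ADDS = 20;

// Hypothetical helper: total number of values requested with Operation.Add
// across all account requests in the plan.
public int countRequestedAdds(ProvisioningPlan plan) {
    int adds = 0;
    if (plan == null || plan.getAccountRequests() == null) {
        return adds;
    }
    for (AccountRequest account : plan.getAccountRequests()) {
        List attrs = account.getAttributeRequests();
        if (attrs == null) {
            continue;
        }
        for (AttributeRequest attr : attrs) {
            if (!ProvisioningPlan.Operation.Add.equals(attr.getOperation())) {
                continue; // ignore Remove/Set; only new access counts
            }
            Object value = attr.getValue();
            if (value instanceof Collection) {
                adds += ((Collection) value).size(); // multi-valued request
            } else if (value != null) {
                adds++;
            }
        }
    }
    return adds;
}

// Name and arguments match the step's script call. Returning null lets the
// workflow continue; any other value triggers the "Exit With Error" transition.
public String getAccessRequestErrorMessage(String identityName, ProvisioningPlan plan) {
    int adds = countRequestedAdds(plan);
    if (adds > MAX_ADDS) {
        return "Request for " + identityName + " contains " + adds
            + " items; the limit is " + MAX_ADDS + ". Please submit fewer items per request.";
    }
    return null;
}
```

The workflow has to reference the rule library that holds these methods for the `script:` call in the step to resolve.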

This would definitely work.
However please take into consideration that there was already effort for the requester to sample together the request.
If now the request just fails the user experience may be negatively impacted.

That’s the reason why we use Policies to achieve the goal and that works really well.

Kind regards,
Daniel

Hi @daniel_neubert, please shed some light on how we can use policies for limiting the no. of entitlements during access request.

No OOTB option.

I would recommend trying a custom plugin. Workflow modification won’t be a great approach, as that will trigger after submission of the request.


Hi @aditprad003 ,

Basically, the idea is to compare the persisted identity with the version passed into the policy check (policy rule).
If you compare the values
identity.getAssignedRoles().size()
with the persisted identity you should be able to retrieve the number of roles requested.
Based on the comparison you may want to create a Policy Violation.

Unfortunately I do not have access to the environment where we already made some tests but please have a look into the following post on Compass:

Solved: Advanced Policy: Extracting Requested Roles/Entitles When Submitting Requests Through Manage Access - Page 2 - Compass

You’ll also find some example code there.

Best regards,
Daniel


Hi @daniel_neubert, this is a great idea, thank you for referring to the topic and sharing it :).
and thanks to @robertpatterson for the code…
