Link Role to Entitlement dynamically based on user attributes

Which IIQ version are you inquiring about?

Unsure

I am working on an integration with IIQ and ServiceNow, to allow users to request access from IIQ in ServiceNow. We are provisioning access to a system where the AD groups giving access are region-specific (due to an AD limitation), so the access for ‘User’ has two AD groups, ‘NA-USER’ and ‘EO-USER’, but both give the exact same access. Currently the proposal is to show these as two entitlements, but build a filter in ServiceNow to only show the relevant choice based on the user’s region. Building logic like this in ServiceNow looks like the wrong way to do it, as it would be better centralized in IIQ.

My question: is it possible to create one Role for ‘User’ and then provision the AD group dynamically in IIQ based on user attributes, in this case their Region, a value we have in IIQ?

The IIQ developers are telling me this isn’t possible, but it seems like functionality that would be very useful for a tool like IIQ.

Apologies if my use of Role and Entitlement is unclear; IIQ isn’t a system I’m very familiar with.

Note: this is a custom integration rather than the prebuilt connector, as some functionality we needed isn’t yet available in the connector.

Many thanks!
Alex


For me it sounds like you have to use attribute-based access control. A role in IIQ can be requested manually or it gets assigned because of its attributes. Your requirement is attribute-based. So you need two Roles. One Role includes NA-User and the other Role includes EO-User. These roles then need an AssignmentRule inside them. You can add it in the Role Editor. There you define a script that says: “if the Identity has region X, assign them this Role”, and the same for the other Role. Hope this is an option for you.

Many thanks for sharing this. The requirement we have is slightly different, rather than auto-provisioning the access, it should be requestable (through ServiceNow), but I need to be able to offer one option to the user (this could be a role or entitlement) called ‘User’ that will then add the users to an AD group based on their Region (e.g. EO-User or NA-User). Is this possible or do we need to have both choices, and filter them in the ServiceNow side?

So you request an entitlement in ServiceNow and then in IIQ this Request is created also and provisioned, right? In general it’s possible with some code to make your requirement happen. You said you use a Custom Integration, so I think your custom code has to be enhanced to match this extra functionality in IIQ. From the outside it’s hard to give advice on this. For me it sounds like it’s a 50/50 situation: do the special logic in IIQ or in ServiceNow. But probably you can check if the AD Team has a solution for the region/group topic.

Thanks for your help Maximilian, this is really helpful. I think we will make the change in ServiceNow; it’s good to know that there’s not a way to do this in IIQ that we are missing out on.

Alex

Hi Alex,
I believe you can do that by using a provisioning policy for the role you are requesting. I would try to just set up the provisioning policy where the attribute memberOf is calculated via a Beanshell rule based on your conditions.

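To make the suggestion above concrete, here is an added example of what such a provisioning-policy field script could look like. It is not code from the thread or from SailPoint; it is written in Beanshell (the Java-like scripting language IIQ uses for rules and field value scripts) as a value script for the AD `memberOf` field on the requestable ‘User’ role. It assumes that the requester’s Identity object is available in scope as `identity` (as it is for IIQ provisioning-policy field scripts), that the region is stored on the identity under an attribute literally named `region` with values such as `NA` and `EO`, and that the group DNs below are placeholders; the real attribute name, region codes and DNs would need to be taken from the actual environment.

```java
// Added example, not from the original thread or from SailPoint.
// Beanshell value script for the 'memberOf' field of a provisioning policy
// attached to the requestable 'User' role. Picks the region-specific AD group
// so the requester sees a single 'User' option and never chooses the region.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// ASSUMPTION: region code -> AD group DN. The DNs are constructed placeholders;
// only the group names (NA-USER, EO-USER) come from the original post.
Map regionGroups = new HashMap();
regionGroups.put("NA", "CN=NA-USER,OU=Groups,DC=example,DC=com");
regionGroups.put("EO", "CN=EO-USER,OU=Groups,DC=example,DC=com");

// ASSUMPTION: 'identity' is the sailpoint.object.Identity of the requester,
// and the region lives in an identity attribute named "region".
String region = (String) identity.getAttribute("region");
if (region != null) {
    region = region.trim().toUpperCase();
}

// Fail closed: an identity with no region, or an unmapped one, must not be
// silently dropped into either group. Throwing makes the access request fail
// visibly instead of granting the wrong region's access.
if (region == null || !regionGroups.containsKey(region)) {
    throw new sailpoint.tools.GeneralException(
        "No region-specific AD group mapped for region '" + region + "'");
}

// memberOf is multi-valued in the AD schema, so return a List even for one group.
List groups = new ArrayList();
groups.add(regionGroups.get(region));
return groups;
```

Because the field value is computed entirely from the identity, the `memberOf` field would be left hidden in the policy form so the requester is never prompted for it; ServiceNow then only needs to offer the single ‘User’ role, and the region logic lives in IIQ as Alex originally wanted. If the region attribute can be blank for some identities, the error path above is where that case surfaces, so it is worth agreeing up front whether a missing region should block the request or route it to a manual review.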

Thanks Kamil, that’s very helpful! I’ll look further to see if a provisioning policy gets us there; it sounds like it will meet the need.
