Need to skip the workgroup member from approval, if he/she is a requester for the role

Which IIQ version are you inquiring about?

*8.2
Please find the below logic from the approver assignment rule, which I am trying to put to skip the launcher. The logic ids.remove(approverIdentity) is working, but it is removing the user from the workgroup as well, which we do not want. We simply want to skip it.

    if (isWorkGroup) {
        ObjectUtil obj = new ObjectUtil();
        Iterator members = obj.getWorkgroupMembers(context, approverIdentity, null);
        if (null != members) {
            while (members.hasNext()) {
                Object[] object = (Object[]) members.next();
                Identity ids = (Identity) object[0];
                String membername = ids.getName();

                if (membername.equalsIgnoreCase(launcher)) {
                    ids.remove(approverIdentity);
                }
            }
        }
    }

Hi @naveenkumar3,

To skip the approval for workgroup members request, you can use the below logic in your approval scheme.

    import java.util.ArrayList;
    import java.util.Iterator;
    import java.util.List;
    import sailpoint.api.ObjectUtil;
    import sailpoint.object.*;

    String identityName = identity.getName();
    Identity workgroup = context.getObjectByName(Identity.class, "WorkGroupName");
    log.error("workgroup :" + workgroup);

    // Collect the names of all members of the workgroup
    List wrkgmemnberList = new ArrayList();
    if (workgroup != null && workgroup.isWorkgroup()) {
        Iterator wrkGrpmembers = ObjectUtil.getWorkgroupMembers(context, workgroup, null);
        while (wrkGrpmembers.hasNext()) {
            Object[] object = (Object[]) wrkGrpmembers.next();
            Identity ids = (Identity) object[0];
            wrkgmemnberList.add(ids.getName());
        }
    }

    // "none" when the requestee or the launcher is a workgroup member, otherwise "manager"
    if (wrkgmemnberList.contains(identityName) || wrkgmemnberList.contains(launcher)) {
        return "none";
    } else {
        return "manager";
    }

Hi @Arun-Kumar,

I have the code in the approver assignment rule, where if the launcher is part of the workgroup, the approval should skip him and should go to the other approver in the workgroup.

Our approval scheme is set as “Identity”. The above code you have shared will not work.

I want to set it via the approver assignment rule. I am able to remove the member from the list, but I am not able to pass the list, so that approval should go only to the members which are in the list.

Hi @naveenkumar3,

If you wish to achieve this using an Approval assignment rule, you can create a temporary workgroup and add all members in that workgroup except the launcher. Once the approval decision is made by a workgroup member, you can then remove the temporary workgroup.

An alternative approach is to add the following validation script to the “Approval” step within the Provisioning Approval Subprocess workflow. This validation script will generate an error message if the requester or requestee attempts to approve the work item form.

    <ValidationScript>
      <Source>
        import org.apache.commons.logging.Log;
        import org.apache.commons.logging.LogFactory;

        import sailpoint.object.Identity;
        import sailpoint.tools.GeneralException;

        // Who completed the work item, and who requested it
        String completer = item.getCompleter();
        Identity wiRequestor = item.getRequester();
        try {
            Identity requesteeId = context.getObjectByName(Identity.class, identityName);
            if (null != requesteeId @and null != completer @and null != wiRequestor) {
                // Returning a message fails validation and blocks the completion
                if (completer.equalsIgnoreCase(requesteeId.getDisplayName()) || completer.equalsIgnoreCase(wiRequestor.getDisplayName())) {
                    return "Self approval is not allowed!";
                }
            }
        } catch (Exception e) {
            log.error("Error Validation Script.." + e.getMessage());
        }
      </Source>
    </ValidationScript>

Regards,
Arun
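Added example, not part of the thread and not SailPoint code: a plain-Java model of the self-approval check described in the reply above, extended to show the case where excluding the requester and requestee leaves no workgroup member able to approve. The class name, method names and sample names are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class SelfApprovalGuard {

    // Same convention as the validation script: a message blocks the
    // completion, null lets it through. Comparison ignores case.
    static String validate(String completer, String requester, String requestee) {
        if (completer == null) {
            return null; // nothing to compare yet
        }
        if (completer.equalsIgnoreCase(requester) || completer.equalsIgnoreCase(requestee)) {
            return "Self approval is not allowed!";
        }
        return null;
    }

    // Workgroup members who would pass validate() for this request.
    static List<String> eligibleApprovers(List<String> members, String requester, String requestee) {
        List<String> eligible = new ArrayList<>();
        for (String member : members) {
            if (validate(member, requester, requestee) == null) {
                eligible.add(member);
            }
        }
        return eligible;
    }

    public static void main(String[] args) {
        // Constructed sample data, hypothetical names
        List<String> workgroup = Arrays.asList("alice", "bob", "carol");

        // The launcher tries to complete her own request (case differs)
        System.out.println("alice completes: " + validate("Alice", "alice", "dave"));
        // Another member completes it
        System.out.println("bob completes:   " + validate("bob", "alice", "dave"));
        // Members left once requester and requestee are excluded
        System.out.println("eligible:        " + eligibleApprovers(workgroup, "alice", "bob"));

        // Edge case: the launcher is the only member, so validation alone
        // would leave the work item with nobody able to complete it.
        List<String> left = eligibleApprovers(Arrays.asList("alice"), "alice", "dave");
        if (left.isEmpty()) {
            System.out.println("no eligible approver: route to a fallback approver");
        }
    }
}
```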

Hi @Arun-Kumar,

I am trying to do it via the approver assignment rule. Please find the code below, where I am trying to add the user to the list where the launcher is not part of the group. However, I am not able to set it back in the approverIdentity (approverIdentity contains the identities from a workgroup).

Can you please suggest.

    if (isWorkGroup) {
        ObjectUtil obj = new ObjectUtil();
        Iterator members = obj.getWorkgroupMembers(context, approverIdentity, null);
        List newIdentityList = new ArrayList();
        //Attributes workgroupmembers = new Attributes();

        if (null != members) {
            while (members.hasNext()) {
                Object[] object = (Object[]) members.next();
                Identity ids = (Identity) object[0];
                String membername = ids.getName();

                if (!membername.equalsIgnoreCase(launcher)) {
                    newIdentityList.add(ids);
                }
            }
        }
    }

Hi @naveenkumar3,

You need to create a temporary workgroup and add the identity in it. This temporary workgroup should be created without a launcher. Ensure that you clean up this temporary workgroup once the approval decision has been made.

Refer to the code.

    if (isWorkGroup) {
        ObjectUtil obj = new ObjectUtil();
        Iterator members = obj.getWorkgroupMembers(context, approverIdentity, null);
        if (null != members) {
            // Create and save the temporary workgroup before adding members to it
            Identity temp_workgroup = new Identity();
            temp_workgroup.setName("temp_workgroup1");
            temp_workgroup.setWorkgroup(true);
            context.saveObject(temp_workgroup);

            while (members.hasNext()) {
                Object[] object = (Object[]) members.next();
                Identity ids = (Identity) object[0];
                String membername = ids.getName();
                if (!membername.equalsIgnoreCase(launcher)) {
                    // Membership is held on the member, the same direction as
                    // ids.remove(approverIdentity) in the original post
                    ids.add(temp_workgroup);
                    context.saveObject(ids);
                }
            }
            context.commitTransaction();
        }
    }

Hi @Arun-Kumar, I don’t think this solution will be feasible, as it will create so many temporary workgroups in SailPoint, till the time the request is open?? And if some request is open for, say, 10 days, that temporary workgroup will be there, as it will only be cleared off once the request is completed.

I have solved this issue by putting validation in the provisioning subprocess workflow.

Yes, if you want to achieve this by approver assignment rule, creating the temporary workgroup is the only option. Creating the temporary workgroup is not a feasible solution for this. That is the reason I have mentioned the alternative approach to add the validation script to the provisioning subprocess workflow.
