Share all details related to your problem, including any error messages you may have received.
We have a need to prevent a role access request from getting to the approval step if the user has not taken required training. I am relatively new to IIQ and am trying to figure out where I can intercept the access request, call out to an external service that has the training data, and then determine whether to proceed to the approval step or pop up a message informing the user that they cannot request the role until they complete the required training course.
Any user can request this role, so I cannot exclude users in the QuickLink population. The policy violation check seems too late in the process. Can anyone give me a starting point in the IIQ code base where this should happen?
It feels like I could have a trigger that fires when the access request is submitted but I am struggling to find the code that is executed when the submit button is clicked. Thanks in advance.
Are there any permissions or attributes that indicate if the user has completed the training? If you could provide some more detail we could perhaps provide some recommendations on best practices.
The training data is kept in a separate system (Cornerstone). There is a REST service we can call to get the transcript data for the user and determine if they have completed a specific course or not. The result of that REST call will allow us to decide if the access request can move forward to the approval step or not.
My suggestion would be a policy violation. You could create a workgroup or another application entitlement that indicates they have completed the training. Assign it once training completed.
Lets call the entitlement: TrainingComplete101
With an advanced policy you can check/stop the AccessRequest for the role with corrective steps in the policy violation to say they need to complete the training if they dont have TrainingComplete101 entitlement.
Thanks for the suggestions. Won’t the policies be checked after the access request has been submitted? We are hoping to perform this check when the role request is “added to the cart” so to speak and fail out right away if the training has not been completed. We do not currently pull user training data from Cornerstone into IIQ. I believe that would be necessary in order to do what you suggest with the workgroup or application entitlement. Otherwise, we cannot know when someone has completed a training course.
That integration will be developed eventually, but it’s a phase 2 kind of thing at the moment.
Policy violations are checked while the end user is requesting the access. Before it goes for approval they will see the violation in the UI.
You could setup some entitlement or workgroup that is added to the user as part of the business process once they complete the training. Not sure on volume or feasibility here but you need a trigger for any automated process.
That is good information to have. I was mistaken about the order of operations. Thanks for the help. I will mark this as the preferred solution to the problem.