Version 8.2
Just wanted to know is there a way by which a user should not be able to put a request for the role he is the approver.
for eg: if a user is a member of approver safe in cyberark should not be able to place a request for the safe for which he is the approver.
Hi @Amsingh1,
I think the best way is using a RequestObjectSelector rule in quicklinks population.
In this rule you can write an exclusion logic, where the approver user can view role or entitlement of cyberark.
I think you have a workgroup with those users. So, you can create(if you dont already have) a quicklinks population with this gruop/population assingned and configure the rule.
Remeber about quicklinks, SP applies the less restrictive, so check in how many quicklink those user are present
I believe it might be pretty dangerous to use quicklinks population but instead of that I would actualy use a Policy Violation via Advanced Policy which could be evaluated by LCM Provisionins.
This allows you to interactivly inspect the provisioning plan and make decisions based on that.
Hi @Amsingh1,
It can be achieved in multiple ways. If you don’t want your requestor to see the Roles itself then you may use quicklink population logic.
If you want the user to know that the user is owner and so they should not be able to request the Role, then you can use either the custom workflow’s step itself to show a custom message or you can go head and have an advance policy with this condition where workflow itself will take care of flow.
Let us know if you need any specific help.
Thanks
Generally it should be other way . The one who own the role should be easy able to approve or mostly it should be auto approve if submit the request .
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.