Working in IIQ 8.1, we have a requirement in a self-certification scenario. See below
When a self-certification happens during a certification, the required workitem needs to be assigned to the relevant application owner based on the entitlement that is being certified.
Consider the below example:
An LDAP application which has XX entitlement and a JDBC application that has YY entitlement has been included in a targeted certification. Consider that self certification has occurred for both these entitlements (XX and YY).
Now the workitem containing the XX entitlement should be assigned to the LDAP owner and the workitem containing the YY entitlement should be assigned to the JDBC app owner.
The input arguments available for the “FallbackWorkItemForward rule” (Self-certification rule) are item (workitem object), owner, creator, certifiers, name and type. Unfortunately none of these arguments including the item argument contains the information about the entitlement being certified.
There is one hunch in the “item” argument. It contains the ID of the certification object from which we do have the access to certificationItem. But however if multiple applications are included in the certification, the data inside the certification object gets complex which makes it difficult to access the relevant certificationItem.
Without the entitlement information (or certificationItem information), it is really not possible to frame a logic to assign the workitem to the relevant application owner.
Has anyone faced this kind of scenario before? Any thoughts on this would be really helpful.
My initial thought would be to attempt using a CertificationPreDelegation Rule which inspects what is being certified and re-assigns or delegates the items accordingly.
That is a good suggestion. However “the CertificationPreDelegation rule runs for every CertificationEntity identified by the certification specification”. It does not run for every CertificationItem identified.
Having said that, when we certify the access of Identities having multiple accounts, each CertificationEntity will have multiple CertificationItems associated with it. The application and the entitlement information is stored in the CertificationItem object only.
Since the rule runs only for every Entity, you do not have the option to iterate through the list of certificationItems present inside that Entity and assign each certificationItem to application owners separately in the event of a self-certification.
See a sample CertificationEntity object that has couple of certificationItems belonging to different applications (Active Directory and SunOne LDAP)
In this case where the Self Certification has occurred, we want the item containing the SunOne application entitlement to be assigned to SunOne app owner and the other one to LDAP app owner. Any other ideas you think it would work out for this kind of scenarios?
HI, How did you fetch Application names from Certification object? Can you please suggest. I try to fetch Certificationentity from certification object , but i couldnt any function. Please help me how to get certification entity from certification object or how to get application names from certification object.