Two-level Sign Off Approval Rule Example

Hello,

I am seeking a rule example on how to perform a two-level sign off rule for a certification event. Below is what we have been testing with, as this is the out-of-the-box rule. It notes “Once we get to the most senior manager, approvals stop.” We just want this rule to perform a sign off of just the certifier’s manager and then stop. Currently it is looping through all the managers and asking for a sign off, which I believe is because it is forcing a multi-level sign off and not a two-level certification.

How can a two-level certification be done?

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Certification Sign Off Approver Rule" type="CertificationSignOffApprover">
  <Description>
   This rule is run when the certification is signed off to determine who
   (if anyone) needs to approve the certification decisions.  If this returns
   a non-null identity, the certification is forwarded to the returned identity.
  </Description>
  <Signature returnType="Map">
    <Inputs>
      <Argument name='context'>
        <Description>
           A SailPointContext object used if it is necessary
           to query objects from the database.
        </Description>
      </Argument>
      <Argument name="certification">
        <Description>
          The sailpoint.object.Certification that was signed.
        </Description>
      </Argument>
      <Argument name="certifier">
        <Description>
          The sailpoint.object.Identity that signed the certification.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name='identityName'>
        <Description>
        The name of the Identity that should approve the certification.  Either
        this or 'identity' should be non-null if certification sign off approval
        is desired.
        </Description>
      </Argument>
      <Argument name='identity'>
        <Description>
        The Identity that should approve the certification.  Either this or
        'identityName' should be non-null if certification sign off approval
        is desired.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>

    import sailpoint.object.Identity;

    // This requires approval all the way up the manager hierarchy.  Once we get to
    // the most senior manager, approvals stop.

    Identity identity = certifier.getManager();


    Map results = new HashMap();
    results.put("identity", identity);
    return results;

  </Source>
</Rule>

I haven’t tested this, but you can do something like this:


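import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Certification;
import sailpoint.object.Identity;
import sailpoint.object.SignOffHistory;

// If the cert sign-off history shows the certifier's manager has already signed off,
// do not submit to any other levels of approval.
List history = certification.getSignOffHistory();
Identity identity = certifier.getManager();
if (history == null || history.isEmpty() || identity == null) {
  return null;
}
String mName = identity.getName();
// History entries are SignOffHistory objects, so compare signer names
// instead of calling contains() with a String.
for (int i = 0; i < history.size(); i++) {
  SignOffHistory entry = (SignOffHistory) history.get(i);
  if (mName.equals(entry.getSignerName())) {
    return null;
  }
}
Map results = new HashMap();
results.put("identity", identity);
return results;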

You can check if the history size is 1, then send it to the manager's manager, or something like that. Hopefully, this will provide you some direction on how to do it.
1 Like
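One way to stop after the certifier's manager, as an added example that is not from the thread or from SailPoint: a BeanShell body for the rule's `<Source>`. It treats any earlier sign-off by someone other than the current signer as proof that the first level is done, so it does not depend on whether the current sign-off is already in the history when the rule runs. It assumes `SignOffHistory.getSignerName()` holds the signer's Identity name, and that a results map with no identity ends the chain, as the stock rule's does at the top of the hierarchy.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Identity;
import sailpoint.object.SignOffHistory;

// 'certification' and 'certifier' are the inputs declared in the rule Signature.
// ASSUMPTION: getSignerName() returns the signer's Identity name.
// ASSUMPTION: a map without an "identity" entry means no further approval.
Map results = new HashMap();
String signerName = certifier.getName();

// If anyone other than the current signer has already signed, the current
// signer is the second level (the manager), so the chain stops here.
List history = certification.getSignOffHistory();
if (history != null) {
    for (int i = 0; i < history.size(); i++) {
        SignOffHistory entry = (SignOffHistory) history.get(i);
        String previous = entry.getSignerName();
        if (previous != null && !previous.equals(signerName)) {
            return results;
        }
    }
}

// First sign-off: forward once to the certifier's manager. Skip the forward
// when there is no manager or the manager is the signer, so nobody ends up
// approving their own sign-off.
Identity manager = certifier.getManager();
if (manager != null && !manager.getName().equals(signerName)) {
    results.put("identity", manager);
}
return results;
```

When pasting this into the rule XML, wrap the body in a CDATA section, since it contains `<` and `&&`.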