Using default Approvalschema in ApprovalRuleAssignment

Which IIQ version are you inquiring about?

8.4p2

Problem Summary:
I’m working on an LCM provisioning scenario with a custom Approval Rule that checks for role classifications like "privileged" or "sensitive". The logic works well for mixed cases, but I run into a problem when a RoleOwner requests a single role without classification for someone else.


Setup:

  • A custom Approval Rule checks for classifications on roles.
  • Roles with classification trigger approval by the identity’s manager.
  • Roles without classification are meant to be automatically assigned (no approval).
  • approvalScheme = default is set on LCM Provisioning

Expected Behavior:

  • When anyone (even RoleOwner) requests a role without classification, it should be assigned immediately, with no approval or WorkItem.
  • If the role has a classification, then the manager must approve.
  • This works when the requester is not the RoleOwner.
  • When a classified and non-classified role are requested together, everything works fine.

Actual Behavior:

  • When a RoleOwner requests a single role without classification for another identity:
    • No approval is triggered (correct),
    • But the role is not assigned at all — the request completes successfully, but nothing happens (no WorkItem, no provisioning).
  • If I request the same role as a non-RoleOwner → it gets provisioned immediately (correct behavior).
  • If I request one role with and one without classification → the classified one goes to approval, and the other gets provisioned correctly.

What I’ve tried:

  • Tried using None in approvalScheme, which causes all roles to skip approval (not desired).
  • Checked the workflow logs – no error, the request just “ends” without assigning the role when RoleOwner is requester.

The code below is the method I use in the approvalAssignmentRule:

  // Imports needed when this method is compiled outside the rule editor.
  // 'log' is the commons-logging Log instance that IIQ binds in the rule context.
  import java.util.ArrayList;
  import java.util.Arrays;
  import java.util.HashMap;
  import java.util.List;
  import java.util.Map;
  import sailpoint.api.SailPointContext;
  import sailpoint.object.ApprovalSet;
  import sailpoint.object.Bundle;
  import sailpoint.object.Identity;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.tools.GeneralException;
  import sailpoint.workflow.IdentityApprovalGenerator;
  import sailpoint.workflow.WorkflowContext;

  public static List generateDSadminApprovals(ProvisioningPlan plan, SailPointContext context, String identityName, WorkflowContext wfcontext) throws GeneralException {

        List approvals = new ArrayList();

        // Internally defined classifications that trigger an approval
        List<String> sensitiveClassifications = Arrays.asList("privileged", "sensitive");

        if (plan != null && plan.getAccountRequests() != null) {
            for (AccountRequest accountReq : plan.getAccountRequests()) {
                if (accountReq.getAttributeRequests() != null) {
                    for (AttributeRequest attrReq : accountReq.getAttributeRequests()) {

                        // The requested value is the role name
                        Object value = attrReq.getValue(context);
                        String roleName = (value != null) ? value.toString() : null;

                        if (roleName != null) {
                            Bundle role = context.getObjectByName(Bundle.class, roleName);
                            if (role != null) {
                                List classifications = role.getClassificationNames();

                                // Unclassified roles never reach this loop body, so they add nothing to 'approvals'
                                if (classifications != null) {
                                    for (String type : sensitiveClassifications) {
                                        if (classifications.contains(type)) {
                                            log.debug("Sensitive/privileged role detected: " + roleName);

                                            ApprovalSet newSet = new ApprovalSet();
                                            Identity targetUser = context.getObjectByName(Identity.class, identityName);
                                            // Note: We do not clone AttributeRequest here. Normally ApprovalItems would come from the workflow context.
                                            String managerId = targetUser.getManager() != null ? targetUser.getManager().getId() : null;
                                            if (managerId != null) {
                                                Identity dsManager = context.getObjectById(Identity.class, managerId);
                                                String dsManagerName = dsManager.getName();
                                                Map approvalMap = new HashMap();
                                                approvalMap.put(dsManagerName, newSet);

                                                // Build Workflow.Approval objects for the target's manager
                                                IdentityApprovalGenerator iag = new IdentityApprovalGenerator(wfcontext);
                                                List approvalsForItem = iag.buildApprovalsFromMap(approvalMap, "Regional Manager");

                                                approvals.addAll(approvalsForItem);

                                                for (Object approval : approvalsForItem) {
                                                    log.debug("New approval: " + approval.toString());
                                                }
                                            } else {
                                                log.warn("No manager found for targetUser: " + targetUser.getName());
                                            }
                                        } else {
                                            log.debug("No sensitive/privileged role detected for: " + roleName);
                                        }
                                    }
                                }
                            } else {
                                log.warn("Role not found: " + roleName);
                            }
                        }
                    }
                } else {
                    log.warn("No attribute requests found for account request: " + accountReq.getApplication());
                }
            }
        } else {
            log.warn("Provisioning plan or account requests are null.");
        }

        return approvals;
    }

Question:

I’m thinking the issue is due to my returning an empty approvals list when the role has no classifications (the else branch), and that’s why the work item receives no item for provisioning?
Has anyone experienced this behavior before?
Is this a known issue with approvalScheme = default and RoleOwners?
How can I ensure roles without classification automatically always get provisioned, even when the RoleOwner is the requester?

Any insights would be appreciated!

Hi @Tarek_ICC_AT - I would add a section to check if the Requester is the Role owner. If so, then explicitly pass that to the auto approve logic. If it is silently failing then the plan is getting lost under that condition. Is there anything in place to prevent self-approvals?

Hi @Ryan,

Thanks for your answer. The problem is due to my returned approvals list at the end, so I should also, in the else branch, check and set automatic approvals for the remaining items.

@Tarek_ICC_AT - yes, that should help.
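The routing invariant the thread converges on, as an added illustration that is not part of the thread and does not use the IdentityIQ API: every requested role must end in exactly one bucket (approver, explicitly auto-approved, or unroutable), so an unclassified role can never fall out of the rule unrecorded. Roles, owners, managers and the self-approval policy are constructed sample data and assumptions, chosen only to make the two versions of the logic runnable side by side.

```python
"""Toy model of the approval-assignment decision discussed in the thread.

Constructed example with plain dicts instead of IIQ objects. route_buggy mirrors
the original rule (only classified roles produce any output); route_fixed adds
the explicit auto-approve branch and a fail-closed bucket for items it cannot route.
"""
from dataclasses import dataclass, field

SENSITIVE_CLASSIFICATIONS = {"privileged", "sensitive"}

# Constructed sample data: role -> classifications and owner; identity -> manager.
ROLES = {
    "Finance-Reader": {"classifications": set(), "owner": "alice"},
    "Finance-Admin": {"classifications": {"privileged"}, "owner": "alice"},
    "HR-Viewer": {"classifications": set(), "owner": "bob"},
}
MANAGERS = {"carol": "dave", "alice": "erin", "bob": "erin", "dave": None}


@dataclass
class Routing:
    # approver name -> roles that approver must decide on
    approvals: dict = field(default_factory=dict)
    # roles that need no approval and must be provisioned directly
    auto_approved: list = field(default_factory=list)
    # roles that could not be routed (unknown role, no approver); fail closed
    unroutable: list = field(default_factory=list)


def route_buggy(requester, target, role_names):
    """Mirrors the original rule: unclassified roles add nothing to the result,
    so nothing downstream ever learns they were requested."""
    routing = Routing()
    for name in role_names:
        role = ROLES.get(name)
        if role is None:
            continue
        if role["classifications"] & SENSITIVE_CLASSIFICATIONS:
            manager = MANAGERS.get(target)
            if manager:
                routing.approvals.setdefault(manager, []).append(name)
    return routing


def route_fixed(requester, target, role_names):
    """Every requested role ends in exactly one bucket."""
    routing = Routing()
    for name in role_names:
        role = ROLES.get(name)
        if role is None:
            routing.unroutable.append(name)
            continue
        needs_approval = bool(role["classifications"] & SENSITIVE_CLASSIFICATIONS)
        if not needs_approval:
            # Explicit auto-approve, also when the requester owns the role
            routing.auto_approved.append(name)
            continue
        manager = MANAGERS.get(target)
        if manager is None or manager == requester:
            # Assumed policy: no approver available, or the requester would be
            # approving their own request; hold the item instead of dropping it
            routing.unroutable.append(name)
        else:
            routing.approvals.setdefault(manager, []).append(name)
    return routing


def accounts_for_all(role_names, routing):
    """Invariant check: no requested role silently disappears."""
    seen = set(routing.auto_approved) | set(routing.unroutable)
    for roles in routing.approvals.values():
        seen.update(roles)
    return seen == set(role_names)


if __name__ == "__main__":
    # Role owner alice requests one unclassified role for carol
    print(route_buggy("alice", "carol", ["Finance-Reader"]))
    print(route_fixed("alice", "carol", ["Finance-Reader"]))
```

Running the script shows the buggy version returning an empty Routing for the single unclassified role, which is the silent "nothing happens" outcome from the original post, while the fixed version places the same role in auto_approved. The unroutable bucket is the fail-closed counterpart: an item the rule cannot assign to an approver is surfaced rather than lost.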