I have multiple Groups that I assign to a user's account in ITIM 5.1 and an adapter is in place to read the added/deleted group information and perform specific operation based on the groups added or deleted.
Now with the same system, we need to upgrade to Group Approvals for add. For every add or a group, a separate Group Approval procedure needs to be followed in parallel. I can write a Account request workflow to get the changes made to the account object and get all the Groups that were added or deleted. But I am not able to figure out the following details:
1. I can get the Approval participant using a script for specific groups. If all the approval requests were to be sent in sequence, I could have written a loop node. But in my case, all the Group approval request need to go out in parallel. If you have implemented such a solution, could you please guide me with some relevant information. How can I send all the approval requests in parallel to the specif group Approvers.
2. Again, some groups will be accepted and certain groups access will be rejected. How can I remove the groups that got rejected in the approval process from being passed to the adapter for processing?
Appreciate your help.
NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
This topic has been locked.
6 replies Latest Post - 2013-03-14T21:02:35Z by SystemAdmin
Pinned topic Group Approvals
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-03-14T21:02:35Z at 2013-03-14T21:02:35Z by SystemAdmin
yn2000 100000540S1086 PostsACCEPTED ANSWER
Re: Group Approvals2013-03-14T15:56:32Z in response to SystemAdminI am not that clear about the requirement, especially when you include the word 'adapter' which has nothing to do with approval workflow. Assuming that I read it right, maybe you can try defining the group as an 'Access', then configure the 'Access Request Workflow'.
Re: Group Approvals2013-03-14T17:16:44Z in response to yn2000Yn2000, Sorry for the confusion.
Let me put it this with an example. I will not use the word "Group" as I do specifically mean it. Assuming that I have a LDAP service. The Account form for this service has a multivalued attribute on it. This attribute can take one or more of the 50 available values from a list. To assign any value to the user's account, before it is updated onto the LDAP End Point, I need to get an approval from a specific approver. For example, if I am adding the following values to an account for this attribute:
An approval request is sent to Approver1, Approver2, Approver3 and Approver6.
I have a requirement that a value should be added only if the corresponding approver approvers the request.
Approver1 should only get a request to approver value1.
Approver2 should only get a request to approver value2.
Approver3 should only get a request to approver value3.
Approver6 should only get a request to approver value6.
Question1: This being the case, I want to make sure that all these approval requests are sent out in parallel and not in a sequence. I could not figure out a way to do this.
I see that there is a method getChanges() that I could use on the account object to determine what all values were added in a request. Based on that I can determine the approvers. However, if one of the values(say value3) approval was rejected, I should only be adding Value1, Value2 and Value6 only and not Value3.
Question2: How do I rebuild the list of changes made to the account so that Value3 is not in the list of changes anymore before I process the request through my adapter.
Thanks for reviewing my questions. Appreciate it.
Re: Group Approvals2013-03-14T21:02:35Z in response to SystemAdminThis is tricky, but definitely not impossible to solve - basically there are two ways to solve it...
The first is to use recursion - i.e. let a workflow with one (or more - to avoid to many recursions) approval and a parallel recursive call.
I presented this at the European Tivoli and Security Technical Conference in London last October.
The other is a little simpler using a loop structure - but the principle is the same - an approval per loop. I have not done this myself, but a colleague of mine prefers this and it should be simpler to setup. I will have to dig in archives to find how this was done exactly.
Contact me by email if you want the presentation...
jmdennis 1100005CEY52 PostsACCEPTED ANSWER
yn2000 100000540S1086 PostsACCEPTED ANSWER
Re: Group Approvals2013-03-14T19:44:53Z in response to SystemAdminThe way I see it, the solution will be very ugly, it doesn't matter how you twisted, because the requirement is not within the ITIM sweet spot. Although, I would expect more and more requirement like this in the near future.
If I were you, here is what I would do:
Option #1: If the adapter is within your control, meaning that you are allowed to manipulate the adapter, then you treat this multi-value attribute as a group. In this option, you gain the nice interface that is available by default.
Option #2: Build your own flagging on your own operational workflow, such as: script node >> many approval nodes >> script node. You can make a bit nicer with sub-process, but it will still ugly, especially if you have too many values.