6 replies Latest Post - ‏2013-03-14T21:02:35Z by SystemAdmin
SystemAdmin
9855 Posts

Pinned topic Group Approvals

‏2013-03-13T19:47:47Z |
I have multiple Groups that I assign to a user's account in ITIM 5.1 and an adapter is in place to read the added/deleted group information and perform specific operation based on the groups added or deleted.

Now with the same system, we need to upgrade to Group Approvals for add. For every add of a group, a separate Group Approval procedure needs to be followed in parallel. I can write an Account request workflow to get the changes made to the account object and get all the Groups that were added or deleted. But I am not able to figure out the following details:

1. I can get the Approval participant using a script for specific groups. If all the approval requests were to be sent in sequence, I could have written a loop node. But in my case, all the Group approval requests need to go out in parallel. If you have implemented such a solution, could you please guide me with some relevant information? How can I send all the approval requests in parallel to the specific group Approvers?

2. Again, some groups will be accepted and certain groups access will be rejected. How can I remove the groups that got rejected in the approval process from being passed to the adapter for processing?

Appreciate your help.
Updated on 2013-03-14T21:02:35Z at 2013-03-14T21:02:35Z by SystemAdmin
  • yn2000
    1086 Posts

    Re: Group Approvals

    ‏2013-03-14T15:56:32Z  in response to SystemAdmin
    I am not that clear about the requirement, especially when you include the word 'adapter' which has nothing to do with approval workflow. Assuming that I read it right, maybe you can try defining the group as an 'Access', then configure the 'Access Request Workflow'.

    Rgds. YN.
    • SystemAdmin
      9855 Posts

      Re: Group Approvals

      ‏2013-03-14T17:16:44Z  in response to yn2000
      Yn2000, Sorry for the confusion.
      Let me put it this way with an example. I will not use the word "Group" as I do specifically mean it. Assuming that I have an LDAP service. The Account form for this service has a multivalued attribute on it. This attribute can take one or more of the 50 available values from a list. To assign any value to the user's account, before it is updated onto the LDAP End Point, I need to get an approval from a specific approver. For example, if I am adding the following values to an account for this attribute:

      value1
      value2
      value3
      value6

      An approval request is sent to Approver1, Approver2, Approver3 and Approver6.

      I have a requirement that a value should be added only if the corresponding approver approves the request.

      Approver1 should only get a request to approve value1.
      Approver2 should only get a request to approve value2.
      Approver3 should only get a request to approve value3.
      Approver6 should only get a request to approve value6.

      Question1: This being the case, I want to make sure that all these approval requests are sent out in parallel and not in a sequence. I could not figure out a way to do this.

      I see that there is a method getChanges() that I could use on the account object to determine what all values were added in a request. Based on that I can determine the approvers. However, if the approval for one of the values (say value3) was rejected, I should be adding only Value1, Value2 and Value6 and not Value3.

      Question2: How do I rebuild the list of changes made to the account so that Value3 is not in the list of changes anymore before I process the request through my adapter?

      Thanks for reviewing my questions. Appreciate it.
      • SystemAdmin
        9855 Posts

        Re: Group Approvals

        ‏2013-03-14T21:02:35Z  in response to SystemAdmin
        This is tricky, but definitely not impossible to solve - basically there are two ways to solve it...

        The first is to use recursion - i.e. let a workflow with one (or more - to avoid too many recursions) approval and a parallel recursive call.

        I presented this at the European Tivoli and Security Technical Conference in London last October.

        The other is a little simpler using a loop structure - but the principle is the same - an approval per loop. I have not done this myself, but a colleague of mine prefers this and it should be simpler to set up. I will have to dig in archives to find how this was done exactly.

        Contact me by email if you want the presentation...

        Regards
        Franz Wolfhagen
  • jmdennis
    52 Posts

    Re: Group Approvals

    ‏2013-03-14T16:56:57Z  in response to SystemAdmin
    There is a good example in the Field Guide "IBM Tivoli Identity Manager, Version 4.5 Defining and Extending Workflows with JavaScript and Application Extensions" for doing what I perceive is your requirement, (determining different approval participants based on group). The doc can be found on the IBM site by searching on the title. It is a bit dated, so you'll have to make adjustments (IBM JS vs FESI). Look at Example 3.

    jdennis
    • SystemAdmin
      9855 Posts

      Re: Group Approvals

      ‏2013-03-14T18:53:38Z  in response to jmdennis
      Thanks jmdennis. The example provided is for the basic case which only covers deciding the participants dynamically. The example does not cover my requirement.
      • yn2000
        1086 Posts

        Re: Group Approvals

        ‏2013-03-14T19:44:53Z  in response to SystemAdmin
        The way I see it, the solution will be very ugly, it doesn't matter how you twist it, because the requirement is not within the ITIM sweet spot. Although, I would expect more and more requirements like this in the near future.

        If I were you, here is what I would do:
        Option #1: If the adapter is within your control, meaning that you are allowed to manipulate the adapter, then you treat this multi-value attribute as a group. In this option, you gain the nice interface that is available by default.
        Option #2: Build your own flagging on your own operational workflow, such as: script node >> many approval nodes >> script node. You can make it a bit nicer with a sub-process, but it will still be ugly, especially if you have too many values.

        Rgds. YN.
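
The "script node >> many approval nodes >> script node" shape discussed in this thread, sketched as an added example that is not part of any post above and is not ITIM workflow code. It is a plain JavaScript model; the approver mapping, the change and decision record shapes, and the function names are assumptions made for illustration.

```javascript
// Added example: a plain JavaScript model, not ITIM workflow API code.
// Approver mapping and sample data are constructed for illustration.
const APPROVER_FOR = new Map([
  ["value1", "Approver1"], ["value2", "Approver2"],
  ["value3", "Approver3"], ["value6", "Approver6"],
]);

// First script node: one independent approval request per added value,
// so the requests can be issued in parallel. Removals need no approval.
function buildApprovalRequests(changes) {
  const requests = [], unroutable = [];
  for (const c of changes) {
    if (c.op !== "add") continue;
    const approver = APPROVER_FOR.get(c.value);
    if (approver) requests.push({ value: c.value, approver });
    else unroutable.push(c.value); // no approver known: can never be approved
  }
  return { requests, unroutable };
}

// Second script node: rebuild the change list from the collected decisions.
// An added value is kept only on an explicit "APPROVED" from its own approver;
// rejected, unanswered, unroutable or wrong-approver values are dropped.
function rebuildChanges(changes, decisions) {
  const approved = new Set(
    decisions
      .filter(d => d.result === "APPROVED" && APPROVER_FOR.get(d.value) === d.approver)
      .map(d => d.value)
  );
  return changes.filter(c => c.op !== "add" || approved.has(c.value));
}

// Constructed request: the four adds from the thread, one unmapped add, one removal.
const sampleChanges = [
  { op: "add", value: "value1" }, { op: "add", value: "value2" },
  { op: "add", value: "value3" }, { op: "add", value: "value6" },
  { op: "add", value: "value9" }, { op: "remove", value: "value4" },
];
// Constructed decisions: value3 is rejected, as in the thread's example.
const sampleDecisions = [
  { value: "value1", approver: "Approver1", result: "APPROVED" },
  { value: "value2", approver: "Approver2", result: "APPROVED" },
  { value: "value3", approver: "Approver3", result: "REJECTED" },
  { value: "value6", approver: "Approver6", result: "APPROVED" },
];
console.log(rebuildChanges(sampleChanges, sampleDecisions).map(c => `${c.op}:${c.value}`));
```

Only the rebuilt list would be handed on for provisioning, so a value with no recorded approval never reaches the endpoint.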