Group Approvals

SystemAdmin
9855 Posts

2013-03-13T19:47:47Z
I have multiple Groups that I assign to a user's account in ITIM 5.1, and an adapter is in place to read the added/deleted group information and perform specific operations based on the groups added or deleted.

Now with the same system, we need to upgrade to Group Approvals for add. For every add of a group, a separate Group Approval procedure needs to be followed in parallel. I can write an Account request workflow to get the changes made to the account object and get all the Groups that were added or deleted. But I am not able to figure out the following details:

1. I can get the Approval participant using a script for specific groups. If all the approval requests were to be sent in sequence, I could have written a loop node. But in my case, all the Group approval requests need to go out in parallel. If you have implemented such a solution, could you please guide me with some relevant information? How can I send all the approval requests in parallel to the specific group Approvers?

2. Again, some groups will be accepted and certain groups' access will be rejected. How can I remove the groups that got rejected in the approval process from being passed to the adapter for processing?

Appreciate your help.
  • yn2000
    1112 Posts

    Re: Group Approvals

    2013-03-14T15:56:32Z
    I am not that clear about the requirement, especially when you include the word 'adapter' which has nothing to do with approval workflow. Assuming that I read it right, maybe you can try defining the group as an 'Access', then configure the 'Access Request Workflow'.

    Rgds. YN.
  • jmdennis
    52 Posts

    Re: Group Approvals

    2013-03-14T16:56:57Z
    There is a good example in the Field Guide "IBM Tivoli Identity Manager, Version 4.5 Defining and Extending Workflows with JavaScript and Application Extensions" for doing what I perceive is your requirement, (determining different approval participants based on group). The doc can be found on the IBM site by searching on the title. It is a bit dated, so you'll have to make adjustments (IBM JS vs FESI). Look at Example 3.

    jdennis
  • SystemAdmin
    9855 Posts

    Re: Group Approvals

    2013-03-14T17:16:44Z
    Yn2000, sorry for the confusion.
    Let me put it this way with an example. I will not use the word "Group" as I do specifically mean it. Assuming that I have an LDAP service. The Account form for this service has a multivalued attribute on it. This attribute can take one or more of the 50 available values from a list. To assign any value to the user's account, before it is updated onto the LDAP End Point, I need to get an approval from a specific approver. For example, if I am adding the following values to an account for this attribute:

    value1
    value2
    value3
    value6

    An approval request is sent to Approver1, Approver2, Approver3 and Approver6.

    I have a requirement that a value should be added only if the corresponding approver approves the request.

    Approver1 should only get a request to approve value1.
    Approver2 should only get a request to approve value2.
    Approver3 should only get a request to approve value3.
    Approver6 should only get a request to approve value6.

    Question1: This being the case, I want to make sure that all these approval requests are sent out in parallel and not in a sequence. I could not figure out a way to do this.

    I see that there is a method getChanges() that I could use on the account object to determine what all values were added in a request. Based on that I can determine the approvers. However, if one of the values' (say value3) approval was rejected, I should be adding only Value1, Value2 and Value6 and not Value3.

    Question2: How do I rebuild the list of changes made to the account so that Value3 is not in the list of changes anymore before I process the request through my adapter?

    Thanks for reviewing my questions. Appreciate it.
  • SystemAdmin
    9855 Posts

    Re: Group Approvals

    2013-03-14T18:53:38Z
    Thanks jmdennis. The example provided is for the basic case which only covers deciding the participants dynamically. The example does not cover my requirement.
  • yn2000
    1112 Posts

    Re: Group Approvals

    2013-03-14T19:44:53Z
    The way I see it, the solution will be very ugly, it doesn't matter how you twist it, because the requirement is not within the ITIM sweet spot. Although, I would expect more and more requirements like this in the near future.

    If I were you, here is what I would do:
    Option #1: If the adapter is within your control, meaning that you are allowed to manipulate the adapter, then you treat this multi-value attribute as a group. In this option, you gain the nice interface that is available by default.
    Option #2: Build your own flagging on your own operational workflow, such as: script node >> many approval nodes >> script node. You can make it a bit nicer with a sub-process, but it will still be ugly, especially if you have too many values.

    Rgds. YN.
  • SystemAdmin
    9855 Posts

    Re: Group Approvals

    2013-03-14T21:02:35Z
    This is tricky, but definitely not impossible to solve - basically there are two ways to solve it...

    The first is to use recursion - i.e. let a workflow with one (or more - to avoid too many recursions) approval and a parallel recursive call.

    I presented this at the European Tivoli and Security Technical Conference in London last October.

    The other is a little simpler using a loop structure - but the principle is the same - an approval per loop. I have not done this myself, but a colleague of mine prefers this and it should be simpler to set up. I will have to dig in archives to find how this was done exactly.

    Contact me by email if you want the presentation...

    Regards
    Franz Wolfhagen
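
Added example, not written by any poster and not ITIM workflow code: a plain JavaScript model of the "script node >> many approval nodes >> script node" shape from Option #2, showing one approval request planned per added value and a fail-closed rebuild of the change list, so a rejected, undecided or unmapped value never reaches the adapter. The approver map, the decision keys and all function names are constructed for illustration.

```javascript
// Added illustration in plain JavaScript; it models the logic only and uses no ITIM API.
// All names and sample data below are constructed.

// One approver per attribute value (constructed mapping).
const APPROVER_FOR = new Map([
  ["value1", "Approver1"], ["value2", "Approver2"],
  ["value3", "Approver3"], ["value6", "Approver6"],
]);

// First script node: turn the added values into one approval request each.
// Every request exists before any decision is made, so all can be routed at once.
function planApprovals(addedValues) {
  const requests = [];
  const unmapped = [];
  for (const value of new Set(addedValues)) {
    const approver = APPROVER_FOR.get(value);
    if (approver) requests.push({ value, approver });
    else unmapped.push(value); // no approver known: never granted
  }
  return { requests, unmapped };
}

// Final script node: rebuild the change list from the recorded decisions.
// decisions maps "approver|value" to "APPROVED" or "REJECTED".
// Fail closed: a missing decision, or one keyed to a different approver, drops the value.
function rebuildChanges(requested, plan, decisions) {
  const added = [];
  const dropped = [...plan.unmapped];
  for (const { value, approver } of plan.requests) {
    const decision = decisions.get(`${approver}|${value}`);
    (decision === "APPROVED" ? added : dropped).push(value);
  }
  // The thread asks for approval on adds only, so deletions pass through.
  return { added, deleted: [...requested.deleted], dropped };
}

// Constructed request matching the thread's example, with Approver3 rejecting.
function demo() {
  const requested = { added: ["value1", "value2", "value3", "value6"], deleted: ["value9"] };
  const plan = planApprovals(requested.added);
  const decisions = new Map([
    ["Approver1|value1", "APPROVED"], ["Approver2|value2", "APPROVED"],
    ["Approver3|value3", "REJECTED"], ["Approver6|value6", "APPROVED"],
  ]);
  return rebuildChanges(requested, plan, decisions);
}
```

Keying each decision on both approver and value is what keeps Approver1's answer from ever counting toward value3.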