Topic
  • 7 replies
  • Latest Post - ‏2014-08-27T06:59:58Z by franzw
Shailesh Malkar
Shailesh Malkar
58 Posts

Pinned topic ITIM Group Search in ISIM

‏2014-08-22T12:31:43Z |

Hi All,

How to search for ITIM Groups. Actually the requirement is to send an email to all group members, but there are many groups out of which I need to select only few based on some criteria while provisioning an account. So how to achieve that.

e.g. Account XYZ is to be provisioned, but in that there is an attribute A which is list box with multiple selections, so when user selects any value from List A, then mail should be sent to all those groups.

Thanks,

Shailesh S. Malkar

  • jManigandan
    jManigandan
    9 Posts

    Re: ITIM Group Search in ISIM

    ‏2014-08-25T06:49:04Z  

    You can achieve it adding mail node on ADD operation while  provisioning

  • yn2000
    yn2000
    1112 Posts

    Re: ITIM Group Search in ISIM

    ‏2014-08-25T15:09:21Z  

    This is an interesting requirement. I wonder I am witnessing a turning point in ISIM Group membership design to become as messy as AD Group membership design.

    If I were you, I would try to design it in more conservative way. First, ISIM Group is designed tor ISIM related access right, not for Email distribution group. Second, maybe you should use group membership in person entity, which is Role group membership. Many people would object that, because Role would be fit to represent business role, instead of Email distribution group. So, considering that AD is already hosting the Email distribution group, and having a principal to let 'the messy place be the messy place', then I would configure ISIM to send email to one email account, where the distribution of that email is managed/controlled by AD.

    Rgds. YN.

  • Shailesh Malkar
    Shailesh Malkar
    58 Posts

    Re: ITIM Group Search in ISIM

    ‏2014-08-26T04:25:45Z  
    • yn2000
    • ‏2014-08-25T15:09:21Z

    This is an interesting requirement. I wonder I am witnessing a turning point in ISIM Group membership design to become as messy as AD Group membership design.

    If I were you, I would try to design it in more conservative way. First, ISIM Group is designed tor ISIM related access right, not for Email distribution group. Second, maybe you should use group membership in person entity, which is Role group membership. Many people would object that, because Role would be fit to represent business role, instead of Email distribution group. So, considering that AD is already hosting the Email distribution group, and having a principal to let 'the messy place be the messy place', then I would configure ISIM to send email to one email account, where the distribution of that email is managed/controlled by AD.

    Rgds. YN.

    Hi YN,

    Sorry to put question in a wrong way. It is not at all about Mail DG, we have created all Mail DGs in AD only. The requirement is for SAP ERP provisioning. As you must be aware that there are various modules in SAP ERP (e.g. MM,SD,WM etc), and we have Module Owners for all such sap modules. So when person asks for an account in SAP ERP, he/she has to provide for which module they want access, so that appropriate SAP ROLES can be given to them. In order to do that he/she needs approval from Module Owner. In that case I assume mail need to be send to Module Owner, so that they can approve the request. We are thinking of creating ISIM Groups for all such SAP Module Owners. Is it a valid case?

    Thanks,

    Shailesh S. Malkar

  • yn2000
    yn2000
    1112 Posts

    Re: ITIM Group Search in ISIM

    ‏2014-08-26T05:06:00Z  

    Hi YN,

    Sorry to put question in a wrong way. It is not at all about Mail DG, we have created all Mail DGs in AD only. The requirement is for SAP ERP provisioning. As you must be aware that there are various modules in SAP ERP (e.g. MM,SD,WM etc), and we have Module Owners for all such sap modules. So when person asks for an account in SAP ERP, he/she has to provide for which module they want access, so that appropriate SAP ROLES can be given to them. In order to do that he/she needs approval from Module Owner. In that case I assume mail need to be send to Module Owner, so that they can approve the request. We are thinking of creating ISIM Groups for all such SAP Module Owners. Is it a valid case?

    Thanks,

    Shailesh S. Malkar

    Yup. it is a valid case and I see many approach to fulfill this requirement.

    Here is what you have to set in mind when designing the solution. First, there is only one user assigned as the module owner. (If there are more than one users then you need to have another trick, but let's assume there is only one user.) This means that ISIM will send one email only to one user, not a group. That means ISIM Group is not a good idea. Not only that, ISIM Group is design for ISIM access only. So, please do not use it for any other purpose. If you want some sort of group membership, please do it on the person entity, like a Role, and not in the ISIM Group. Second, the user (the owner of the SAP Module) is an ISIM user who has email address. (Of course you have it already). Third, you need a flag to indicate that the user is the owner of the SAP Module. This can be a Role, attribute value, or any other. Basically, ISIM needs to know which user to send the notification. Fourth, you build ISIM Operational Workflow with Approval node where the participant is a custom participant that is populated from the logic from the flag that you build.

    There could be some variant on how to do it exactly, but I hope it point you out to the right direction.

    Rgds. YN.

  • Shailesh Malkar
    Shailesh Malkar
    58 Posts

    Re: ITIM Group Search in ISIM

    ‏2014-08-26T05:21:41Z  
    • yn2000
    • ‏2014-08-26T05:06:00Z

    Yup. it is a valid case and I see many approach to fulfill this requirement.

    Here is what you have to set in mind when designing the solution. First, there is only one user assigned as the module owner. (If there are more than one users then you need to have another trick, but let's assume there is only one user.) This means that ISIM will send one email only to one user, not a group. That means ISIM Group is not a good idea. Not only that, ISIM Group is design for ISIM access only. So, please do not use it for any other purpose. If you want some sort of group membership, please do it on the person entity, like a Role, and not in the ISIM Group. Second, the user (the owner of the SAP Module) is an ISIM user who has email address. (Of course you have it already). Third, you need a flag to indicate that the user is the owner of the SAP Module. This can be a Role, attribute value, or any other. Basically, ISIM needs to know which user to send the notification. Fourth, you build ISIM Operational Workflow with Approval node where the participant is a custom participant that is populated from the logic from the flag that you build.

    There could be some variant on how to do it exactly, but I hope it point you out to the right direction.

    Rgds. YN.

    Hi YN,

    Thanks for the prompt reply. Yes, there is a possibility of multiple SAP Module Owners. How can we deal with it.

    Thanks,

    Shailesh S. Malkar

  • Sanjay Sutar
    Sanjay Sutar
    152 Posts

    Re: ITIM Group Search in ISIM

    ‏2014-08-27T03:40:17Z  

    Hi YN,

    Thanks for the prompt reply. Yes, there is a possibility of multiple SAP Module Owners. How can we deal with it.

    Thanks,

    Shailesh S. Malkar

    If I have understood it correctly, you want to implement a workflow where provisioning request can trigger multiple approval (not just mails) and will complete (assign the requested SAP modules/roles based on approval/rejection  received)

    ISIM approval node stops the activity until any action (approval/rejection) is taken on it. This might be a challenge if you would like to trigger these approvals in parallel. Even if you use loop in workflow , the approvals will be triggered one after another.

     

  • franzw
    franzw
    390 Posts

    Re: ITIM Group Search in ISIM

    ‏2014-08-27T06:59:58Z  

    If I have understood it correctly, you want to implement a workflow where provisioning request can trigger multiple approval (not just mails) and will complete (assign the requested SAP modules/roles based on approval/rejection  received)

    ISIM approval node stops the activity until any action (approval/rejection) is taken on it. This might be a challenge if you would like to trigger these approvals in parallel. Even if you use loop in workflow , the approvals will be triggered one after another.

     

    Parallel execution of e.g. approvals  is a general challenge in ISIM Workflow design.

    Here is how I generally solve that problem :

    Build a list of participants (approvers) and save that to properties

    Call a workflow recursively that :

    • calls the real approval workflow (I normally have a number of these e.g. 5-10 so that the nesting is not getting too deep)
    • removes the called approvals from the list of participants
    • calls itself with reduced list or exits if the list is empty'

    As always - recursive logic requires a great deal of carefulness - if you do not exit out of the loop you system will basically stop working very quickly as it gradually runs out of resources...

    HTH

    Regards

    Franz Wolfhagen