IC SunsetThe developerWorks Connections platform will be sunset on December 31, 2019. On January 1, 2020, this community and its apps will no longer be available. More details available on our FAQ.
Topic
  • 4 replies
  • Latest Post - ‏2018-04-17T15:04:54Z by Giri_Daks
Giri_Daks
Giri_Daks
132 Posts

Pinned topic Multiple Approval Workflow

‏2018-04-11T11:46:04Z |

Hi,  We have a requirement to implement approval for AD groups, I have modified the existing  AD modify workflow to invoke a custom function which will return the Approver DN, I am unable to build a workflow to loop the approval node if there are multiple AD groups submitted for approval in a single request, any suggestion for the above requirement?

  • franzw
    franzw
    519 Posts
    ACCEPTED ANSWER

    Re: Multiple Approval Workflow

    ‏2018-04-13T07:41:02Z  
    • Giri_Daks
    • ‏2018-04-13T06:52:27Z

    Hi Franz, thanks for your e-mail, the problem is the Global policy enforcement/service level policy enforcement is set to Mark, so when i use access request work post approval its showing the account as non-complaint with the request group as the non-complaint value. Business is not very comfortable to change the enforcement action to 

    This is exactly the reason you need to use Access Entitlements. They are not subject to the enforcement logic.

    Basically Access Entitlements need an "allow" provisioning policy and then that the AD Group is exposed as an Entitlement (done per group). You also the assign an Access Entitlement workflow (basically this should contain your approval flow) - you can have different workflows depending on your needs.

    Take a deep dive into the documentation as pointed to and do some testing - you can just select a dummy group in AD, provide a test role and associated "allow" policy and start testing :-)

    HTH

    Regards

    Franz Wolfhagen 

    PS - I forgot - this is request based. Automation needs the service to set to "correct compliance" unless you want to get into some very advanced workflow scripting using API - and you do not really want that - trust me :-)
     

    Updated on 2018-04-13T07:42:38Z at 2018-04-13T07:42:38Z by franzw
  • franzw
    franzw
    519 Posts

    Re: Multiple Approval Workflow

    ‏2018-04-12T07:19:38Z  

    You are implementing this the wrong place which will end in a pain for you.

    Take a look at the Access Entitlement functionality here : https://www.ibm.com/support/knowledgecenter/en/SSRMWJ_7.0.1.8/com.ibm.isim.doc/scenarios/cpt/cpt_ic_scenar_owner.htm - I believe the scenario you should follow is the third one...

    HTH

    Regards

    Franz Wolfhagen

  • Giri_Daks
    Giri_Daks
    132 Posts

    Re: Multiple Approval Workflow

    ‏2018-04-13T06:52:27Z  
    • franzw
    • ‏2018-04-12T07:19:38Z

    You are implementing this the wrong place which will end in a pain for you.

    Take a look at the Access Entitlement functionality here : https://www.ibm.com/support/knowledgecenter/en/SSRMWJ_7.0.1.8/com.ibm.isim.doc/scenarios/cpt/cpt_ic_scenar_owner.htm - I believe the scenario you should follow is the third one...

    HTH

    Regards

    Franz Wolfhagen

    Hi Franz, thanks for your e-mail, the problem is the Global policy enforcement/service level policy enforcement is set to Mark, so when i use access request work post approval its showing the account as non-complaint with the request group as the non-complaint value. Business is not very comfortable to change the enforcement action to 

  • franzw
    franzw
    519 Posts

    Re: Multiple Approval Workflow

    ‏2018-04-13T07:41:02Z  
    • Giri_Daks
    • ‏2018-04-13T06:52:27Z

    Hi Franz, thanks for your e-mail, the problem is the Global policy enforcement/service level policy enforcement is set to Mark, so when i use access request work post approval its showing the account as non-complaint with the request group as the non-complaint value. Business is not very comfortable to change the enforcement action to 

    This is exactly the reason you need to use Access Entitlements. They are not subject to the enforcement logic.

    Basically Access Entitlements need an "allow" provisioning policy and then that the AD Group is exposed as an Entitlement (done per group). You also the assign an Access Entitlement workflow (basically this should contain your approval flow) - you can have different workflows depending on your needs.

    Take a deep dive into the documentation as pointed to and do some testing - you can just select a dummy group in AD, provide a test role and associated "allow" policy and start testing :-)

    HTH

    Regards

    Franz Wolfhagen 

    PS - I forgot - this is request based. Automation needs the service to set to "correct compliance" unless you want to get into some very advanced workflow scripting using API - and you do not really want that - trust me :-)
     

    Updated on 2018-04-13T07:42:38Z at 2018-04-13T07:42:38Z by franzw
  • Giri_Daks
    Giri_Daks
    132 Posts

    Re: Multiple Approval Workflow

    ‏2018-04-17T15:04:54Z  
    • franzw
    • ‏2018-04-13T07:41:02Z

    This is exactly the reason you need to use Access Entitlements. They are not subject to the enforcement logic.

    Basically Access Entitlements need an "allow" provisioning policy and then that the AD Group is exposed as an Entitlement (done per group). You also the assign an Access Entitlement workflow (basically this should contain your approval flow) - you can have different workflows depending on your needs.

    Take a deep dive into the documentation as pointed to and do some testing - you can just select a dummy group in AD, provide a test role and associated "allow" policy and start testing :-)

    HTH

    Regards

    Franz Wolfhagen 

    PS - I forgot - this is request based. Automation needs the service to set to "correct compliance" unless you want to get into some very advanced workflow scripting using API - and you do not really want that - trust me :-)
     

    Thank you very much Franz, I was able to add the group to the user via Access entitlement.