• State Suggested Answer
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 93 subscribers
  • Views 8145 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Approval procedure for Role entitlement assignment (system roles to Business Role)?

edi.imhof
over 7 years ago

Hello

I'd like to create an approval policy and approval workflow to be used in the standard service item "Role entitlement assignment".

an approval should be given by the owner of the entitlement, which is a System Role, eventually an AD Group.

Does anyone know a good approach to evaluate the owners of the System Roles (and AD Groups) which are assigned to a Business Role or Department by using "Role entitlement assignment"? 

It seems there is no such approval procedure OOTB.

Any help is greatly appreciated.

Kind regards, and thanks in advance for any advice.

Edi

  • 0 over 7 years ago
    Just as reminder, only identities (Persons) can be used as approvers. So, referring to an AD group is not getting you far.
  • 0 over 7 years ago
    Hi Markus,
    Thanks, I'm sorry to be unclear:

    If a manager of a Businessrole is using "Role entitlement assignment" to assign entitlements:
    - If a system role is assigned to a business role the owner/manager of the system role has to approve.
    - If an AD Group is assigned to a business role the owner of the AD Group has to approve.

    Best regards.
    Edi
  • 0 over 7 years ago
    Okay, now which version are you using?
  • 0 over 7 years ago

    As demonstrated in the thread https://www.quest.com/community/products/one-identity/f/identity-manager/20652/approval-procedure---named-approvers-of-requested-business-role-or-organization-7-1-1 create a custom approval procedure for this.

    The SQL would look like this, assuming that the owner of the ESet is determined using ESet.UID_PersonResponsible and for the AD group using the application role of the assigned service item.

    select Person.UID_Person, NULL
	from PersonWantsOrg join ESet on ObjectKeyElementUsedInAssign = Eset.XObjectKey
	join Person on ESet.UID_PersonResponsible = Person.UID_Person								
where PersonWantsOrg .UID_PersonWantsOrg = @uid_personwantsorg
UNION ALL
select PersonInAERole.UID_Person, dbo.QER_FGIPWORulerOrigin(PersonInAERole.XObjectkey) as UID_PWORulerOrigin
	from PersonWantsOrg join ADSGroup on ObjectKeyElementUsedInAssign = ADSGroup.XObjectKey
	join AccProduct on ADSGroup.UID_AccProduct = AccProduct.UID_AccProduct
	join PersonInAERole on PersonInAERole.UID_AERole = AccProduct.UID_OrgRuler AND PersonInAERole.XOrigin > 0
where PersonWantsOrg .UID_PersonWantsOrg = @uid_personwantsorg

  • 0 over 6 years ago
    Hello Markus
    Thanks for your Reply.
    I tried teh solution as you suggested above, but it seems I have no luck.
    If I run the Query in Object Browser it returns the correct result.
    But when I create a custom approval procedure and add the query above as the selection criteria (I focused on the first part on ESet, Line 1 - 4, but I tried also the entire script),
    as well create a custom approval Policy and assign that to the Service Item "Role entitlement assignment" things seem to go wrong.
    The effect is that no approver can be determined.
    When the Business Role manager orders an entitlement (system Role) then the decision workflow is aborted an will tell me there is no approver available in this shop.
    Of course I checked that the owner of the System role is the shop "Identity and access Lifecycle".
    Do you have any suggestion, where I could look?

    Thanks a lot
    Edi
  • 0 over 6 years ago
    I would check the configuration parameters. Especially if either QER\ITShop\PersonInsertedNoDecide or QER\ITShop\PersonOrderedNoDecide is enabled and your owner is the same person as the requester.