• State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 6 replies
  • Subscribers 95 subscribers
  • Views 2430 views
  • Users 0 members are here
Options
Related

Start Unsubscribe Approval Workflow when PersonWantsOrg request ist Aborted because of Person Deactivated

edi.imhof
over 3 years ago

Hi community

We have some manually provisioned Systems where People can request Access to by requesting a resource in IT Shop.

Approval workflows work fine for subscribe (provision) and unsubscribe (deprivision).

However when a Person leaves and is permanently deactivated, the identity removed from the IT Shop an requests are silently aborted without notification, that a deprovisioning has to be performed.

The same is the case for attestations, if an attestation is denied, the request ist aborted, an no one is Aware, that a deprovisioning must be done.

Whats a simple Approach to address this issue?

Any ideas are appreciated,

Greetings, Edi

  • 0 over 3 years ago

    I think you can achieve this by creating a custom process which send email to the owner of the resource (application administrator). In generating condition you can limit the process to trigger only when PWO request is aborted and limit the product/resource request by having UID_org from PWO request in the condition.

  • 0 over 3 years ago

    Which version are you using?

    Starting with 8.1, you can configure if the auto-removal for denied attestations should use either the Abort or the Unsubscribe method using the configuration parameter

    QER | Attestation | AutoRemovalScope | PWOMethodName

    In regards to the deactivated employee, you do have the option to change the condition of the dynamic rule for the customer nodes so that the employees will not be removed from it. You could then implement a custom process at the person table that starts the unsubscribe for the requested products if the person is deactivated permanently. 

    You might need an additional mechanism (a schedule perhaps) that would identify and tag all persons that are permanently deactivated and have no assigned requests (or running unsubscriptions) so that they can be removed from the IT Shop customer nodes.

    HTH

  • 0 over 3 years ago in reply to dani.uet12

    Thanks for your Input, apreciate it. The Problem ist, its loosly coupled, no workflow or approvals involved.

  • 0 over 3 years ago in reply to Markus Weiss-Ehlers

    Thanks Markus,

    Seems to be the right way. The problem with changing the PWOMethodName is, that the Unsubscribe after a Declined Attestation is done the same way as the User had  unsubscribed the order himself. No indication about a denied attestation. Thats somehow not the proper way. Any ideas on this?
    Regards, Edi

  • +1 over 3 years ago in reply to edi.imhof

    It is a known bug, that after a declined attestation, the user himself is shown as the one that has started the unsubscription process.

    With the HF for VPR#33255 (8.1.2+) you are able to see that the attestor that has denied the attestation started the unsubscription process, and the reason is due to a denied attestation. Please see the screenshots for a sample of how it looks like after the HF.

  • 0 over 3 years ago in reply to Markus Weiss-Ehlers

    Great, thank you very much, I wasn't aware.

    Its included in 8.1.4 according to the release notes. We'll upgrade to that version soon.
    Greetings