Start Unsubscribe Approval Workflow when PersonWantsOrg request ist Aborted because of Person Deactivated

Hi community

We have some manually provisioned Systems where People can request Access to by requesting a resource in IT Shop.

Approval workflows work fine for subscribe (provision) and unsubscribe (deprivision).

However when a Person leaves and is permanently deactivated, the identity removed from the IT Shop an requests are silently aborted without notification, that a deprovisioning has to be performed.

The same is the case for attestations, if an attestation is denied, the request ist aborted, an no one is Aware, that a deprovisioning must be done.

Whats a simple Approach to address this issue?

Any ideas are appreciated,

Greetings, Edi

Top Replies

Parents

0 Markus Weiss-Ehlers over 3 years ago

Which version are you using?

Starting with 8.1, you can configure if the auto-removal for denied attestations should use either the Abort or the Unsubscribe method using the configuration parameter

QER | Attestation | AutoRemovalScope | PWOMethodName

In regards to the deactivated employee, you do have the option to change the condition of the dynamic rule for the customer nodes so that the employees will not be removed from it. You could then implement a custom process at the person table that starts the unsubscribe for the requested products if the person is deactivated permanently.

You might need an additional mechanism (a schedule perhaps) that would identify and tag all persons that are permanently deactivated and have no assigned requests (or running unsubscriptions) so that they can be removed from the IT Shop customer nodes.

HTH
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 Markus Weiss-Ehlers over 3 years ago

Which version are you using?

Starting with 8.1, you can configure if the auto-removal for denied attestations should use either the Abort or the Unsubscribe method using the configuration parameter

QER | Attestation | AutoRemovalScope | PWOMethodName

In regards to the deactivated employee, you do have the option to change the condition of the dynamic rule for the customer nodes so that the employees will not be removed from it. You could then implement a custom process at the person table that starts the unsubscribe for the requested products if the person is deactivated permanently.

You might need an additional mechanism (a schedule perhaps) that would identify and tag all persons that are permanently deactivated and have no assigned requests (or running unsubscriptions) so that they can be removed from the IT Shop customer nodes.

HTH
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 edi.imhof over 3 years ago in reply to Markus Weiss-Ehlers

Thanks Markus,

Seems to be the right way. The problem with changing the PWOMethodName is, that the Unsubscribe after a Declined Attestation is done the same way as the User had unsubscribed the order himself. No indication about a denied attestation. Thats somehow not the proper way. Any ideas on this?
Regards, Edi
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
+1 Markus Weiss-Ehlers over 3 years ago in reply to edi.imhof

It is a known bug, that after a declined attestation, the user himself is shown as the one that has started the unsubscription process.

With the HF for VPR#33255 (8.1.2+) you are able to see that the attestor that has denied the attestation started the unsubscription process, and the reason is due to a denied attestation. Please see the screenshots for a sample of how it looks like after the HF.
Cancel
Up +1 Down

Reply

Verify Answer

Reject Answer

Cancel
0 edi.imhof over 3 years ago in reply to Markus Weiss-Ehlers

Great, thank you very much, I wasn't aware.

Its included in 8.1.4 according to the release notes. We'll upgrade to that version soon.
Greetings
Cancel
Up +1 Down

Reply

Verify Answer

Cancel