How to allow manager to renew an access request?

Hi.

I need to allow managers of identities to submit a renewal request on their behalf. Currently, out of the box, they can only do it for the requests they created, so where they are set as UID_PersonInserted, I think.

I tried creating a custom Permission Group with full permissions for View, Edit, Insert and Delete for PersonWantsOrg with viewing condition: UID_Personwantsorg in (select UID_Personwantsorg from dbo.QER_FTPWOVisibleForPerson('%UserUID%', 1)) but it didn't help.

Do you have an idea how to allow it?

Thank you in advance.

Regards.

Mateusz.

  • P.s. you need to be on v92 for this to work: Web portal - Unsubscribing on behalf of others

    I can confirm that on v9.3 the Unsubscribe and Renew work with these added rights (see below)

    Create role based permission group: CCC_4_ALLMANAGER_UNSUBSCRIBE_RENEW
    Assign to VI_4_ALLMANAGER as child group

    Assign permissions
    CCC_4_ALLMANAGER_UNSUBSCRIBE_RENEW
    PersonWantsOrg View [v] Edit [v]
    XTouched       View [v] Edit [v]

    Edit & Viewing condition: UID_Personwantsorg in (select UID_Personwantsorg from dbo.QER_FTPWOVisibleForPerson('%UserUID%', 1))

  • Hi Niels,

    These are the settings I currently set up.

    PersonWantsOrg View [v] Edit [v]
    XTouched       View [v] Edit [v]

    It allows managers to unsubscribe an assigned product of their direct reports.

    However, when it is about renewal, managers can only renew the request they submitted themselves. They cannot renew a request that was raised by their direct report.

    Do you know what settings grant permission to renew as well?

    Regards,

    Mateusz Szymanski

  • Hello Mateusz,

    If you look in the HTML application code you can see:
    imxweb\projects\qer\src\lib\request-history\itshop-request.ts

    9.3, line 60:
        // If the user can unsubscribe, we consider that the user can also renew
        this.canProlongate = this.UnsubscribeRequestAllowed.value;

    9.2, line 61:
    imxweb\projects\qer\src\lib\request-history\itshop-request.ts
        // If the user can unsubscribe, we consider that the user can also renew
        this.canProlongate = this.UiOrderState.value === 'Assigned' && this.UnsubscribeRequestAllowed.value;

    So from that we can conclude that if you can unsubscribe you can also renew.

    - First off, does the manager see all the assigned requests of his employee?
    - Is the [Actions] button on the request selectable?
    - What happens when you select 'Renew' and Save?

    Maybe call support as it should work or install a new OOTB instance just to make sure this isn't caused by some custom config in your environment.

  • Hi Niels,

    - First off, does the manager see all the assigned requests of his employee?

    Yes, assigned and also other statuses like cancelled or unsubscribed.

    - Is the [Actions] button on the request selectable?

    Actions button is available for requests in Requested status and I can Cancel these.

    The actions button is greyed out for requests in the assigned status; however, when I open a particular request I can see Renew product, Unsubscribe product and Submit again buttons for the requests I am the requestor of.

    When there is an assigned request that my direct report submitted, the buttons are not available.

    - What happens when you select 'Renew' and Save?

    This option is not always available, as described above. When it is available, I can Renew and Save and then it follows the relevant approval workflow and is processed properly.

    Regards,

    Mateusz Szymański

  • First you must be sure the permissions are set correctly.
    So temporarily add the following 'Program functions' to the custom 'role based' permission group you created for the managers to edit the XTouched@PersonWantsOrg entries of their reports.
    - ApplicationStart_ObjectBrowser
    - ObjectBrowser_SQLEditor

    After that, start the 'Object Browser' and log in as a manager identity (auth method = Identity (role-based)).
    Go to the PersonWantsOrg table and find the product entry for which in the portal the 'Actions' button is greyed out.
    Now you should be able to Edit the 'XTouched' properties on the entry and Save it.

    If not, then you need to recheck the permissions you assigned.
    P.s. there is a great video series about this:
    Identity Manager | Permission Management #1 | General Thoughts

    If it does work then I would install a new OOTB instance just to make sure this isn't caused by some custom config in your environment or contact support.

  • Hi Niels,

    I applied the same changes and custom permission group in a fresh OIM installation, basically without any additional configuration than the out of the box one.

    Adding the Edit option for PersonWantsOrg and XTouched and adding the Editing condition made the Unsubscribe button available, but still the renew is not available for a request submitted by my direct report when I log in as the identity's manager.

    I added the custom permission group to the mentioned Program functions and logged in as this manager to the DB.

    I can see those requests in PWO and XTouched column is not greyed out, like the rest. I was able to change it to 1 and save the record.

    Do you have any idea what should be checked next?

    Regards,

    Mateusz Szymanski

  • Hello Mateusz,

    I'm out of ideas, would call support at this point.

    Regards,
    Niels