Attestation of system role assignments to business roles cannot find approver

We are trying to implement the attestation policy 'Attestation of system role assignments to business roles'. Our goal is to run an attestation where system role assignments to business roles are checked by the attestors of the service item linked to the system role. However, we are running into the issue that when the attestation is run, no attestors can be found and the attestation case is closed. Our current setup is as follows:

(I'm not able to upload images. Issue is logged to site administrators)

  • AERole created:
    • Parent application role 'Request & Fulfillment\IT Shop\Attestors'
    • Role class: 'Application role'
    • Certification status: 'Certified'
  • Attestors group (AERole) is linked in service item of the system roles 
  • Employee is linked to AERoles
  • Attestation policy 'Attestation of system role assignments to business roles' is all default values besides the below changes:
    • Approval policy: 'Attestation by attestor system role assignment to business role'
    • Approval workflow: Approval level set to 'OT Attestor of the assigned service item'
    • We implemented a where clause to only start attestation on selected system roles:
      • EXISTS
        (
            SELECT 1 FROM
            (SELECT UID_ESet FROM ESet WHERE DisplayName LIKE N'%-AVA-%') AS X
            WHERE X.UID_ESet = OrgHasESet.UID_ESet
        )

We are stumped on why no attestors can be found. We have tried setting different approval levels such as AA and AN, but to no avail. 

Anybody got an idea or tips on how to implement this attestation properly?

  • I propose using the approval policy AN - Attestor of the system entitlement or system role to attest as it contains the necessary approval calculation definitions for system role assignments to business roles (OrgHasESet). The approval policy OT does not.

    But this depends on the version you are using.

  • Hi Markus, 

    Thank you for the quick response. So I tried your suggestion. Approvers are now selected, as I can see in the approval sequence on an attestation case. It, however, does not select the approvers we set in the UID_OrgAttestator @ AccProduct but instead selects approvers from the linked UID_OrgRuler @ AccProduct. Is there a way we can make sure that persons in the linked OrgAttestator @ AccProduct are selected as attestors?


    We are using 9.0 LTS with CU4 installed.

  • Okay. It looks like the detection rule AN is fixed with #459614, but not in 9.0. 

    But you can create a copy of the approval procedure AN in the Manager and change the query for approver selection named "System Roles Modules". In the SQL replace UID_OrgRuler with UID_OrgAttestor.

    And you need to provide the Recalculation Query for the "query for approver selection" manually from the original approval procedure AN. The copy wizard does not copy this condition. Of course you need to replace UID_OrgRuler with UID_OrgAttestor as well.

    If you just need AN for the System Roles attestation, I would remove all the other queries for approver selection and remove the assignments for any table other than XXXHasEset (OrgHasEset, DepartmentHasEset, ...). You need to keep those.

    HTH

  • Thank you. This fixed our issue. Great help as always
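
Added example, not part of the original thread and not One Identity's own code: a read-only T-SQL check that lists, for each system role assignment matched by the where clause above, the attestor and product owner application roles on the linked service item and how many direct members each has. Names not quoted in the thread (ESet.UID_AccProduct, Org.Ident_Org, AccProduct.Ident_AccProduct, AERole.Ident_AERole, PersonInAERole) are assumptions about the schema; the thread spells the attestor column both UID_OrgAttestator and UID_OrgAttestor, so confirm the name in your database.

```sql
-- Added diagnostic query (read-only). Assumed, not confirmed by the thread:
--   ESet.UID_AccProduct, Org.Ident_Org, AccProduct.Ident_AccProduct,
--   AERole.Ident_AERole, PersonInAERole(UID_AERole, UID_Person).
-- Counts cover direct application role memberships only (assumption).
SELECT
    o.Ident_Org          AS BusinessRole,
    e.DisplayName        AS SystemRole,
    ap.Ident_AccProduct  AS ServiceItem,
    att.Ident_AERole     AS AttestorRole,       -- AccProduct.UID_OrgAttestator
    (SELECT COUNT(*) FROM PersonInAERole p
      WHERE p.UID_AERole = att.UID_AERole) AS AttestorMembers,
    own.Ident_AERole     AS ProductOwnerRole,   -- AccProduct.UID_OrgRuler
    (SELECT COUNT(*) FROM PersonInAERole p
      WHERE p.UID_AERole = own.UID_AERole) AS ProductOwnerMembers,
    CASE
        WHEN ap.UID_AccProduct IS NULL
            THEN 'system role has no service item'
        WHEN att.UID_AERole IS NULL
            THEN 'service item has no attestor role'
        WHEN NOT EXISTS (SELECT 1 FROM PersonInAERole p
                          WHERE p.UID_AERole = att.UID_AERole)
            THEN 'attestor role has no direct members'
        ELSE 'attestor role populated'
    END                  AS Finding
FROM OrgHasESet ohe
JOIN ESet e            ON e.UID_ESet = ohe.UID_ESet
JOIN Org o             ON o.UID_Org = ohe.UID_Org
LEFT JOIN AccProduct ap ON ap.UID_AccProduct = e.UID_AccProduct
LEFT JOIN AERole att    ON att.UID_AERole = ap.UID_OrgAttestator
LEFT JOIN AERole own    ON own.UID_AERole = ap.UID_OrgRuler
-- Same filter as the attestation policy condition in the question.
WHERE e.DisplayName LIKE N'%-AVA-%'
ORDER BY Finding, SystemRole, BusinessRole;
```

Rows reporting 'attestor role populated' while the attestation case still shows the ProductOwnerRole members as approvers match the behaviour described in the thread, where the approver selection query reads UID_OrgRuler.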