Business Owner Approval for entitlement changes to a Role
We have a customer that has a requirement for multi-step approval when entitlements are added to a Role. Some of the steps are generic blanket approval by the Role Owner and a central governance team. Where we run into problems is when we want the Owner of the Entitlements and/or Applications to participate in approvals. The expectation is that this step should behave exactly the same way it would if a User were requesting the entitlements -- those applications have some approval process already defined. We want the same approvals to be generated when the entitlements are being assigned to the Role.
When the entitlements from different business sources are added to a role, the workflow needs to split based on the entitlements’ application for Business Owner Approval using “group by: Business Source” setting. What we are seeing is that the context is set based on the Role’s application (Role Set) and the workflow is not splitting based on entitlements’ applications.
We are on IGL version 7.1.0 P05. Please let us know if there is a way to accomplish Business Owner Approval for entitlement changes to a Role?
- business owner approval
- Community Thread
- Forum Thread
- Identity G&L
- Identity Governance & Lifecycle
- role changes
- Role Management
- RSA Identity
- RSA Identity G&L
- RSA Identity Governance & Lifecycle
- RSA Identity Governance and Lifecycle
- RSA IGL
I can confirm part of the behaviour you see there. Here is what I did (please let me know if you did anything differently):
- Approval workflow A assigned to the Role's role set (in my case I used the Role Set Owners Approval workflow).
- Approval workflow B assigned to the two applications I will use their entitlements for testing.
- I used the Asset Business Owner approval workflow.
- This workflow is set to create on job per group, grouping by Business Source.
- Using the default "Delegation Only” Request workflow for Role changes.
- Create a Role change by adding a few entitlements from the applications in point 2 to the Role from point 1.
- During approval phase, expected behaviour:
- One instance of Approval workflow A being called to get the Role Set owner approval over the whole Role change.
- Two instances of Approval workflow B being called, each requiring the Business Owner approval over the entitlement changes from involved application.
- However what I actually see is:
- Ok: One instance of Approval workflow A being called to get the Role Set owner approval over the whole Role change.
- Not OK: Only one instance of Approval workflow B is called to get the Business Owner approvals with the context set to both application together (did not split per application).
That is exactly what I did and workflow B is not getting called twice but just once because it is splitting on the role set. Do you know if 7.1 IGL supports splitting on custom variable? I can calculate the list of entitlement's application and use that job variable for splitting?
Thank you for your help.
It can be done but not so straight forward. Honestly unless it is really necessary, I would advise against it. You would need to:
- Call one of the applications PL/SQL procedures to create categories for each change item using a custom SQL query you create.
- Change the approval workflow to do Group by Cateogry.
Take a look at Frank's response in Re: Approval Workflow Process Properties: Grouping Type for an example.
I stumbled across this link yesterday and tried grouping by category. If I put the name of the application as the CAT value, it is splitting by business source as desired. Thank you for sharing the link.