How to show Fulfillment/Revocation date to Approver
We are trying to set a revocation date for a user's access, e.g. raising a request to add a user to a group in AD (Add access) and setting the revocation date (Remove access) in the same request.
This generates two requests, one for adding the access and the other for removing the access.
Can someone help us figure out how we can show the duration of the access requested by the user to his approver, e.g. from date - to date, or at least the revocation date?
We want to show the duration of the request (e.g. Fulfillment date, i.e. from date, and Revocation date, i.e. remove date) to the supervisor or the person who is approving the request in the GUI.
In case you specify a revocation date, the system will create 2 independent change requests (one for adding access and the other to remove the same access at a future date).
As far as I know, to present the revocation date to the approver (of the 1st request) you will have to query the DB (in the approval workflow of the first request, find the DELAY_DATE of the 2nd request) and then present it to the approver.
I think what Boris mentioned is the correct way to do it. The problem, however, is that the add request does not maintain any relation to the revocation request. It can probably be assumed that the ID of the revocation request will be 1 higher than the add request and there will be specific notes on it. Based on such assumptions, the query below can be used to get the dates. (28 at the end needs to be replaced with the add request ID.)
SELECT cr1.DELAY_DATE AS fulfillment_date,
       cr2.DELAY_DATE AS revocation_date
FROM t_av_change_requests cr1
LEFT JOIN t_av_change_requests cr2
       ON cr2.id = (cr1.id + 1)
      AND cr2.NOTES LIKE '%automatically generated revocation request%'
WHERE cr1.id = 28
I guess the approval form will need to be changed to show these values after they are set on the job data.
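An added example, not code from any poster in this thread or from the product: the query above run through Python's sqlite3 against a constructed stand-in table that has only the three columns the thread names. It binds the add request ID as a parameter instead of editing the literal 28, and shows that when the next ID is not a generated revocation request the join returns no revocation date, which the approval form has to handle. The function names and sample rows are assumptions.

```python
import sqlite3

# Constructed stand-in for the table and columns named in the thread;
# the real product schema and database engine differ (assumption).
SCHEMA = "CREATE TABLE t_av_change_requests (id INTEGER PRIMARY KEY, delay_date TEXT, notes TEXT)"

ROWS = [  # constructed sample rows
    (28, "2024-03-01", "Add user to AD group"),
    (29, "2024-06-01", "This is an automatically generated revocation request"),
    (40, "2024-04-01", "Add user to AD group"),
    (41, "2024-04-02", "Unrelated request raised by another user"),  # breaks id+1
    (42, "2024-07-01", "This is an automatically generated revocation request"),
]

QUERY = """
SELECT cr1.delay_date AS fulfillment_date,
       cr2.delay_date AS revocation_date
FROM t_av_change_requests cr1
LEFT JOIN t_av_change_requests cr2
       ON cr2.id = cr1.id + 1
      AND cr2.notes LIKE '%automatically generated revocation request%'
WHERE cr1.id = ?
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO t_av_change_requests VALUES (?, ?, ?)", ROWS)
    return conn

def access_window(conn, add_request_id):
    """Return (fulfillment_date, revocation_date) for one add request.

    revocation_date is None when row id+1 is not a generated revocation
    request, so the caller can show "not found" instead of a wrong date.
    Returns None when the add request ID itself does not exist.
    """
    return conn.execute(QUERY, (add_request_id,)).fetchone()

def label(window):
    if window is None:
        return "request not found"
    start, end = window
    return f"{start} to {end}" if end else f"{start} to (revocation date not found)"

if __name__ == "__main__":
    conn = build_db()
    for rid in (28, 40, 99):
        print(rid, label(access_window(conn, rid)))
```

Request 40 in the sample data does have a revocation request (ID 42), but the ID + 1 assumption misses it because another request was created in between.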
neeraja mahajan, you should take into account different scenarios.
For example: What will happen when the approver rejects the 1st change request?
You still have the second change request which is pending to revoke the access right...
My 2 cents...
The first request is for 'Adding' the user, and the second will be for 'Removing' the user (e.g. group access adding and removing).
If an approver rejects the first request, the second should also get rejected or cancelled, as the request to add the user is rejected, so there is no point in removing the user from the group, and hence the second request should get cancelled or rejected.