AnsweredAssumed Answered

How do I make Group access supervisor approvals work as Entitlement access supervisor approvals?

Question asked by r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= on May 17, 2016
Latest reply on May 23, 2016 by r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0=

Like • Show 0 Likes0
Comment • 10

I'll be very embarrassed (probably a given) if this is a custom configuration issue, but I'm stumped...

Here is the scenario:

User A reports to Supervisor 1

User B reports to Supervisor 2

If I request an Entitlement or Application Role for User A and User B, Supervisor 1 must approve User A's request, and Supervisor 2 must approve User B's request - this is exactly what is expected and needed.

However, if I request a Group for User A and User B, Supervisor 1 must approve for both. This is a compliance issue for us.

Help! Thanks in advance.

No one else has this question

Outcomes

10 Replies

Boris Lekumovich May 17, 2016 2:34 PM
Mark Correct
Correct Answer
Few questions to better understand your use case
Is the following scenario can happen in your environment?
One request which contains:
- 2 approles for User A
- 2 entitlements for User B
- 1 Group Z for User A and User B
- 1 Group Y for User A and User B
If the answer is yes, can you describe how the approvals should be grouped?

I understand your example, however what is the real logic for Group approvals?
A group "Owner" needs to approve if access is requested to his group?
Like • Show 0 Likes0
Actions
r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= May 17, 2016 2:42 PM
Mark Correct
Correct Answer
Yes, this request could happen in our environment and is causing this very issue. What is happening in your example is that The User A supervisor is being asked to approve the 2 approles for User A (good) and the two Groups for Users A (good) and B (bad), and the User B supervisor is being asked only to approve the 2 entitlements for User B. So the User B Supervisor is not being asked to approve the User B Group request, being sent to the User A Supervisor instead.
Like • Show 0 Likes0
Actions
- r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= @ r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= on May 17, 2016 2:45 PM
  Mark Correct
  Correct Answer
  I may have misunderstood your question - I just re-read it. This is the supervisor approval, so we are only looking to have each user's supervisor only approve for them. Since the same workflows are being called and executed for both Groups and entitlements/approles, I was surprised the assignment of approvals was unique.
  Like • Show 0 Likes0
  Actions
  - Boris Lekumovich @ r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= on May 17, 2016 2:52 PM
    Mark Correct
    Correct Answer
    I'm a bit confused.
    In your last reply, you mentioned that you want the approval to be done by the user's supervisor but in your description you mentioned that you want the Supervisor #1 to approve the group for both of the users.
    
    How is your approval configured to group change items?
    Like • Show 0 Likes0
    Actions
    - r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= @ Boris Lekumovich on May 18, 2016 6:42 AM
      Mark Correct
      Correct Answer
      "In your last reply, you mentioned that you want the approval to be done by the user's supervisor but in your description you mentioned that you want the Supervisor #1 to approve the group for both of the users."
      
      Sorry for the confusion - We actually want the approval to be done by each user's supervisor. What is actually happening is that the Supervisor #1 is approving for both users instead, which is not what we want.
      Like • Show 0 Likes0
      Actions
r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= May 17, 2016 3:09 PM
Mark Correct
Correct Answer
Sorry - might be a confusion around the term "group" - I'm not talking about a user group but an Active Directory group.

So in this case, I have supervisor approval assignment issues with the CyberArk Safe group, but the DART Database approle will work fine.
Like • Show 0 Likes0
Actions
- Boris Lekumovich @ r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= on May 19, 2016 10:03 AM
  Mark Correct
  Correct Answer
  I've attempted to perform the scenario which you described on 6.9.1 P9.
  Adding 1 group to 2 different users (with different supervisor)
  The approval workflow is configured to be grouped by supervisor
  
  The change request was assigned to 2 different supervisors. Each of the supervisors had to approve his subordinate.
  
  Rick, can you share some relevant screenshots of how is the problem presented on your end?
  Like • Show 0 Likes0
  Actions
r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= May 19, 2016 12:53 PM
Mark Correct
Correct Answer
Glad to! I thought these screenshots would be a good starting point.
First, the WORKING EXAMPLE: Four users with different supervisors, one application role and one entitlement requested.
The Request:
The "Form Approvals" node in the workflow, Runtime Data:
As expected, all four Supervisors are required to Approve:
Now, the one that is NOT working: The same four users with different supervisors, one group requested.
The Request:
The "Form Approvals" node in the workflow, Runtime Data:
But in this case, only one Supervisor is required to Approve:
Both examples are executing the same workflow and node path, so the Form Approvals nodes are the same.
Please let me know what else would be helpful, and thank you so much for looking into this!!!
Like • Show 0 Likes0
Actions
Daniel Cinnamon May 20, 2016 4:44 PM
Mark Correct
Correct Answer
I think we need to look carefully at your REQUEST workflow, and, in particular, the Business Approvals/Resource Approvals nodes (assuming you're request workflow is pretty close to out of the box). I wonder if perhaps we're somehow inadvertently going to the wrong approval on the first "business approvals" node. I would think you're first node should look like:

Also, if you open up your Active Directory business source (directory in this case probably), and you look at the request tab (so Resources > Directories > Active Directory > Requests)- is there a special approval process specified?

I'm just wondering if perhaps for AD, we're inadvertently using a different approval workflow, that's grouped differently.
Like • Show 0 Likes0
Actions
- r5mYnHvbFMvafs6B5JnNe7JIVXz9H9sS6rNBEPjsoB0= @ Daniel Cinnamon on May 23, 2016 9:42 AM
  Mark Correct
  Correct Answer
  The Business Approvals Behavior is set to execute the same workflow for both types of requests:
  
  The issue we’re having is before the “Supervisor User Approval –
  FINAL” workflow which is before the “Resource Approvals” node so I did not drill down into that node. The "Supervisor User Approval - FINAL" workflow should be called four times (one for each supervisor), not just once as shown here. So, the issue seems to not be the workflow, but how the workflow is being called.
  
  The working example does call the workflow four times (both examples are requests for the same four users, each with a different supervisor, as noted in a prior post):
  
  No workflow called out for AD:
  Like • Show 0 Likes0
  Actions

How do I make Group access supervisor approvals work as Entitlement access supervisor approvals?

Outcomes

Related Content

Recommended Content