
Skipping an approval in change request triggered from rule type "Role missing entitlements"

Question asked by Volodymyr Melnyk on Jan 24, 2019
Latest reply on Jan 28, 2019 by Volodymyr Melnyk



We use a WF linked to a Directory. According to it, all groups have their own owner, and access should be approved by this owner if a user requests a directory group as access in RSA IGL.

I am trying to configure a process for automatic access rights approval based on Business Roles. All works well: entitlements are being assigned automatically to the user, based on the membership rule defined, without any approval.

However, a rule of type "Role missing entitlements" triggers a new change request to the entitlement owner for approval for the same Business role. It doesn't make any sense to send such a request for approval, as it is a common set of rights that should be assigned to all role members by default. It means that when a new user joins a team, all entitlements linked to the Role should be assigned to the user automatically without any approval.

The rules BusinessRoleName_UINC (to add entitlements) and BusinessRoleName_UOOC (to remove entitlements), which were automatically created during the Business role creation, don't trigger any approval process. But when a user doesn't have an account in the Directory to which the group belongs, and an AFX fails to provision access (as the "create account" capability is disabled on AFX), the change request is closed with the user added to the Business role but not added to the group. In the end, a rule of missing entitlements is triggered (as now we have a difference between the business role assigned and the entitlements linked to the user).

Is there any way to skip approval in that particular case? It seems that an approval change request is created because of a default approval WF linked to the Active Directory and that it is triggered by the rule type "Role missing entitlements".