Approval levels

By Default 4 levels of approval 

There are a few cases where approvals are not necessary:
  • Password change workflows (resets, forgot password, expired password)
  • Workflow approvalScheme set to “none”
  • Requester = approver

The LCM Workflows build their approvals by calling the Provisioning Approval Subprocess workflow.  This workflow in turn relies on a workflow library method to create the approvals; the method passes the appropriate approvalSet into each approval and therefore to each approval work item.

The simplest approach is to modify the variable "approvalScheme" in  LCM Provisioning Workflow to have the values: manager, owner


The first level of approval is security officer first and then  the manager.
Variable initializer="serial" input="true" name="approvalMode"

Variable initializer="securityOfficer,manager" input="true" name="approvalScheme"

But irrespective of the order , the first approval always goes to manager.
Irrespective of the order specify in approvalScheme, if your approval workflow is "Identity Request Approve Identity Changes", by default, approval order will be

  1. owner
  2. manager
  3. security officer

If you change your approval workflow to "Identity Request Approve", by default, approval order will be

  1. manager
  2. owner
  3. security officer


To change the order of approval, you need to customize the workflow and sequence the steps as required; you can utilize the associated steps of "Manager Approval" and "Build Security Officer ApprovalSet" from the workflow "Identity Request Approve" to build your own customized workflow


Note :  OR can write approval assignment rule. for that can find variable with name in "approvalAssignmentRule"  in workflow. can use this approval logic in this rule. 

Note : to remove approval completely, please set  this in default LCM Provisioning workflow -   

Variable initializer="none" input="true" name="approvalMode". It will not send for any approval when you request an access.
We can enable two levels of approval from out of the box, just by providing approval scheme as "manager,owner" in LCM Provisioning WF.


In LCM Provisioning workflow

1. Change approvalScheme as

Variable initializer="manager,owner" input="true" name="approvalScheme"..Variable

2. Add extra variable..

  Variable name="superManager"

Write the logic get the managers Manager .

Identity identity=context.getObjectIdentity.class,identityName;

Identity manager=identity.getManager;

ifmanager!=null

{

Identity supManager=manager.getManager;

ifsupManager!=null

return superManager.getName;

else

return "spadmin";

}

3. update approving identities in Approve step.

  Step condition="script:flow == null ||  !"UnlockAccount".equalsflow" configForm="Provisioning Approval Step Form" icon="Task" name="Approve" posX="492" posY="6"

    Arg name="approvalMode" value="ref:approvalMode"

    Arg name="approvalScheme" value="ref:approvalScheme"

    Arg name="approvalSet" value="ref:approvalSet"

    Arg name="approvalAssignmentRule"

    Arg name="approvingIdentities" value="ref:superManager"


By default we can have 4 levels of approvals. 

If  want one more level of approval or any customizations of existing approval, then  can go for  custom ApprovalAssignmentRule for this. 

and passing this rule as argument in two workflows: LCM Provisioning and Approve and Provision Subprocess.


Note :::       Approval Assignment Rules  are  not  available  in the Approval Framework.

The Approval Framework is not part of the IdentityIQ product, but it is available in the Services Standard Deployment (SSD).  If you are not using that you can use the Approval Assignment Rule.  The rule can be passed as an argument in the Approval and Provision (and also Approve and Provision Split) step of the LCM Provisioning workflow.


Question ::: 1)  
An approval assignment rule and how to attach it with Provisioning Approval Subprocess workflow?  wanted to disable SailPoint auto-approval when requester and approver both are the same.   tried to use "disableLauncherAutoApproval" variable setting to true and passing to Provisioning Approval Subprocess workflow but it did not work out. So, thinking approval assignment can do the trick?

Also, question is if approvalassignmentrule will be executed by workflow at all if requester=approver?


Ans ::: 

will have to pass the argument
in Approve step of Approve and Provision Subprocess.

Yes, approvalassignment rule will e executed when requester=approver.

Question ::: 2.1)  

How to add a workgroup as approver in LCM Provisioning workflow

if there is a way to add another approver in LCM Provisioning, besides the manager and the Owner.

The needed behaviour is: once the identity creation is requested, the approval goes to the manager and then (if the manager accepts it) goes to a second approver (Owner) and then to (a workgroup  created for this requirement).

Flow-->User Request-->Manager Approval--> Owner Approval---->Workgroup Approval-->End

Ans ::: 

In  lcm provisioning workflow add the below variable,

  

After this add the argument in the Approve step,

approvingIdentities" value="ref:identity"/>

Question ::: 2.2) 

In a requirement if want to skip owner approval then
 manager approval --> workgroup (here  want to skip the owner approval step)

Ans ::: 

when do it is required to skip owner approval , then have approvalAssignment rule to achieve this.





Subscribe to: Posts (Atom)