
SOD Evaluated Requests Approval Workflow Issue

SPP
New Contributor II

Hi All,

We have a 2-level approval workflow configured for an application, wherein the first-level approval is set up for SOD Risk Owners if there are any SOD violations detected, and the second level is set up for Ent Owner if the entitlement is soxcritical - Medium, High, Very High; otherwise it gets auto-approved.

Issue: A request is submitted for the entitlements that have SOD violations. The request for approval is sent to first-level approval to the owners. Once the request is approved at this stage, the if-else block to check the Entitlement soxcritical condition is failing and the entitlements are getting auto-approved. Below is the workflow configured:

SPP_2-1712124124865.png

 

The request got completed after Level 1 approval; the if-else block EntSoxCheck condition failed. The expected behaviour is that the request approval must go to second-level EntOwner approval, as the entitlements are Soxcritical High.

SPP_1-1712123890486.png

[This message has been edited by moderator to mask sensitive info]


Raghu
All-Star

Can you confirm? Instead of entimt.soxcritical>3, try:

1. entitlment.soxcritical==3

2. entitlment.soxcritical=='3'


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

SPP
New Contributor II

@Raghu 

I've tried both ways; it still doesn't go to second-level approval. Also, FYI, if the SODCheck & SODRiskOwner Approval blocks are removed from the workflow, the entimt.soxcritical>3 condition works as expected.

The entimt.soxcritical>3 if-else block chaining may be the issue; the reject and owner block accept scenarios are both pointing to the same if block.

What is the error in the logs?


Thanks,
Raghu

SPP
New Contributor II

@Raghu It's going to the EntSoxCritical if-else block, but the condition is always failing. If I point both true and false scenarios to the EntOwner Approval block, it goes to second-level approval.

Note: Updated the EntSoxCheck condition to entitlement.soxcritical=='5' for testing purposes.

SPP_0-1712168692952.png

The same condition (entimt.soxcritical>3) is working fine when the SOD blocks are removed.

It seems you are using a serial workflow, where the entitlement object is not exposed. Please use a parallel workflow.

rushikeshvartak_0-1712201455088.png

 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

SPP
New Contributor II

@rushikeshvartak  

As per the documentation, SOD Owner Approval blocks are only used in Serial Workflows.

You can use a parallel workflow with a custom assignment block:

https://forums.saviynt.com/t5/identity-governance/dynamic-attribute-for-risk-owner-in-workflow/td-p/...

select u.userkey
from request_exceptions RE INNER JOIN riskowners RO ON RO.RISKID=RE.EXCEPTIONKEY
INNER JOIN Users U ON U.userkey=RO.OWNERUSERKEY
where RE.REQUESTKEY=${ARSREQUEST.id}


Regards,
Rushikesh Vartak

SPP
New Contributor II

@rushikeshvartak  Yes, looks like the custom assignment block with a custom query is working as expected. However, I still don't understand the problem with SOD blocks.