
Application Access Request Workflow | Role Owner Approval

Community_User
Saviynt Employee
Originally posted on November 3 2021 at 05:28 UTC

Hi Team,


Background:

1. We have created the Enterprise Role and associated the same with Endpoint.

2. The role is made up of entitlements from 3 connected endpoints

3. For the Access Approval workflow, there are 3 levels of approval:

   Supervisor (Based upon Role Custom Property value) > Role Owner > Governance Team approval

4. Attaching the workflow


Issues:

1. For a special scenario, the request should be auto approved, but it's failing.

2. The customer is not looking for Account Approval, and it should be auto approved. So we have checked the condition and auto approved the same. But the task is created in spite of the access being approved. Can we have a configuration where the task for the account takes place only once all approvals are completed?

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on November 3 2021 at 09:16 UTC

Hello Manish,

For Issue #1, we will need to check the issue in the logs.

#2. You must be using a parallel workflow. In a parallel workflow, access which is approved will move to the task creation step. In a serial workflow, all requested items move together in a process.

Thanks,
Pallavi Chaudhari
Persistent Systems Ltd.

Community_User
Saviynt Employee
Originally posted on November 3 2021 at 09:54 UTC

Hi Pallavi ,


For case 2, we are bound to use the parallel workflow. Also, the request for the account is auto approved, and we have to limit the task creation until all approvals are done, because for the customer an account without access makes no sense.


For Case 1, we have opened a ticket with Saviynt. Awaiting response. This is the required expectation.


Community_User
Saviynt Employee
Originally posted on November 3 2021 at 21:07 UTC

Hi Manish,


What do you expect in the below flow?


  • User raises a request.
  • Manager approves the request.
  • 2nd level approver rejects the request.


From what I can understand, you want the account to be auto approved but the task not to be created unless the access requests are completed.

Again, if the entitlement request is rejected, should the task for the account request (which is already approved) be created or not?




Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on November 4 2021 at 04:48 UTC

Hi Avinash,


As per the customer's ask, they want the request for the account to be auto approved,

whereas the request for access must undergo the approval cycle.


Observation:

1. Since the account request is auto approved, SSM is creating the task for the account directly.

2. The account task is not waiting for the access request to be either approved or rejected.


Outcome expected:

SSM should create the tasks for Account and Access only when all the approvals are created.

As we have a scenario of request expiration and rejection, creation and provisioning of a stale account is not what the customer is looking for.


Community_User
Saviynt Employee
Originally posted on November 4 2021 at 11:10 UTC

This is possible using a serial approval workflow. But in a serial approval workflow, a few important variables, like entitlement, are not available.

Thanks,
Pallavi Chaudhari
Persistent Systems Ltd.

Community_User
Saviynt Employee
Originally posted on November 4 2021 at 12:06 UTC

Hi Pallavi,


As I mentioned, we are bound to use parallel WF.


Community_User
Saviynt Employee
Originally posted on November 9 2021 at 04:55 UTC

Hi Pallavi,


I tried using Serial Workflow, but since my request for the account is auto approved, the complete request is going for auto approval. It does not go for further checks.

Also, we have noticed that when we have marked Default Ruleset as True for SoD, in a situation where Requestee == Role Owner and the request goes for Role Owner approval, the request is not going for auto approval, whereas when this is marked as False, it does go for auto approval.


Kindly note we are using parallel WF. Is there any limitation or bug?


Community_User
Saviynt Employee
Originally posted on December 3 2021 at 05:08 UTC

Hi Avinash,


We got a confirmation from the Saviynt PS Team that this is expected behavior for WF.

Please refer to the following statement:


As per the confirmation from the engineering team, the workflow behaviour in case of SoD violation where even if the requester and owner are same, still going for approval to owner, is as per the design and for now there is no enhancement in place as this is not marked as a defect.


Community_User
Saviynt Employee
Originally posted on December 3 2021 at 20:59 UTC

Thanks, Manish!!
