
Complex Workflow Creation

Community_User
Saviynt Employee
Originally posted on September 13 2021 at 05:00 UTC

Hi Team,


We have the following requirement for creating a workflow and need assistance from Saviynt.


Background:

1) We have created an Application Role (say Role A). This role has 3 owners configured.

2) 2 owners are configured at Rank 1 and 1 owner at Rank 2.

3) This particular role is composed of 3 entitlements (Ent1, Ent2, Ent3).

      These 3 entitlements are also configured with owners.

4) Ent 1 --> 2 owners are configured at Rank 1 and 1 owner at Rank 2

    Ent 2 --> 1 owner is configured at Rank 1 and 1 owner at Rank 2

    Ent 3 --> No owner configured


Requirement:

1. Once the request is submitted for this role, it first needs to check if it requires supervisor approval (approval reqd. is stored in Role Custom Property1), else go to 2.

2. Once the manager approves, the role must go to Role Owner approval. Approval is required from all the approvers, i.e. first both owners from Rank 1 must approve, then the Rank 2 owner must approve.

3. Once the role owners approve it, the approval must go to the entitlement owners configured.

For Ent 1: Any owner from Rank 1 can approve and then it mandatorily goes to the Rank 2 approver

For Ent 2: Any owner either from Rank 1 or Rank 2 can approve

For Ent 3: No approver

4. In either case of rejection, the request must be rejected.

5. Once all approvals are done, the grant must be done.


Please assist.

 

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on September 13 2021 at 11:27 UTC

Hello Manish,

I have one query: why is the entitlement owners' approval needed when you are already considering an approval from the application role owner? If the request is for an application role, then isn't it beneficial to follow the application role owner approval? In order to route the approval to the entitlements associated with the role, you may need to write a custom query to get the approvers associated with each entitlement in the role.

Thanks,

Pallavi Chaudhari

Community_User
Saviynt Employee
Originally posted on September 13 2021 at 11:29 UTC

Hi Pallavi,


Sorry, by mistake I have added the application role. It's an enterprise role.

The request must go with above use case.

Check Supervisor approval reqd --> Role Owner -- Entitlement Owner approval.


Kindly help me with workflow creation.

Community_User
Saviynt Employee
Originally posted on September 13 2021 at 16:44 UTC

Hi Manish,


When you have a Role, be it Enterprise or Application, the best practice is to use the Role Owner approval rather than the approval of the owners of the entitlements that make up the Role. In your example you have 3 entitlements; in a real-world scenario, the count of the entitlements that make up a role can be significantly more and would lead to much more overhead.




Regards,

Avinash Chhetri

Community_User
Saviynt Employee
Originally posted on September 14 2021 at 07:48 UTC

Hi Avinash,


The customer already has an IAM solution running and is at the stage of migrating to SSM.

In the current solution, the customer already has multilevel approval.

The customer has a requirement of Supervisor --> Role Owner --> Entitlement Owner with the above complexity.


We need a way, if we can define the same.


Thanks and Regards,

Manish

Community_User
Saviynt Employee
Originally posted on September 14 2021 at 23:47 UTC

Manish,


When a role request is created in Saviynt, the workflow has the Role Object. It may not necessarily have direct access to all the entitlements that make up the role. You might have to use a custom query to get all the entitlements that make up the role and get their owners. Now what is intriguing is: how will you determine whether the "x" number of entitlements that make up the role, with each entitlement in the role having one or multiple owners, requires a single approval or multiple approvals?




Regards,

Avinash Chhetri

Community_User
Saviynt Employee
Originally posted on September 15 2021 at 07:42 UTC

Hi Avinash,


I understand the complexity. I will surely take your suggestion to the customer.

Can we have this possibility defined in the workflow? If yes, please share a sample.


Created a Role -- say Role 1 (composed of a Custom Property; it says Manager Approval reqd, Yes or No)

This Role is made up of 3 entitlements.


Can we have Supervisor and Entitlement Owner approval?


Thanks

Community_User
Saviynt Employee
Originally posted on September 15 2021 at 19:18 UTC

Manish,


You could use the expression role?.customproperty1 == 'yes' in the If-Else w/f block and route your flow based on the result.


For more examples on it, please check the following documentation:

https://saviynt.freshdesk.com/a/solutions/articles/43000619101#WorkflowComponents-Condition:If-ElseM...




Regards,

Avinash Chhetri

Community_User
Saviynt Employee
Originally posted on September 16 2021 at 04:51 UTC

Hi Avinash,


My first query would be handled based on the query you shared.

How would I route the approval workflow for entitlement owner approval for that role?


Thanks

Manish

Community_User
Saviynt Employee
Originally posted on September 16 2021 at 06:59 UTC

Hi Manish,


Although not recommended, as stated in my earlier response, you can try a custom task assignment with a SQL query to get the role entitlements and associated owner information.


Thanks,

Pallavi

Community_User
Saviynt Employee
Originally posted on September 16 2021 at 07:01 UTC

Hi Pallavi,


If possible, can Saviynt help us in creating that query?

 Role --> Entitlement --> Owner Query?


I would be thankful.


Thanks and Regards,

Manish

Community_User
Saviynt Employee
Originally posted on September 16 2021 at 15:40 UTC

Manish,


I don't have the query handy, but you could use the roles and role_entitlements tables, using the rolekey, to get the desired data.


Saviynt Schema documentation is available at the following link for your reference.


https://saviynt.freshdesk.com/a/solutions/articles/43000521404


Note: Depending on the version you are on, you should be utilizing the Data Analyzer feature under Admin > Admin Function to test out your queries.




Regards,

Avinash Chhetri



Community_User
Saviynt Employee
Originally posted on September 17 2021 at 08:13 UTC

Hi Avinash,


I came up with the following query:


select
    r.ROLEKEY as RoleKey,
    r.ROLE_NAME as RoleName,
    r.DISPLAYNAME as RoleDisplayName,
    CASE WHEN r.ROLETYPE=4 THEN 'Enterprise Role'
         ELSE r.ROLETYPE END AS 'ROLETYPE',
    u.username as Role_Owner,
    ro.rank as Role_Owner_Rank,
    ev.ENTITLEMENT_VALUE as EntitlementName,
    ur.username as Entitlement_Owner,
    eo.RANK as Ent_Owner_Rank
from roles r, role_entitlements re, entitlement_values ev, role_owners ro, users u, entitlement_owners eo, users ur
where
    r.ROLEKEY = re.ROLEKEY and
    ev.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY and
    ro.rolekey = r.ROLEKEY and
    ro.userkey = u.userkey and
    (eo.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY and
     eo.USERKEY = ur.userkey) and
    r.ROLEKEY = 5;


Do let me know how I can use the same in the workflow now.


Thanks

Manish

Community_User
Saviynt Employee
Originally posted on September 17 2021 at 11:58 UTC

Hi Manish,
Custom Assignments in Workflow must result in having only the "userkey" column in your SELECT clause to obtain the appropriate approvers, based on the requirement (it can come from the role_owners, users, or entitlement_owners tables).

Regards,

Adrien.

Community_User
Saviynt Employee
Originally posted on September 17 2021 at 15:21 UTC

Thanks Adrien,


Manish, please check the documentation for using custom queries for the custom assignment block: https://saviynt.freshdesk.com/a/solutions/articles/43000619101#WorkflowComponents-WorkflowComponents




Regards,

Avinash Chhetri

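Added example, not part of the original thread and not Saviynt's own code: the userkey-only shape of a custom assignment query described in the replies above, one result set per owner rank, plus a check for entitlements in the role that have no owner (Ent 3 in the question), which inner joins silently drop. Table and column names are taken from the query posted in the thread; the in-memory SQLite database, the column types, all key values and the `?` parameters (standing in for however the workflow supplies the requested role and rank) are assumptions.

```python
import sqlite3

# Constructed sample data mirroring the thread: role 5 holds Ent1, Ent2, Ent3.
# Table/column names come from the posted query; types and keys are assumed.
SCHEMA = """
CREATE TABLE role_entitlements (ROLEKEY INT, ENTITLEMENT_VALUEKEY INT);
CREATE TABLE entitlement_values (ENTITLEMENT_VALUEKEY INT, ENTITLEMENT_VALUE TEXT);
CREATE TABLE entitlement_owners (ENTITLEMENT_VALUEKEY INT, USERKEY INT, RANK INT);
INSERT INTO role_entitlements VALUES (5, 1), (5, 2), (5, 3);
INSERT INTO entitlement_values VALUES (1, 'Ent1'), (2, 'Ent2'), (3, 'Ent3');
-- Ent1: two rank-1 owners, one rank-2; Ent2: one rank-1, one rank-2; Ent3: none
INSERT INTO entitlement_owners VALUES (1, 101, 1), (1, 102, 1), (1, 103, 2),
                                      (2, 104, 1), (2, 105, 2);
"""

# Single userkey column only; the ? bindings (role, rank) are an assumption.
APPROVERS_SQL = """
SELECT DISTINCT eo.USERKEY AS userkey
FROM role_entitlements re
JOIN entitlement_owners eo ON eo.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY
WHERE re.ROLEKEY = ? AND eo.RANK = ?
ORDER BY eo.USERKEY
"""

# Entitlements in the role with no owner row: these yield no approver at all.
UNOWNED_SQL = """
SELECT ev.ENTITLEMENT_VALUE
FROM role_entitlements re
JOIN entitlement_values ev ON ev.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY
LEFT JOIN entitlement_owners eo ON eo.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY
WHERE re.ROLEKEY = ? AND eo.USERKEY IS NULL
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def approvers(db, rolekey, rank):
    return [row[0] for row in db.execute(APPROVERS_SQL, (rolekey, rank))]

def unowned_entitlements(db, rolekey):
    return [row[0] for row in db.execute(UNOWNED_SQL, (rolekey,))]

if __name__ == "__main__":
    db = build_db()
    print("rank 1 approvers:", approvers(db, 5, 1))
    print("rank 2 approvers:", approvers(db, 5, 2))
    print("entitlements with no owner:", unowned_entitlements(db, 5))
```

A role whose entitlements appear in the unowned list reaches the entitlement-owner step with nobody assigned for that access, so the workflow design has to state explicitly what happens to it rather than leave it to the join.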