04/12/2022 01:13 PM
Hi Team,
We have the following requirement for creating a workflow and need assistance from Saviynt.
Background :
1) We have created an Application Role (Say Role A). This role has 3 Owners configured.
2) 2 owners are configured at Rank 1 and 1 owner at Rank 2.
3) This particular Role is composed of 3 entitlements (Ent1, Ent2, Ent3).
These 3 entitlements are also configured with owners.
4) Ent 1 --> 2 owners are configured at Rank 1 and 1 owner at Rank 2
Ent 2 --> 1 owner is configured at Rank 1 and 1 owner at Rank 2
Ent 3 --> No Owner Configured
Requirement:
1. Once the request is submitted for this role, it first needs to check if it requires supervisor approval (Approval reqd. is stored in Role Custom Property1), else go to 2.
2. Once the Manager approves, the Role must go to Role Owner approval. Approval is required from all the approvers, i.e. first both owners from Rank 1 must approve, then the Rank 2 owner must approve.
3. Once Role owners approve it, the approval must go to Entitlement Owner configured.
For Ent 1 : Any owner from Rank 1 can approve and then mandatory goes to Rank 2 approver
For Ent 2: Any owner either from Rank 1 or Rank 2 can approve
For Ent 3: No Approver
4. In either case of rejection, the request must be rejected.
5. Once all approval is done, grant must be done.
Please assist.
04/12/2022 02:36 PM
Hi Pallavi,
Sorry, by mistake I have added the application role. It's an enterprise role.
The request must go with above use case.
Check Supervisor approval reqd --> Role Owner -- Entitlement Owner approval.
Kindly help me with workflow creation.
04/12/2022 02:36 PM
Hi Manish,
When you have a Role, be it Enterprise or Application, the best practice is to use the Role Owner approval rather than the approval of the owners of the entitlements that make up the Role. In your example you have 3 entitlements; in a real-world scenario, the count of the entitlements that make up a role can be significantly more and would lead to much more overhead.
Regards,
Avinash Chhetri
04/12/2022 02:36 PM
Hi Avinash,
Customer already has an IAM solution running and is at the stage of migrating to SSM.
In the current solution, Customer already has multilevel approval.
Customer has a requirement of Supervisor --> Role Owner --> Entitlement owner with the above complexity.
We need a way if we can define the same.
Thanks and Regards,
Manish
04/12/2022 02:36 PM
Manish,
When a role request is created in Saviynt, the workflow has the Role Object. It may not necessarily have direct access to all the entitlements that make up the role. You might have to use a custom query to get all the entitlements that make up the role and get their owners. Now what is intriguing is: how will you determine whether the "x" number of entitlements that make up the role, with each entitlement in the role having one or multiple owners, require a single approval or multiple approvals?
Regards,
Avinash Chhetri
04/12/2022 02:37 PM
Hi Avinash,
I understand the complexity. I will surely take your suggestion to customer.
Can we have this possibility defined in the workflow? If yes, please share a sample.
Created a Role -- say Role 1 (composed of a Custom Property; it says Manager Approval reqd yes or no)
This Role is made up of 3 entitlements.
Can we have Supervisor and Entitlement Owner Approval?
Thanks
04/12/2022 02:37 PM
Manish,
You could use the expression role?.customproperty1 == 'yes' in the If-Else w/f block and route your flow based on the result.
For more examples on it, please check the following documentation :
Regards,
Avinash Chhetri
04/12/2022 02:37 PM
Hi Avinash,
My first query would be handled based on the query you shared.
How would I route the approval workflow for entitlement owner approval for that role?
Thanks
Manish
04/12/2022 02:37 PM
Hi Manish,
Although not recommended, as stated in my earlier response you can try custom task assignment with SQL query to get the role entitlements and associated owner information.
Thanks,
Pallavi
04/12/2022 02:37 PM
Hi Pallavi,
If possible, can Saviynt help us in creating that query?
Role --> Entitlement --> Owner Query?
I would be thankful.
Thanks and Regards,
Manish
04/12/2022 02:37 PM
Manish,
I don't have the query handy, but you could use the roles and role_entitlements tables, using the rolekey, to get the desired data.
Saviynt Schema documentation is available at the following link for your reference.
https://saviynt.freshdesk.com/a/solutions/articles/43000521404
Note: Depending on the version you are on, you should be utilizing the Data Analyzer feature under Admin > Admin Function to test out your queries.
Regards,
Avinash Chhetri
04/12/2022 02:37 PM
Hi Avinash,
I came up with the following query:

select
    r.ROLEKEY as RoleKey,
    r.ROLE_NAME as RoleName,
    r.DISPLAYNAME as RoleDisplayName,
    CASE WHEN r.ROLETYPE = 4 THEN 'Enterprise Role'
         ELSE r.ROLETYPE END AS 'ROLETYPE',
    u.username as Role_Owner,
    ro.rank as Role_Owner_Rank,
    ev.ENTITLEMENT_VALUE as EntitlementName,
    ur.username as Entitlement_Owner,
    eo.RANK as Ent_Owner_Rank
from roles r, role_entitlements re, entitlement_values ev,
     role_owners ro, users u, entitlement_owners eo, users ur
where
    r.ROLEKEY = re.ROLEKEY and
    ev.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY and
    ro.rolekey = r.ROLEKEY and
    ro.userkey = u.userkey and
    (eo.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY and
     eo.USERKEY = ur.userkey) and
    r.ROLEKEY = 5;

Do let me know how I can use the same in the workflow now.
Thanks
Manish
04/12/2022 02:37 PM
Hi Manish,
Custom Assignments in Workflow must result in having only the "userkey" column in your SELECT clause to obtain the appropriate approvers, based on the requirement (it can come from role_owners, users, entitlement_owners table).
Regards,
Adrien.
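
The query shape described in the reply above, as an added example that is not Saviynt's or any poster's code: a SELECT that returns only `userkey` for the entitlement owners of a role at a given rank, plus a check for entitlements with no owner, which an inner join skips without any approval step. It runs against an in-memory SQLite stand-in; the table and column names are taken from the query posted in the thread, while the sample rows, user keys and function names are constructed for illustration.

```python
import sqlite3

# Constructed data mirroring the thread: role 5 = Ent1, Ent2, Ent3 (no owner).
# Table/column names come from the posted query; SQLite schema is an assumption.
SCHEMA = """
CREATE TABLE role_entitlements (ROLEKEY INT, ENTITLEMENT_VALUEKEY INT);
CREATE TABLE entitlement_values (ENTITLEMENT_VALUEKEY INT, ENTITLEMENT_VALUE TEXT);
CREATE TABLE entitlement_owners (ENTITLEMENT_VALUEKEY INT, USERKEY INT, RANK INT);
INSERT INTO role_entitlements VALUES (5, 101), (5, 102), (5, 103);
INSERT INTO entitlement_values VALUES (101, 'Ent1'), (102, 'Ent2'), (103, 'Ent3');
INSERT INTO entitlement_owners VALUES
  (101, 11, 1), (101, 12, 1), (101, 13, 2),  -- Ent1: two rank 1, one rank 2
  (102, 12, 1), (102, 14, 2);                -- Ent2: one rank 1, one rank 2
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def approver_userkeys(conn, rolekey, rank):
    """Custom-assignment style query: the SELECT list is userkey only."""
    rows = conn.execute(
        """SELECT DISTINCT eo.USERKEY AS userkey
           FROM role_entitlements re
           JOIN entitlement_owners eo
             ON eo.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY
           WHERE re.ROLEKEY = ? AND eo.RANK = ?
           ORDER BY eo.USERKEY""", (rolekey, rank))
    return [r[0] for r in rows]

def unowned_entitlements(conn, rolekey):
    """Entitlements in the role with no owner row (no approver exists)."""
    rows = conn.execute(
        """SELECT ev.ENTITLEMENT_VALUE
           FROM role_entitlements re
           JOIN entitlement_values ev
             ON ev.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY
           LEFT JOIN entitlement_owners eo
             ON eo.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY
           WHERE re.ROLEKEY = ? AND eo.USERKEY IS NULL""", (rolekey,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print("rank 1:", approver_userkeys(db, 5, 1), "rank 2:", approver_userkeys(db, 5, 2))
    print("no owner configured:", unowned_entitlements(db, 5))
```

User 12 owns both Ent1 and Ent2 at rank 1, so `DISTINCT` keeps that user from appearing twice in the approver list.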
04/12/2022 02:37 PM
Thanks Adrien,
Manish, please check the documentation for using custom queries for the custom assignment block: https://saviynt.freshdesk.com/a/solutions/articles/43000619101#WorkflowComponents-WorkflowComponents
Regards,
Avinash Chhetri