
Access Request issue with workflow

do12
New Contributor III

Hi

I'm struggling to get an application access workflow set up. There are 2 different approval groups based on the entitlement group selected in the Access Request. For two of the entitlements they should go to one approval group and anything else goes to another approval group, and that's it. So I've started with an If Else block to check the entitlement.entitlement_valuekey. I've attached a picture of that workflow. When I get to test an Access Request and choose any entitlement it errors saying 'Request not Submitted. Please contact your administrator.' If I choose no entitlement the request goes to the group for approval. Can you explain what I'm doing wrong and get this workflow to check the selected entitlements?

Thank you


rushikeshvartak
All-Star

Use below 2 if else conditions

  • entitlement != null
  • entitlement.entitlement_value eq 'ABC' or entitlement.entitlement_value eq 'PQR'

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

do12
New Contributor III

Thank you that has stopped the error message. How do I ensure both the entitlement request and account request are treated the same in the If Else block and so if the entitlement_value eq 'ABC' then both account and entitlement approvals go to the same group?

You need to use custom assignment block in that case 


Regards,
Rushikesh Vartak

do12
New Contributor III

I've got custom assignment approval groups for the IF and ELSE outcomes. Are you saying I need to use custom assignment to replace the IF ELSE block?

What I need is: if entitlement requested is 'ABC' or '123' send entitlement and account approval to one custom assignment approval group otherwise send entitlement and account approval to a different custom assignment group.

  • Block 1 query / Senior Manager
    • SELECT ra.accesskey, ugu.userkey
      FROM ars_requests ar
      JOIN request_Access ra ON ar.requestkey = ra.requestkey
      JOIN usergroup_users ugu ON ra.accesskey in (50514, 49923) AND ugu.user_groupkey = 1
      WHERE ra.accesstype = 2 AND ar.requestkey = ${ARSREQUEST.id}
  • Block 2 Group approver
    • SELECT ra.accesskey, ugu.userkey
      FROM ars_requests ar
      JOIN request_Access ra ON ar.requestkey = ra.requestkey
      JOIN usergroup_users ugu ON ra.accesskey not in (50514, 49923) AND ugu.user_groupkey = 100
      WHERE ra.accesstype = 2 AND ar.requestkey = ${ARSREQUEST.id}

Please update the group key in both queries.


Regards,
Rushikesh Vartak

do12
New Contributor III

Thank you, this makes more sense now. However I realised my groups contained Entitlements which I thought might feed/create the group users dynamically but I don't think that's how it works. Instead I did a custom SQL query to find the entitlement holders for the group approval. How would I incorporate this into the queries you provided?

Select u.userkey
From users u
Join user_accounts ua on u.userkey = ua.userkey
Join accounts a on a.accountkey = ua.accountkey
Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
Where ev.entitlement_valuekey in (49665)

  • So users who already have access to the entitlement should be approvers?
    • Select u.userkey
      From users u
      Join user_accounts ua on u.userkey = ua.userkey
      Join accounts a on a.accountkey = ua.accountkey
      Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
      Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
      JOIN request_Access ra ON ev.entitlement_valuekey=ra.accesskey and ra.accesstype = 2
      Where ev.entitlement_valuekey in (49665) AND ra.requestkey = ${ARSREQUEST.id}

Regards,
Rushikesh Vartak

do12
New Contributor III

Yes, users who already have access to one entitlement (49665) are approvers for users who request access to entitlements 50514, 49923.

Users who have access to another entitlement (50514) approve all other requests. 

There is no manager approval at the start, it just needs to go to one of these approver groups based on that logic. So can you help me picture the workflow please?  These all have to be custom assignments and not If Else blocks?

Workflow wiring will still remain the same; update the query as shared in the last response.


Regards,
Rushikesh Vartak

do12
New Contributor III

Yeah, like I said I can't visualise things well. I've attached my workflow idea with each group assignment, but now I don't know how to start the workflow to look at the entitlements request. What do I start it with? 1 block or 2?

Below will be logic

  • Start 
  • if else 
  • true -->  Senior manager
  • False = User Group [Select User field - should be custom query its user Group you have selected ]
  • Custom Assignment block = Accept >> Grant
  • Custom Assignment block = Reject >> Rejected Block
  • Grant & Reject >> End

Regards,
Rushikesh Vartak

do12
New Contributor III

Thank you, I've given it a go but it's still got the entitlement approval going to one route and the account approval going the other way. And both requests are showing assigned to (admin) which looks incorrect. Screenshots attached of workflow and access request submitted.

Use below if else
(entitlement != null and (entitlement.entitlement_value eq 'ABC' or entitlement.entitlement_value eq 'PQR')) or (entitlement == null)


Regards,
Rushikesh Vartak

do12
New Contributor III

That works for the Senior Manager Group as both account and entitlement go there, but if there's something for the other group the Account approval is still going to the Senior Manager Group as pictured.

Do you really need account approval? Ideally account should be auto approved.


Regards,
Rushikesh Vartak

do12
New Contributor III

I'm happy to test that and evidence it to the application owner. How do I include that in this workflow?

Can you share final query from both custom assignments 


Regards,
Rushikesh Vartak

do12
New Contributor III

yes here:

Select u.userkey
From users u
Join user_accounts ua on u.userkey = ua.userkey
Join accounts a on a.accountkey = ua.accountkey
Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
JOIN request_Access ra ON ev.entitlement_valuekey=ra.accesskey and ra.accesstype = 2
Where ev.entitlement_valuekey in (49665) AND ra.requestkey = ${ARSREQUEST.id}

and

Select u.userkey
From users u
Join user_accounts ua on u.userkey = ua.userkey
Join accounts a on a.accountkey = ua.accountkey
Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
JOIN request_Access ra ON ev.entitlement_valuekey=ra.accesskey and ra.accesstype = 2
Where ev.entitlement_valuekey in (49665) AND ra.requestkey = ${ARSREQUEST.id}

 

NM
Honored Contributor II

Hi @do12, do you need a separate approval for account? You can explore one option.

Send entitlement for approval based on condition or different rank owner.

Under security system select create action as entitlementOnly... Which will only create task once entitlement request is approved.

Both are same


Regards,
Rushikesh Vartak

do12
New Contributor III

Sorry the first is :

Select u.userkey
From users u
Join user_accounts ua on u.userkey = ua.userkey
Join accounts a on a.accountkey = ua.accountkey
Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
JOIN request_Access ra ON ev.entitlement_valuekey=ra.accesskey and ra.accesstype = 2
Where ev.entitlement_valuekey in (50514) AND ra.requestkey = ${ARSREQUEST.id}

 

Looking at both queries, has your requirement changed?

  • When Super User  then - Accounts /user part of Super user should approve
  • When group_Approver then   Accounts /user part of Group Approver should approve

Is this a new requirement?


Regards,
Rushikesh Vartak

do12
New Contributor III

I'm happy with the account being auto approved that workflow is fine thank you.

It is when Super User or Group Approver is requested then account/user part of Senior Manager (49665) should approve.

When any other entitlement is requested then account/user part of Group Approver (50514) should approve.

Previous Workflow wiring should work. Let me know if you still face issue


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
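
The routing rule do12 states above (holders of 49665 approve requests for 50514 or 49923; holders of 50514 approve any other entitlement), worked through as an added example that is not from the thread or from Saviynt. It runs on SQLite against constructed rows, uses a bind parameter where the workflow uses ${ARSREQUEST.id}, and reduces the joins to the tables that carry the keys; COUPLED reproduces the join condition of the query posted earlier in the thread for comparison. Access keys 60000 and 7 and the user/account keys are made up.

```python
import sqlite3

# Constructed data; table and column names are the ones used in the thread's queries.
SETUP = """
CREATE TABLE user_accounts(userkey, accountkey);
CREATE TABLE account_entitlements1(accountkey, entitlement_valuekey);
CREATE TABLE request_access(requestkey, accesskey, accesstype);
INSERT INTO user_accounts VALUES (1, 11), (2, 22), (3, 33);
INSERT INTO account_entitlements1 VALUES (11, 49665), (22, 50514);
-- request 100 asks for 49923; request 101 asks for 60000 plus a non-type-2 line
INSERT INTO request_access VALUES (100, 49923, 2), (101, 60000, 2), (101, 7, 1);
"""

# The requested entitlement is tested on ra.accesskey; the approver's own
# entitlement is tested on ae1.entitlement_valuekey. The two are not joined.
ROUTE = """
SELECT ra.accesskey, ua.userkey
FROM request_access ra
JOIN account_entitlements1 ae1 ON ae1.entitlement_valuekey = :holder
JOIN user_accounts ua ON ua.accountkey = ae1.accountkey
WHERE ra.accesstype = 2 AND ra.requestkey = :req
  AND ra.accesskey {op} (50514, 49923)
ORDER BY ra.accesskey, ua.userkey
"""

# Join condition of the posted query: holder's entitlement = requested entitlement.
COUPLED = """
SELECT ra.accesskey, ua.userkey
FROM request_access ra
JOIN account_entitlements1 ae1 ON ae1.entitlement_valuekey = ra.accesskey
JOIN user_accounts ua ON ua.accountkey = ae1.accountkey
WHERE ra.accesstype = 2 AND ra.requestkey = :req
  AND ae1.entitlement_valuekey IN (:holder)
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    return db

def approvers(db, req):
    """(accesskey, approver userkey) pairs from both branches of the rule."""
    rows = []
    for op, holder in (("IN", 49665), ("NOT IN", 50514)):
        rows += db.execute(ROUTE.format(op=op), {"holder": holder, "req": req}).fetchall()
    return rows

def coupled(db, req, holder):
    return db.execute(COUPLED, {"holder": holder, "req": req}).fetchall()
```

With the coupled join, a request for 49923 returns no approver rows at all, because nobody who holds 49665 is matched unless 49665 itself is the entitlement being requested.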

  • Apply Entitlements Only under Create task action in Security System.
  • And change workflow as below
  • rushikeshvartak_0-1723825454665.png

     


Regards,
Rushikesh Vartak

do12
New Contributor III

With entitlement only selected in Security System and using this workflow it appears to be applying account and access correctly. However it is creating two accounts and then setting one as Suspended from Import Service after I run the jobs. Here's a screenshot of the two accounts. Can I prevent it doing it this way?

  • 2 accounts is not an issue with workflow
  • This is issue with your JSON.
  • Maybe you have not mapped accountid in JSON
  • compare both accounts metadata in data analyzer to find data issue

Regards,
Rushikesh Vartak

NM
Honored Contributor II

@do12 you can select "entitlement only" in security system to configure this use case.