Click HERE to see how Saviynt Intelligence is transforming the industry. |
08/14/2024 10:02 AM
Hi
I'm struggling to get an application access workflow setup. There are 2 different approval groups based on the entitlement group selected in the Access Request. For two of the entitlements they should go to one approval group and anything else goes to another approval group and thats it. So i've started with an If Else block to check the entitlement.entitlement_valuekey. I've attached a picture of that workflow. When I get to test an Access Request and choose any entitlement it errors saying 'Request not Submitted. Please contact your administrator.' If I choose no entitlement the request goes to the group for approval. Can you explain what I'm doing wrong and get this workflow to check the selected entitlements.
Thank you
Solved! Go to Solution.
08/14/2024 10:36 AM
Use below 2 if else conditions
08/15/2024 02:16 AM
Thank you that has stopped the error message. How do I ensure both the entitlement request and account request are treated the same in the If Else block and so if the entitlement_value eq 'ABC' then both account and entitlement approvals go to the same group?
08/15/2024 04:46 AM
You need to use custom assignment block in that case
08/15/2024 05:47 AM
I've got custom assignment approval groups for the IF and ELSE outcomes. Are you saying I need to use custom assignment to replace the IF ELSE block?
What I need is: if entitlement requested is 'ABC' or '123' send entitlement and account approval to one custom assignment approval group otherwise send entitlement and account approval to a different custom assignment group.
08/15/2024 06:06 AM
Please update group key in both query
08/15/2024 09:17 AM
Thank you this makes more sense now. However I realised my groups contained Entitlements which I though might feed/create the group users dynamically but I don't think thats how it works. Instead I did a custom SQL query to find the entitlement holders for the group approval. How would I incorporate this into the queries you provided?
Select u.userkey
From users u
Join user_accounts ua on u.userkey = ua.userkey
Join accounts a on a.accountkey = ua.accountkey
Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
Where ev.entitlement_valuekey in (49665)
08/15/2024 09:45 AM
08/15/2024 01:54 PM
yes users who already have access to one entitlement (49665) are approver for users who request access to entitlements 50514,49923.
Users who have access to another entitlement (50514) approve all other requests.
There is no manager approval at the start, it just needs to go to one of these approver groups based on that logic. So can you help me picture the workflow please? These all have to be custom assignments and not If Else blocks?
08/15/2024 01:55 PM
Workflow wiring will still remain same update query as shared in last response
08/15/2024 02:10 PM
08/15/2024 06:37 PM
Below will be logic
08/16/2024 07:45 AM
Thank you I've given it a go but its still got the entitlement approval going to one route and the account approval going the other way. And both requests are showing assigned to (admin) which looks incorrect. Screenshots attached of workflow and access request submitted.
08/16/2024 07:55 AM
Use below if else
(entitlement != null and (entitlement.entitlement_value eq 'ABC' or entitlement.entitlement_value eq 'PQR')) or (entitlement ==null)
08/16/2024 08:23 AM
08/16/2024 08:44 AM
Do you really need account approval ? Ideally account should be auto approved
08/16/2024 08:51 AM
I'm happy to test that and evidence it to the application owner. How do I include that in this workflow?
08/16/2024 08:56 AM
Can you share final query from both custom assignments
08/16/2024 09:12 AM
yes here:
Select u.userkey
From users u
Join user_accounts ua on u.userkey = ua.userkey
Join accounts a on a.accountkey = ua.accountkey
Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
JOIN request_Access ra ON ev.entitlement_valuekey=ra.accesskey and ra.accesstype = 2
Where ev.entitlement_valuekey in (49665) AND ra.requestkey = ${ARSREQUEST.id}
and
Select u.userkey
From users u
Join user_accounts ua on u.userkey = ua.userkey
Join accounts a on a.accountkey = ua.accountkey
Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
JOIN request_Access ra ON ev.entitlement_valuekey=ra.accesskey and ra.accesstype = 2
Where ev.entitlement_valuekey in (49665) AND ra.requestkey = ${ARSREQUEST.id}
08/16/2024 09:16 AM
Hi @do12 , do you need a seperate approval for account ..you can explore one option.
Send entitlement for approval based on ondition or different rank owner.
Under security system select create action as entitlementOnly... Which will only create task once entitlement request is approved.
08/16/2024 09:16 AM
Both are same
08/16/2024 09:31 AM
Sorry the first is :
Select u.userkey
From users u
Join user_accounts ua on u.userkey = ua.userkey
Join accounts a on a.accountkey = ua.accountkey
Join account_entitlements1 ae1 on a.accountkey = ae1.accountkey
Join entitlement_values ev on ev.entitlement_valuekey = ae1.entitlement_valuekey
JOIN request_Access ra ON ev.entitlement_valuekey=ra.accesskey and ra.accesstype = 2
Where ev.entitlement_valuekey in (50514) AND ra.requestkey = ${ARSREQUEST.id}
08/16/2024 09:35 AM
Looking at both query does your requirement is changed ?
Is this new requirement ?
08/16/2024 09:50 AM
I'm happy with the account being auto approved that workflow is fine thank you.
It is when Super User or Group Approver is requested then account/user part of Senior Manager (49665) should approve.
When any other entitlement is requested then account/user part of Group Approver (50514) should approve.
08/16/2024 10:18 AM
Previous Workflow wiring should work. Let me know if you still face issue
08/16/2024 09:24 AM
08/20/2024 10:15 AM
With entitlement only selected in Security System and using this workflow it appears to be applying account and access correctly. However it is creating two accounts and then setting one as Suspended from Import Service after I run the jobs. Here's a screenshot of the two accounts. Can I prevent it doing it this way?
08/20/2024 10:25 AM
08/15/2024 03:53 AM
@do12 you can select "entitlement only" in security system to configure this use case.