
Auto approve if service account owner is submitting a request either for creation or modification


Hi All,

We are planning to implement service account management, and our requirement is that during creation/modification, if the service account owner himself is submitting the request, we need to skip the approval.

To pick the service account owner from the request attributes, we are using a custom assignment block with the same query that is mentioned in the document:

select userkey from users where FIND_IN_SET(users.userkey,(select distinct REPLACE(raa.attribute_value," ","")
from request_access_attrs raa , ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and

But if the owner himself is raising a request, the approval is going to admin with the above logic. Is there any way we can handle this scenario and make it auto approve?



Thanks @rushikeshvartak for referring the thread.

From the above thread I picked the format below:

com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).employeeType == 'Employee'

and modified it to our requirement as below, and am trying to use it in an if-else block:

com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)

But I still believe this condition will work only if there is only one owner. What if there are multiple owners added, of the same rank or of different ranks? In that case, how can we handle this?

What we are trying to achieve is that we only want to auto approve the request if the Rank 1 owner is submitting the request; if anyone else is submitting, it still has to go through regular approval.

Add one more if-else block before the auto approve check to check the rank of the requestor.

Yeah, the problem is how to pull the rank of the owner. Anyway, I will try to figure it out. First let me try the above condition and see if that works.

You need to use substring in that case. Column name: USERRANKJSON

Get Service Account Owner using Custom query

select owneruserkey as 'userkey' from accountowners where accountkey = (select distinct REPLACE(raa.attribute_value,' ','') from request_access_attrs raa, ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey =${} and raa.ATTRIBUTE_NAME='Accountkey') and owneruserkey is not null

I can use the query only if the account already exists. But during creation of a service account I need to pull the USERRANKJSON data as you mentioned, and I am not sure if substring is supported in an if-else block. But I will give it a try.

Before that I am not able to use the parameter as below

com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)

Getting below error:

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - gotoapproveonly - false, leftItemlist - 0\n","stream":"stdout","time":"2022-11-21T16:58:16.292754269Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - 4c8306fd-aa6c-4346-8a50-3551f4b7f057\n","stream":"stdout","time":"2022-11-21T16:58:16.292779864Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - REMOVING Current AE - false\n","stream":"stdout","time":"2022-11-21T16:58:16.292783205Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - leftItemlist Size = 0 CurTask=Task(Manager_Approval)\n","stream":"stdout","time":"2022-11-21T16:58:16.292785712Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - Action taken on all items in request approval. proceed.\n","stream":"stdout","time":"2022-11-21T16:58:16.292788339Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - 0\n","stream":"stdout","time":"2022-11-21T16:58:16.292790925Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,298 [http-nio-8080-exec-17] DEBUG println.PrintlnToLogger - Println :: listofEntitlement new= []\n","stream":"stdout","time":"2022-11-21T16:58:16.298447634Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,300 [http-nio-8080-exec-17] DEBUG services.WorkflowService - Before Approving Task Approved By Manager_Approvaladmin curTask=Task(Manager_Approval)Params[xtaskid:1610266, xAccessApproverKey:1745898, xstatus:2, roleHistoryId:0, xcomments:, usertoapprove:admin]\n","stream":"stdout","time":"2022-11-21T16:58:16.300335329Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,307 [http-nio-8080-exec-17] DEBUG services.WorkflowService - ERROR Approving Task Approved By Manager_Approvaladmin curTask=Task(Manager_Approval)Params[xtaskid:1610266, xAccessApproverKey:1745898, xstatus:2, roleHistoryId:0, xcomments:, usertoapprove:admin]\n","stream":"stdout","time":"2022-11-21T16:58:16.308013091Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,308 [http-nio-8080-exec-17] ERROR services.WorkflowService - Error while completing task - 1610266 storing it in JBPM Retry Table\n","stream":"stdout","time":"2022-11-21T16:58:16.308915512Z"

2022-11-21T11:58:17-05:00-ecm-"log":"javax.el.PropertyNotFoundException: Cannot resolve identifier 'com'\n","stream":"stdout","time":"2022-11-21T16:58:16.308928599Z"

Attached full logs

Hope you selected language as groovy (from select expression)

Yeah @rushikeshvartak, I did. Never mind the above error; it looks like I picked an old instance of logs. I can confirm that the above expression is working. Let me now introduce the Rank condition and see how it works.


I was able to achieve the requirement with the two conditions below. For my use case I used the 2nd option, which checks whether the requested-by user is the Rank 1 owner in the list of available owners.

com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)
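
The rank 1 owner rule discussed in this thread, as a stand-alone Groovy sketch added here (not code from the thread or from Saviynt). The function name `shouldAutoApprove`, its parameters and the owner list shape are assumptions for illustration and are not the layout of USERRANKJSON. It goes beyond the single-owner expression by covering several owners and missing ranks, and routes anything ambiguous to regular approval.

```groovy
// Added illustration: plain Groovy, not Saviynt workflow code.
// Assumed input shape: a list of maps such as [username: 'alice', rank: 1].
// This shape is constructed for the sketch; it is NOT the USERRANKJSON format.

/**
 * Returns true only when the requester is listed as a rank 1 owner.
 * Every other case (no owners, no requester, missing or unparsable rank,
 * requester with a lower rank, requester who is not an owner) returns false,
 * so the request falls through to the regular approval step.
 */
boolean shouldAutoApprove(List<Map> owners, String requestedBy) {
    // Fail closed: without a requester or owner data, never skip approval.
    if (!requestedBy || !owners) {
        return false
    }
    return owners.any { owner ->
        // A missing rank yields null here and can never equal '1'.
        String rank = owner?.rank?.toString()?.trim()
        String name = owner?.username?.toString()
        // Exact username match: no trimming or case folding, so a
        // near-miss name cannot widen the auto-approve path.
        rank == '1' && name == requestedBy
    }
}

// Constructed sample owner list: two rank 1 owners, one rank 2 owner,
// and one entry whose rank is missing.
def sampleOwners = [
    [username: 'alice', rank: 1],
    [username: 'bob',   rank: 2],
    [username: 'carol', rank: '1'],
    [username: 'dave'],
]

assert shouldAutoApprove(sampleOwners, 'alice')        // rank 1 owner
assert shouldAutoApprove(sampleOwners, 'carol')        // rank stored as text
assert !shouldAutoApprove(sampleOwners, 'bob')         // owner, but rank 2
assert !shouldAutoApprove(sampleOwners, 'dave')        // owner, rank missing
assert !shouldAutoApprove(sampleOwners, 'mallory')     // not an owner
assert !shouldAutoApprove(sampleOwners, 'Alice')       // case differs
assert !shouldAutoApprove([], 'alice')                 // no owner data
assert !shouldAutoApprove(sampleOwners, null)          // no requester
```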