02/01/2023 03:53 PM
Hello
We are revoking any entitlement not used over 90 days even if it's in-role entitlement.
But, we want to implement auto-approve when it's requested entitlement via ARS.
Here is what I am thinking
ev.customproperty will have list of role name that has this entitlement.
Dynamic Attribute will show list of role that user has .. but multi selection as default value should be available (it didn't work when I tried.. Is there a way I can achieve this?)
Or
User.customproperty will have list of role that user has.
Now, in Workflow I will implement "If-Else" Block
entitlement.customproperty1.contains(Dynamic Attr) eq true then it will be routed to "Grant Access" Block
Question
What's best way to store list of roles that user has to select all (User.customproperty or dynamic attr)
In contains method, can we add dynamic attribute name as well?
Thanks
Yun Jeong
02/01/2023 03:58 PM
Or, please suggest me better way to achieve this...
02/01/2023 07:11 PM
Use custom query block and manage logic instead of maintaining roles in customproperty
02/01/2023 07:12 PM
we meet here again 🙂 could you please share idea how to make query for this?
02/01/2023 07:31 PM
Is workflow mandatory?
02/01/2023 07:34 PM
Yes. There could be out of role entitlements request as well which should follow standard workflow approval process
02/01/2023 07:34 PM
Only in role entitlement that user has should be auto approved
02/01/2023 07:39 PM
Are entitlements that are part of roles also requestable separately?
02/01/2023 07:40 PM
Most of roles are being assigned in birthright but we are checking inactivity and remove access for some entitlements from roles.
User may come to ARS to request it again when they need it later. I am hoping this to be auto approved
02/01/2023 07:39 PM
There could be other in-role entitlements where the user doesn't have the role, then it should go under standard approval process
02/01/2023 07:42 PM
What do you mean by in-role entitlement? Please give an example; the requirement is coming in bits and pieces.
02/01/2023 07:45 PM
Role A assigned in birthright.
ENT a, Ent b, Ent c assigned together when role was assigned.
Now Ent b was revoked due to inactivity.
User may come to ARS again to request the ent.
In this case, since Ent b is part of the Role A. It should be auto approved
02/01/2023 08:10 PM
How will Ent B be removed? As it's part of the role, validity will be the same for Ent a/b/c.
02/01/2023 10:17 PM
Through analytics report. We check the last login date to create a remove access task. It's our security requirement even if the ent is part of a role.
02/02/2023 02:32 PM
@rushikeshvartak gentle reminder 🙂
02/05/2023 09:43 PM
02/05/2023 10:02 PM
Hi, we are checking app access inactivity using Okta audit log and it's being updated for each endpoint into last login date field. Due to our security requirement, the entitlement should be revoked if user didn't access the app over 90 days for any reason even if the ent is included in enterprise role. This is also our audit requirement to check inactivity and revoke all relevant access on a regular basis.
our requirement is "NOT revoke access when ent is part of enterprise role". What we want is to revoke access and it should be auto-approved when it is requested again via ARS.
Here is sample use case.
Role_A for Finance Team.
Ent A (OKTA)
Ent B (O365)
Ent C (Salesforce)
We are getting all last login date in each last login date field of each account.
Now this user didn't access Salesforce over 90 days, then analytics report will make "remove access" task based on our inactivity check logic. Please let me know if you need further clarification.
02/06/2023 01:17 AM
Okay in that case currently we don't have a workflow variable which can find the condition and make it auto approval
02/06/2023 01:30 AM
I am thinking to use dynamic attr in ARS to collect all entitlement_valuekey from roles that user has. Then I am planning to compare ent valuekey for requested ent vs the keys in Roles. When it's matched, it should be auto approved.
One challenge is I can't set default value for multi select query for dynamic attr.
02/06/2023 01:42 AM
Yes, for multi select, user has to select the values, default values won't be set
02/06/2023 01:48 AM
Any other suggestion to identify if requested ent is part of user_roles?
I am thinking to add all role names in user.customproperty and ev.customproperty then we will compare it with if-else block.. challenge here is how to append additional role names into the cp instead of override.
02/06/2023 02:10 AM
You would need to use csv or custom query job, normally we don't recommend to do this as there may be many roles getting newly added/created
02/06/2023 04:21 AM
No I wanted to do something in Workflow. Not csv / customquery...
02/06/2023 06:03 PM
use role_user_Account , request_Access , role_entitlements table
which should solve your issue
02/06/2023 07:04 PM
Custom query? But if I set "requested for" as approver in custom query. I will go to (admin) instead of auto approve.
I think we need to identify those ents using "if-else" block
02/06/2023 09:58 PM
I have told to use CP or csv upload to add rolenames in usercp and entcp.
Now coming to the workflow, you can write a query in custom Assignment block but it will not achieve the use case. In if-else block, SQL query is not supported, hence we recommended right now there is no way to achieve this use case
02/07/2023 04:50 AM
Is there a way to check if ents are part of user roles with Groovy to be applied in If-else block?
02/07/2023 07:58 AM
No, Right now there is no way to check in if-else block
02/07/2023 07:38 PM
if it goes we can add auto escalation block to auto approve
02/07/2023 07:48 PM
Thanks. In Workflow, there will be some entitlements that should be routed to regular approval process. Any idea how selected entitlement will go to "Custom Query" block else to go "Manager Approval". I think I need "if-else" on top of that no? or can we use "Case When in Custom query" like if ent is part of role ${requestedfor} else ${user.manager}
02/07/2023 07:56 PM
Another option using custom action block in workflow and write auto approve logic in java code
02/07/2023 08:04 PM
Yes I saw that.. do you have sample if you made this before? Then i can discuss internally
02/07/2023 08:41 PM
normal java code
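
The in-role check this thread is after (auto-approve only when the requested entitlement belongs to a role the requestee still holds, route everything else to normal approval), as an added example that is not part of any post or of the product's code. It uses the three table names mentioned above in an in-memory SQLite database; the column names, keys and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data. Table names follow the ones named in the thread;
# the column names are simplified assumptions, not the product's real schema.
SCHEMA = """
CREATE TABLE role_user_account (rolekey INT, userkey INT);
CREATE TABLE role_entitlements (rolekey INT, entitlement_valuekey INT);
CREATE TABLE request_access    (requestkey INT, userkey INT, entitlement_valuekey INT);
"""

# Counts roles that the requestee holds AND that contain the requested entitlement.
IN_ROLE_SQL = """
SELECT COUNT(*) FROM request_access ra
JOIN role_user_account rua ON rua.userkey = ra.userkey
JOIN role_entitlements re  ON re.rolekey = rua.rolekey
                          AND re.entitlement_valuekey = ra.entitlement_valuekey
WHERE ra.requestkey = ?
"""

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # User 1 holds Role_A (10); user 2 holds no role.
    db.execute("INSERT INTO role_user_account VALUES (10, 1)")
    # Role_A bundles Ent A (100), Ent B (101), Ent C (102).
    db.executemany("INSERT INTO role_entitlements VALUES (?, ?)",
                   [(10, 100), (10, 101), (10, 102)])
    db.executemany("INSERT INTO request_access VALUES (?, ?, ?)", [
        (1, 1, 102),   # user 1 re-requests Ent C after an inactivity revoke
        (2, 1, 999),   # user 1 requests an out-of-role entitlement
        (3, 2, 102),   # user 2 requests Ent C without holding Role_A
    ])
    return db

def route(db, requestkey):
    """Return 'auto_approve' only when the requested entitlement belongs to a
    role the requestee currently holds; anything else, including an unknown
    request, falls through to the standard approval path."""
    (hits,) = db.execute(IN_ROLE_SQL, (requestkey,)).fetchone()
    return "auto_approve" if hits > 0 else "standard_approval"

if __name__ == "__main__":
    db = build_sample_db()
    for key in (1, 2, 3, 4):
        print(key, route(db, key))
```

The check reads role membership at decision time rather than from a copied list in a custom property, so a user who has since lost the role no longer qualifies for auto-approval.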