
Dynamic Attr in Workflow

ejeong
Valued Contributor

Hello,

We are revoking any entitlement not used for over 90 days, even if it's an in-role entitlement.

But we want to implement auto-approve when the entitlement is requested via ARS.

Here is what I am thinking:

ev.customproperty will have the list of role names that have this entitlement.

Dynamic Attribute will show the list of roles that the user has, but multi-selection as default value should be available (it didn't work when I tried. Is there a way I can achieve this?)

Or

User.customproperty will have the list of roles that the user has.

Now, in the workflow I will implement an "If-Else" block:

entitlement.customproperty1.contains(Dynamic Attr) eq true, then it will be routed to the "Grant Access" block.

Question

What's the best way to store the list of roles that the user has, to select all (User.customproperty or dynamic attr)?

In the contains method, can we add the dynamic attribute name as well?

Thanks

Yun Jeong

32 REPLIES

ejeong
Valued Contributor

Or please suggest a better way to achieve this...

rushikeshvartak
All-Star

Use custom query block and manage logic instead of maintaining roles in customproperty


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

We meet here again 🙂 Could you please share an idea of how to make a query for this?

Is workflow mandatory?


Regards,
Rushikesh Vartak

Yes. There could be out-of-role entitlement requests as well, which should follow the standard workflow approval process.

ejeong
Valued Contributor

Only in-role entitlements that the user has should be auto-approved.

Are entitlements that are part of roles also requestable separately?


Regards,
Rushikesh Vartak

Most of the roles are being assigned as birthright, but we are checking inactivity and removing access for some entitlements from roles.

The user may come to ARS to request it again when they need it later. I am hoping this will be auto-approved.

ejeong
Valued Contributor

There could be other in-role entitlements for which the user doesn't have the role; then it should go through the standard approval process.

What do you mean by in-role entitlement? Please give an example; the requirement is coming in bits and pieces.


Regards,
Rushikesh Vartak

Role A is assigned as birthright.

Ent a, Ent b, Ent c are assigned together when the role is assigned.

Now Ent b was revoked due to inactivity.

The user may come to ARS again to request the ent.

In this case, since Ent b is part of Role A, it should be auto-approved.

How will Ent B be removed? As it's part of the role, the validity will be the same for Ent a/b/c.


Regards,
Rushikesh Vartak

Through an analytics report. We are checking the last login date to create a remove access task. It's our security requirement even if the ent is part of a role.

ejeong
Valued Contributor

@rushikeshvartak gentle reminder 🙂 

Can you please let us know why the entitlements are being removed individually if they are assigned via a role? This is basically not the correct use case. If you are removing the entitlements via analytics, you can check whether the entitlements are assigned from a role and then ignore them so that they don't get removed.

If you still want this feature, then the best recommendation is to have a one-to-one map (one role to one ent map).
Also, this would be an audit issue where the user has the role but the entitlements are missing as part of the role, as per the use case you want to achieve.

Let me know if you need any additional details.

ejeong
Valued Contributor

@Darshanjain  

Hi, we are checking app access inactivity using the Okta audit log, and it's being updated for each endpoint into the last login date field. Due to our security requirement, the entitlement should be revoked if the user didn't access the app for over 90 days for any reason, even if the ent is included in an enterprise role. This is also our audit requirement, to check inactivity and revoke all relevant access on a regular basis.

Our requirement is "NOT revoke access when ent is part of enterprise role". What we want is to revoke access and it should be auto-approved when it is requested again via ARS.

Here is sample use case. 

Role_A for Finance Team. 

Ent A (OKTA)

Ent B (O365)

Ent C (Salesforce) 

We are getting all last login dates in the last login date field of each account.

Now this user didn't access Salesforce for over 90 days, so the analytics report will make a "remove access" task based on our inactivity check logic. Please let me know if you need further clarification.

Okay, in that case, currently we don't have a workflow variable which can find the condition and make it auto-approve.

ejeong
Valued Contributor

@Darshanjain 

I am thinking of using a dynamic attr in ARS to collect all entitlement_valuekey values from the roles that the user has. Then I am planning to compare the ent valuekey for the requested ent vs. the keys in the roles. When it's matched, it should be auto-approved.

One challenge is that I can't set a default value for a multi-select query for a dynamic attr.

Yes, for multi-select, the user has to select the values; default values won't be set.

ejeong
Valued Contributor

@Darshanjain 

Any other suggestion to identify whether the requested ent is part of user_roles?

I am thinking of adding all role names in user.customproperty and ev.customproperty; then we will compare them with an if-else block. The challenge here is how to append additional role names to the cp instead of overriding it.

You would need to use a CSV or custom query job. Normally we don't recommend doing this, as there may be many roles getting newly added/created.

ejeong
Valued Contributor

No, I wanted to do something in the workflow. Not csv / customquery...

Use the role_user_Account, request_Access, role_entitlements tables,

which should solve your issue.


Regards,
Rushikesh Vartak
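The join suggested in the reply above, sketched as an added example (not code from the thread or from Saviynt). A constructed SQLite schema stands in for the three tables named there; every column name, the sample keys and the `route_request` helper are assumptions for illustration, not the product's real schema. An entitlement that belongs only to a role the requestee does not hold still routes to manager approval.

```python
import sqlite3

# Constructed stand-ins for the tables named in the reply above.
# Column names are assumptions for illustration, not the product schema.
SCHEMA = """
CREATE TABLE role_user_account (rolekey INT, userkey INT);
CREATE TABLE role_entitlements (rolekey INT, entitlement_valuekey INT);
CREATE TABLE request_access    (requestkey INT, userkey INT, entitlement_valuekey INT);
"""

# A requested entitlement counts as "in-role" only if some role the requestee
# currently holds contains it; everything else keeps manager approval.
ROUTE_SQL = """
SELECT ra.entitlement_valuekey,
       CASE WHEN EXISTS (
              SELECT 1
              FROM role_user_account rua
              JOIN role_entitlements re ON re.rolekey = rua.rolekey
              WHERE rua.userkey = ra.userkey
                AND re.entitlement_valuekey = ra.entitlement_valuekey)
            THEN 'AUTO_APPROVE' ELSE 'MANAGER_APPROVAL' END
FROM request_access ra
WHERE ra.requestkey = ?
ORDER BY ra.entitlement_valuekey
"""

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed data: user 1 holds Role_A (10) = Ent A/B/C (101..103).
    # Role_B (20) contains Ent D (104); only user 2 holds it.
    db.executemany("INSERT INTO role_user_account VALUES (?,?)", [(10, 1), (20, 2)])
    db.executemany("INSERT INTO role_entitlements VALUES (?,?)",
                   [(10, 101), (10, 102), (10, 103), (20, 104)])
    # Request 500: user 1 re-requests the revoked Ent C (103) and also asks for Ent D (104).
    db.executemany("INSERT INTO request_access VALUES (?,?,?)",
                   [(500, 1, 103), (500, 1, 104)])
    return db

def route_request(db, requestkey):
    """Return {entitlement_valuekey: routing decision} for one request."""
    return dict(db.execute(ROUTE_SQL, (requestkey,)).fetchall())

if __name__ == "__main__":
    print(route_request(build_sample_db(), 500))
```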

Custom query? But if I set "requested for" as approver in the custom query, it will go to (admin) instead of auto-approve.

I think we need to identify those ents using an "if-else" block.

I have told you to use CP or CSV upload to add role names in usercp and entcp.

Now coming to the workflow, you can write a query in the custom Assignment block, but it will not achieve the use case. In the if-else block, SQL queries are not supported; hence we advised that right now there is no way to achieve this use case.

ejeong
Valued Contributor

@Darshanjain 

Is there a way to check if ents are part of user roles with Groovy, to be applied in the if-else block?

No, right now there is no way to check in the if-else block.

If it goes, we can add an auto-escalation block to auto-approve.


Regards,
Rushikesh Vartak

Thanks. In the workflow, there will be some entitlements that should be routed to the regular approval process. Any idea how selected entitlements will go to the "Custom Query" block, else go to "Manager Approval"? I think I need "if-else" on top of that, no? Or can we use "Case When" in the custom query, like: if ent is part of role ${requestedfor} else ${user.manager}

Another option is using a custom action block in the workflow and writing the auto-approve logic in Java code.


Regards,
Rushikesh Vartak

Yes, I saw that. Do you have a sample, if you made this before? Then I can discuss it internally.

Normal Java code

[Attached image: rushikeshvartak_0-1675831288999.png]


Regards,
Rushikesh Vartak