
How to create a workflow for Different types of approval for each entitlement of a single endpoint

Mahendran
New Contributor III

Hi everyone, we have a requirement for an access request workflow that should work for the conditions below:

we have endpoints A,B,C
and we have entitlements - in Endpoint A - Ent A1, Ent A2, Ent A3
in Endpoint B - Ent B1, Ent B2, Ent B3
in Endpoint C - Ent C1, Ent C2, Ent C3

Each entitlement will follow different levels of approval with different types of approvers.

Single level:
i) Manager
ii) Entitlement Owner
iii) Resource Owner
iv) Usergroup


Two Levels of Approval
i) Manager and EntitlementOwner
ii) Manager and AppOwner
iii) Manager and UserGroup
iv) EntitlementOwner and UserGroup
v) AppOwner and UserGroup
vi) AppOwner and EntitlementOwner

Three Levels of Approval:
i) Manager and AppOwner and EntitlementOwner
ii) Manager and AppOwner and UserGroup
iii) Manager and EntitlementOwner and UserGroup
iv) AppOwner and EntitlementOwner and UserGroup

Example: in Endpoint A, Ent A1 will have one level of approval (Manager) and Ent A2 will have two levels of approval (EntitlementOwner and UserGroup).

Another example: in Endpoint B, Ent B1 will have three levels (Manager and AppOwner and EntitlementOwner) and Ent B2 will have three levels (AppOwner and EntitlementOwner and UserGroup).

How can we achieve this in Saviynt? Is there any way to approach this so that each entitlement of a single endpoint has different levels of approval and different types of approvers?

Can someone guide us on whether this is achievable in Saviynt?


dgandhi
All-Star

Have 1 to 1 mapping between your Security System and Endpoint.

This way each endpoint will follow its own set of workflow.

Then, to have a different flow at entitlement level, use some custom property of the entitlement, add some identifier, and based on that identifier redirect your workflow (using the if-else operator).

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

rushikeshvartak
All-Star
  • Use entitlement and endpoint customproperty; based on the custom property value you can define the approval workflow.

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi rushikeshvartak,
We tried using one customproperty on the entitlement, based on which our workflow takes a path, e.g. customproperty40 = 'Manager,EntitlementOwner', in which case our workflow follows the path of first level Manager and second level Entitlement Owner. We used a custom assignment with a query that reads the entitlement value key and, from it, this custom property, so we are able to assign the correct assignee for the entitlement request.

But the problem arises when a user raises a request for two or more entitlements of the same or different endpoints together: we are not able to assign the request to the correct user, because the query takes only one entitlement key and keeps the same assignee for the other entitlements as well.

I attached the workflow and details of how we approached this requirement. Could you please help us with this requirement?

Can you elaborate on the use cases tested and working vs. what is expected, in table format?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

we have endpoints A,B,C
and we have entitlements - in Endpoint A - Ent A1, Ent A2, Ent A3
in Endpoint B - Ent B1, Ent B2, Ent B3
in Endpoint C - Ent C1, Ent C2, Ent C3

 

| Entitlements | Levels | Approvers |
|---|---|---|
| A1 | One level | Manager |
| A2 | Two Level | Manager & Entitlement owner |
| A3 | Three Level | Manager and AppOwner and EntitlementOwner |
| B1 | One Level | Entitlement Owner |
| B2 | Two Level | Manager and User Group |
| B3 | Three Level | Manager and EntitlementOwner and User Group |
| C1 | One Level | App Owner |
| C2 | Two Level | EntitlementOwner and User Group |
| C3 | Three Level | AppOwner and EntitlementOwner and User Group |

| Request | Approvers |
|---|---|
| A1 & A2 | For A1: Manager. For A2: Manager & Entitlement Owner |
| A1 & B3 | For A1: Manager. For B3: Manager & Entitlement Owner & User Group |
| New Account & C1 | For C1: App Owner |
| New Account & C3 & New account B2 | New Acc. C3: AppOwner and EntitlementOwner and User Group. New Acc. B2: Manager and User Group |

All these test cases failed; we are not able to map the correct assignee to the request.


You can achieve the same by storing keywords on each entitlement.



Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Yes rushikeshvartak, we can do this; for entitlement-only requests this will work, but when we raise a new account + entitlement together, Saviynt is not able to read the entitlement custom property, so we are not able to assign the correct approvers.
Could you help us read the entitlement's custom property in the workflow IF ELSE condition when a user raises a new account + entitlement request?

We are restricting users from requesting only an account, so that is not a test case.
We are doing this for AD-based applications.
In the AD security system we create endpoints by adding endpoint filters.

Keep account as auto approve.

ars_requests.requesttype == 3 and entitlement.entitlement_value == null
Refer https://forums.saviynt.com/t5/identity-governance/workflow-logic-issues-separating-new-account-and-a...

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
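
The routing problem discussed in this thread, as an added Python model (not code from any poster and not Saviynt workflow syntax): each line item of a request resolves its own approver chain from the entitlement's custom property, account-only line items are auto-approved, and the reported defect of one entitlement key deciding for the whole request is reproduced for comparison. The function names, the `ENTITLEMENT_CHAIN` map and the sample request are assumptions constructed from the thread's tables.

```python
# Constructed model of the thread's scenario; not Saviynt workflow syntax.
# ENTITLEMENT_CHAIN stands in for the entitlement custom property
# (customproperty40 in the thread) holding a comma-separated approver chain.
ENTITLEMENT_CHAIN = {
    "A1": "Manager",
    "A2": "Manager,EntitlementOwner",
    "B2": "Manager,UserGroup",
    "B3": "Manager,EntitlementOwner,UserGroup",
    "C1": "AppOwner",
    "C3": "AppOwner,EntitlementOwner,UserGroup",
}
VALID_APPROVERS = {"Manager", "EntitlementOwner", "AppOwner", "UserGroup"}


def parse_chain(raw):
    """Split the property value into ordered approval levels, rejecting bad input."""
    levels = [part.strip() for part in (raw or "").split(",") if part.strip()]
    unknown = [lvl for lvl in levels if lvl not in VALID_APPROVERS]
    if not levels or unknown or len(levels) > 3:
        # Fail closed: an unreadable chain must not become an implicit auto-approve.
        raise ValueError(f"invalid approval chain: {raw!r}")
    return levels


def route_per_item(line_items):
    """Resolve approvers for every line item separately (the behaviour wanted)."""
    routes = {}
    for item in line_items:
        if item["entitlement"] is None:
            # Account-only line item: auto-approved, as suggested in the thread.
            routes[f"account:{item['endpoint']}"] = []
        else:
            routes[item["entitlement"]] = parse_chain(
                ENTITLEMENT_CHAIN.get(item["entitlement"]))
    return routes


def route_first_key_only(line_items):
    """Reproduce the reported defect: one entitlement key decides for all items."""
    ents = [i["entitlement"] for i in line_items if i["entitlement"]]
    chain = parse_chain(ENTITLEMENT_CHAIN.get(ents[0]))
    return {ent: chain for ent in ents}


# Constructed request: new account on endpoint B, plus entitlements A1 and B3.
REQUEST = [
    {"endpoint": "B", "entitlement": None},
    {"endpoint": "A", "entitlement": "A1"},
    {"endpoint": "B", "entitlement": "B3"},
]
```

With this request, the first-key routing sends B3 through Manager approval only, dropping its Entitlement Owner and User Group levels, which is why the lookup has to run per line item.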