06/01/2022 07:03 AM
It seems when an access request is submitted for multiple entitlements, each with different owners, an owner for any ONE of the entitlements can approve the request for ALL entitlements, even those for which they are not an owner. How can we prevent this?
This is NOT a scenario with multiple owners for one entitlement where the Type of Approval dropdown drives approval behavior. This is multiple entitlements with different owners.
This is v2020.
Thanks in advance for your help!
06/01/2022 07:30 AM
Hello,
This is not the expected behavior because if there are different owners for different entitlements, those should be approved by the respective owners only. Are you using the Resource Owner Approval node in the workflow?
06/01/2022 07:45 AM
No, I'm using the Access Approval node. I will swap that out with Resource Owner and give it a try.
06/01/2022 07:58 AM
This did not work. It looks like the Resource Owner is the endpoint owner, not the entitlement owner.
06/01/2022 08:01 AM
Hello,
Yes, Access Approval is the correct node to be used. We would request you to raise a support ticket for this, as the behaviour is not as expected. Each individual entitlement should go for approval to its respective owner. We can select whether one owner's approval or all owners' approval is required, but one entitlement owner's approval should not approve the other entitlements.
06/01/2022 09:34 PM
Perhaps the Request Approval details page or Task History is showing all owners' names, but ideally it should follow the workflow configuration. Please provide a screenshot of the wiring so that it will be easier to identify the issue further.
06/02/2022 04:33 AM
I don't have an issue with the Request Approval page showing all entitlements in the request but it lets any approver/owner approve ALL entitlements, even entitlements they do not own. I have opened a ticket and waiting for support to respond.
Wiring is large but here is the XML:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  jPDL 4.4 process definition for the ADGroupManagementApproval workflow.
  The Start node fans out over RequestAccessKeys (one iteration per requested
  entitlement), routes each iteration through account, confidentiality,
  request-type and owner-count decisions, and ends every path in the
  "All Approvals Complete Check" join, whose multiplicity is #{quorum}.
  NOTE(review): whether a given owner's approval is scoped to the single
  entitlement of their foreach iteration is decided inside the assignment
  handler classes, not in this XML; confirm with the handler implementation.
-->
<process key="ADGroupManagementApproval"
name="ADGroupManagementApproval" xmlns="http://jbpm.org/4.4/jpdl">
<start name="Start">
<transition to="foreachAccessRequest"/>
</start>
<!-- One iteration per requested entitlement key; each iteration begins at CheckAccountExists. -->
<foreach in="#{RequestAccessKeys}" name="foreachAccessRequest" var="requestaccesskey">
<transition to="CheckAccountExists"/>
</foreach>
<!-- Confidentiality 5 is rejected outright; anything else continues to the high-confidentiality check. -->
<decision name="CheckConfidentialityCritical">
<transition to="RejectAccessCritical">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 5) eq true }"/>
</transition>
<transition to="CheckConfidentialityHigh">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 5) ne true }"/>
</transition>
</decision>
<!-- Confidentiality null, 4 or 0 takes the request-type path (owner approval); other values fall through to the medium check. -->
<decision name="CheckConfidentialityHigh">
<transition to="CheckRequestTypeAdd">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == null) or (entitlementslist.get(requestaccesskey).confidentiality == 4) or (entitlementslist.get(requestaccesskey).confidentiality == 0)) eq true }"/>
</transition>
<transition to="CheckConfidentialityMedium">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == null) or (entitlementslist.get(requestaccesskey).confidentiality == 4) or (entitlementslist.get(requestaccesskey).confidentiality == 0)) ne true }"/>
</transition>
</decision>
<!-- Confidentiality 3 goes to CheckOwnerSize2; everything else goes to the low/very-low check. -->
<decision name="CheckConfidentialityMedium">
<transition to="CheckOwnerSize2">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 3) eq true }"/>
</transition>
<transition to="CheckConfidentialityLowVeryLow">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 3) ne true }"/>
</transition>
</decision>
<!--
  Confidentiality 2 or 1 is granted directly by GrantAccessLow with no approval
  task in between. Any value not matched by an earlier decision is rejected as
  "no confidentiality".
-->
<decision name="CheckConfidentialityLowVeryLow">
<transition to="GrantAccessLow">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == 2) or (entitlementslist.get(requestaccesskey).confidentiality == 1)) eq true }"/>
</transition>
<transition to="RejectAccessNoConfidentiality">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == 2) or (entitlementslist.get(requestaccesskey).confidentiality == 1)) ne true }"/>
</transition>
</decision>
<!-- Grants the current entitlement; the second arg names the alert notification template. -->
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessMedium">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Alert Notification___GrantAccessMedium"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<!-- Shared rejection node used by the "Rejected By ..." transitions of every approval task. -->
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccess">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected___RejectAccess"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<!-- Grant for confidentiality 1 and 2; no notification template arg is passed here. -->
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessLow">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<!-- Grant reached by every "Approved By ..." transition and by the self-removal shortcut in CheckRequestTypeRemove. -->
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessHigh">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<!--
  Fallback approval task used when the entitlement has no owners. Assigned to
  the "Default AD Group Approvers" user group with any-owner approval; escalates
  to DefaultOwnerApprovalEscalation after 2 days.
  (The transition name "Esclated" is a typo, but it is a runtime identifier and is left as-is.)
-->
<task name="DefaultOwnerApproval">
<transition name="Esclated By DefaultOwnerApproval" to="DefaultOwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<assignment-handler class="com.saviynt.workflowmgt.ArsCustomAssignmentHandler">
<field name="fieldname">
<string value="UserGroup___Default AD Group Approvers___Any Owner Approval Required"/>
</field>
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Approved By DefaultOwnerApproval" to="GrantAccessHigh"/>
<transition name="Rejected By DefaultOwnerApproval" to="RejectAccess"/>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required - Default Owner"/>
</field>
<field name="nottemplate2">
<string value="Access Request - Request Submitted"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
</task>
<!-- Entitlements with at least one owner go to OwnerApproval; ownerless ones go to the default approver group. -->
<decision name="CheckOwnerSize">
<transition to="OwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) eq true }"/>
</transition>
<transition to="DefaultOwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) ne true }"/>
</transition>
</decision>
<!-- Rejection for confidentiality values not handled by any decision above. -->
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessNoConfidentiality">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - No Confidentiality___RejectAccessNoConfidentiality"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<!--
  First check of each iteration: if the request includes any new-account
  requests, the entitlement is rejected. NOTE(review): this reads
  requestcounts, which looks request-wide rather than per entitlement; confirm
  that rejecting every iteration on that basis is intended.
-->
<decision name="CheckAccountExists">
<transition to="RejectAccessNoAccount">
<condition expr="#{(requestcounts.NEW_ACC_REQUESTS_COUNT > 0) eq true }"/>
</transition>
<transition to="CheckConfidentialityCritical">
<condition expr="#{(requestcounts.NEW_ACC_REQUESTS_COUNT > 0) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessNoAccount">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - No Account___RejectAccessNoAccount"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<!--
  Confidentiality 3 only: if the entitlement has owners it is granted directly
  by GrantAccessMedium (alert notification, no approval task); if it has none it
  goes to DefaultOwnerApproval. NOTE(review): owned medium entitlements are
  therefore never routed to an owner approval task; confirm this is intended.
-->
<decision name="CheckOwnerSize2">
<transition to="GrantAccessMedium">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) eq true }"/>
</transition>
<transition to="DefaultOwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) ne true }"/>
</transition>
</decision>
<!-- requesttype 1 (add) goes straight to the owner-count check; other types go to the removal check. -->
<decision name="CheckRequestTypeAdd">
<transition to="CheckOwnerSize">
<condition expr="#{(ars_requests.requesttype == 1) eq true }"/>
</transition>
<transition to="CheckRequestTypeRemove">
<condition expr="#{(ars_requests.requesttype == 1) ne true }"/>
</transition>
</decision>
<!--
  requesttype 2 (remove) raised by the user for themselves is granted with no
  approval; any other case goes to the owner-count check.
-->
<decision name="CheckRequestTypeRemove">
<transition to="GrantAccessHigh">
<condition expr="#{((ars_requests.requesttype == 2) and (requestedby.username == user.username)) eq true }"/>
</transition>
<transition to="CheckOwnerSize">
<condition expr="#{((ars_requests.requesttype == 2) and (requestedby.username == user.username)) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessCritical">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - Closed Group___RejectAccessCritical"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<!--
  Escalation task for the default approver group. Its timer transition targets
  itself, so the task re-escalates every 2 days until approved or rejected.
-->
<task name="DefaultOwnerApprovalEscalation">
<transition name="Esclated By DefaultOwnerApprovalEscalation" to="DefaultOwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<assignment-handler class="com.saviynt.workflowmgt.ArsCustomAssignmentHandler">
<field name="fieldname">
<string value="UserGroup___Default AD Group Approvers___Any Owner Approval Required"/>
</field>
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Approved By DefaultOwnerApprovalEscalation" to="GrantAccessHigh"/>
<transition name="Rejected By DefaultOwnerApprovalEscalation" to="RejectAccess"/>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required - Default Owner"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
</task>
<!--
  Escalation task for entitlement owners; uses the same assignment handler as
  OwnerApproval and, like DefaultOwnerApprovalEscalation, re-escalates to itself
  every 2 days.
-->
<task name="OwnerApprovalEscalation">
<assignment-handler class="com.saviynt.workflowmgt.RoleOwnerAssignHandlerAllRankApprByOne">
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Esclated By OwnerApprovalEscalation" to="OwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
<transition name="Approved By OwnerApprovalEscalation" to="GrantAccessHigh"/>
<transition name="Rejected By OwnerApprovalEscalation" to="RejectAccess"/>
</task>
<!--
  Owner approval task for the current iteration's entitlement. The handler name
  suggests all ranked owners are assigned and one approval suffices; which
  entitlement(s) that approval covers is not expressed in this XML. NOTE(review):
  if one owner's approval is observed to close other entitlements' tasks, the
  handler or task instance scoping is where to look, not the wiring here.
  Escalates to OwnerApprovalEscalation after 2 days.
-->
<task name="OwnerApproval">
<assignment-handler class="com.saviynt.workflowmgt.RoleOwnerAssignHandlerAllRankApprByOne">
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Esclated By OwnerApproval" to="OwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required"/>
</field>
<field name="nottemplate2">
<string value="Access Request - Request Submitted"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
<transition name="Approved By OwnerApproval" to="GrantAccessHigh"/>
<transition name="Rejected By OwnerApproval" to="RejectAccess"/>
</task>
<!-- Every grant/reject node converges here; the join waits for #{quorum} arrivals before ending the request. -->
<join multiplicity="#{quorum}" name="All Approvals Complete Check">
<transition to="End Request"/>
</join>
<!-- Closes the overall request (reqid) once the join has fired. -->
<java class="com.saviynt.workflowmgt.endrequest"
method="arsendrequest" name="End Request">
<arg>
<object expr="#{reqid}"/>
</arg>
<transition to="endRequest"/>
</java>
<end name="endRequest"/>
</process>