Saviynt Forums

No, I'm using the Access Approval node. I will swap that out with Resource Owner and give it a try.

This did not work. It looks like the Resource Owners is the Endpoint Owner, not the entitlement owner.

Hello,

Yes, Access Approval is the correct node to be used. We would request you to raise a support ticket for this as the behaviour is not as expected. Each individual entitlement should go to approval for their respective owner. We can select if one owner approval or all owner approval is required, but different owner approval should not approve the approval for other entitlements.

Maybe Request Approval details page or Task History showing all owners name but ideally it should go as per workflow config. Please provide wiring screenshot so that it will easy to identify further

I don't have an issue with the Request Approval page showing all entitlements in the request but it lets any approver/owner approve ALL entitlements, even entitlements they do not own. I have opened a ticket and waiting for support to respond.

Wiring is large but here is the XML:

<?xml version="1.0" encoding="UTF-8"?>
<process key="ADGroupManagementApproval"
name="ADGroupManagementApproval" xmlns="http://jbpm.org/4.4/jpdl">
<start name="Start">
<transition to="foreachAccessRequest"/>
</start>
<foreach in="#{RequestAccessKeys}" name="foreachAccessRequest" var="requestaccesskey">
<transition to="CheckAccountExists"/>
</foreach>
<decision name="CheckConfidentialityCritical">
<transition to="RejectAccessCritical">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 5) eq true }"/>
</transition>
<transition to="CheckConfidentialityHigh">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 5) ne true }"/>
</transition>
</decision>
<decision name="CheckConfidentialityHigh">
<transition to="CheckRequestTypeAdd">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == null) or (entitlementslist.get(requestaccesskey).confidentiality == 4) or (entitlementslist.get(requestaccesskey).confidentiality == 0)) eq true }"/>
</transition>
<transition to="CheckConfidentialityMedium">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == null) or (entitlementslist.get(requestaccesskey).confidentiality == 4) or (entitlementslist.get(requestaccesskey).confidentiality == 0)) ne true }"/>
</transition>
</decision>
<decision name="CheckConfidentialityMedium">
<transition to="CheckOwnerSize2">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 3) eq true }"/>
</transition>
<transition to="CheckConfidentialityLowVeryLow">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 3) ne true }"/>
</transition>
</decision>
<decision name="CheckConfidentialityLowVeryLow">
<transition to="GrantAccessLow">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == 2) or (entitlementslist.get(requestaccesskey).confidentiality == 1)) eq true }"/>
</transition>
<transition to="RejectAccessNoConfidentiality">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == 2) or (entitlementslist.get(requestaccesskey).confidentiality == 1)) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessMedium">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Alert Notification___GrantAccessMedium"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccess">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected___RejectAccess"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessLow">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessHigh">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<task name="DefaultOwnerApproval">
<transition name="Esclated By DefaultOwnerApproval" to="DefaultOwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<assignment-handler class="com.saviynt.workflowmgt.ArsCustomAssignmentHandler">
<field name="fieldname">
<string value="UserGroup___Default AD Group Approvers___Any Owner Approval Required"/>
</field>
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Approved By DefaultOwnerApproval" to="GrantAccessHigh"/>
<transition name="Rejected By DefaultOwnerApproval" to="RejectAccess"/>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required - Default Owner"/>
</field>
<field name="nottemplate2">
<string value="Access Request - Request Submitted"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
</task>
<decision name="CheckOwnerSize">
<transition to="OwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) eq true }"/>
</transition>
<transition to="DefaultOwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessNoConfidentiality">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - No Confidentiality___RejectAccessNoConfidentiality"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<decision name="CheckAccountExists">
<transition to="RejectAccessNoAccount">
<condition expr="#{(requestcounts.NEW_ACC_REQUESTS_COUNT > 0) eq true }"/>
</transition>
<transition to="CheckConfidentialityCritical">
<condition expr="#{(requestcounts.NEW_ACC_REQUESTS_COUNT > 0) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessNoAccount">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - No Account___RejectAccessNoAccount"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<decision name="CheckOwnerSize2">
<transition to="GrantAccessMedium">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) eq true }"/>
</transition>
<transition to="DefaultOwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) ne true }"/>
</transition>
</decision>
<decision name="CheckRequestTypeAdd">
<transition to="CheckOwnerSize">
<condition expr="#{(ars_requests.requesttype == 1) eq true }"/>
</transition>
<transition to="CheckRequestTypeRemove">
<condition expr="#{(ars_requests.requesttype == 1) ne true }"/>
</transition>
</decision>
<decision name="CheckRequestTypeRemove">
<transition to="GrantAccessHigh">
<condition expr="#{((ars_requests.requesttype == 2) and (requestedby.username == user.username)) eq true }"/>
</transition>
<transition to="CheckOwnerSize">
<condition expr="#{((ars_requests.requesttype == 2) and (requestedby.username == user.username)) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessCritical">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - Closed Group___RejectAccessCritical"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<task name="DefaultOwnerApprovalEscalation">
<transition name="Esclated By DefaultOwnerApprovalEscalation" to="DefaultOwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<assignment-handler class="com.saviynt.workflowmgt.ArsCustomAssignmentHandler">
<field name="fieldname">
<string value="UserGroup___Default AD Group Approvers___Any Owner Approval Required"/>
</field>
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Approved By DefaultOwnerApprovalEscalation" to="GrantAccessHigh"/>
<transition name="Rejected By DefaultOwnerApprovalEscalation" to="RejectAccess"/>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required - Default Owner"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
</task>
<task name="OwnerApprovalEscalation">
<assignment-handler class="com.saviynt.workflowmgt.RoleOwnerAssignHandlerAllRankApprByOne">
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Esclated By OwnerApprovalEscalation" to="OwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
<transition name="Approved By OwnerApprovalEscalation" to="GrantAccessHigh"/>
<transition name="Rejected By OwnerApprovalEscalation" to="RejectAccess"/>
</task>
<task name="OwnerApproval">
<assignment-handler class="com.saviynt.workflowmgt.RoleOwnerAssignHandlerAllRankApprByOne">
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Esclated By OwnerApproval" to="OwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required"/>
</field>
<field name="nottemplate2">
<string value="Access Request - Request Submitted"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
<transition name="Approved By OwnerApproval" to="GrantAccessHigh"/>
<transition name="Rejected By OwnerApproval" to="RejectAccess"/>
</task>
<join multiplicity="#{quorum}" name="All Approvals Complete Check">
<transition to="End Request"/>
</join>
<java class="com.saviynt.workflowmgt.endrequest"
method="arsendrequest" name="End Request">
<arg>
<object expr="#{reqid}"/>
</arg>
<transition to="endRequest"/>
</java>
<end name="endRequest"/>
</process>