Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SOD Rejection through Workflow

NrupenM
New Contributor II
New Contributor II

‎07/21/2022 12:41 AM

HI team,

We have a requirement where we have to reject the SOD conflicting roles and allow other roles for approval. 

 

We have used SOD > 0 in the workflow and it is rejecting all other roles submitted in the same request. 

Is there a way we can reject only the conflicting entitlements and send remaining entitlements for approval. 

Example: If i have submit for role1 , role2 and role 3 if role1 and role2 have conflict , WF should reject role1 and role 2 and send role 3 for approval. 

Appreciate your response 

2 people had this problem.
0 Kudos
4 REPLIES 4

Nikitaj
Saviynt Employee
Saviynt Employee

‎07/21/2022 02:00 AM

Hi @NrupenM 

Could you please attach the complete workflow?

 


Thanks
Nikita
0 Kudos

NrupenM
New Contributor II
New Contributor II
In response to Nikitaj

‎07/21/2022 02:47 AM

Attached screenshot of the workflow. Please check 

Preview file
1448 KB
0 Kudos

umang28
Regular Contributor
Regular Contributor

‎10/14/2022 07:43 AM

Hello,

I am looking for a similar use case where in if any of the roles in the request are SOD critical should be auto rejected ELSE that are non-critical should go for the normal route of approval/approvals. But when I try to add a if block - 'SODViolation.Critical > 0' the whole request is getting auto rejected when it finds even one SOD critical role.

In the logs looks like the workflow variables irrespective of having multiple roles in a request are considered as a whole so is this scenario achievable?

[https-jsse-nio-8443-exec-24] TRACE services.WorkflowService - workflow variables= [sodevaluationstatus:12, dynamicAttributes:[:], role:Payroll Administrator, SYSCRITICALCOUNT:0, requestduedate:Mon Oct 24 14:34:17 UTC 2022, endpointMap:[:], reqid:4272, RequestAccessKeys:[5487, 5488], requestedby:iamadmin, JRMViolation:[], ars_requests:com.saviynt.ecm.workflow.ARS_Requests : 4272, SOXCRITICALCOUNT:0, requiredrequestornot:, requestedon:Fri Oct 14 14:34:17 UTC 2022, requestaccesskey:5487,5488, RequestedFor:14617, ffidpreapprovedmap:[:], endpoints:[:], entitlementslist:[5488:Payroll Administrator, 5487:MTESTNET AD Basic Azure Account Provisioning], manager:p010, securitysystem:[:], dynamicAttributesReqAccess:[:], quorum:2, SOD:1, entMap:[5488:Payroll Administrator, 5487:MTESTNET AD Basic Azure Account Provisioning], SODViolation:[Critical:1], totalsapaccounts:6, roleownerslist:[], RequestedBy:14363, requestcounts:[NEW_ACC_REQUESTS_COUNT:0, ADD_ACCESS_REQUESTS_COUNT:0, REMOVE_ACCESS_REQUESTS_COUNT:0, MODIFY_ACC_REQUESTS_COUNT:0, DELETE_ACC_REQUESTS_COUNT:0], externalSODViolation:[:], user:T-S404, role_endpoint:WorkDay]

Thanks,

Umang

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to umang28

‎10/14/2022 07:48 AM

Full Request will be auto rejected as workflow is not sure which entitlements are violating the SOD in other terms we don't have any filter to route non SOD request to other route.

However rejecting full reject is correct consider saviynt support partial reject then sod evolution should be done again which is missing here.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
Copyright © 2024 Khoros, LLC