Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Workflow / If/Else block condition for account and entitlement

ankitalande
New Contributor II
New Contributor II

Hi,

We have a requirement to design a two level work flow, once user requests for account and entitlement access to an application both the request (account and entitlement) should go to manager and once approved both the entitlement (account and access) request should go to the base on the entitlement category define usergroup. if (entitlement related hr team then both the request (account and entitlement) request goes to user1 and user2 and if entitlement related finance team then both the request (account and entitlement) goes to user3 and user4.

I created a parellel workflow but facing issue with account request approval for account approval request stuck with manager only not goint to forward. entitlement request are working fine.


I tried the following syntax for if else condition.

((ars_requests.requesttype==3) or (entitlement.customproperty1.contains('HR_Team')))

for this if part working fine but in else part only entitlement request go forward and account request stuck with manager approval.

I also try with this condition.

((ars_requests.requesttype==3) and (entitlement.customproperty1.contains('HR_Team'))) or (entitlement.customproperty1.contains('Finance_Team'))

Kindly provide me the solution for this. How we achieve this.

13 REPLIES 13

rushikeshvartak
All-Star
All-Star

Entitlement is related to HR is decided how ?

You don’t need to add if else use custom assignment block and create group with same naming conventions which will solve your problem


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

ankitalande
New Contributor II
New Contributor II

In Entitlement custom property 1 I set the HR_Team.

I already set the custom assignment and create user group. After manager approval request goes to the HR_Team or Finance Team base on incoming entitlement type.

If use not use If/Else block then, how we identify that (account  and entitlement) request goes further which user group?

 

Share wf wiring and request form screenshot 


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

wf_SS.png

This is workflow, After manager approval it goes to If/Else block.

re_ss.png

For Add Account Request goes to Manager after manager request again goes to manger and for Add access task request goes to further user group.

For Add (Account and Entitlement) Both request go user group1.

adriencosson
Valued Contributor
Valued Contributor

Hi @ankitalande,

An easy workaround for this use case is to set the Security System's attribute called "Create Task Action" to "EntitlementsOnly".

This will provide the below scenario :

  • Manager will still be able to approve the account request along with the access.
  • Once approved, the designed User Group will perform approval of the access
  • Account will only be provisioned if one of the access has been approved by the second-level approvers.

This also eases the user experience of second-level approvers that can focus on approving access.

Hope this helps !

Regards,
Adrien COSSON

ankitalande
New Contributor II
New Contributor II

We must create the add account and add access task both as well. Our if part is working fine only issue with else part.

adriencosson
Valued Contributor
Valued Contributor

Hi @ankitalande ,

Why is the Add Account task required ?

Note that even if you see only "Add Access" tasks in the Pending Tasks list, Saviynt will provision a new account if it does not exist yet, and add the access accordingly to the created account.

Regards,
Adrien COSSON

ankitalande
New Contributor II
New Contributor II

I need both the task created. 

Please provide the solution, If you have any idea.

adriencosson
Valued Contributor
Valued Contributor

Hi @ankitalande,

Could you please develop on why the New account task is necessary since the above option will still create the account whenever there will at least an access provided ?

By any chance, does your application requires to enable end users to request for an account only ?

If so, EntitlementsOnly on "Create Task Action" is not an option for you to go with.

Regards,
Adrien COSSON

I try this solution but still facing same issue..

 

ankitalande
New Contributor II
New Contributor II

Can we achieve this using Entitlement owner rank 1 and rank2 using custom Query?

Please suggest the way how to achieve this?

 

adriencosson
Valued Contributor
Valued Contributor

Hi @ankitalande ,

Yes using Custom Assignment you can get owners based on rank following below query :

select u.userkey from users u left join entitlement_owners eo on eo.userkey=u.userkey left join entitlement_values ev on ev.ENTITLEMENT_VALUEKEY=eo.ENTITLEMENT_VALUEKEY where ev.ENTITLEMENT_VALUEKEY=${REQUESTACCESSOBJ.id} and eo.rank=1
Regards,
Adrien COSSON

ankitalande
New Contributor II
New Contributor II

For add account and add access request goes to entitlement rank1 and rank2 owner. 

Can we achieve this in custom query?     If yes then suggest the solution..