and more in a single search tool across platforms. Read the announcement here. |
07/14/2022 01:05 AM
Hi,
In the workflow If/Else condition, how do I check if the requestedBy user is part of a specific usergroup and if the requesting entitlement is part of that usergroup entitlement?
Solved! Go to Solution.
07/14/2022 05:39 AM - edited 07/14/2022 05:41 AM
You can not check usergroup members in if else block however below are workaround
Can we add entitlements under usergroup ?
07/14/2022 07:29 AM - edited 07/14/2022 07:59 AM
Thanks @rushikeshvartak for the response.. But isnt the 'Custom Assignment' block delegates the approval, rather then doing an if-else condition?
Yes, entitlements can be added in the usergroup.
My usecase is as below:
1. There are usergroups with a list of users and entitlements
2. If a user belonging to the usergroup requests access to any of the entitlements in the usergroup, then it has one workflow approval path and if not, it takes a different workflow approval path
3. A user can belong to one or more usergroups and likewise, an entitlement as well can belong to multiple user groups. So its difficult to use one dynamic attribute...
I would like to be able to use a query like below. If this return records, then one approval path and if not another approval path..
select count(ug.user_groupname)
from
user_groups ug,
usergroup_users ugu,
usergroup_entitlements uge
where
ugu.user_groupkey = ug.usergroupkey and
ug.usergroupkey = uge.user_groupkey and
ug.user_groupname like 'groupnameprefix_%' and
ugu.userkey = RequestedFor.userkey and
uge.entitlement_valuekey = entitlement.id
Any suggestion on how to achieve this in the ARS approval workflow?
07/14/2022 07:47 AM
You can use Custom assignment Block with Custom Query
Sample query- you need to make complex query with ${ARSREQUEST.Requestor}
select ug.USER_GROUPNAME,u.username from usergroup_users ua,users u ,user_groups ug where ug.USERGROUPKEY=ua.USER_GROUPKEY and u.userkey=ua.userkey
07/15/2022 05:35 AM - edited 07/15/2022 05:36 AM
Thanks @rushikeshvartak . What attribute should I use to get the requestee details in the workflow?
Only '${requestedby.username}' works. but then this gives the 'Requestor' details. But I need the 'Requestee' details
I'm trying to reference the requestee in the custom query using multiple ways.. but not able to get the requestee value from the ARS Request. What attribute should I use?
select userkey from users where username = '${RequestedFor.username}'
select userkey from users where userkey = '${RequestedFor.userkey}'
select userkey from users where username = '${ARSRequest.REQUESTOR}'
Cant find much in Saivynt documentation as well.
07/15/2022 05:41 AM
${ARSREQUEST.requestor}
07/15/2022 06:20 AM
${ARSREQUEST.requestor} seems to give only the 'Requestor' details and not the Requestee details.. Eg. if a user (Requestor) is requesting for another user (Requestee), then the above attribute is giving only the details of the person who is requesting and not the details for whom he is requesting..
Is there any other attribute in ARSREQUEST object that I can use?
07/15/2022 06:28 AM
join table with request_Access based on ${ARSREQUEST.id} & get requestee from userkey column of request_access table
select ra.userkey from request_Access ra,ars_requests ar where ra.requestkey=ar.requestkey and ar.requestkey= ${ARSREQUEST.id}
07/15/2022 11:22 AM
Thanks @rushikeshvartak. The above solution worked. I'm using this custom query to check if the requestee is part of a usergroup having entitlement that he is requesting. If so, it should be auto approved (which I'm able to achieve), If the query doesn't find any records, then it should transfer the approval to Mgr and Ent Owner. But when there is no result, the custom query returns null and 'Custom Assignment' object sends the approval to Saviynt 'Admin' for approval. I can alter the query itself to return the Mgr and Ent Owner records so the approval is transferred to them. The 'Custom Assignment' object has 'Approve', 'Reject' and 'Escalate' outputs only. Is there a simple way to capture the null record from the 'Custom Assignment' object and then pass on to 'Mgr Approval' object?
07/15/2022 01:21 PM
Please share query. else you can use case when then logic in case if its null assign to manager/ent owner
07/16/2022 09:15 AM - edited 07/16/2022 09:17 AM
hi @rushikeshvartak, thanks for the reply. When I was checking I noticed that the ${user.id} returns the Requestee details. So I'm directly using this ${user.id} attribute itself.
I have the below query. It works fine in Data Analyzer, but is not returning data in the workflow. The if condition returns the 'Requestor' itself if the requestee/entitlement combination exists in usergroup so that it is auto-approved and in the else condition, when no such combination exists, it returns the manager and ent owner for approval.
Am I missing anything here?
SELECT u.userkey
FROM
users u
WHERE
CASE WHEN
EXISTS (SELECT ugu.userkey
FROM
user_groups ug,
usergroup_users ugu,
usergroup_entitlements uge
WHERE
ug.usergroupkey = ugu.user_groupkey and
uge.user_groupkey = ug.usergroupkey and
ug.user_groupname like '<usergroupprefix>_%' and
uge.entitlement_valuekey = ${REQUESTACCESSOBJ.id} and
ugu.userkey = ${user.id})
THEN u.userkey = ${ARSREQUEST.REQUESTOR}
ELSE
u.userkey IN (
select manager from users where userkey = ${user.id}
UNION
select userkey from entitlement_owners where entitlement_valuekey=${REQUESTACCESSOBJ.id} and rank = 1
)
END
07/16/2022 05:40 PM - edited 07/16/2022 05:40 PM
In workflow Customquery always use alias as userkey
SELECT u.userkey
FROM
users u
WHERE
CASE WHEN
EXISTS (SELECT ugu.userkey
FROM
user_groups ug,
usergroup_users ugu,
usergroup_entitlements uge
WHERE
ug.usergroupkey = ugu.user_groupkey and
uge.user_groupkey = ug.usergroupkey and
ug.user_groupname like '<usergroupprefix>_%' and
uge.entitlement_valuekey = ${REQUESTACCESSOBJ.id} and
ugu.userkey = ${user.id})
THEN u.userkey = ${ARSREQUEST.REQUESTOR}
ELSE
u.userkey IN (
select manager as userkey from users where userkey = ${user.id}
UNION
select userkey from entitlement_owners where entitlement_valuekey=${REQUESTACCESSOBJ.id} and rank = 1
)
END
07/17/2022 01:44 AM - edited 07/17/2022 01:50 AM
Thanks @rushikeshvartak . Tried the above and also tried different ways.. All of these works fine in Data Analyzer.. but is not fetching records in workflow custom query. Any idea why its not working? Is there any special characters that I shouldnt use or query length restrictions?? But the app log doesnt give any error, but only returns null.
07/17/2022 09:45 PM
SELECT case when(select ugu.userkey from user_groups ug,usergroup_users ugu,usergroup_entitlements uge WHERE ug.usergroupkey = ugu.user_groupkey and uge.user_groupkey = ug.usergroupkey and ug.user_groupname like 'PREAPPR_%' and uge.entitlement_valuekey = 1 and ugu.userkey = ${user.id} )is null then ${ARSREQUEST.REQUESTOR} else (select ${user.manager} as userkey from dual union select userkey from entitlement_owners where entitlement_valuekey=${REQUESTACCESSOBJ.id} and rank = 1) end as userkey from dual
07/18/2022 12:48 AM
Thanks @rushikeshvartak .. Tried this as well... but no luck ☹️ No records are returning.. In the meantime, I've raised Saviynt ticket.
07/26/2022 02:53 AM
Hi @rushikeshvartak ,
While my ticket is still pending with Saviynt, I want to know how I can get the auto-approval work when the 'requestee-entitlement that he is requesting' is part of a specific user group? Basically the user-entitlement combination in the usergroup should get auto-approved.
In the above query, I'm checking if the user-entitlement combination exists in a usergroup and if yes, I'm returning the 'requestor' itself so it can get auto-approved. But requestor-requestee can be the same person which might trigger an SOD condition.
In such situation, how can I get the auto-approval working? Any thoughts?
08/03/2022 05:23 AM
Hi Asha,
Did you find a way to handle auto approval?
08/03/2022 06:19 AM - edited 08/05/2022 04:24 AM
.
08/05/2022 12:46 AM
@rushikeshvartak ... I modified the ${ARSREQUEST.REQUESTOR} to ${requestedby.id} and it worked.. The entitlements in the usergroup are getting autoapproved.
08/05/2022 04:11 AM
Did you validated request for self
Since requestor and requested for will be same what will happen with and without sod
08/05/2022 05:38 AM
Yes... I did for self and also tried 'Request for Others'... both worked..
08/05/2022 12:45 AM
Yes.. I was able to get this working. I used the below Custom Query and it worked..
SELECT u.userkey
FROM
users u
WHERE
CASE WHEN
EXISTS (SELECT ugu.userkey
FROM
user_groups ug,
usergroup_users ugu,
usergroup_entitlements uge
WHERE
ug.usergroupkey = ugu.user_groupkey and
uge.user_groupkey = ug.usergroupkey and
ug.user_groupname like '<usergroupprefix>_%' and
uge.entitlement_valuekey = ${REQUESTACCESSOBJ.id} and
ugu.userkey = ${user.id})
THEN u.userkey = ${requestedby.id}
ELSE
u.userkey IN (
select manager from users where userkey = ${user.id}
UNION
select userkey from entitlement_owners where entitlement_valuekey=${REQUESTACCESSOBJ.id} and rank = 1
)
END
09/09/2022 02:49 AM
Hi @Asha Could you please share a screenshot of the workflow editor?