Workflow Logic issues - separating new account and add access flow

BrandonLucas_BF
Regular Contributor III

I have a situation where most application roles have role owners and need approval, but some of them do not and can be auto approved. On the auto approve application roles, I have set customproperty1 to equal 'AutoApprove'.

I need to design my workflow logic such that for add access requests, it looks for whether or not there is a role owner, and if there is then assign for approval. If there is not, check to see if it is an auto approve CP1 value. If so, grant access. If not, send to a group for an evaluation check/approval.

This workflow is working great for add access request, but when it is part of a new account request, the logic is not making sense. In the screenshot, the red box is the logic followed during add access.  The green box is followed during new account request. However, if the new account request has one of the auto approve roles as part of the request, it always gets assigned to the usergroup custom assignment step. It should instead be completely auto approved end to end and access granted. It seems that when it is a new account request, the variable for entitlement.customproperty1 is showing up as null or something. How can I achieve this use case?

BrandonLucas_BF_0-1701323684873.png

sudeshjaiswal
Saviynt Employee

Hello @BrandonLucas_BF,

You can use an entitlement!=null block to differentiate new account and add access items, or keep SecuritySystem as entitlementsOnly if it is not an issue for you.

Thanks


sk
All-Star

@BrandonLucas_BF: You can use the below condition to detect a new account and send it to a separate block:

ars_requests.requesttype == 3 and entitlement.entitlement_value == null

Regards,
Saathvik

BrandonLucas_BF
Regular Contributor III

@sk This logic works, but I need help understanding it. Here is the adjustment I made to the 'Is it a new account request' IfElse step:

BrandonLucas_BF_0-1701403927727.png

Now I am seeing the correct behavior:

  • New account request with application role where CP1 = 'AutoApprove' gets provisioned without approval. In other words, it follows the False condition, but the entitlement.customproperty1 evaluation occurs correctly for the submitted application role.
  • New account request with app role with an entitlement owner is routed to owner for approval. In other words, it follows the False condition, but the entitlement.ownerRank1 evaluation occurs correctly for the submitted application role.
  • New account request without any app role submitted will auto approve. In other words, it follows the true condition and goes straight to 'Grant Access' step.

But what is the logic here, and how can it be that with a simple adjustment to the IfElse condition I can now suddenly evaluate entitlement properties correctly?

In workflow

  • The Entitlement object is used to store role as well as entitlement metadata.
  • Hence role and entitlement metadata CP1 will be found as the same column in both objects.
  • In the case of role/entitlement, the Entitlement_value column only exists for entitlement, hence it fails and is considered a new account, as the new account object does not have any property similar to role/ent.

Regards,
Rushikesh Vartak

@rushikeshvartak Using a new account request with included entitlements as the example request, are there multiple threads running within the add access workflow at runtime? Example - thread 1 is new account, thread2 is entitlement. How else are the entitlement metadata able to be evaluated by the workflow engine in this way?

In a parallel workflow, each line item is considered separately for approval.


Regards,
Rushikesh Vartak

Thank you both @rushikeshvartak and @sk for the helpful info
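
The routing discussed in this thread, modelled as an added example (not Saviynt code and not from any participant): each line item of a request is evaluated on its own, and the account line item carries no entitlement. The Python field names, the sample role names and the owner `jdoe` are constructed assumptions; only `requesttype == 3`, `entitlement_value`, `ownerRank1`, `customproperty1` and `'AutoApprove'` come from the posts above.

```python
from dataclasses import dataclass
from typing import List, Optional

NEW_ACCOUNT = 3  # ars_requests.requesttype value used in sk's condition


@dataclass
class Entitlement:
    entitlement_value: Optional[str] = None
    owner_rank1: Optional[str] = None        # stands in for entitlement.ownerRank1
    customproperty1: Optional[str] = None    # 'AutoApprove' marks auto-approved roles


@dataclass
class LineItem:
    requesttype: int
    entitlement: Optional[Entitlement] = None  # None models the account line item


def route(item: LineItem) -> str:
    """Route one line item, evaluated independently of the others."""
    ent = item.entitlement
    value = ent.entitlement_value if ent else None
    # sk's condition: requesttype == 3 and entitlement.entitlement_value == null
    if item.requesttype == NEW_ACCOUNT and value is None:
        return "grant"
    if ent and ent.owner_rank1:
        return f"owner-approval:{ent.owner_rank1}"
    if ent and ent.customproperty1 == "AutoApprove":
        return "grant"
    return "usergroup-approval"


def route_request(items: List[LineItem]) -> List[str]:
    return [route(i) for i in items]


# Constructed sample: one new account request carrying three application roles.
SAMPLE = [
    LineItem(NEW_ACCOUNT),  # the account itself, no entitlement attached
    LineItem(NEW_ACCOUNT, Entitlement("APP_ROLE_AUTO", customproperty1="AutoApprove")),
    LineItem(NEW_ACCOUNT, Entitlement("APP_ROLE_OWNED", owner_rank1="jdoe")),
    LineItem(NEW_ACCOUNT, Entitlement("APP_ROLE_PLAIN")),
]

if __name__ == "__main__":
    for item, decision in zip(SAMPLE, route_request(SAMPLE)):
        name = item.entitlement.entitlement_value if item.entitlement else "<account>"
        print(f"{name:15} -> {decision}")
```

In this model the first branch grants any new account line item that has no `entitlement_value`, so it only stays safe as long as every requested role reaches the workflow with that field populated.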