
Auto-Approval of "Approved Teams" (ALTERNATIVE to WORKFLOW)

haardik_verma
Regular Contributor

We have the following requirement:

 

Query an AD group to determine whether an ‘access requestor’ ultimately reports into one of the listed names. (AD Group filled with names of persons who are the hierarchical head of ‘approved teams’)
 
So, simply put, there will be an ‘approved teams’ group with, suppose, 5 people A, B, C, D, E, and these are managers.
Now the requirement is: if someone requests from ARS and he/she/they has a manager who is one of A, B, C, D, E, then their request should be auto-approved.

We know this can be done using workflows, but we are looking to achieve this with something OTHER than WORKFLOW (due to the complexity of making and maintaining workflows).
 
Is it possible? Is there any other way to do this, apart from workflows?

Thanks & Regards,
Haardik Verma

rushikeshvartak
All-Star

Request approval is always done via workflow, so the easy way is below:

- Create a dynamic attribute which will check whether the requestor/requestee manager is part of the list (you can use some customproperty of users or create a user group for A, B, C, D, E) and, if it's satisfied, display 'No Approval Required', else 'Approval Required', using CASE WHEN THEN SQL logic.

In the workflow, use an if-else block and check the value of the dynamic attribute: if it's 'No Approval Required', send to auto approval, else to the approval flow.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Hi Rushikesh,

Can you please help me out with Dynamic Attributes as I have never worked with those before.

I tried the below options to achieve the requirement:

1) I gave a value to one of the customproperty of one of the managers (suppose I gave "Do Auto Approve" value in customproperty43 of manager 'A'). Then I added if else block in workflow and wrote the following logic : manager.customproperty43=='Do Auto Approve' . True part of this if else block goes to auto approve and false part goes to rest of the workflow. So if the requestor's manager is 'A' , then according to the workflow, it will get auto-approved.

Now the above thing is completely manual and if new members need to be added to the proposed "Approved teams" then I will have to manually update cp43 for them with that value.

Now the maximum automation that I have thought of till now is to create a user group (suppose named "Approved_Teams", containing managers A, B, C, D and room for more to be added in future) and create a custom query job that updates cp43 for every user that is present in that user group, and schedule this job for, say, once a day. So now we just have to add new managers to the user group, and the rest will be done automatically via the custom query job and workflow. But it will not be instant; it will have to wait for the schedule of the job.

 

Now, what is a dynamic attribute? Where can I use it to make the above thing better?

And also, is there any way to bypass all this and directly write some logic related to the user group in the if-else block of the workflow? I tried a few things in the workflow like:

  • manager in user_groupkey(8)
  • manager.groupID=='8'
  • manager.userkey==(usergroup_users.userkey) and(user_groups.user_groupname=='approved_team') and (......

but none of these worked. I was hoping that if this works in any way, it would be the best solution, I guess. But I don't know if that can even possibly work. Because if it does work, we wouldn't even have to use any customproperty or custom query job and also, this will be applied instantly.

Thanks in advance for your reply.


Thanks & Regards,
Haardik Verma

1. Create a dynamic attribute named 'GRP_WF' with the below SQL query:

select case when ${REQUESTOR} in (select username from usergroup_users uu, user_groups ug where uu.user_groupkey=ug.usergroupkey and ug.user_groupname like 'Approved_Teams') then 'No Approval Required' else 'Approval Required' end as id from dual

2. Use the above GRP_WF in the if-else block of the workflow:

(dynamicAttributes.get('GRP_WF') eq 'No Approval Required')

3. If true, redirect to Grant, else to additional approval.


Regards,
Rushikesh Vartak

Hi Rushikesh,
Thanks for replying.

But sorry, I still don't understand where I create dynamic attributes. Where do I see an option to create one?

And how is the above implementation different from using a customproperty instead of a dynamic attribute? And does using this dynamic attribute give us any advantage in the long run as compared to a custom property?

 

EDIT 1:  Sorry, I got the Dynamic Attribute under Endpoint. 

I have set it up as seen below in screenshot:

haardik_verma_0-1660725459992.png

But this is not working properly. I made the changes as you said in the workflow and dynamic attribute and checked all the names correctly.
If I request Salesforce for someone whose manager is not in the approved teams user group, it goes for approval, and also, in the final step of the request page, it shows the dynamic attribute value as "Approval_Required" (I am assuming that this is because I specified the default values in the dynamic attribute).

haardik_verma_3-1660726138234.png

 

Now when I request for someone whose manager is in approved teams, there is no value in the dynamic attribute on the request page. It is blank.

haardik_verma_2-1660725996728.png

 

EDIT 2: 

I found the below in Saviynt documentation about workflow (Workflow Components : Customer Portal (freshdesk.com)):

haardik_verma_4-1660727652934.png

Is this causing any issue?

 


Thanks & Regards,
Haardik Verma

It seems you are creating a dynamic attribute for the first time. Please refer to the Saviynt documentation.

  • Attribute type should be single select SQL
  • Query should be added in values, not in action string
  • In the workflow you have to use the attribute name, not customproperty; the example in the documentation is related to create user

Regards,
Rushikesh Vartak

Hi
I made some changes in the dynamic attributes query and it is working perfectly now.

Current Query :

select case when ${REQUESTEE} in (select userkey from users where manager in (select userkey from usergroup_users uu, user_groups ug where uu.user_groupkey=ug.usergroupkey and ug.user_groupname like 'Approved_Teams')) then 'No_Approval_Required' else 'Approval_Required' end as id from dual

While implementing this, we will have to add dynamic attribute to every single endpoint and change every single workflow. Do you have anything in mind that might help us in automating this? We have 25-30 endpoints currently and more are to be added in near future. We will have to manually add a dynamic attribute for all of them individually.

This was the reason I was asking for a way to use "user group" directly in workflow.

I got this suggestion from a senior regarding user groups directly in workflow:

"As per documentation, there is no object exposed for UserGroup.

So you will have to use a custom assignment object where you can fetch members from UserGroup; then in that custom assignment you will have to write logic in such a way that IF the manager is one of the members of that UserGroup, then assignment will be done for the requester (so that it will get auto-approved), ELSE assign it to the user's manager.

This will solve your problem"

But I am still not sure If we will be able to achieve the requirement with this. Can you validate this please?


Thanks & Regards,
Haardik Verma

The User Group object is not exposed in workflow.

You can use the same workflow for all applications where it follows the same logic, and keep the group name dynamic: ${endpointName}_Approved_Teams

You will get the endpoint name from the request.


Regards,
Rushikesh Vartak
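
Added example (not code from any poster in this thread or from Saviynt): the working direct-manager query from the thread next to a variant that walks the whole reporting chain, which is what the original "ultimately reports into" requirement asks for and goes beyond what the thread implemented. Assumptions: SQLite stands in for the product database, the schema and rows are constructed from the column names seen in the thread, `:u` replaces `${REQUESTEE}`, and recursive CTE support in the real database is not confirmed by the thread.

```python
import sqlite3

# Constructed schema: table/column names follow the queries in the thread.
# SQLite is a stand-in database; :u takes the place of ${REQUESTEE}.
SCHEMA = """
create table users (userkey integer primary key, username text, manager integer);
create table user_groups (usergroupkey integer primary key, user_groupname text);
create table usergroup_users (user_groupkey integer, userkey integer);
"""
GROUP = """select uu.userkey from usergroup_users uu
  join user_groups ug on uu.user_groupkey = ug.usergroupkey
  where ug.user_groupname = 'Approved_Teams'"""

# Direct-manager check: same logic as the working query in the thread.
DIRECT = f"""select case when exists (
  select 1 from users where userkey = :u and manager in ({GROUP}))
  then 'No_Approval_Required' else 'Approval_Required' end"""

# Thread's spelling with LIKE: '_' is a one-character wildcard, so other
# group names (e.g. 'Approved-Teams') also grant auto-approval.
DIRECT_LIKE = DIRECT.replace("= 'Approved_Teams'", "like 'Approved_Teams'")

# Walk the reporting chain upward; the depth cap stops manager loops.
CHAIN = f"""with recursive chain(mgr, depth) as (
  select manager, 1 from users where userkey = :u
  union all
  select u.manager, c.depth + 1 from chain c
    join users u on u.userkey = c.mgr where c.depth < 20)
select case when exists (select 1 from chain where mgr in ({GROUP}))
  then 'No_Approval_Required' else 'Approval_Required' end"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed org: A(1) heads an approved team, B(2) reports to A,
    # C(3) reports to B; X(4) and Y(5) manage each other (bad data loop).
    db.executemany("insert into users values (?,?,?)",
        [(1, "A", None), (2, "B", 1), (3, "C", 2), (4, "X", 5), (5, "Y", 4)])
    db.executemany("insert into user_groups values (?,?)",
        [(8, "Approved_Teams"), (9, "Approved-Teams")])
    db.executemany("insert into usergroup_users values (?,?)", [(8, 1), (9, 5)])
    return db

def decide(db, query, requestee):
    return db.execute(query, {"u": requestee}).fetchone()[0]

if __name__ == "__main__":
    db = build_db()
    for key in (1, 2, 3, 4):
        print(key, decide(db, DIRECT, key), decide(db, DIRECT_LIKE, key), decide(db, CHAIN, key))
```

C is auto-approved only by the chain query, and X is auto-approved only by the LIKE form, because Y sits in a differently named group that the `_` wildcard happens to match.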