Workflow is not working as expected - Requests getting AUTOAPPROVE

haardik_verma
Regular Contributor
The Workflow in our environment that is configured for AD & Azure AD systems is not working as expected.
 
At the beginning of the workflow, there is an If-Else block that ensures that in the case of self access removal (if the requestor and beneficiary are the same and the request is for access removal only), the request should be auto-approved. All other cases, like access addition or even access removal done on behalf, will go for respective approvals.
 
The approval type is decided by the entitlement's cp20.

(user.username == requestedby.username) and (requestcounts.ADD_ACCESS_REQUESTS_COUNT == 0)

 
 
Now we are testing and planning for Disconnected Systems. We used ENDPOINTS_FILTER of AD connection to create logical endpoints for every disconnected system. These endpoints, as they come under AD security system, also follow the same workflow.
 
The requirement is that for every case of request made for disconnected systems endpoints, the request should go for respective approvals and should not be auto-approved.
All the self-removal access requests for normal AD and Azure AD endpoints should still be getting auto-approved as before.
 
We tried the below logic in the same If-Else block:
(user.username == requestedby.username) and (requestcounts.ADD_ACCESS_REQUESTS_COUNT == 0) and (endpoints.endpointname.toLowerCase().contains('disconnected') == false) and (entitlement.entitlement_value.toLowerCase().contains('disconnected') == false)
This was tested and was working as expected last week. But this week all the self-removal of accesses for disconnected systems endpoints started getting auto-approved.
 
We tried variations in logic, tried to split the logic into 2 different If-Else blocks, tried keeping the Expression Language as Groovy and also leaving it on 'Select', but nothing worked... All the self-removal requests for disconnected systems were still getting auto-approved.
 
To test if there was something wrong with our logic or with the workflow, we added a manager's block.
Now there is NO LOGICAL WAY for requests to get autoapproved. But they still are getting auto-approved.
 
Please check this. If the workflow is corrupted (is this possible?)

Thanks & Regards,
Haardik Verma
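
A stand-alone model of the routing rule described in this post, as an added example that is not part of the original post and is not Saviynt code. It evaluates the same condition (requestor equals beneficiary, no add-access items, no 'disconnected' in endpoint name or entitlement value) over constructed requests, and goes beyond the posted expression by sending a request to approval when an attribute is missing or when any item of a multi-item request is disconnected. The Item and Request classes, route() and every sample value are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

MARKER = "disconnected"  # substring the thread's condition checks for

@dataclass
class Item:  # one requested entitlement (hypothetical model, not a Saviynt object)
    endpoint_name: Optional[str]
    entitlement_value: Optional[str]
    action: str  # "ADD" or "REMOVE"

@dataclass
class Request:
    requestor: str
    beneficiary: str
    items: List[Item]

def needs_review(value: Optional[str]) -> bool:
    # Fail closed: a missing attribute is treated like a disconnected system.
    return value is None or MARKER in value.lower()

def route(req: Request) -> str:
    """AUTOAPPROVE only for self-service removals on connected endpoints."""
    if not req.items or req.requestor != req.beneficiary:
        return "APPROVAL"
    if any(i.action != "REMOVE" for i in req.items):  # adds or unknown actions
        return "APPROVAL"
    if any(needs_review(i.endpoint_name) or needs_review(i.entitlement_value)
           for i in req.items):
        return "APPROVAL"
    return "AUTOAPPROVE"

# Constructed sample requests (user and group names are illustrative only).
AD = Item("Active Directory", "CN=Finance Readers", "REMOVE")
DISC = Item("Disconnected-X", "Disconnected System X - Access B", "REMOVE")
NO_EP = Item(None, "CN=Finance Readers", "REMOVE")
ADD = Item("Active Directory", "CN=Finance Readers", "ADD")
SAMPLES = {
    "self removal, AD": Request("alice", "alice", [AD]),
    "self removal, disconnected": Request("alice", "alice", [DISC]),
    "self removal, mixed items": Request("alice", "alice", [AD, DISC]),
    "self removal, endpoint name missing": Request("alice", "alice", [NO_EP]),
    "on-behalf removal, AD": Request("bob", "alice", [AD]),
    "self add, AD": Request("alice", "alice", [ADD]),
}

def route_all() -> dict:
    return {name: route(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, decision in route_all().items():
        print(f"{name:38} -> {decision}")
```

Running the same sample matrix through the real workflow and comparing the decisions row by row separates a fault in the expression from a fault in how the platform evaluates it.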

rushikeshvartak
All-Star

Remove groovy from select expressions 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

I tried that as well.. kept the expression language on 'select'.

But still it is behaving that way.

I raised a ticket on Freshdesk, we had a call where I explained everything and they agreed that this is something that should have worked, they also captured logs. But they directed me towards forums for expert consultation.


Thanks & Regards,
Haardik Verma

share latest wiring


Regards,
Rushikesh Vartak

Hi @rushikeshvartak 

PFA latest workflow export zip file

----------------------------------------------------------------------

Endpoint Name: Disconnected-X

Entitlement_Value: CN=Disconnected System X Access B,OU=Disconnected System X,OU=Disconnected,OU=****,OU=****,DC=****,DC=****

Entitlement Display Name (because the request considers the display name as entitlement_value): Disconnected System X - Access B

--------------------------------------------------------------------------


 


Thanks & Regards,
Haardik Verma

Hi @rushikeshvartak ,

Any luck on this? I tried in my environment but still getting auto-approved.. Can you please check in your system.. I have added the workflow extract in previous comment.


Thanks & Regards,
Haardik Verma

vikasjv
Saviynt Employee

Hi @haardik_verma,

Request you to create two different workflows for add access and remove access.
And also, please confirm whether any recent upgrade has happened.

Hi @vikasjv ,

There was NO upgrade/migration process done recently.

Can you please suggest some method to achieve the requirement using the existing single workflow?

There are 2 main endpoints already using this workflow..


Thanks & Regards,
Haardik Verma