Announcing the SAVIYNT KNOWLEDGE EXCHANGE unifying the Saviynt forums, documentation, training, and more in a single search tool across platforms. Click HERE to read the Announcement.
100% helpful (2/2)
Darshanjain
Saviynt Employee
Saviynt Employee

Use Case

The use case is to configure a workflow to support creation of tasks after all approval requests are complete. 

In an ARS request process, when the user requests for more than one entitlements or role in the same request and the business requirement is that all tasks type account and access gets created only after all level of approvals are competed. Refer below example for more clarity on the use case.

 Scenarios  :  

  • Application Name: App1
  • Requestable Entitlements : 
    1. E1: Risk rating medium
    2. E2: Risk rating high
    3. E3: Risk rating critical
  • Approval Process Risk-based where 
    1. Medium risk-rated entitlements: Level 1 approval only 
    2. High risk-rated entitlements: Level 1, and Level 2 approvals
    3. Critical risk-rated entitlements: Level 1,  Level 2, and Level3 approvals

 

  • User U1 request for App1 with all entitlements in the request (E, E2, and E3)

 Level 1 Approver: Approves E1, E2, and E3 

The request goes to Level 2 Approver 

<< System should not create a task for E1 entitlement as E2 and E3 approval are still in progress >>

 

Level 2 Approver: Approves E2 and E3 

The request goes to Level 3 Approver 

<< System should not create a task for E2 entitlement as E3 approval is still in progress >>

Level 3 Approver: Approves E3 

<< System should create a task for E1, E2, and E3 entitlement  along with account task >>

 

Pre-requisites

  • Workflow Type: Parallel 
  • Approval Process: Multiple levels 
  • ARS Request Type: More than one entitlements or roles in the request 
  • Provisioning Type: Both automated or manual


Applicable Version(s)


3.x and EIC versions

Solution

Saviynt provides a solution that holds the entire tasks creation process during workflow approval until all approval completes. 

Method Name: "All Approvals Complete Check"

This solution won’t support via standard Workflow editor UI version.  Hence we need to make the required changes within workflow XML and reimport it into the system. 

Solution Details : 

Step1: Download the targetted workflow through Saviynt provided “Transport Service” and opens workflow XML file in notepad++ editor. Don’t make any changes in the Saviynt Workflow editor XML  as you may lose the entire UI object flow as it saves into XML

 

Step2: Look  for the to = “grantaccess” in your workflow and replace it with “All Approvals Complete Check”

 

e.g. 

After Level 1 approval, 

 

Before Change : 

<transition name="Approved By Level1" to="grantaccess"/>

 

After change : 

<transition name="Approved By Level1" to="All Approvals Complete Check"/>

 

Repeat the above steps for all level of approvals such as level2 and level3 wherever you send the request to = “grantaccess”. 

 

Step3:  Add the below code snippet within “grantacccess” and also check for the method in 

“com.saviynt.workflowmgt.grantaccess”, it needs to change from createAccess to createAccessForApproved


 <java class="com.saviynt.workflowmgt.grantaccess"

         method="createAccessForApproved" name="grantaccess">

         <arg>

             <object expr="#{requestaccesskey}"/>

         </arg>

         <transition to="End Request"/>

    </java>

    <java class="com.saviynt.workflowmgt.rejectaccess"

         method="denyAccess" name="rejectaccess">

         <arg>

             <object expr="#{requestaccesskey}"/>

         </arg>

         <transition to="End Request"/>

    </java>

    <join multiplicity="#{quorum}" name="All Approvals Complete Check">

        <transition to="grantaccess"/>

    </join>

    <java class="com.saviynt.workflowmgt.endrequest"

         method="arsendrequest" name="End Request">

         <arg>

             <object expr="#{reqid}"/>

         </arg>

        <transition to="endRequest"/>

    </java>

    <end name="endRequest"/>

 

Step4: Before loading the changed XML workflow into the Saviynt system, update the following entries in ‘workflowhistory’ table.

  1. Set the status of this workflow in workflowhistory = 3.
  2. Update the xmldata col with this workflow.
  3. update ‘workflowhistory’ set WFLOADED=0 where WORKFLOWKEY = ;
  4. Saviynt UI approves the workload So that it is approved and loaded successfully

 

Note: You can use the above case for the below requirement as well

In Parallel workflow, if you want to delay task creation till all the items in the request is completed, For example – in SNOW applications, the ticket gets created as per the tasks in service now target application. However, if there are multiple tasks in a single request and the customer does not want multiple tickets for each task in a single request and requirement is One ticket should get created for one request.

Note - once the workflow is changed to xml view it can not be changed back to pictorial view with drag and drop options.

 

Comments
BG_IAM
New Contributor
New Contributor

Hello @Darshanjain,
Testing has shown that the solution functions effectively for requests with accepted entitlements. However, challenges emerge in relation to the 'Reject' action. Specifically, Saviynt doesn't promptly reject a task during the initial click in the rejection process; the decision needs to be repeated. Furthermore, tasks for creating an account and adding access do not generate after all decisions have been made, including at least one 'reject' decision. It appears that there might be a missing component or step in terms of the 'Reject' action. Do you have any insights or ideas on this matter?

Darshanjain
Saviynt Employee
Saviynt Employee

Hi @BG_IAM 

I saw this issue raised by you in one of the tickets and concerned team is checking, ideally it shouldn't work as you said above, there may be a issue with edited xml. Please check it thoroughly and our team will reply on the ticket you raised. 

Shamal19
New Contributor
New Contributor

Hi @Darshanjain 

We tried the above solution for one of our similar use case but facing the below error

org.jbpm.pvm.internal.wire.WireException: method createAccessForApproved(java.lang.Long) is not available on object com.saviynt.workflowmgt.grantaccess

Saviynt Version : 23.8

can you please guide on this?

Thanks

Olesia
Regular Contributor
Regular Contributor

Hi,

 

should it work also for "revoke access" tasks?

We have Access Requests created to add accesses and revoke accesses in the same access request. Our requirements are to have tasks created only if the full access request is approved. 

We followed the above recommendation but still see if "Revoke access" is approved but "Add access" is still pending approval the "Remove access" tasks are created.

Version history
Last update:
‎03/30/2023 10:12 AM
Updated by:
Contributors