
Issues with Approval Task in IDM 7.1

Former Member

Hi,

I have been facing issues with Approval task.

Firstly,

I have created an Approval task with 'Mskeyvalue' and 'Mxref_mx_privilege' as attributes.

I am having a problem in the Approvers workflow UI, where we see these approvals.

It not only displays the requested privilege, but also the already provisioned privileges of the end user to the approver.

He will not be able to recognize which privilege has been requested.

Is this an already known issue which has been sorted out in recently updated patches?

If not, can you suggest a solution for this?

Secondly,

The privilege requested by the end-user is getting provisioned to the backend, even before it is approved.

Since Provisioning tasks are mapped through repository, privileges are getting provisioned as soon as an entry is made into the Identity Stores.

But ideally the requested privilege should not be provisioned to the backend until it is approved by the Approver.

Is this an already known issue which has been sorted out in recently updated patches?

If not, can you suggest a solution for this?

Thanks and Regards,

Joel

Edited by: Joel Sundararajan Davis on Jul 16, 2009 11:04 AM

Accepted Solutions (0)

Answers (1)


Former Member

Joel,

I'm afraid the approval process is not quite this simple. You are correct, if you have provisioning set up on the repository for a privilege it will be assigned immediately. The approval task as you are using it works as an 'interrupt' to a process - nothing more.

There is an entry type called pending value that you would need to leverage in order to have privileges requested route for approval. This pending value object is created by default for role requests in 7.1, but I'm not sure how to create a pending value for a privilege.

Which brings to mind a question - is there a reason you want users to request privileges instead of roles? In general I think the security model is set up so that users are assigned roles which contain one or more privileges.

If you do choose to use a role instead of privilege, simply set the attribute MX_APPROVAL_TASK to the id of the approval task you want to use and the system will do the rest. The display you referenced in the first part of your question will always display the current values of the attributes you select for the user, so don't try to display the roles there - just display the user id, name, whatever else is helpful and when the approver clicks on the user id they will get the approval details which will include the requested role.

Also, please note that if you would like to assign a role directly anywhere (bypass approvals) you can use the switch: {direct_reference=1}

-Geoff

srilakshmi_s2

Hi,

Has anyone heard of this issue in provisioning? If I raise a request (person to role) and it gets rejected in GRC-CUP, I get the status in IDM as rejected. However, if I want to raise another request for the same role assignment, then it's not reaching GRC. Any idea why this happens?

Thanks a lot