Former Member

Issues with Approval Task in IDM 7.1


I have been facing issues with Approval task.


I have created an Approval task with 'Mskeyvalue' and 'Mxref_mx_privilege' as attributes.

I am having a problem in the Approvers workflow UI, where we see these approvals.

It not only displays the requested privilege, but also the already provisioned privileges of the end user to the approver.

He will not be able to recognize which privilege has been requested.

Is this an already known issue which has been sorted out in recently updated patches?

If not, can you suggest a solution for this?


The privilege requested by the end user is getting provisioned to the backend, even before it is approved.

Since provisioning tasks are mapped through the repository, privileges are getting provisioned as soon as an entry is made into the Identity Stores.

But ideally, the requested privilege should not be provisioned to the backend until it is approved by the approver.

Is this an already known issue which has been sorted out in recently updated patches?

If not, can you suggest a solution for this?

Thanks and Regards,


Edited by: Joel Sundararajan Davis on Jul 16, 2009 11:04 AM


1 Answer

  • Former Member
    Jul 17, 2009 at 05:29 PM


    I'm afraid the approval process is not quite this simple. You are correct, if you have provisioning set up on the repository for a privilege it will be assigned immediately. The approval task as you are using it works as an 'interrupt' to a process - nothing more.

    There is an entry type called pending value that you would need to leverage in order to have privileges requested route for approval. This pending value object is created by default for role requests in 7.1, but I'm not sure how to create a pending value for a privilege.

    Which brings to mind a question - is there a reason you want users to request privileges instead of roles? In general I think the security model is set up so that users are assigned roles which contain one or more privileges.

    If you do choose to use a role instead of privilege, simply set the attribute MX_APPROVAL_TASK to the id of the approval task you want to use and the system will do the rest. The display you referenced in the first part of your question will always display the current values of the attributes you select for the user, so don't try to display the roles there - just display the user id, name, whatever else is helpful and when the approver clicks on the user id they will get the approval details which will include the requested role.

    Also, please note that if you would like to assign a role directly anywhere (bypass approvals) you can use the switch: {direct_reference=1}



    • Hi,

      Has anyone heard of this issue in provisioning? If I raise a request (person to role) and it gets rejected in GRC-CUP, I get the status in IDM as rejected. However, if I want to raise another request for the same role assignment, then it's not reaching GRC. Any idea why this happens?

      Thanks a lot