
Approval procedure for Role entitlement assignment (system roles to Business Role)?

Hello

I'd like to create an approval policy and approval workflow to be used in the standard service item "Role entitlement assignment".

An approval should be given by the owner of the entitlement, which is a System Role, eventually an AD Group.

Does anyone know a good approach to evaluate the owners of the System Roles (and AD Groups) which are assigned to a Business Role or Department by using "Role entitlement assignment"?

It seems there is no such approval procedure OOTB.

Any help is greatly appreciated.

Kind regards, and thanks in advance for any advice.

Edi

  • As demonstrated in the thread https://www.quest.com/community/products/one-identity/f/identity-manager/20652/approval-procedure---named-approvers-of-requested-business-role-or-organization-7-1-1 create a custom approval procedure for this.

    The SQL would look like this, assuming that the owner of the ESet is determined using ESet.UID_PersonResponsible and for the AD group using the application role of the assigned service item.

    SELECT Person.UID_Person, NULL
        FROM PersonWantsOrg
        JOIN ESet ON PersonWantsOrg.ObjectKeyElementUsedInAssign = ESet.XObjectKey
        JOIN Person ON ESet.UID_PersonResponsible = Person.UID_Person
    WHERE PersonWantsOrg.UID_PersonWantsOrg = @uid_personwantsorg
    UNION ALL
    SELECT PersonInAERole.UID_Person, dbo.QER_FGIPWORulerOrigin(PersonInAERole.XObjectKey) AS UID_PWORulerOrigin
        FROM PersonWantsOrg
        JOIN ADSGroup ON PersonWantsOrg.ObjectKeyElementUsedInAssign = ADSGroup.XObjectKey
        JOIN AccProduct ON ADSGroup.UID_AccProduct = AccProduct.UID_AccProduct
        JOIN PersonInAERole ON PersonInAERole.UID_AERole = AccProduct.UID_OrgRuler AND PersonInAERole.XOrigin > 0
    WHERE PersonWantsOrg.UID_PersonWantsOrg = @uid_personwantsorg
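    The following harness is an added example, not code from the original answer or from One Identity. It rebuilds the few columns the approval-procedure query touches in an in-memory SQLite database with constructed sample rows, runs the same two-branch UNION ALL logic against three constructed requests, and flags a request for which the procedure would return no approver at all (an ESet with no responsible person set). The schema, the object-key values and the stand-in for dbo.QER_FGIPWORulerOrigin (which here simply returns NULL, because its real behaviour is not described on the page) are all assumptions made for the demonstration; SQLite also has no "dbo." schema prefix, so the function is called unqualified.

```python
import sqlite3

# Constructed stand-in schema: only the columns the approval query joins on.
SCHEMA = """
CREATE TABLE PersonWantsOrg (UID_PersonWantsOrg TEXT PRIMARY KEY, ObjectKeyElementUsedInAssign TEXT);
CREATE TABLE ESet (XObjectKey TEXT PRIMARY KEY, UID_PersonResponsible TEXT);
CREATE TABLE Person (UID_Person TEXT PRIMARY KEY);
CREATE TABLE ADSGroup (XObjectKey TEXT PRIMARY KEY, UID_AccProduct TEXT);
CREATE TABLE AccProduct (UID_AccProduct TEXT PRIMARY KEY, UID_OrgRuler TEXT);
CREATE TABLE PersonInAERole (XObjectKey TEXT PRIMARY KEY, UID_AERole TEXT, UID_Person TEXT, XOrigin INTEGER);
"""

# Constructed sample data (assumed values, not real identifiers):
#   PWO-1 requests a system role (ESet) whose responsible person is P-OWNER.
#   PWO-2 requests an AD group whose service item's owner role AER-1 has two
#         members; one (P-INHERIT) has XOrigin = 0 and must not be an approver.
#   PWO-3 requests an ESet with no responsible person -> no approver found.
SAMPLE_ROWS = {
    "PersonWantsOrg": [
        ("PWO-1", "<Key><T>ESet</T><P>ES-1</P></Key>"),
        ("PWO-2", "<Key><T>ADSGroup</T><P>ADG-1</P></Key>"),
        ("PWO-3", "<Key><T>ESet</T><P>ES-2</P></Key>"),
    ],
    "ESet": [
        ("<Key><T>ESet</T><P>ES-1</P></Key>", "P-OWNER"),
        ("<Key><T>ESet</T><P>ES-2</P></Key>", None),
    ],
    "Person": [("P-OWNER",), ("P-RULER",), ("P-INHERIT",)],
    "ADSGroup": [("<Key><T>ADSGroup</T><P>ADG-1</P></Key>", "ACC-1")],
    "AccProduct": [("ACC-1", "AER-1")],
    "PersonInAERole": [
        ("<Key><T>PersonInAERole</T><P>PIA-1</P></Key>", "AER-1", "P-RULER", 1),
        ("<Key><T>PersonInAERole</T><P>PIA-2</P></Key>", "AER-1", "P-INHERIT", 0),
    ],
}

# Same logic as the answer's query; parameter written the SQLite way (:name).
APPROVER_SQL = """
SELECT Person.UID_Person, NULL AS UID_PWORulerOrigin
    FROM PersonWantsOrg
    JOIN ESet ON PersonWantsOrg.ObjectKeyElementUsedInAssign = ESet.XObjectKey
    JOIN Person ON ESet.UID_PersonResponsible = Person.UID_Person
WHERE PersonWantsOrg.UID_PersonWantsOrg = :uid_personwantsorg
UNION ALL
SELECT PersonInAERole.UID_Person, QER_FGIPWORulerOrigin(PersonInAERole.XObjectKey) AS UID_PWORulerOrigin
    FROM PersonWantsOrg
    JOIN ADSGroup ON PersonWantsOrg.ObjectKeyElementUsedInAssign = ADSGroup.XObjectKey
    JOIN AccProduct ON ADSGroup.UID_AccProduct = AccProduct.UID_AccProduct
    JOIN PersonInAERole ON PersonInAERole.UID_AERole = AccProduct.UID_OrgRuler AND PersonInAERole.XOrigin > 0
WHERE PersonWantsOrg.UID_PersonWantsOrg = :uid_personwantsorg
"""


def build_db():
    """Create the in-memory database, load the constructed rows and register the stub function."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    # Placeholder for dbo.QER_FGIPWORulerOrigin: the real function's result is not
    # shown on the page, so this stub returns NULL for every membership key.
    conn.create_function("QER_FGIPWORulerOrigin", 1, lambda _xobjectkey: None)
    return conn


def resolve_approvers(conn, uid_personwantsorg):
    """Return [(UID_Person, UID_PWORulerOrigin), ...] the procedure would hand to the workflow."""
    rows = conn.execute(APPROVER_SQL, {"uid_personwantsorg": uid_personwantsorg}).fetchall()
    return [(uid_person, origin) for uid_person, origin in rows]


def check_request(conn, uid_personwantsorg):
    """Resolve approvers and flag the case where nobody would be asked to approve."""
    approvers = resolve_approvers(conn, uid_personwantsorg)
    return {"request": uid_personwantsorg, "approvers": approvers, "has_approver": bool(approvers)}


if __name__ == "__main__":
    db = build_db()
    for uid in ("PWO-1", "PWO-2", "PWO-3"):
        print(check_request(db, uid))
```

    Running it shows PWO-1 resolving to the ESet's responsible person, PWO-2 resolving only to the XOrigin > 0 member of the service item's owner role, and PWO-3 resolving to nobody. That last case is the one to watch for before wiring the procedure into a workflow: a request whose ESet has no responsible person (or whose assigned element is neither an ESet nor an AD group) yields an empty approver set, so the surrounding approval policy needs a defined fallback for it.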
