Identity Manager

Custom approval workflow with 2 levels of approvals

I want to create a custom approval workflow with 2 levels of approvals. In the first-level approval I am using the recipient's manager. In the second-level approval I want to assign the approval process to some AD group which also contains the recipient's manager, but he should not approve it.

  • Do you mean some users that are in some AD group, where the manager can or can't be? Or users that are in an AD group that the manager is also in?
  • I mean users that are in some AD group, e.g. domain users, and the manager is also in the same group. The manager has approved the request in level 1; now in level 2 he should not be eligible to approve, as he has already done that.
  • I would maybe do the following:
    - 1: Create a business role and a dynamic group where you could see all employees that are members of that group.
    - 2: Then, use the OR approval procedure and select the option "no automatic approval".

    For the dynamic role I would use an SQL clause, which should be something like this:

    EXISTS (
      SELECT 1
      FROM (
        SELECT UID_Person
        FROM ADSAccount
        WHERE (XMarkedForDeletion = 0)
          AND (EXISTS (
            SELECT 1
            FROM (
              SELECT UID_ADSAccount
              FROM ADSAccountInADSGroup
              WHERE EXISTS (
                SELECT 1
                FROM (SELECT UID_ADSGroup FROM ADSGroup WHERE cn = N'XXXXX') as X
                WHERE X.UID_ADSGroup = ADSAccountInADSGroup.UID_ADSGroup
              )
            ) as X
            WHERE X.UID_ADSAccount = ADSAccount.UID_ADSAccount
          ))
      ) as X
      WHERE X.UID_Person = Person.UID_Person
    )
  • Thanks for the reply.

    I have created the business role but I am not able to assign employees to it. Second, where do I create the dynamic group?
  • Create the role in Manager. When the role is created, click on Create dynamic role.
    In object class select person. In condition select the arrow and select sqlclause. Copy and paste my previous query and replace 'xxxxx' with the cn of your group. Click on save.