Approval procedure for Role entitlement assignment (system roles to Business Role)?

Hello

I'd like to create an approval policy and approval workflow to be used in the standard service item "Role entitlement assignment".

An approval should be given by the owner of the entitlement, which is a System Role, eventually an AD Group.

Does anyone know a good approach to evaluate the owners of the System Roles (and AD Groups) which are assigned to a Business Role or Department by using "Role entitlement assignment"? 

It seems there is no such approval procedure OOTB.

Any help is greatly appreciated.

Kind regards, and thanks in advance for any advice.

Edi

  • Just as a reminder, only identities (Persons) can be used as approvers. So, referring to an AD group is not getting you far.
  • In reply to Markus Weiss-Ehlers:

    Hi Markus,
    Thanks, I'm sorry to be unclear:

    If a manager of a Business Role is using "Role entitlement assignment" to assign entitlements:
    - If a system role is assigned to a business role the owner/manager of the system role has to approve.
    - If an AD Group is assigned to a business role the owner of the AD Group has to approve.

    Best regards.
    Edi
  • In reply to edi.imhof:

    Okay, now which version are you using?
  • In reply to Markus Weiss-Ehlers:

    Hi Markus,
    It's v7.1.1
  • In reply to edi.imhof:

    As demonstrated in the thread https://www.quest.com/community/products/one-identity/f/identity-manager/20652/approval-procedure---named-approvers-of-requested-business-role-or-organization-7-1-1, create a custom approval procedure for this.

    The SQL would look like this, assuming that the owner of the ESet is determined using ESet.UID_PersonResponsible and, for the AD group, using the application role of the assigned service item.

    select Person.UID_Person, NULL as UID_PWORulerOrigin                           -- ESet owner; no ruler origin needed
    	from PersonWantsOrg join ESet on PersonWantsOrg.ObjectKeyElementUsedInAssign = ESet.XObjectKey
    	join Person on ESet.UID_PersonResponsible = Person.UID_Person               -- owner of the assigned system role
    where PersonWantsOrg.UID_PersonWantsOrg = @uid_personwantsorg                   -- @uid_personwantsorg = request being decided
    UNION ALL
    select PersonInAERole.UID_Person, dbo.QER_FGIPWORulerOrigin(PersonInAERole.XObjectKey) as UID_PWORulerOrigin
    	from PersonWantsOrg join ADSGroup on PersonWantsOrg.ObjectKeyElementUsedInAssign = ADSGroup.XObjectKey
    	join AccProduct on ADSGroup.UID_AccProduct = AccProduct.UID_AccProduct      -- service item of the AD group
    	join PersonInAERole on PersonInAERole.UID_AERole = AccProduct.UID_OrgRuler  -- members of its owner application role
    	    AND PersonInAERole.XOrigin > 0                                          -- effective (non-deleted) memberships only
    where PersonWantsOrg.UID_PersonWantsOrg = @uid_personwantsorg
    

  • In reply to Markus Weiss-Ehlers:

    Hello Markus
    Thanks for your Reply.
    I tried the solution as you suggested above, but it seems I have no luck.
    If I run the Query in Object Browser it returns the correct result.
    But when I create a custom approval procedure and add the query above as the selection criteria (I focused on the first part on ESet, lines 1-4, but I also tried the entire script), and also create a custom approval policy and assign that to the Service Item "Role entitlement assignment", things seem to go wrong.
    The effect is that no approver can be determined.
    When the Business Role manager orders an entitlement (System Role), the decision workflow is aborted and will tell me there is no approver available in this shop.
    Of course, I checked that the owner of the System Role is in the shop "Identity and access Lifecycle".
    Do you have any suggestion, where I could look?

    Thanks a lot
    Edi
  • In reply to edi.imhof:

    I would check the configuration parameters. Especially if either QER\ITShop\PersonInsertedNoDecide or QER\ITShop\PersonOrderedNoDecide is enabled and your owner is the same person as the requester.