cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Non Employee Onboarding With Approval

Go to solution
Former Member

on ‎10-23-2009 12:51 PM

0 Kudos

Hi,

Iam working with SAP NWIDM 7.1

Iam facing one issue while working with the below described usecase.Could anyone please help me in this?

In the usecase,Requestor logs in to UI and he executes the task for Creating Non-Employee.He provides data for all the required attributes including HireDate and FireDate.Then it should go for the approval of requestors Manager.After the approval only the Non-Employee should be created in the IDM,and if the HireDate is current date then status should be Active else Inactive.

But whats the problem iam facing is,after providing all the details for creating Non Employee when the Requestor clicks on OK the account is being created even without Approvers approval.But I want it to be created after approval.

Could anyone help me in doing it in the required way?

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎11-04-2009 7:43 PM
0 Kudos

Hi Jagu,

What entry type is the request task? MX_PENDING_VALUE should be used for approvals. Using MX_PERSON directly, for example, will result in the behaivor you describe.

Best Regards,

Matt

Show replies
Show replies

Answers (1)

Answers (1)

Former Member
‎11-06-2009 7:33 AM
0 Kudos

Hi Matt,

Thanks for the reply.

But I need some more clarifications in this.

As you suggested I created the User Creation Task using "MX_PENDING_VALUE" entrytype.But here also the user is getting created before approval.But iam unable to view the user in UI(under Person) unless providing the MX_PENDING_VALUE entrytype under show(dropdown in UI Manage tab) .

So,I created one Job and one To IdentityStore pass within that Job.In that pass I specified the MX_PENDING_VALUE as Source and MX_PERSON as Destination and iam mapping the attributes from source to destination.Its giving error( Not allowed to modify EntryType)

Is this the right way to do it?

Could you please help me in doing this?

Regards,

Mounika

Show replies
Show replies
Former Member
‎11-10-2009 5:03 PM
0 Kudos

Hi Monuika,

Compare your configuration to the sample configuration in the guide [SAP NetWeaver Identity Management Identity Center - Implementing Role Approvals|http://www.sdn.sap.com/irj/scn/index;jsessionid=(J2EE3414800)ID2006311450DB11579937946596012804End?rid=/library/uuid/20b67ad5-c69a-2c10-9da2-9721b1cf749c]. In the next few weeks, I will also be publishing a How To Guide on approval workflows with further examples.

Best Regards,

Matt

Former Member
‎11-11-2009 8:48 AM
0 Kudos

> 

> Compare your configuration to the sample configuration in the guide [SAP NetWeaver Identity Management Identity Center - Implementing Role Approvals|http://www.sdn.sap.com/irj/scn/index;jsessionid=(J2EE3414800)ID2006311450DB11579937946596012804End?rid=/library/uuid/20b67ad5-c69a-2c10-9da2-9721b1cf749c].  In the next few weeks, I will also be publishing a How To Guide on approval workflows with further examples.

So Matt, what you're saying is that it is possible to have approvals based on MX_PENDING_VALUE on other events besides linking end users to business roles? Or did I misunderstood? I have thought that the standard pending approvals functionality in the product was only meant for approving user to role linkages..

It would be great to be able to approve incoming new users before any actions like role assigment could take place or approve changed user information etc etc.

Edited by: pasikuikka on Nov 11, 2009 9:50 AM

Former Member
‎11-11-2009 2:48 PM
0 Kudos

Hi Mounika,

>It would be great to be able to approve incoming new users before any actions like role assigment could take place or approve changed user information etc etc.

What makes you think you cannot have an approval task for any change? Approval tasks can be inserted at any point in the workflow.

Although primarily used for role and privilege assignments, the pending value functionality can work with any (reference) attribute.

Best Regards,

Matt

Former Member
‎11-12-2009 11:13 AM
0 Kudos

Hi Matt,

So,you mean that we can have this pending value functionality for any changes besides Role and Privilege assignmenst,right?

Role assignment comes when the user is already existed.But in my case the user is notyet created and i need the same pending value approval functionality in the creation task.

And pasikuikka,you got my point.

Is it possible to suspend the user creation in IC till approver approves?If yes then for which attribute i need to link that approval task?

I tried by adding the eventtask for one attribute which i'm using in the creation task,but even without approval also the user is getting created(again back to square 1).

Thanks

Mounika

Former Member
‎11-12-2009 7:07 PM
0 Kudos

> 

> Although primarily used for role and privilege assignments, the pending value functionality can work with any (reference) attribute.

Matt, it would be great if you could provide an example out of that.

Since what version and service pack has the MX_PENDING_VALUE supported other actions than linkage between MX_PERSON and MX_ROLE?

Edited by: pasikuikka on Nov 12, 2009 8:07 PM

Former Member
‎11-12-2009 7:13 PM
0 Kudos

Hi Monuika,

Interesting example...I have not tested approvals that way, but I have some ideas and I will post them here.

Regarding Pending Value Objects, see the following from the help:

About pending value objects
Related topics
A pending value object is an entry with entry type MX_PENDING_VALUE. It holds an attribute value which will be set (or removed) on the entry in the future. It always belongs to another entry (of any type) within the identity store. A single pending value object holds only one attribute/value pair.
Pending value objects can be used for:
Time limited attributes (primarily for roles). In this case the pending value object holds the valid from and valid to dates.
Several time schedules for a time limited attributes (i.e. January 1 - January 15 and February 1 - February 14). This is achieved by having multiple pending value objects for the same attribute.
General disabling of attributes.
Approval of role and privilege assignments. In this case the pending value object holds the approvers and also the approval information. The approvers are automatically copied from the MX_OWNER attribute of the role or privilege.
A pending value object is created in the following cases:
Add and remove member events. The event task is executed on the pending value object.
If setting a valid from constraint on a role or privilege assignment.
The function uApplyPending is used to approve or decline a pending value.
For details about the attributes of the pending value object (MX_PENDING_VALUE entry type), see the document SAP NetWeaver Identity Management Identity Center Identity store schema available on the SDN.

Best Regards,

Matt

Former Member
‎11-13-2009 5:51 AM
0 Kudos

Hi ,

I created the user creation task with MX_PERSON entrytype and for MSKEYVALUE I added one Eventtask and that task is the approval task.And it is going for the approval before the user is getting created.

In the approval task,under approve case i took one to identity store pass-> and the Source is MX_PENDING VALUE and the Destination is->MX_PERSON as iam coying the attributes from MX_PENDING VALUE to MX_PERSON.

But iam getting one error Modification of MX_ENTRYTYPE from MX_PENDINGVALUE to MX_PERSON is not possible.

Am I doing in the right way?If so how to complete the user creation successfully?

Could anyone help me?

Regards,

Mounika

Former Member
‎11-13-2009 1:25 PM
0 Kudos

> 

> Am I doing in the right way?If so how to complete the user creation successfully?
> Could anyone help me?

I would say it is impossible via MX_PENDING_VALUE. As if you take a look at IdM schema the MX_APPROVAL_TASK is not assigned to MX_PERSON entry type to begin with.

If you would be able to raise MX_PENDING_VALUE from modifying MX_PERSON then it would fail as MX_ATTRIBUTE_NAME/MX_ATTRIBUTE_VALUE are single value attributes and would work only approving any single attribute change. Multiple changes like changing both last name and first name would generate two MX_PENDING_VALUES.

Edited by: pasikuikka on Nov 13, 2009 2:25 PM

Edited by: pasikuikka on Nov 13, 2009 2:27 PM

Former Member
‎11-13-2009 2:37 PM
0 Kudos

Hi Mounika,

Your method is the way I was going to test this, but I have not had a chance yet.

>In the approval task,under approve case i took one to identity store pass-> and the Source is MX_PENDING VALUE and the Destination is->MX_PERSON as iam coying the attributes from MX_PENDING VALUE to MX_PERSON.

This will not work, and it is why your pass is failing. See the Guide I mentioned, the script uApplyPending is used to apply pending values, not a direct mapping as you attempted.

Best Regards,

Matt

Ask a Question