Hello,

we are running idm 7.2 sp4 patch 1 and one of our client requirement is to be able to "recertify" assignments.

It means that everytime a user changes job or one expires, every assignment given directly to the user must pass through an approval process where various people approve the fact that it still needs those access rights.

Before sp4, we were creating a "false" pvo through a script and it went well in an approval workflow. Since sp4, it doesn't work this way anymore so we have to find a workaround for this.

For now, what we imagined is placing a trigger on the deletion of a job object, launching a script to change the validto date of the assignment. Then, with a trigger "Validate modify validity" placed on the repository, we can launch the approval process.

The trouble here is that the approver has to approve the fact that we changed the validto date and so approve the deprovisioning of the assignment, which is totally the contrary of every other approval process that we already made (where they approve the fact that the authorization will be given) and thus we think it may be a really confusing process for the end user. That is why we are trying to figure out another method to meet our client requirement.

Does anyone see another way to do it, staying in the standard ways of IdM, or has an idea to improve what we thought about?

Many thanks,

Clotilde