question about sequential approvals from privilege owners

Former Member
0 Kudos

Hello,

I'm in the process of setting up sequential approvals and have a question about getting approvers from a pending value object that's not working as expected or as I would like. I'm currently using IDM 7.2 with SP7.

Here's what I'm trying to accomplish.

Approver 1 - get approvers on task

- the first approver is set up on the task

- this is working as expected

Approver 2 - get approvers on pending value object

- the role that's being requested has a number of ABAP privileges assigned to it. (in this test just one for now)

- each privilege has an owner and all approvals need to come from the privilege owner, as there is no role owner set up.

- this is currently not working the way it's set up

- I've set this up as follows:

a) a 'to identity store' job is set up to grab the MX_OWNERs

b) on the role that was requested, visibility is set to the ABAP privilege, and on the ABAP privilege the visibility is set to the role owner.

What I was expecting to happen is for the privilege role owner to be added to the pending value object and be sent an approval request. This did not happen and the approval remains in pending status. In this environment it's most important to get approvals from the ABAP privilege owners.

Judging from the most recent document on 'creating role approvals' it should be possible to get privilege owner approvals. What I'd like to understand is if it's possible to get privilege owner approvals by setting the visibility on the role to an ABAP privilege first and then setting the privilege visibility to a specific user. Did I miss something? Can you suggest a different way of getting the privilege owners?

Appreciate your help and comments.

Cheers, Paul

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi,

This is an interesting problem.  I like the idea.  I set it up in my sandbox and it's working.  I'm using the MX_APPROVERS attribute on the privilege.  If you want to use 'MX_OWNER' just change it in the query.

I'm just using a script to get the owners of the privileges.  It's a simple query.  Just pass in the MSKEY of the role.  It will return the MSKEYVALUEs of the privilege approvers.

 

privApprovers = uSelect("select PrivOwners.mcothermskeyvalue from idmv_link_ext RolePrivLinks, idmv_link_ext PrivOwners where RolePrivLinks.mcothermskey = " + Par + " AND RolePrivLinks.mcattrname = 'MXREF_MX_ROLE' AND RolePrivLinks.mcthismskey = PrivOwners.mcthismskey AND PrivOwners.mcAttrName = 'MX_APPROVERS'");

Former Member
0 Kudos

Thanks very much Chris.

I suspected a custom script was needed but I don't have any experience with this so, it's really appreciated.

A couple of questions just to make sure I'm setting it up correctly.

1) I created a new script in the 'add privilege owner' task. Is this the correct place to put it?

2) I've pasted your script into a new script template, it looks like this. Is this correct?

3) Does the approval task still need to get approvers from the Pending Value Object or from the privilege? When roles are requested there will be multiple privilege approvers.

4) Any other things to note in setup?

This really helps because it's not only roles that will be requested but also single privileges and the privilege approvers always need to be in the approval workflow. So thanks again.

Cheers,

Paul

Former Member
0 Kudos

1) Yes, that's the correct place

2) a) get rid of the return characters in that line

     b) you'll have to parse the return string, here's the pseudocode

          approver_array = privApprovers.split("!!");

          then loop through the array and put a "|" in between the return values.

          return string_you_generated_from_loop;

     c) after you've parsed it return the string which should be the list of approvers, and assign this to the PVO MX_APPROVERS

3) The approval task will get the approvers from the PVO.  This function is grabbing the approvers from the privileges and assigning it to the PVO.  Yes I understand there are multiple approvers.  The select statement I wrote will return them all.

4) Are you going to require all approvers approve it or are you going to require only 1?  I don't know of a way to dynamically determine how many approvals will be required.  Not sure it's possible (may have to be an enhancement request).

Good luck, let me know if it works out for you!

Thanks,

Chris
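The parsing step sketched in the reply above, written out as an added example (not code from the thread or from SAP): it checks that the role MSKEY is numeric before it is concatenated into the query, and turns the "!!"-separated result into the "|"-separated list for the PVO. The helper names, the sample result string and the "!ERROR" failure prefix are assumptions; inside IDM the raw string would come from uSelect().

```javascript
// Added example: helper names are hypothetical, not SAP IDM built-ins.
// The raw result is passed in so the logic runs stand-alone.

// Build the query from the thread, refusing any role MSKEY that is not a
// plain integer, because the value is concatenated into the SQL text.
function buildApproverQuery(roleMskey) {
  var key = String(roleMskey).trim();
  if (!/^[0-9]+$/.test(key)) {
    throw new Error("role MSKEY must be numeric: " + key);
  }
  return "select PrivOwners.mcothermskeyvalue" +
    " from idmv_link_ext RolePrivLinks, idmv_link_ext PrivOwners" +
    " where RolePrivLinks.mcothermskey = " + key +
    " AND RolePrivLinks.mcattrname = 'MXREF_MX_ROLE'" +
    " AND RolePrivLinks.mcthismskey = PrivOwners.mcthismskey" +
    " AND PrivOwners.mcAttrName = 'MX_APPROVERS'";
}

// Convert the "!!"-separated rows into the "|"-separated list for the PVO.
function toPvoApproverList(raw) {
  var text = String(raw == null ? "" : raw);
  // Assumption: a failed query returns a string starting with "!ERROR".
  if (text.indexOf("!ERROR") === 0) {
    throw new Error("approver query failed: " + text);
  }
  var rows = text.split("!!");
  var seen = {};
  var approvers = [];
  for (var i = 0; i < rows.length; i++) {
    var value = rows[i].trim();
    // Skip blank rows and approvers that appear on several privileges.
    if (value === "" || Object.prototype.hasOwnProperty.call(seen, value)) {
      continue;
    }
    seen[value] = true;
    approvers.push(value);
  }
  // Fail loudly rather than write an empty approver list to the PVO.
  if (approvers.length === 0) {
    throw new Error("no privilege approvers found for role");
  }
  return approvers.join("|");
}

// Constructed sample: two privileges, one approver listed on both.
var sampleResult = "APPROVER_A!!APPROVER_B!!APPROVER_A!!";
var pvoApprovers = toPvoApproverList(sampleResult);
```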

Former Member
0 Kudos

Hi,

You can try to add a function that logs the content of %TARGET.MX_OWNER% to see if the list of owners is correctly retrieved. Or you can view the pending value. Also make sure that you've checked the "Retrieve values from pending value" option on the action or TARGET/SUBJECT stuff won't work.

There's a known problem that when you have grouping enabled for a repository such as ABAP you will get just one privilege in the approval workflow representing all privileges that were assigned at the same time. Which could be all of them since they were inherited from a role. Since you say you only have one privilege that should not be a problem at the moment though. It's also been fixed but I don't know in which SP/release.

Best regards,

Per Christian

Murali_Shanmu
Active Contributor
0 Kudos

Paul,

If the owner of the Role is a Privilege, then all the members of this privilege should become owners of the role. Can you check if there are any users assigned to the Privilege in the "Assigned To" tab?

Cheers

Murali

Former Member
0 Kudos

Thanks Murali.

After a number of tests I've found that even though the 'to identity store' job is asking for target.mx_owner, instead it's the users that have the role assigned that receive the approval request.

So, I'm re-thinking this approval approach and may structure it on roles for approvers and get the approvers from the task to which the approvers role is assigned.

Thanks for your help.

Paul

Former Member
0 Kudos

Hi, what you're trying to do is not possible out of the box. The approvers are, as you noticed, the members of the owner entry/entries, not the owners of the owner entry. That would require potential endless iteration up a hierarchy of owners and that is something you can fairly simply implement in a script yourself.

Any reason you're not using the Approvers tab just next to the Owners tab (MX_APPROVERS attribute) to hold the approvers and use the "Get approvers from role/privilege" option? I believe this can also be roles or privileges, but it also has the same limitation - it gets the members from the referenced entries.

Br,

Chris

Message was edited by: Per Krabsetsve

Former Member
0 Kudos

Thanks Christian,

I had tried setting approvers on the privilege but it gets stuck in pending state. I believe this is because of the value set in the 'to identity store' pass, which is currently:

Is this the correct value needed to get the approvers for a privilege that is assigned to a role? The approval task is set to get approvers from 'role/privilege', but I'm wondering if this is one layer too deep?

Thanks for your help.

Paul