
No Master Process on privilege is triggered before Approval

clotilde_martinez
Participant
0 Kudos

Hi experts,

I just want to check something because it's been driving me crazy since the beginning of the week... I cannot figure out whether it was working before or whether I lost or changed something in my configuration that makes it not work anymore.

I'm running IDM 8 SP1 latest patches.

I have a repository DEV600 which is an ABAP and a GRC10 (DEVGRC) repository.

I use the standard provisioning workflow.

I have a no master process task that generates a password then assigns the priv only to the user (thus triggers the user creation process).

I have two approval processes, one for business roles and one for privileges. Note that the 2nd approval on the business role workflow is configured not to approve inherited assignments. My privileges workflow starts with a conditional task to check if it's a privilege that has been directly assigned (in that case it goes through another IDM approval process) or indirectly assigned (== via a business role) and it then goes to a GRC AC Validation Task.

My ABAP repository is configured with no add validate task, the provisioning task and the no master process is configured.

My GRC10 repository is configured with the privileges approval workflow as validate add task, no provisioning task or no master process.

My Business Roles have everything as "Unherited" except for the validate add task, set to the BR approval workflow. (they're not linked to a repository).

My privileges (except priv only) have everything as unherited, DEVGRC as repository for validation, the priv only as master priv, inherited task for no master process, repository name DEV600.

When requesting a business role, my approval workflow for business roles triggers the approval workflow only. When approving the business role, it triggers the no master process then the approval for the privilege.

I tried giving a privilege directly and unsetting the no master process, as long as the priv only is not given, no approval for a privilege is triggered.

I know that this was the standard behavior in 7.2 a few patches ago, but I'm not sure if that didn't change.

Can someone confirm that this is the standard behavior and that I should put another approval workflow on my priv only to avoid user account creation with no privileges? Or can you point me towards the right way to configure it so that the add master priv is triggered on the approval of a privilege (so on the triggering of an add member task and not a validate add task)?

Thanks a lot,

Clotilde

Accepted Solutions (1)

normann
Advisor
0 Kudos

Hi Clotilde,

You are absolutely right - you need to have the account privilege assigned (execstate=1) in order to start the validation task for the assigned privileges. I don't think it makes a difference whether the privileges are assigned directly or inherited. But as you mentioned already, the validation task on the Business Role starts immediately.

I know this is not so nice from a process perspective - since the user gets created even though the requested assignment might be declined - but I did not find a way to avoid that.

Maybe something for the idea place.

Regards

clotilde_martinez
Participant
0 Kudos

Thank you Norman, I really thought I had seen it work once, so I got really confused.

Have a great day,

Clotilde

Answers (0)