IBM Verify


Creation of workflows for Temp Role Changes (IVIG)

  • 1.  Creation of workflows for Temp Role Changes (IVIG)

    Posted Thu February 27, 2025 02:06 PM

    Hi Champs.

    We have the below requirement:

    - A user submits a request to change another user's role temporarily, specifying the target user, new role, duration, and reason.
    - The request follows an approval workflow involving the direct manager, security/IT admin, and compliance officer if required.
    - Upon final approval, the target user's role is updated to the temporary role, and the change is logged for auditing.
    - At the expiration time, the target user's role automatically reverts to the previous role, and relevant stakeholders are notified.
    - All requests, approvals, and role changes are logged for audit and compliance tracking, with reporting capabilities.

    How do we cater for this requirement? The important part is that the approval has to be one approval for all the target entitlements with the new role.



    ------------------------------
    Supun Munasinghe
    ------------------------------


  • 2.  RE: Creation of workflows for Temp Role Changes (IVIG)

    Posted Fri February 28, 2025 02:57 AM

    What you describe here is not a simple configuration but is something that requires some work and careful design.

    First - you need to store the date(s) - I would recommend storing both a start and an end date. There are 2 options that I have seen used - the first is to add an extra (complex) multivalue attribute to the person in e.g. the format <RoleDN>|<startdate>|<enddate> - this can be visually displayed using a subform in the console - in the ISC I would code a new JSP on its own menu item.

    Alternatively you can use RoleAssignment Attributes to store the data - this is supported directly in the console - but alas the UI is only supporting text fields ootb and that limits the value as this makes it difficult to ensure data is in the right format.

    To efficiently handle this you will need some advanced workflow logic that handles the data - to make the scheduling efficient, another custom attribute where the workflow can calculate a "next activity timestamp" is useful - then an LCR can efficiently, e.g. every 5 minutes, trigger persons that need to be handled in the workflow.

    There is already an RFE/IDEAS to have this implemented as an ootb solution - you may want to find that on the Ideas portal and vote for it.

    But my advice is to have a BP or IBM Expert Labs professional service do this for you - this is something that currently requires a skills/experience that not many have.

    HTH 



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Architect - Certified Consulting IT Specialist
    IBM Expert Labs
    ------------------------------
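The following is an added illustration of the design sketched in the reply above (the `<RoleDN>|<startdate>|<enddate>` multivalue attribute plus a "next activity timestamp" that a periodic LCR can select on). It is not code from the post, from IBM, or from IVIG; the attribute name, the ISO 8601 date format and the sample values are constructed assumptions. It shows the two checks a workflow would need: strict parsing so a malformed value can never schedule or revert a role, and a deterministic decision of which roles are due to be added or removed at a given time.

```javascript
// Added example: temporary-role scheduling logic for a
// "<RoleDN>|<startdate>|<enddate>" multivalue person attribute.
// Attribute name, date format and sample data are assumptions.

const TEMP_ROLE_ATTR = "erTempRoleAssignment"; // hypothetical attribute name

// Parse one attribute value. Returns null for anything malformed
// (wrong field count, empty DN, unparsable date, end not after start)
// so that a bad value is reported rather than acted upon.
function parseTempRoleValue(value) {
  const parts = String(value).split("|");
  if (parts.length !== 3) return null;
  const [roleDN, startStr, endStr] = parts.map((p) => p.trim());
  if (!roleDN) return null;
  const start = Date.parse(startStr);
  const end = Date.parse(endStr);
  if (Number.isNaN(start) || Number.isNaN(end) || end <= start) return null;
  return { roleDN, start, end };
}

// Decide, for one person, which roles must be added (window open but
// not yet held) and which must be removed (window closed but still held).
// Invalid entries are returned separately so they can be logged for audit.
function evaluateTempRoles(values, currentRoles, nowMs) {
  const held = new Set(currentRoles);
  const toAdd = [];
  const toRemove = [];
  const invalid = [];
  for (const v of values) {
    const e = parseTempRoleValue(v);
    if (!e) { invalid.push(v); continue; }
    const active = nowMs >= e.start && nowMs < e.end;
    if (active && !held.has(e.roleDN)) toAdd.push(e.roleDN);
    if (nowMs >= e.end && held.has(e.roleDN)) toRemove.push(e.roleDN);
  }
  return { toAdd, toRemove, invalid };
}

// "Next activity timestamp": the earliest future start or end across all
// valid entries. Storing this on the person lets a periodic LCR filter on
// "next activity <= now" instead of evaluating every person every run.
function nextActivityTimestamp(values, nowMs) {
  let next = null;
  for (const v of values) {
    const e = parseTempRoleValue(v);
    if (!e) continue;
    for (const t of [e.start, e.end]) {
      if (t > nowMs && (next === null || t < next)) next = t;
    }
  }
  return next; // null when nothing is pending
}

// Constructed sample data: one window currently open, one already closed,
// and one malformed entry.
const SAMPLE_VALUES = [
  "cn=DBA-Temp,ou=roles,dc=example|2025-03-01T08:00:00Z|2025-03-08T08:00:00Z",
  "cn=Auditor,ou=roles,dc=example|2025-02-01T00:00:00Z|2025-02-15T00:00:00Z",
  "cn=Broken,ou=roles,dc=example|not-a-date|2025-03-08T08:00:00Z",
];
const SAMPLE_NOW = Date.parse("2025-03-02T00:00:00Z");
const SAMPLE_HELD = ["cn=Auditor,ou=roles,dc=example"];

console.log(TEMP_ROLE_ATTR, evaluateTempRoles(SAMPLE_VALUES, SAMPLE_HELD, SAMPLE_NOW));
console.log("next activity:", new Date(nextActivityTimestamp(SAMPLE_VALUES, SAMPLE_NOW)).toISOString());
```

In a real workflow the `toAdd`/`toRemove` results would drive the role change on the person, the `invalid` list would go to the audit log, and the value returned by `nextActivityTimestamp` would be written back to the scheduling attribute that the LCR filters on.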