IBM Security Verify

 View Only
Expand all | Collapse all

IGI different approver on different entitlements using "no_required_approvers"

  • 1.  IGI different approver on different entitlements using "no_required_approvers"

    Posted Thu April 29, 2021 06:26 PM
    Hi,

    I'm trying to create a IGI workflow to enable the users to request a new entitlement on the same application (Ex: GroupA and GroupB) each entitlement must have a different role for approval (Eg: GroupA -> Manager, GroupB -> Security Chief), during the process I found a TechNote where they talk about "no_required_approvers" entitlement param,

    I manage to configure the param on each entitlement and run this test when i request the both entitlements at the same time:

    Branch one shot Authorization Enabled on Both Activities:

    During the test i found that both activities are generated but when I approve any of the activities the other activity cant be completed and both entitlements are assigned to the user.

    Branch one shot Authorization Disabled on Both Activities:

    During the test i found that only the first approval process is executed, the second approval is never executed and the Entitlement is assigned to the user directly.


    Workflow:

    GroupA Entitlement Prop:


    GroupB Entitlement Prop:



    ------------------------------
    Gabriel Labarrera
    ------------------------------


  • 2.  RE: IGI different approver on different entitlements using "no_required_approvers"

    Posted Wed May 05, 2021 02:03 AM
    Gabriel, 

    What are the Role Assignments for the Auth nodes? 

    Thx, 

    David

    ------------------------------
    [David] [Kuehr-McLaren] [
    Security Expert Labs]
    [Senior Security Architect - STSM]
    [IBM]
    [dkuehrmc@us.ibm.com]
    ------------------------------



  • 3.  RE: IGI different approver on different entitlements using "no_required_approvers"

    Posted Wed May 05, 2021 10:25 AM
    Hi David,

    The "Auth Request" is assigned to the UM and the "VSN Auth Req" to the Security Chief, a couple of days ago I open a support case and they replicated the described behavior on theirs lab environment, because when we request GroupA and GroupB as separated requests the workflow works as expected but requesting both entitlements at the same time the workflow ignores the second approval every time.

    ------------------------------
    Gabriel Labarrera
    ------------------------------