IBM Verify

Hello,
I have a requirement , when a user select groups , based on that the workflow should set the approval nodes dynamically,suppose user select 10 groups , then the workflow should set the 10 approval nodes, also based on the approval decision the user will get the groups , how this can be achieve in ISIM workflow.


------------------------------
krish krishna
------------------------------

Hi Krish...

This could be done in different ways, but the most elegant/efficient way would be to expose the Groups as Accesses, and then associate Access Request Workflow(s) with each Access.  This would not only get you the desired behavior above, but would make the end user's experience better (requesting the Accesses (Groups) with a "Shopping Cart" like experience, in the ISIM Service Center UI (/itim/ui).

------------------------------
Grey Thrasher
IBM
------------------------------

Original Message:
Sent: Thu November 26, 2020 05:59 AM
From: krish krishna
Subject: Approval node in ISIM workflow

Hello,
I have a requirement , when a user select groups , based on that the workflow should set the approval nodes dynamically,suppose user select 10 groups , then the workflow should set the 10 approval nodes, also based on the approval decision the user will get the groups , how this can be achieve in ISIM workflow.


------------------------------
krish krishna
------------------------------

If you are able to use accesses, Grey's methods works. If you are bound to use roles combined with services set to "correct compliance" - not so much
To handle to role use case things are alas much more complex - the needed steps are outlined below : 

1. filter roles with approvals from rest of the request
2. loop of the roles in asynchronous mode (this is a checkbox on the loop node) 
3. call you approval flow for each role

You may have the opportunity to group your approvals (e.g. by approver) - this depends very much how complex your approval flows are (i.e. multilevel approvals, ensured 4 eyes principle etc.).

There also exist an extension for role approval that can be useful - but alas that does not allow the same flexibility as outlined above.

That said - the complexity of this compared to using the Access Entitlement workflows is huge - so a common request I hear a lot is to add the ability for Access enabled Roles to be approved using Access Request Workflows - if this is what you also would like to see you can raise an RFE here : https://www.ibm.com/developerworks/rfe/execute?use_case=changeRequestLanding&BRAND_ID=301 - then IBM might implement it sometime...

------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------

Original Message:
Sent: Mon November 30, 2020 08:35 AM
From: Grey Thrasher
Subject: Approval node in ISIM workflow

Hi Krish...

This could be done in different ways, but the most elegant/efficient way would be to expose the Groups as Accesses, and then associate Access Request Workflow(s) with each Access.  This would not only get you the desired behavior above, but would make the end user's experience better (requesting the Accesses (Groups) with a "Shopping Cart" like experience, in the ISIM Service Center UI (/itim/ui).

------------------------------
Grey Thrasher
IBM

Original Message:
Sent: Thu November 26, 2020 05:59 AM
From: krish krishna
Subject: Approval node in ISIM workflow

Hello,
I have a requirement , when a user select groups , based on that the workflow should set the approval nodes dynamically,suppose user select 10 groups , then the workflow should set the 10 approval nodes, also based on the approval decision the user will get the groups , how this can be achieve in ISIM workflow.


------------------------------
krish krishna
------------------------------

Hi Franz,
I have tried the same way as you said in  above , i read all the groups assigned and from the groups i got the approve list and in loop(asynchronous) i am calling the suprocess(which calls a simple approve wokflow) by passing the approve name, every thing working as expected but only issue is in sub-process for all 3 iteration ,the approver is showing as same, but in loops before calling the subprocess its printing correct approve name not sure whats might be the issue.





------------------------------
krish krishna
------------------------------

Original Message:
Sent: Mon November 30, 2020 08:57 AM
From: Franz Wolfhagen
Subject: Approval node in ISIM workflow

If you are able to use accesses, Grey's methods works. If you are bound to use roles combined with services set to "correct compliance" - not so much
To handle to role use case things are alas much more complex - the needed steps are outlined below : 

1. filter roles with approvals from rest of the request
2. loop of the roles in asynchronous mode (this is a checkbox on the loop node) 
3. call you approval flow for each role

You may have the opportunity to group your approvals (e.g. by approver) - this depends very much how complex your approval flows are (i.e. multilevel approvals, ensured 4 eyes principle etc.).

There also exist an extension for role approval that can be useful - but alas that does not allow the same flexibility as outlined above.

That said - the complexity of this compared to using the Access Entitlement workflows is huge - so a common request I hear a lot is to add the ability for Access enabled Roles to be approved using Access Request Workflows - if this is what you also would like to see you can raise an RFE here : https://www.ibm.com/developerworks/rfe/execute?use_case=changeRequestLanding&BRAND_ID=301 - then IBM might implement it sometime...

------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs

Original Message:
Sent: Mon November 30, 2020 08:35 AM
From: Grey Thrasher
Subject: Approval node in ISIM workflow

Hi Krish...

This could be done in different ways, but the most elegant/efficient way would be to expose the Groups as Accesses, and then associate Access Request Workflow(s) with each Access.  This would not only get you the desired behavior above, but would make the end user's experience better (requesting the Accesses (Groups) with a "Shopping Cart" like experience, in the ISIM Service Center UI (/itim/ui).

------------------------------
Grey Thrasher
IBM

Original Message:
Sent: Thu November 26, 2020 05:59 AM
From: krish krishna
Subject: Approval node in ISIM workflow

Hello,
I have a requirement , when a user select groups , based on that the workflow should set the approval nodes dynamically,suppose user select 10 groups , then the workflow should set the 10 approval nodes, also based on the approval decision the user will get the groups , how this can be achieve in ISIM workflow.


------------------------------
krish krishna
------------------------------

Nice job so far - and thank you for sharing :-)
I cannot - from what you show here - determine the cause of the problem - but I would guess that the workflow property that contains the approver is not getting to the approval workflow correctly. This could be due to the in/out properties on the process extension/approval workflow are not aligned - or you have a an error somewhere in you script code.
I will not try to debug your workflow here - that is something that requires more time than I can put into this - so this is the level of help I can support you with here for free :-).

HTH

------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------

Original Message:
Sent: Mon November 30, 2020 11:31 PM
From: krish krishna
Subject: Approval node in ISIM workflow

Hi Franz,
I have tried the same way as you said in  above , i read all the groups assigned and from the groups i got the approve list and in loop(asynchronous) i am calling the suprocess(which calls a simple approve wokflow) by passing the approve name, every thing working as expected but only issue is in sub-process for all 3 iteration ,the approver is showing as same, but in loops before calling the subprocess its printing correct approve name not sure whats might be the issue.

------------------------------
krish krishna

Original Message:
Sent: Mon November 30, 2020 08:57 AM
From: Franz Wolfhagen
Subject: Approval node in ISIM workflow

If you are able to use accesses, Grey's methods works. If you are bound to use roles combined with services set to "correct compliance" - not so much
To handle to role use case things are alas much more complex - the needed steps are outlined below : 

1. filter roles with approvals from rest of the request
2. loop of the roles in asynchronous mode (this is a checkbox on the loop node) 
3. call you approval flow for each role

You may have the opportunity to group your approvals (e.g. by approver) - this depends very much how complex your approval flows are (i.e. multilevel approvals, ensured 4 eyes principle etc.).

There also exist an extension for role approval that can be useful - but alas that does not allow the same flexibility as outlined above.

That said - the complexity of this compared to using the Access Entitlement workflows is huge - so a common request I hear a lot is to add the ability for Access enabled Roles to be approved using Access Request Workflows - if this is what you also would like to see you can raise an RFE here : https://www.ibm.com/developerworks/rfe/execute?use_case=changeRequestLanding&BRAND_ID=301 - then IBM might implement it sometime...

------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs

Original Message:
Sent: Mon November 30, 2020 08:35 AM
From: Grey Thrasher
Subject: Approval node in ISIM workflow

Hi Krish...

This could be done in different ways, but the most elegant/efficient way would be to expose the Groups as Accesses, and then associate Access Request Workflow(s) with each Access.  This would not only get you the desired behavior above, but would make the end user's experience better (requesting the Accesses (Groups) with a "Shopping Cart" like experience, in the ISIM Service Center UI (/itim/ui).

------------------------------
Grey Thrasher
IBM

Original Message:
Sent: Thu November 26, 2020 05:59 AM
From: krish krishna
Subject: Approval node in ISIM workflow

Hello,
I have a requirement , when a user select groups , based on that the workflow should set the approval nodes dynamically,suppose user select 10 groups , then the workflow should set the 10 approval nodes, also based on the approval decision the user will get the groups , how this can be achieve in ISIM workflow.


------------------------------
krish krishna
------------------------------