Let me put a different perspective on this request....
I think it is wrong from a process POV - the approvers should not care about this in the approval flow - the entitlements that a Role represents should be handled in the Role Governance lifecycle - and the Role Owner should be aware of the content of a role (if not you REALLY have a problem...). I would recommend ensuring that Roles have a good description that makes this readily available.
The solution that Grey is outlining is to calculate the resulting Role -> Entitlements - now this you COULD do in LCR (or outside process) and then store the result on your Roles - I believe that would be a better process. One thing you should be aware of is that this process will include ALL attributes that your provisioning policies will calculate - you may want to filter this for attributes that are defined as group attributes - this is defined on the service profile level...
Now for the real world complexity of implementing something like this....
One thing is what a Role change is entitling a user to - another thing is what the user really gets - if you have other outstanding changes to the person the resulting account changes may include other things - or none if the entitlements are already given through another role. These are things you need to understand/discuss - end user processes are notoriously difficult to get right :-)
HTH
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------
Original Message:
Sent: Thu November 21, 2019 09:31 AM
From: Grey Thrasher
Subject: ISIM - How to identify the Entitlements(accounts) in advance when any role is added or removed from user in Person add/modify workflow?
Hi Prashant...
You could do this, but it would likely require a custom (script/workflow) extension.
It's easy to find the new Roles being requested in the Person add/modify Operations...using
    // Workflow JavaScript: fetch the Person object from the relevant data
    var personObj = person.get();
    // Roles being added in this add/modify request
    var newRoles = personObj.getNewRoles();
But there's no built-in JavaScript method to determine what Entitlements those Roles would provide.
You could find this out by passing each Role (returned by .getNewRoles()), to a custom extension using the com.ibm.itim.policy.analysis.ProvisioningPolicyAnalysis.getProvisioningPolicies() to get a list of Policies associated with each new Role. Then call .getEntitlements() on each PPAProvisioningPolicy Object returned from the previous call.
Here's a quick example:
    // Imports assumed from the ISIM API packages (not shown in the original post)
    import java.util.Collection;
    import java.util.Iterator;
    import com.ibm.itim.dataservices.model.DistinguishedName;
    import com.ibm.itim.dataservices.model.domain.RoleEntity;
    import com.ibm.itim.dataservices.model.domain.RoleSearch;
    import com.ibm.itim.policy.analysis.PPAEntitlement;
    import com.ibm.itim.policy.analysis.PPAProvisioningPolicy;
    import com.ibm.itim.policy.analysis.ProvisioningPolicyAnalysis;

    // roleDN is the String DN of one role returned by getNewRoles();
    // lookup() and getProvisioningPolicies() throw checked ISIM exceptions
    RoleSearch rs = new RoleSearch();
    RoleEntity roleE = rs.lookup(new DistinguishedName(roleDN));

    // Provisioning policies associated with this role (second argument as in the original post)
    Collection<PPAProvisioningPolicy> policies =
        ProvisioningPolicyAnalysis.getProvisioningPolicies(roleE, true);

    Iterator<PPAProvisioningPolicy> policiesIt = policies.iterator();
    while (policiesIt.hasNext()) {
        // Each policy carries the entitlements (services) it grants
        Collection<PPAEntitlement> entitlements = policiesIt.next().getEntitlements();
        Iterator<PPAEntitlement> entitlementsIt = entitlements.iterator();
        while (entitlementsIt.hasNext()) {
            // Name of the target service the entitlement provisions to;
            // collect these to show the approver what the role grants
            String name = entitlementsIt.next().getTargetName();
        }
    }
------------------------------
Grey Thrasher
IBM
Original Message:
Sent: Thu November 21, 2019 02:01 AM
From: Prashant Narkhede
Subject: ISIM - How to identify the Entitlements(accounts) in advance when any role is added or removed from user in Person add/modify workflow?
Hi All,
I have a requirement where any role change happening to a person in ISIM should go through the role owner approval process. Additionally, I have a requirement that the request sent to the role owner should show the different accounts that will be provisioned because of the new role.
In order to do this, I wanted to find out the entitlements in advance in workflow.
So is there any way to identify the entitlements by using userDN and roleDN?
Thanks and Regards,
Prashant Narkhede
------------------------------
Prashant Narkhede
------------------------------