The policy based workflow seems to be the logical solution for this use case, but we seem to have an issue with it.
It seems that the same issue we had before in Identity Policies where due race conditions only one policy executes, is now showing up in policy-based workflows. The fix back then was to redesign and separate policies in o individual policy sets. That fix apparently apparently was never ported to policy-based workflows.
I tried to resolve this requirement, and when I submit a request for a single group, each request gets routed to the appropriate approver (dynamically resolved from the Notes attribute of the AD group which stores the approver name).
However, when I submit a single request for multiple AD groups, only one request gets routed to the appropriate approver. The other groups will be automatically assigned (and there is no specific order to which group gets sent to workflow and which ones get automatically provisioned - it is random and this is exactly the same behavior we've seen in the past with Identity Policies).
I will escalate to development and make them aware of the issue, but if anyone has a fix for this please share with the rest of the community members.
Here is what I did:
1)
Groups in AD:
3)
Approval Policies:
4)
Two-Stage Approval Policy details:
5)
Single-stage approval policy details:
6)
When each AD group request is submitted separately (everything works fine):
7)
When 2 or more groups are part of a single request (only one gets routed for approval, the others are automatically assigned):
And it also seems to have an effect on the primary approver (of the in-progress assignment) since it immediately goes to the default approver.
Original Message:
Sent: 08-20-2019 02:55 PM
From: Lynn McMorrow
Subject: Identity Portal - multiple target permission either 1 or 2 stage approval
Haha, I can't answer your question because you're asking my question back in different words :) Without knowing how you are identifying who the appropriate approvers are on a particular AD group, I can't tell you how to dynamically resolve. I can only give you an idea. But, my plan does not have 1000 tasks for 1000 AD groups. It's 1 task with a policy-based workflow associated. A rough example below, makes some assumptions:
1. Somewhere between AD and IM, the appropriate approver/s exist in a field - either an OOTB field or a custom attribute.
2. That attribute is mapped to the IM Prov store.
3. There are only a handful of possible workflows (i.e. single step, two-step, etc.) approval processes that could be chosen.
4. each provisioning role that would assign the account template has a custom attribute indicating which workflow that should be followed (e.g. reporting manager only, owner only, reporting manager and owner only).
Then, you create one task, that has a policy-based workflow; one policy for each potential workflow.
As for the workflows, I'm thinking something like the below, with the custom attributes indicated being placeholders for wherever on the account template or prov role you are storing the appropriate approvers.
Original Message------
Hi Lynn,
I aware of the method u mentioned using policy-based workflow at assign provisioning role event.
The area am interested is "IM is aware of the owners of AD Groups and can dynamically resolve those", how do we handle this dynamic resolving ?
Right now my method, is based on "hardcore the owner" example.
AdminTask_ForADGroup1 with Policy workflow(Reporting Manager)
AdminTask_ForADGroup2 with Policy workflow(Report Mgr + Owner) and etc..
In Execution Plan, i detect based on TargetPermission and route to the AdminTask accordingly.
If i have 1000 AD groups, i have to defined 1000 admin tasks...that why am looking at the dynamic resolve method...