Approval Task for role assignment

Hello again,
is there any manual for approval tasks with the SAP Provisioning Framework? There is a task group called Request new business role, but if I use this, the approver approves the request, but the status of the role assignment is "in process" and never changed to "OK".
I only found these manuals:
- How To... Create Approval Tasks in SAP NetWeaver Identity Management
- Implementing role approvals
But both documents didn't show an end-to-end role-request-and-approval workflow.
Thanks in advance.

Hello Matt, hello Peter,
the web-enabled task "Request New Business Role" and the included approval task are only examples.
To create your own approval processes for your projects you have to understand how approval tasks and pending values work.
The following document shows the basics of PVOs (pending value objects).
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0d6b459-3456-2b10-209e-9e78ec9fd97b?quicklink=index&overridelayout=true
This is documentation of the release 7.0, which is not updated to 7.1. But basics of PVOs are still the same.
There is also a document which describes approval task for Release 7.1:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20b67ad5-c69a-2c10-9da2-9721b1cf749c?quicklink=index&overridelayout=true
Also a "How-To Guide" is available:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/904deabf-73b9-2c10-e8bb-8514dc3757f2?quicklink=index&overridelayout=true
I think this is enough to learn to create workflows in SAP IdM.
There is also a nice book available with detailed information:
EN: http://www.sap-press.com/products/Understanding-SAP-NetWeaver-Identity-Management-.html
DE: http://www.sap-press.de/2007
I think this will help you.
Best regards,
Christoph Reckers

Similar Messages

  • OIM 11gR1 : Parallel approval for role assignment.

    Hi,
    I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
    When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
    Also, Is it possible to assign a Role instead of the users in the custom attributes ?
    Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
    Will appreciate pointers to the online docs, I've searched and didn't find information related to the use case I've described.
    Thanks,
    Meni,

    Bikash Bagaria wrote:
    Meni wrote:
    Hi,
    I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
    When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
    Try modifying the dataset. But I think there was an issue which someone reported here which said that you cannot add additional attributes to the role dataset. Logically it makes sense because there is no custom attribute for role in OIM so dataset should not allow it either.
    I've noticed that the design console allows adding custom attributes to roles.
    This can be done via Administration --> User Defined Field Definitions --> UGP (Table name).
    Once a field is added, you'll need to choose "Properties" and add a "Visible Field = true" prop to the attribute chosen.
    This will add a custom attributes section where your attributes will be shown.
    Question is how you can add a "search users" lookup instead of plain string for this custom attribute,
    and how those attributes will find their ways into the BPEL composite where business decisions based on those attributes may be taken (assign task per this attribute for an example).
    Also, Is it possible to assign a Role instead of the users in the custom attributes ?
    Meaning, Approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
    You can create request for multiple roles in a single request and in your approval process you need to dynamically set the human task assignee based on the role selected. You also need to attach the approval process to orchestration level so that it generates a separate child request for each role selected.
    I'm not sure I understand how the proposed approach helps avoid the decoupling of users to role admins attribute.
    The intention was to have two roles, "Role_A" and "Role_A_Approver" where people that belong to "Role_A_Approver" will be assigned workflow tasks whenever Role_A is to be granted to end-users.
    Currently, each role has a "Role Admin" attribute, this attribute however holds a user and not a container of users (role)..
    Will appreciate pointers to the online docs, I've searched and didn't find information related to the use case I've described.
    All about requests
    Thanks,
    Meni,
    -Bikash

  • Approval Process for Role in OIM

    Experts,
    When a role is approved for a user in OIM, can we stop the user without getting assigned to the role immediately.
    We would like this scenario, user requests for role, the role owner approves it in OIM and then the role assignment happens in OIA.(or)
    User requests for the role, the approval workflow sends the request to OIA for approval from role owner , once approved it can be assigned in OIA and then automatically reflected in OIM as well.
    Which option is more feasible...and recommended?
    Thanks,
    Krish

    Thanks Kevin for the reply.
    Approval process code will be initiated in OIM and approving happens in OIA. Once approved, the role can as well be assigned in OIA. This can update OIM automatically by assigning the user with the requested role.
    (Or)
    Approval process code will be initiated in OIM, approving also happens in OIM, the role also gets assigned in OIM and an OIA updates this change accordingly.
    Which one would be recommended?
    Krish.

  • CUP 5.3: Mass approver update for roles

    Hello all,
    Is there any way to do mass approvers update for roles in CUP? For instance mass change ApproverA to ApproverB for all roles. Or add ApproverC to all roles in process "Basis"?
    Thanks, Anton.

    That's actually quite easy to do:
    - go to roles / search
    - do an empty search
    - export
    - open the excel file and do a search/replace on the approver
    - save the excel file
    - upload the excel file with overwrite option turned on
    Done.
    Frank.

  • Authorization for Role Assignment

    Dear Experts,
    I have a scenario whereby a user is able to assign a set of roles to end-users but should not be allowed to do so for himself. I could only think of assigning user groups to the person's authorization which restrict him to assign roles to end-users from specific user groups. However, this is not desirable in our scenario as this means we need to maintain user groups for the entire organization (which is a huge organization). I would like to enquire if anybody has implemented similar requirements via standard/alternative means. Any suggestion and advice is appreciated. Thanks.

    Louis,
    I think this is a standard security and authorizations question, and not really HR specific.  You are correct in that the standard way to achieve this is with user groups.  However, it doesn't have to be as onerous as you are thinking.  The usual way of achieving this, of having an authorizations administrator or user administrator who can manage standard end-users but not him- or herself is to assign just that user to a group, typically called SUPER, and not worry about assigning groups to all the other end-users (or at least, not for this purpose).  You might also put all other high-power basis users, like the system administrator and any other security administrators, into this SUPER group, since you don't want anyone other than the super-superuser to manage them.  Then, you assign the user administrator role the S_USER_GRP authorization with the usual activities for user group ranges 0-SUPEQ and SUPES-Z.  This allows the role to manage users in all user groups except SUPER.
    I would also only allow this role to work with authorization profiles starting with the standard T, and role names in the pattern Z.  Then make sure that this role itself is not in the Z* customer namespace, but instead in the Y* customer namespace, and this way you prevent the user administrator from getting through a loophole and being able to create or modify non-SUPER users and simply assign them to the User Administrator role as a way of bypassing the above restriction.
    You should also not allow the User Administrator role to directly modify roles or profiles, only to create users and assign them to existing roles in the Z namespace.
    I trust that this helps.
    --Matt
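The two restrictions in the answer above (user-group ranges that skip SUPER, and an assignable role namespace that excludes the administrator role itself), as an added Python model that is not code from the thread or from SAP. It assumes range bounds compare as plain uppercase ASCII strings and that a user with no group stays manageable, as the answer implies; the group and role names in the comments and tests are constructed.

```python
# Added illustration, not SAP code: a toy evaluator for the design in the post.
# Assumptions: bounds and names compare as plain uppercase ASCII strings, and a
# target user with no user group is manageable (as the post implies).

GROUP_RANGES = [("0", "SUPEQ"), ("SUPES", "Z")]  # ranges quoted in the post
ASSIGNABLE_ROLE_PREFIX = "Z"                     # roles the administrator may hand out


def group_in_ranges(group, ranges=GROUP_RANGES):
    """True if the user group falls inside one of the from-to ranges."""
    return any(low <= group <= high for low, high in ranges)


def may_assign(target_group, role_name):
    """Decide whether the user administrator may give role_name to a user
    whose user group is target_group. Returns (allowed, reason)."""
    if target_group and not group_in_ranges(target_group):
        return False, "target user group outside the administrator's ranges"
    if not role_name.startswith(ASSIGNABLE_ROLE_PREFIX):
        return False, "role outside the assignable namespace"
    return True, "ok"


def uncovered(groups, ranges=GROUP_RANGES):
    """Group names the ranges do not cover, to review before relying on them."""
    return sorted(g for g in groups if not group_in_ranges(g, ranges))


if __name__ == "__main__":
    # Constructed cases: (target user's group, role being assigned)
    cases = [
        ("", "Z_SALES_CLERK"),       # ordinary end user without a group
        ("SUPER", "Z_SALES_CLERK"),  # the administrator's own group
        ("SALES", "Y_USER_ADMIN"),   # fresh user, administrator role in Y namespace
    ]
    for group, role in cases:
        print(repr(group), role, may_assign(group, role))
    # Names sorting between SUPEQ and SUPES, or after "Z", are also left out.
    print(uncovered(["HR", "SALES", "SUPER", "SUPERVISORS", "ZBASIS"]))
```

Under these assumptions the ranges leave out more than SUPER alone, so it is worth running the existing group names through `uncovered` before depending on them.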

  • 'No Details' error when trying to open approval task from oim page -11GR2

    Hi all,
    I am using RequestService service of oim API for triggering Remove Role request. Request is being triggered successfully, and approval task is being assigned to the right person. But when I try to open the task I get 'No Details Available For the Task' message in a popup. I tried to open it from the worklist application but there is the same error. What may be wrong? Any Help is strongly appreciated...
    Code snippet I use is below:
    OIMApiHelper helper = new OIMApiHelper();
    User user = helper.findUserByReconKey(userReconKey);
    String userKey = user.getEntityId();
    RoleManager roleManager = Platform.getService(RoleManager.class);
    RequestData requestData = new RequestData();
    RequestService reqsrvc = Platform.getService(RequestService.class);
    requestData.setJustification(" Remove Roles");
    ArrayList<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
    List<Role> userRoles = roleManager.getUserMemberships(userKey, true);
    // Build one remove-role entity per membership, skipping the "ALL USERS" role
    for (int i = 0; userRoles != null && i < userRoles.size(); i++) {
        Role role = userRoles.get(i);
        String roleKey = role.getEntityId();
        String roleName = role.getName();
        if (roleName.endsWith("ALL USERS")) {
            continue;
        }
        log.info("Benificiary Key (Role ID) ->" + roleKey);
        log.info("Benificiary Name (Role Name) ->" + roleName);
        RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
        ent1.setRequestEntityType(oracle.iam.platform.utils.vo.OIMType.Role);
        ent1.setOperation(RequestConstants.MODEL_REMOVE_ROLES_OPERATION);
        ent1.setEntitySubType(roleName);
        ent1.setEntityKey(roleKey);
        entities.add(ent1);
    }
    // Nothing to remove: do not submit an empty request
    if (entities.size() == 0) {
        return;
    }
    // Attach the collected role entities to the user as beneficiary
    Beneficiary beneficiary = new Beneficiary();
    beneficiary.setBeneficiaryKey(userKey);
    beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
    beneficiary.setTargetEntities(entities);
    List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
    beneficiaries.add(beneficiary);
    requestData.setBeneficiaries(beneficiaries);
    // submit request
    String reqId = reqsrvc.submitRequest(requestData);
    BR,
    Aliye

    He is talking about the configuration which you did at the time of OIM Installation.
    Verify:
    Login into EM > System Mbean Browser > Application Defined Mbean > oracle.iam > oim_server1 > oim >Config > XML Config.Discovery > Discovery

  • Approval task SP09: Evaluation of approvalid failed with Exception: while trying to invoke the method java.lang.String.length() of an object loaded from local variable 'aValue'

    Hi everyone,
    I just installed SP09 and I was testing the solution. And I found a problem with the approval tasks.
    I configured a simple ROLE approval task for validate add event. And when the runtime executes the task, the dispatcher log shows an error:
    ERROR: Evaluation of approvalid failed with Exception: while trying to invoke the method java.lang.String.length() of an object loaded from local variable 'aValue'
    And the notifications configured on approval task do not start either.
    The approval goes to the ToDO tab of the approver, but when approved, also the ROLE stays in "Pending" State.
    I downgraded the Runtime components to SP08 to test, and the approval tasks work correctly.
    Has anyone passed through this situation in SP09?
    I think there is an issue with the runtime components delivered with this initial package of SP09.
    Suggestions?

    Hi Kelvin,
    The issue is caused by a program error in the Dispatcher component. A fix will be provided in Identity Management SP9 Patch 2 for the Runtime component. I expect the patch will be delivered within a week or two.
    For more info about the issue and the patch please refer to SAPNote 2016081.
    @Michael Penn - I might be able to assist if you provide the ticket number
    Cheers,
    Kristiyan
    IdM Development

  • Spawning multiple approval tasks in parallel in OIM11g SOA Composite

    Hi,
    We are trying to implement the following scenario.
    1) We are trying to develop a SOA composite for AD Group Access
    2) The request dataset contains a child table for AD User Group Details which is as follows.
    <AttributeReference name="AD User Group Details" attr-ref="UD_ADUSRC" type="String" length="20" widget="text" available-in-bulk="true">
    <AttributeReference name="Group Name" attr-ref="Group Name" type="String" length="400" widget="lookup" available-in-bulk="true" lookup-code="Lookup.ADReconciliation.GroupLookup" primary="true"/>
    </AttributeReference>
    3) Consider the user is already provisioned to AD.
    4) User now tries to request for AD Group Access by using a request template
    5) The request dataSet for the resource "AD Group Access" will be displayed where the user would "Add" the group(s) to which (s)he want access.
    6) Once the request is submitted the associated SOA composite would be executed.
    7) Now, in the SOA composite the logic should be as follows:
    a. For each group selected, there is a corresponding dataApprover who should approve the request.
    b. Once the dataApprover approves the request it goes to the next approver who is securityApprover.
    c. Once the securityApprover approves the request, the request should go thru and the user should get the membership in the AD Group.
    d. Since "AD User Group Details" is a child form in the request dataset, the user can add multiple groups in the same request.
    e. If there are multiple groups selected in the same request, then the same request should spawn parallel approval tasks for all corresponding dataApprovers and securityApprovers.
    f. Then the user should get membership to those AD Groups for which the corresponding dataApprover and securityApprover had approved the request.
    g. If a dataApprover or securityApprover rejects the request then the user shouldn't get membership to the respective group. However, this shouldn't prevent the user from getting membership to other groups for which dataApprover-securityApprover approval was done.
    The dataApprover and securityApprover for the groups are stored in a db table mapping to the corresponding group name.
    We have implemented a SOA composite for which the logic is fine if we add only one group in the child table of request dataset. As per the current implementation, when a user submits the request, the dataApprover and securityApprover for the selected group are fetched from the table and the global variables in SOA composite are set with the ID of dataApprover and securityApprover using setVariableData. These are string variables. These variables are used in the approval task. The approval task has two "Single Type" participants - dataApprover and securityApprover. These participants fetch the value of dataOwner and securityOwner from the global variables set using setVariableData.
    Now, as mentioned above, if multiple groups are added like group1, group 2 etc. then there should be multiple approval tasks spawned in parallel that will be approved/rejected by dataApprover1-securityApprover1, dataApprover2-securityApprover2 etc. Depending on the output (approve/reject) the user should get membership to appropriate groups.
    Any inputs on how to modify the current composite to spawn multiple approval tasks in parallel depending on the number of groups added from the requestDataSet would be helpful.
    Regards,
    Swaroop

    Single request id then you are bit safe. The way to do it would be:
    1. Set the dataApprovers as a comma separated list of all the data approvers for all the groups.
    2. Set the securityApprovers as a comma separated list of all the security approvers for all the groups.
    3. In Human Task assign the first stage to all the dataApprovers and second stage to securityApprovers.
    Cons of this approach are:
    1. All the approvers would see all the data and they might be confused what they are approving.
    2. securityApprovers for say group1 won't get the item until all the dataApprovers approve the request even though dataApprover has approved the request for group1.
    3. Would be hard to implement the rejection cases; depending upon how you want to handle the rejections. For e.g. what if any dataApprover rejects the request? Should the whole request be rejected? If so what would happen to those which have already been approved by dataApprovers? Same case goes for securityApprovers. Again since you cannot modify the requested data once the request is submitted; thus you cannot remove the rejected groups from the request.
    4. Your provisioning won't trigger until all dataApprovers and all securityApprovers have approved the request.
    5. Any one approve from comma separated list of approvers would approve the request. Thus you cannot make sure that all the approvers should approve the request. The workaround would be to create parallel stages in human task and assign one group/approver to one parallel stage. This would mean that you will have to hard code the number of parallel approvals which can be generated in your BPEL human task (This would again depend upon the number of groups requested). To workaround this you could use BPEL external routing program where you can pragmatically assign tasks but again since there is no entitlement based request engine in OIM, thus there would be issues there too.
    As a workaround, make sure that you allow only one group to be requested per request and reject the request outright if multiple groups are requested in a single request. You will need to buy in the business on this one.
    Have heard the grapevine that 12G which is in the pipeline would have entitlement based request engine and also would allow for modification of request data once the request is submitted.
    HTH,
    BB
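The gap between the comma separated assignee list (con 5 in the answer above) and one dataApprover-then-securityApprover chain per group (requirements a to f in the question), as an added Python model that is not code from the thread or from OIM. Group names, approver names and decisions are constructed, and the pooled rule implements only the "any one approval completes the stage" behaviour the answer describes.

```python
# Added illustration, not OIM/BPEL code: compares two ways of routing one
# request that contains several AD groups.

APPROVE, REJECT = "approve", "reject"
STAGES = ("data", "security")  # dataApprover first, then securityApprover

# Constructed sample data (hypothetical group and approver names).
APPROVERS = {
    "AD-Finance": {"data": "alice", "security": "carol"},
    "AD-Payroll": {"data": "bob", "security": "dave"},
}
# bob rejects his group, dave never responds.
DECISIONS = {"alice": APPROVE, "bob": REJECT, "carol": APPROVE}


def pooled_outcome(groups, approvers, decisions):
    """One human task per stage, assigned to the comma separated list of every
    group's approver. Any single approval completes the stage and the request
    is all-or-nothing. Returns the set of groups that get provisioned."""
    for stage in STAGES:
        assignees = [approvers[g][stage] for g in groups]
        if not any(decisions.get(a) == APPROVE for a in assignees):
            return set()
    return set(groups)


def per_group_outcome(groups, approvers, decisions):
    """One two-stage chain per group. Returns {group: status}."""
    result = {}
    for group in groups:
        status = "granted"
        for stage in STAGES:
            decision = decisions.get(approvers[group][stage])
            if decision == REJECT:
                status = "rejected at %s stage" % stage
                break
            if decision is None:
                status = "pending at %s stage" % stage
                break
        result[group] = status
    return result


def unreviewed_grants(groups, approvers, decisions):
    """Groups the pooled routing provisions although their own approvers did
    not both approve: the entries to look for when auditing such a workflow."""
    granted = pooled_outcome(groups, approvers, decisions)
    chains = per_group_outcome(groups, approvers, decisions)
    return sorted(g for g in granted if chains[g] != "granted")


if __name__ == "__main__":
    groups = list(APPROVERS)
    print("pooled   :", sorted(pooled_outcome(groups, APPROVERS, DECISIONS)))
    print("per group:", per_group_outcome(groups, APPROVERS, DECISIONS))
    print("granted without own approval:",
          unreviewed_grants(groups, APPROVERS, DECISIONS))
```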

  • Add approval task through API call

    Hello, I am attempting to solve the following problem.
    I have a UDF defined on the Resource Objects form (OBJ table), this field contains a comma delimited list of OIM groups which is of size n (based on the resource object).
    I would like to create an approval task for each group in this list. In addition I would like the name of each task to show up as the group name, so when a user logs into the UI and looks at the approval details they see the approval task as the group name.
    I have been able to add a task using tcProvisioningOperationsIntf.addProcessTaskInstance API however this API does not allow me to modify 1) the group to assign the request to and 2) the name of the task.
    thanks

    Hey Kevin, thanks for responding.
    This query will allow me to get the process task key, so it can be added to the approval task via tcProvisioningOperationsIntf.addProcessTaskInstance. However the issue is, no task currently exists. So before I can add an instance of the task I have to actually create a new task, but I was unsure how to accomplish this through API calls.
    The goal here is to allow a list of groups to be configurable at the resource level without having to modify the approval process.
    thanks

  • Reject Pending Approval Tasks when Manager changes

    Folks,
    I have a requirement , when the user's manager change , i need to reject all the pending approval tasks for that particular user whose manager has changed , not others pending tasks .
    Please let me know if anyone has implemented such a requirement .
    I'm thinking of writing the logic in Change Manager task in Xellerate user prov process, so when manager will change this task will trigger and in this task I will get all the pending approvals by using the 'getPendingApprovalTasksAssignedToUser' but I'm not sure how to identify the user who was the beneficiary of the task.
    Thnx
    Sid

    We are using 11.1.1.5 with BP03.
    Question - An OIM user can raise requests which can be routed to its manager for approval. The manager may manage more than one subordinate and will have approval tasks for requests raised by all his subordinates. If one of the subordinate's manager changes, tasks assigned to old manager for that subordinate should be rejected. All other tasks assigned to this manager by other subordinates should still be active. Can we fetch tasks assigned to a manager for a particular subordinate?
    APIs do give me all the tasks assigned to a user but can we filter them to fetch tasks related to only one beneficiary without fetching all and then iterating through all to get desired result?

  • Role assignment to users (Change documents)

    Hi
    I was looking through the change documents for users and here I came across "START_REPORT" under the Transaction column along with SU01 and PFCG. I was not quite sure about what this "STATUS_REPORT" was all about. I was wondering if this is a program. It certainly is not a batch coz we don't run batches here. I am trying to track down this change to the user but STATUS_REPORT is leading me nowhere....
    Any ideas?
    ravi

    Hi ravi
    Could you please explain the problem once more ?
    If you want to see the changes in the profiles of the user(which i take as one example of change documents) then you can use the transaction SUIM and there it'll give you options for change documents as below:
    1) For users
    2) For role assignment
    3) For Roles
    4) For profiles
    5) For authorizations
    and then you can choose the option you want.
    If I can help in some other way then kindly let me know.
    Cheers

  • Creation of auto approval process for assigning role for a user in oim11g

    Currently I'm doing a scenario like a user must be automatically assigned to a role by using approval policy where the user is already there in OIM and then we use a csv file in which we take 2 columns like userlogin and role name, so by running this scheduled task the user must be automatically approved to that role. But I have to use the default auto approve policy in OIM without creating any BPEL process for that, so can anyone suggest how to proceed with this scenario?
    Thanks in Advance for quick response.

    If I understand correctly, You have users and their respective roles in csv file. Users are present in OIM. You want to assign those roles in csv file to respective users?
    If this is the scenario, you need to write a custom code for schedule task which will read data from your csv file, create roles and assign them to respective users.
    to create custom schedule task in OIM 11g, you may refer to:
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/scheduler.htm
    regards,
    GP

  • Specify duration for each assignment stage in an approval task - sharepoint designer workflow

    HI
    I am trying to create an approval workflow in sharepoint designer. How do I configure different duration for each participant in a approval task .?

    I had a similar issue. Best way I found was to go into the 'Before a Task is Assigned' of the task and then Set Task Field Due Date - to the date needed. If you need to get into specific time of the day, it presents additional issues. First the workflow doesn't have a 'current time' function. If the task is being created at the start of the workflow, you can use Workflow Context Date/Time started and calculate from there. If you are adding a task, or the task is occurring after a previous task, you can make a workflow field and on the 'When a Task Completes' assign it the value of Current Task Last Modified. Also, it seems there is a bug where it doesn't recognize the time-zone correctly when you update the Due Date in the workflow process. So if you see unexpected results for the time in the duedate value, may have to adjust for however many number of hours your timezone is from GMT.

  • How to trigger approval request for resources after assigning role

    Hi,
    We have a use case where we need to assign resources to user via assigning roles.
    In order to achieve this use case
    1. we have created a role and assigned the access policy to it which contain the resources to be provisioned once the role is assigned to the user.
    2. Created a SOA composite having manager approval and assigned this composite to a approval policy of type 'Assign Role'.
    3. I am already having the approval policy for the resources which are present in roles. The approval policy of resources is of type "Provision Resource".
    4. Also the SOA composite for resource approval is deployed in OIM and assigned to the approval policy.
    5. Now when I am raising the request from OIM of type "Assign Role" the approval defined in the SOA composite for Role approval gets triggered. After approving the role request the role is assigned to the user and also the resources defined in the access policy gets provisioned to the user account.
    Now I want to trigger the resource approval process after the role approval instead of directly provisioning the resources. So that once the role is approved the individual Approval Process of resources part of roles should also gets invoked. Based on the approval or rejection of resources approval, the resource gets assigned to the user.
    Please let me know how to achieve the above use case.
    Thanks in advance

    Access policy is saying whoever gets xyz role, will get this abc resource. Now once a user gets xyz role, you are stopping to get abc resource? both are contradictory. Don't go through access policy. User is anyway going to request for roles. Modify your flow and make user request for resource. Have your composite and approval policy attached. User will get resource once it is approved.
    regards,
    GP

  • Approval required for assignment of more than one Role+AccessPolicy

    Hi,
    we noticed the following behavior with OIM11gR2 (11.1.2.0.0):
    2 Role each one with it own Access Policy to provision AD resource
    case 1: if we request one Role at time by Catalog, no approval is required
    case 2: if we assign both Roles at same time by Catalog, one Request that requires approval is generated
    Questions:
    1. Is it default behavior?
    2. Is it possible to avoid approval step for case 2? If yes, is there any side-effects removing the approval step?
    Thanks

    kumarsubhrata wrote:
    Dear friends,
    >
    > I have a depot plant and there Excise Registration No is 12. Excise Registration 12 have a single Series group 121 this time, where all entries (RG23D) are entered.
    > But, my customer needs one more Series Group to be assigned with Excise Registration 12 i.e. 122.
    > Actually they want separate Series Group for Depot Sales and Inventory Posting i.e. 121 for Depot Sales and 122 for Inventory Posting.
    >
    > Please suggest me that is it possible to assign 2 Series Group for single Excise Registration for Depot Plant?
    >
    >
    >
    > Thanks in advance.
    > Kumar Subhrata
    Hi,
    It is very much possible. Configure that settings in the IMG path
    SPRO -> Logistics - General -> Tax on Goods Movements -> India -> Basic Settings -> Maintain Series Groups
    Click on new entries and enter 122 and assign excise registration 12 to it.
