OIM 11gR1 : Parallel approval for role assignment.

Hi,
I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
Also, is it possible to assign a Role instead of the users in the custom attributes?
Meaning, approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
Will appreciate pointers to the online docs, I've searched and didn't find information related to the use case I've described.
Thanks,
Meni,

Bikash Bagaria wrote:
Meni wrote:
Hi,
I'd like to add custom attributes to a role : "District security officer" and "Department security officer" (Can those be used for searching users? -- i.e. users lookup)
When the role is to be assigned to a user, I'd like the workflow engine to open tasks for the members entered on those custom attributes.
Try modifying the dataset. But I think there was an issue which someone reported here which said that you cannot add additional attributes to the role dataset. Logically it makes sense because there is no custom attribute for role in OIM so dataset should not allow it either.
I've noticed that the design console allows adding custom attributes to roles.
This can be done via Administration --> User Defined Field Definitions --> UGP (Table name).
Once a field is added, you'll need to choose "Properties" and add a "Visible Field = true" prop to the attribute chosen.
This will add a custom attributes section where your attributes will be shown.
Question is how you can add a "search users" lookup instead of plain string for this custom attribute,
and how those attributes will find their ways into the BPEL composite where business decisions based on those attributes may be taken (assign task per this attribute for an example).
Also, is it possible to assign a Role instead of the users in the custom attributes?
Meaning, approving user assignment of a role named "Role A" will be done by users that belong to "Role_A_Approvers".
You can create request for multiple roles in a single request and in your approval process you need to dynamically set the human task assignee based on the role selected. You also need to attach the approval process to orchestration level so that it generates a separate child request for each role selected.
I'm not sure I understand how the proposed approach helps avoid the decoupling of users to role admins attribute.
The intention was to have two roles, "Role_A" and "Role_A_Approver" where people that belong to "Role_A_Approver" will be assigned workflow tasks whenever Role_A is to be granted to end-users.
Currently, each role has a "Role Admin" attribute; this attribute however holds a user and not a container of users (role).
Will appreciate pointers to the online docs, I've searched and didn't find information related to the use case I've described.
All about requests
Thanks,
Meni,
-Bikash

Similar Messages

  • Approval Task for role assignment

    Hello again,
    is there any manual for approval tasks with the SAP Provisioning Framework? There is a task group called Request new business role, but if I use this, the approver approves the request, but the status of the role assignment is "in process" and never changed to "OK".
    I only found these manuals:
    - How To... Create Approval Tasks in SAP NetWeaver Identity Management
    - Implementing role approvals
    But both documents didn't show an end-to-end role-request-and-approval workflow.
    Thanks in advance.

    Hello Matt, hello Peter,
    the web-enabled task "Request New Business Role" and the including approval task are only examples.
    To create own approval processes for your projects you have to understand how approval tasks and pending values work.
    The following document shows the basics of PVOs (pending value objects).
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0d6b459-3456-2b10-209e-9e78ec9fd97b?quicklink=index&overridelayout=true
    This is documentation of the release 7.0, which is not updated to 7.1. But basics of PVOs are still the same.
    There is also a document which describes approval task for Release 7.1:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/20b67ad5-c69a-2c10-9da2-9721b1cf749c?quicklink=index&overridelayout=true
    Also a "How-To Guide" is available:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/904deabf-73b9-2c10-e8bb-8514dc3757f2?quicklink=index&overridelayout=true
    I think this is enough to learn to create workflows in SAP IdM.
    There is also a nice book available with detailed information:
    EN: http://www.sap-press.com/products/Understanding-SAP-NetWeaver-Identity-Management-.html
    DE: http://www.sap-press.de/2007
    I think this will help you.
    Best regards,
    Christoph Reckers

  • OIM 11g R1 - Container for Roles

    Hi,
    is it possible to create container for roles?
    For Example:
    Container1: RoleA, RoleB, RoleC
    Container2: RoleV, RoleY, RoleZ
    The reason is, I want to create authorization policies, which allow the user to assign special roles. The problem is that a lot of roles will be added during the operation. This means, if a new role will be created, I have to edit the authorization policy.
    The best way is, I assign a Role-Container to the authorization policy. If I create a new role, I add the role to the special container.
    Is this possible in OIM 11g R1?
    Edited by: 960944 on Apr 3, 2013 5:18 AM

    Yes, you can do that using authorization policy.
    Try this:
    Create a Role called 'X'
    Create an Authorization Policy of Role Management Entity Type called 'X Role Authz Policy' and under the Permission tab:
    Grant Modify Role Membership, Search for Role, View Role Detail and View Role Membership
    Under Data Constraints: Add all the roles that a user can self assign except SYS ADMIN role.
    Under Assignment: Add Role 'X'
    Save and apply to test it.
    You can have a look at the default Role Management All Users Policy for reference.
    Regards,
    Sunny

  • GRC 10 BRM - Approve Single Role assignment in Business Roles

    Hello,
    I want to set up a workflow where any Single Role assigned to a Business Role requires an approval of the Single Role Owner.
    The thing is that my customer doesn't have a Security Administrator, so what they want is that each Single Role Owner could be aware when their roles are assigned to a Business Role, especially when the Business Role Owner is another person.
    Once the Business Role is created, the provisioning would be in charge of Business Role Owners.
    Do you know any way to configure this?
    Thanks,
    Fernando

    Hi Claudio - thanks for breaking it down
    @ Fernando - for the Role Approval Methodology you need to split your approval out to be based on request type. Claudio has shown this up above already. In continuing his example, where the business role goes to path C - you would then have Path C do a line by line approval based on the single role owners
    By using this role approval methodology your single role approvers are indirectly allowing  any user who are approved the business role via an access request and that request is approved by business role owner (which is role owner).
    As mentioned - you are using two different workflow process ids
    Role Build - using BRM to approve the single roles being part of the business role
    Access Assignment - approving the user to receive the business role which includes the single roles
    Regards
    Colleen

  • Dynamic Parallel Approval for HCM Process and Forms

    Hi everyone,
    I have a scenario where I need to use the "Dynamic Parallel Approval" (or to keep it simple, initially I tried using the "Parallel Approval" wizard) for a workflow used in the HCM Process and Forms.
    The standard task for approval in process and forms is TS17900101. I have mentioned a multiline container in the Miscellaneous tab of this task. However, I was unable to use this task in the wizard. There are no results attached to this task unlike any other standard approval task (like TS30200147). I need to use the task TS17900101 in the workflow assigned to process and forms, but not sure how to handle this scenario (parallel approval).
    If this is not the right way of doing it, is there any workaround for "Parallel Approval" in HCM Process and Forms?
    Could anybody throw some light around this area.
    Thanks for your help.
    - MM

    Thanks Anuj. But I believe, the container element that I add in the miscellaneous tab does not necessarily have to be used in the agent assignment. The multiline container is just to instantiate the workitem 'n' number of times. Correct me if I am wrong.
    My concern is that I was unable to use this approval task (TS17900101) in the workflow wizard for dynamic parallel/parallel approval.
    Arghadip - Thanks for your suggestion. I have seen some of your nice contributions in the WF forum.
    I actually tried using the 'Blocks'. But this is what I ran into. When I send multiple approval requests (say 3), if one person has approved it and the second has rejected it, I need to take out the workitem from the third person's list (because it has been rejected by someone in the group). I am not sure if this is possible using Blocks. And in my case the third person is still having the workitem, but gets a dump/error when he tries to open it.
    Also, if anyone has rejected the request, I do not have to wait for the rest to take any action on the workitem and proceed further. But I guess in 'Blocks' it will not let you go out unless every workitem has been processed.
    To summarize, here's what I need - I need to come out of the block for two conditions. One, if everyone has approved, come out of the block with an approval flag. Two, if anyone has rejected (even if some have not processed their workitem), delete the workitems from others' inbox and come out of the block with a rejection flag.
    So, any kind of input or suggestions on how this could be handled would be highly appreciated.
    Thanks
    MM
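The two exit conditions described in the post above, modelled as an added example (not code from the original post or from SAP): all names here are hypothetical. It also covers the late-action case, where an approver whose work item was withdrawn acts anyway and gets the final outcome back instead of an error.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    CANCELLED = "cancelled"  # withdrawn because another approver rejected


@dataclass
class ParallelApproval:
    """One request sent to several approvers at the same time."""
    approvers: list
    items: dict = field(init=False)
    outcome: State = field(init=False, default=State.PENDING)

    def __post_init__(self):
        if not self.approvers:
            raise ValueError("at least one approver is required")
        # One work item per distinct approver, in the order given.
        self.items = {a: State.PENDING for a in dict.fromkeys(self.approvers)}

    def inbox(self, approver):
        """True while the approver still has an open work item."""
        return self.items.get(approver) is State.PENDING

    def decide(self, approver, approve):
        """Record one decision and return the overall outcome so far."""
        if approver not in self.items:
            raise PermissionError(f"{approver} holds no work item for this request")
        if self.items[approver] is not State.PENDING:
            # Late or repeated action on a closed item: nothing changes,
            # the caller just learns the outcome that already stands.
            return self.outcome
        self.items[approver] = State.APPROVED if approve else State.REJECTED
        if not approve:
            # Exit condition two: first rejection ends the block and
            # withdraws every work item that is still open.
            for other, state in self.items.items():
                if state is State.PENDING:
                    self.items[other] = State.CANCELLED
            self.outcome = State.REJECTED
        elif all(s is State.APPROVED for s in self.items.values()):
            # Exit condition one: everyone has approved.
            self.outcome = State.APPROVED
        return self.outcome


if __name__ == "__main__":
    req = ParallelApproval(["approver1", "approver2", "approver3"])
    print(req.decide("approver1", True))    # still pending
    print(req.decide("approver2", False))   # rejected, approver3 withdrawn
    print(req.inbox("approver3"), req.decide("approver3", True))
```

Because a withdrawn item can never move back to pending, an approval that arrives after a rejection cannot change the recorded outcome.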

  • Parallel Approval for Approval Groups

    I have a doubt in AME rules which can be created for the ‘Payables Invoice Approval’ Transaction Type. I have to configure AME rule for the particular Scenario. (Issue is the item marked in red)
    Scenario:-
    Created a Line item attribute to get the value of minor account from invoice distribution line. SQL query for same is given below.
    -- minor account (segment3) for each distribution line of the invoice
    select glcc.segment3
    from ap_invoice_distributions_all apd, gl_code_combinations glcc
    where
    apd.dist_code_combination_id=glcc.code_combination_id and
    apd.invoice_id = :transactionId and apd.invoice_distribution_id in (select invoice_distribution_id
    from ap_invoice_distributions_all
    where invoice_id = :transactionId)
    order by apd.invoice_distribution_id
    Created 2 conditions with this attribute, Minor1 - for segment3 17240 and Minor2 for segment3=44496
    Created two different rules using these conditions (used two different approval groups, with one approver each in approval group)
    I created an invoice with 2 distributions. First dist has minor 17240 (satisfying rule1) and second with minor 44496 (satisfying rule2)
    I expected both these rules to be executed at the same time and e-mail to be sent to these approvers in parallel (we tried to set order num in approval group to not unique and num=1. But it didn’t work)
    However, these rules are processed serially and notification is sent to second approver after first approver approves it.
    We need to figure out a way, how notifications can be sent to both approvers (of different approval groups) at the same time also can item level approval be configured for approval groups?
    I even tried Dual Chain of authority. But Dual Chain of authority is again for supervisory hierarchy. I also tried the pre-chain-of-authority approvals (which will be an approval group) along with the main approval group. But parallel processing was not possible.
    Also tried the exception condition but could not obtain the desired functionality.
    Any pointers would be appreciated. Thanking you in anticipation.

    Did a little digging and it worked!

  • Authorization for Role Assignment

    Dear Experts,
    I have a scenario whereby a user is able to assign a set of roles to end-users but should not be allowed to do so for himself. I could only think of assigning user groups to the person's authorization which restrict him to assign roles to end-users from specific user groups. However, this is not desirable in our scenario as this means we need to maintain user groups for the entire organization (which is a huge organization). I would like to enquire if anybody has implemented similar requirements via standard/alternative means. Any suggestion and advice is appreciated. Thanks.

    Louis,
    I think this is a standard security and authorizations question, and not really HR specific.  You are correct in that the standard way to achieve this is with user groups.  However, it doesn't have to be as onerous as you are thinking.  The usual way of achieving this, of having an authorizations administrator or user administrator who can manage standard end-users but not him- or herself is to assign just that user to a group, typically called SUPER, and not worry about assigning groups to all the other end-users (or at least, not for this purpose).  You might also put all other high-power basis users, like the system administrator and any other security administrators, into this SUPER group, since you don't want anyone other than the super-superuser to manage them.  Then, you assign the user administrator role the S_USER_GRP authorization with the usual activities for user group ranges 0-SUPEQ and SUPES-Z.  This allows the role to manage users in all user groups except SUPER.
    I would also only allow this role to work with authorization profiles starting with the standard T, and role names in the pattern Z.  Then make sure that this role itself is not in the Z* customer namespace, but instead in the Y* customer namespace, and this way you prevent the user administrator from getting through a loophole and being able to create or modify non-SUPER users and simply assign them to the User Administrator role as a way of bypassing the above restriction.
    You should also not allow the User Administrator role to directly modify roles or profiles, only to create users and assign them to existing roles in the Z namespace.
    I trust that this helps.
    --Matt
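A check of which user group names the two ranges quoted in the answer above (0-SUPEQ and SUPES-Z) actually leave out, as an added example that is not part of the original reply. It assumes upper-case names compared character by character, which may differ from how a given system evaluates ranges, and the group names are constructed samples.

```python
# Ranges quoted in the answer above for S_USER_GRP: 0-SUPEQ and SUPES-Z.
RANGES = [("0", "SUPEQ"), ("SUPES", "Z")]

# Constructed sample of user group names (not from any real system).
SAMPLE_GROUPS = ["BASIS", "FINANCE", "HR", "SUPEQ1", "SUPER",
                 "SUPERVISORS", "SUPES", "ZBASIS"]


def covered(group, ranges=RANGES):
    """True if the group name falls inside at least one inclusive range.

    Assumption: names are upper-cased and compared character by character.
    """
    name = group.upper()
    return any(low <= name <= high for low, high in ranges)


def gaps(ranges=RANGES):
    """Open intervals (after, before) lying between consecutive ranges."""
    ordered = sorted(ranges)
    return [(prev_high, next_low)
            for (_, prev_high), (next_low, _) in zip(ordered, ordered[1:])
            if prev_high < next_low]


def audit(groups, ranges=RANGES):
    """Split group names into those the ranges cover and those they do not."""
    manageable = sorted(g for g in groups if covered(g, ranges))
    excluded = sorted(g for g in groups if not covered(g, ranges))
    return manageable, excluded


if __name__ == "__main__":
    manageable, excluded = audit(SAMPLE_GROUPS)
    print("gap between ranges:", gaps())
    print("manageable:", manageable)
    print("excluded:  ", excluded)
```

Under this comparison the ranges exclude more than SUPER: every name that sorts between SUPEQ and SUPES, and any name that sorts after Z, is also outside what the role can manage, so existing group names are worth auditing before the ranges are assigned.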

  • Parallel approval  nest sequent approval for SC

    Dear All
    I am using SRM7.02.
    I can realize parallel approval for SC as following.
    Only after A1 and B1 approved, the process will end or enter next level.
    But the customer gave me a new challenge, as the following.
    The work item is sent to A1 and B1; after A1 approved, A2 would receive the work item. After B1 approved, B2 would receive the work item.
    Only after both A2 and B2 approved, the process ends or enters next level.
    Any experts can give me some suggestion?
    thanks in advance
    Jesse

    Hi Jesse,
    Even our clients in my earlier project asked for a similar workflow. But SRM workflow won't support that because there are few scenarios which make things complex. For example, when we have a combination of type 1 and type 3 approvals in a single flow, a part of the document reaches type 1 approver and a part doesn't. And also if a cart items are distinguished into one set in approval level 1, and they can be in different sets in next level even if all approval levels are of type 3 or type 4.
    Regards,
    Karthik babu

  • Role assignment to users (Change documents)

    Hi
    I was looking through the change documents for users and here I came across "START_REPORT" under the Transaction column along with SU01 and PFCG. I was not quite sure about what this "STATUS_REPORT" was all about. I was wondering if this is a program. It certainly is not a batch coz we don't run batches here. I am trying to track down this change to the user but STATUS_REPORT is leading me nowhere....
    Any ideas?
    ravi

    Hi ravi
    Could you please explain the problem once more?
    If you want to see the changes in the profiles of the user (which I take as one example of change documents) then you can use the transaction SUIM and there it'll give you options for change documents as below:
    1) For users
    2) For role assignment
    3) For Roles
    4) For profiles
    5) For authorizations
    and then you can choose the option you want.
    If I can help in some other way then kindly let me know.
    Cheers

  • Approval Process for Role in OIM

    Experts,
    When a role is approved for a user in OIM, can we stop the user without getting assigned to the role immediately?
    We would like this scenario, user requests for role, the role owner approves it in OIM and then the role assignment happens in OIA. (or)
    User requests for the role, the approval workflow sends the request to OIA for approval from role owner , once approved it can be assigned in OIA and then automatically reflected in OIM as well.
    Which option is more feasible...and recommended?
    Thanks,
    Krish

    Thanks Kevin for the reply.
    Approval process code will be initiated in OIM and approving happens in OIA. Once approved, the role can as well be assigned in OIA. This can update OIM automatically by assigning the user with the requested role.
    (Or)
    Approval process code will be initiated in OIM, approving also happens in OIM, the role also gets assigned in OIM and an OIA updates this change accordingly.
    Which one would be recommended?
    Krish.

  • Approval work flow for Role based and Resource based

    Hi All,
    We have to implement approval work flow for the following things in OIM 9.1.0.1
    Approval work flow for Functional Roles (Groups in OIM) (Approvals required for users to get these roles)
    IT Roles (Resources in OIM) (Approvals required for users to get these resource)
    Functional Role (Group) contains policy1, policy2. Policy1 contains res1, res2 and Policy2 contains res3, res4. I want to create approval work flow for this Functional Role to achieve the following
    User raises a request for the functional role, then it should wait to get manager approval. Then once it gets approval, that user account should be created on all resources which are involved in that group.
    And, I have to define approval work flow for all individual resources to get users account creation on target with approvals. These resources may be included in the groups as well.
    After getting approval for functional role (Group), then will OIM start the approval flow for all resources involved in the group? Because all resources have approval workflow at resource level also.
    My Goal: Approval work flow for Group, should not process the approval work flow for resource. can we do it in OIM 9.1.0.1?
    And can we do the same in OIM 11g also?
    Please help me and do let me know, if you need any information from my end.
    Thanks.

    That's configurable buddy ! ! And possible in 10G and 11G both versions.
    Functional Roles : These are the groups/roles in OIM 10g/11g with access policies attached at the backend.
    - Create a dummy resource and name it Request Role or anything as you like. Attach an Object Form to it and have form field for Role Name, this would be a lookup type field linked to all OIM groups (leave system values using lookup query). So a user can select any OIM Group in this request as per configuration. Have approval workflows defined on this dummy resource Request Role and in its Provisioning Process make user/s a part of the requested group.
    - Now once the user is made a part of the group, the associated access policy would be invoked automatically and thereby provisioning. The only thing you need to keep in mind is that create the access policy without approval (there is a check box). If you do this the approvals would never be invoked even if you assign a group manually to the user coz it suppresses all the approvals in this access policy.
    IT Roles : These would be linked to the resource and you can define individual approvals on the resources as required. These approvals would be required if someone raises a request for these resources individually.
    Thanks
    Sunny

  • Approver for the application role not working out

    Hi,
    I have created a role with type application and Approver A, then created a business role with the Approver B and included application role into the business role.
    When I assign this business role to a user the only request for approval goes to Approver B and after approval both the application and business roles are assigned. Strangely it seems to skip the Approver A. I did even remove the approver in business role, leaving only approver in application role, still same result - it skips Approver A.
    I'm using IDM 8.0.0.1, any ideas why it would skip the approver in the included role?
    Thanks!

    Thanks for the quick reply. I've tried optional with approval and here is what I found.
    It seems I need a combination of the two. My end goal is to have a second level approval, one group would be responsible for approving the business role and the system owners would be responsible for approving the nested application roles. When a user requests the business role, they must have approvals for the business role and all of the nested application roles for their request to be completed.
    If the app. roles are required, the workflow automatically incorporate the nested appl. roles in the request but does not require approval for them. If they are conditional with approval, the user would have to submit a second request to get all of the nested application roles. It looks like I need a combination of the two, required with approval.
    I need it to behave like it does when you have a role with approver that includes resources with an approver. The role and resources must all be approved before the request can be completed successfully.
    I'm trying to see if this is possible through the GUI before I customize the workflow.

  • OIM 11g: Issue while evaluating rule for Role Membership

    Hello All,
    I have configured few General Rules using 2 of our User Defined Fields, these general rules are used to determine role membership.
    What we observed that once "Identity Status" attribute is set to "Disabled" for OIM User Profile then OIM stops evaluating these configured General Rules for Role Membership.
    Env Details:
    Product Version: Oracle Identity Manager 11.1.1.5.0
    App Server: WebLogic Server Version: 10.3.5.0
    OS: Red Hat Enterprise Linux Server release 5.5
    Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64 bit
    Please let me know if any of you have encountered this issue and if there is any workaround available for it.
    Thanks,
    Shyam

    Re: OIM11g: Resource not revoked if the Identity Status is DISABLED
    XL.EvaluateMembershipForInactiveUser
    Workaround:
    You can make use of Event Handler and assign that group with APIs.

  • Getting roles assigned to a user in OIM

    We need to write a query to find what are the roles assigned to a particular user and when it has been assigned. Is there any source where the OIM tables and their attributes have been explained? We were referring the UPA_GRP_MEMBERSHIP for getting the roles (referring UGP_KEY) and the user with (UPA_USR_KEY), is this correct or is there some other table which has the info?

    Thanks for your reply...
    To get the roles of a user, what is the common attribute between USR and UPA_GRP_MEMBERSHIP table? Is it usr_key from usr table and upa_usr_key from UPA_GRP_MEMBERSHIP? If not, what are the differences between the two attributes and is there any other attribute to refer?

  • ....OIM and SOA tables for new Request for Roles

    Hello OIM experts, please help me. I need the list of database tables that get updated when we submit new request for Roles. I need the tables that get updated by both SOA and OIM during request submission and approval.
    Appreciate your great help.
    thanks
    Edited by: Jyothi on Oct 23, 2012 3:52 AM

    REQUEST table stored request template related information. In OIM 11G, you can see three levels of approval: template level, request level and operation level. OIM has certain pre-defined templates; that information is stored in Request table. To get information on any table, execute below query:
    select COMMENTS FROM USER_TAB_COMMENTS WHERE TABLE_NAME=<table name, e.g. 'REQUEST'>;
    It'll give info on all tables.
    To know more about request in 11g:
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/request.htm
    regards,
    GP
