Adding member to a group (excluding the owner by not going into approval process)
Hi everyone;We have the following policy:Requestors: All PeopleOperation: Add a value to a multivalued attributePermissions: GrantedTarget Resource Definition before Request: All groupsTarget Resource Definition after Request: All groupsResource Attributes: Manually-managed MembershipAuthorization Workflow: Requestors manager --> group owner approvalWhat i want to do is when the owner of the group request to add member to his group, no workflow is triggered.What i did is creating another MPR with the following details:Requestors (Relative to resource): OwnerOperation: Add a value to a multivalued attributePermissions: GrantedTarget Resource Definition before Request: All groupsTarget Resource Definition after Request: All groupsResource Attributes: Manually-managed MembershipNo workflow is attachedAfter creating the MPR when the owner request to add a member, it still trigger the workflow.I understand that this is normal and the owner is a member of the All people Set, but is there a way to exclude him from the approval??Thanks in advanceEihab Isaac
March 2nd, 2010 10:49pm

Hi Eihab,Request can be auto approved if Approver and Requestor are the same. If you add owner as approver in the group owner approval in addition to Requestors Manager than this can be request can be auto approved.Thanks,Sri
Free Windows Admin Tool Kit Click here and download it now
March 3rd, 2010 3:49am

Another option is to wrap the approval process in a custom workflow that will determine if the added resource is the owner and skip the approval step no matter who the requestor is. Since it is not likely to be that common that another person will add the owner, it may not be that interesting of a case but there are many cases where putting logic in front of the approval process is desireable. For example, my customer wants to be able to define a "delegate" for some approvers so I need to look up the approver's person object and see if there is a delegate set. If there is, I have to update the request object with that fact (the approval is delegated and who the origional approver was) and then send the approval to that delegate.Eric
March 3rd, 2010 5:38am

Thanks Guys for the reply;Sri i'm not sure about the point you mentioned. When the owner add a member to his own group, its auto approved by him but his manager approval is not auto approved. and this is the workflow design that we have to get to approvals.Eric, Custom workflows will work in our case if we could check the requester, is there a predefiend activity or we should use a custom workflow to do that, if so could you please provide an example of how to do thatThanks in Advance
Free Windows Admin Tool Kit Click here and download it now
March 3rd, 2010 7:30pm

Eihab,I assumed the approval threshold for your approval wf is 1. If that is the case then Manager Approval is not needed as approval threshold is reached when owner makes the request.Thanks,Sri
March 3rd, 2010 9:12pm

Thanks Sri;You are correct about the auto approve if the threshold is one. that works if the owner and manager are in the same approval list.But it seems that i didn't make my case clear enough.the policy again is:Requestors: All PeopleOperation: Add a value to a multivalued attributePermissions: GrantedTarget Resource Definition before Request: All groupsTarget Resource Definition after Request: All groupsResource Attributes: Manually-managed MembershipAuthorization Workflow: Activity 1(Requestors manager approval) --> Activity 2 (group owner approval)if any user that belong to All People Set request to join or add a user to a group:1) ask for approval from his manager2) if approved by manager ask for approval from group owner (if requester is the owner this will be auto approved)3) if approved he is a member now of that groupso its like a two layer approvalNow by creating another MPR only for Owner, it doesn't solve my issue since it will still consider him as a member of All People, the best solution i see is as Eric suggested.
Free Windows Admin Tool Kit Click here and download it now
March 4th, 2010 12:49am

In this scenario , yes using custom activity as Eric suggested is the best solution.
March 4th, 2010 1:34am

Eihab,On second thought,You can have owner as approver in addition to Requestor's manager in activity1. This will cause approval to be auto approved and second approval is generated. In the second activity also since Owner is approver, second approval will alos be autoapproved.You don't need any new MPR for Owner.Thanks.Sri
Free Windows Admin Tool Kit Click here and download it now
March 4th, 2010 10:27pm

Hi Eihab, How did you do this two level approval. Did you create any custom activity.or please explain me in detail
August 23rd, 2010 6:37am

Hi Saisree, To create a two level approval you need to create a new authorization workflow. when the creation wizard show up, under Activities tab add the first approval activity, this requires you to add the approvers, threshold, email template, etc. After you finish from the first activity click save. Again click Add Activity and add the second approval activity. Add the approvers and all the other inforamation and click save. Now you have a two level approval. You don't need to create a custom activity unless there is a special condition that you need to meet and the default approval activity doesn't provide such feature. Regards Eihab Isaac
Free Windows Admin Tool Kit Click here and download it now
August 23rd, 2010 5:11pm

Hi Eihab, Need help urgent. Thank you for the reply.I am able to do the two level approval process. It is my understanding If anybody enters the portal and add himself as a member to the particular applications which are in the security groups.I have created two activity approver field-Requestor/Manager and in the second activity of approver field I have put approver-Target/owner of the application Requestors: All People Operation: Add a value to a multivalued attribute/remove Multivalued attribute Permissions: Granted Target Resource Definition before Request: Owner Approved Groups Target Resource Definition after Request: Owner Approved Groups Resource Attributes: Manually-managed Membership Authorization Workflow: Activity 1 (Requestors manager approval) --> Activity 2 (Application owner approval) if any user that belong to All People Set request to join or add a user to a group: 1) ask for approval from his manager( ihave a condition to check the added members have the same manager or not. 2) if approved by manager ask for approval from Application owner (if requester is the owner this will be auto approved) do I have to go for custom activity .Please explain me even if it is custom activity Txs Saisree
August 27th, 2010 7:07am

You would need a custom activity since there isn't a "IF" condition built in to FIM. So the total workflow would have two steps: 1) A built-in approval for application Owner (if the requestor is the application owner then it will auto approve) 2) A Custom Activity that will do the following: A. Read Current Request B. Read the target group from the Request Target value using the ReadResource Activity C. Get the Group Owners from the group object that you read D. Loop through the Owners to determine if any of them are the Creator of the Current Request E. If the Request Creator is not the Request Creator then call an Aproval Activity The only pain on this is that the object picker isn't exposed publicly so you need need to supply the Resource IDs for the values for the Approval Activity (Email Tenplate, etc). Eric
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2010 1:48pm

Hi Eric, Thanks for the quick reply. I have researched to do with the built in approval but of no use.So I have to develop custom activity for this.Do you have any custom activity similar to it. If I have to check the conditions like if the members have same manager it is done only through the custom activity only .If any other option from built in approval activity please let me know.It is urgent. thanks, Saisree
August 27th, 2010 5:32pm

Saisree, You definitely need to develop a custom WF activity to achieve this. I have developed a similar custom WF activity. My activity actually checks two conditions before asking for approval. If you want we can work together offline. Yours Eihab Isaac eihab@zevainc.com
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2010 5:54pm

But This actually creates two approval requests to Owner when user submits the join membership request. So custom workflow is required to achieve this 2 level approvals.Prakash
August 29th, 2010 9:13am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics