Purge ILM CM Approved Request
Hi all
Is there a way to purge CLM requests which are in an Approved state but not executable?
My workflow is simple:
I've 1 approver on my Enroll Policy, and I'm not the initiator of the request.
So it looks like only the target user can Abort this kind of request!! Is it really true?
Regards
Anthony
July 27th, 2010 3:41pm
You should be able to call the RequestOperations.Abandon method:
http://msdn.microsoft.com/en-us/library/microsoft.clm.provision.requestoperations.abandon.aspx
July 28th, 2010 1:44am
Hi Anton
I already know this... but it's not working due to rights problems... but my user is a domain admin and I've given him all the ILM rights.
It looks like there's a real issue in CM.
My scenario is the following:
1) Domain Admin is the initiator of the request and there's 1 approver
2) Domain Admin is in the "Approve Enroll Request" list
3) Then the target user receives an OTP to finish the workflow
Now, if I want to abort this request after Approval, it's impossible if I'm not connected as the target user.
I need a solution please
Regards
Anthony
July 28th, 2010 11:35am
Hi Anthony,
Unfortunately, once a request has been approved, only users with Execute permissions on that request can perform an Abandon. This can be verified by making a call to the PermissionOperations.AccessCheck function, i.e. PermissionOperations.AccessCheck(request, RequestPermission.Execute).
You may want to try making the Abandon call in the context for the CM Service account; it may have permission to execute an Abandon on the request.
If that doesn't work, short of hacking the CM database, you will not be able to abandon those requests. Note, if the policy is set up to allow an Enrollment Agent to execute the request, you would be able to Abandon the request as the target user or the enrollment agent. However, once a request has been issued, its security/permissions policy is set on the request according to the policy definition at the time of the request, so modifying a profile template policy to allow an enrollment agent after the request has been issued will not work.
Cheers,
Marc
Marc Mac Donell, ILM MVP, VP Identity and Access Solutions, Avaleris Inc.
July 30th, 2010 3:33pm
This is a very interesting topic, especially when you compare the CM workflow engine to the FIM workflow engine.
As a side note: This is the benefit of the ClmUtils class if you're using the CM MA. It will try to prevent dead requests before allowing a new one to get provisioned.
CraigMartin Edgile, Inc. http://identitytrench.com
July 30th, 2010 8:51pm
Hi Craig,
It would be very nice to see a Windows Workflow Foundation engine, like the one in the FIM Service, built into the CM component. Unfortunately, that's not the case at the moment, so we're limited to CM's internal workflows. Hopefully, we'll see more flexibility in the future.
In terms of the ClmUtils class, I know the Create* request calls look for an existing Pending request and block if they find one; in your experience, does the same behaviour occur if an existing request is in an Approved state?
Cheers,
Marc
Marc Mac Donell, ILM MVP, VP Identity and Access Solutions, Avaleris Inc.
July 30th, 2010 9:28pm
Hi Marc, you're right on the pending request check.
Regarding an existing request in the Approved state, I think this would be handled when ClmUtils checks the state of the Profile. There might be a window between Request.Approved and Profile.Status getting updated, but Sync running on a regular basis would arrive at the right Request (or no Request) as soon as the Profile.Status was updated.
CraigMartin Edgile, Inc. http://identitytrench.com
July 30th, 2010 10:23pm


