This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Approver change expiration date for role request


We want than an approver will be able to change the expiration date of a role request in custom role approval PRD.

Is it possible to do that?

I see that there are only get methods for the NrfRequest object - are there any set methods?



  • I don't think there are any setters available to call but I believe you may be able to change the request contents in directory.

  • Verified Answer

    I think what FT is suggesting is that for requests for roles, the UA makes a nrfRequest object.  It references the user and the Role and has a start and end date. 

    In theory you can change the end date via LDAP.  But there is more than just the nrfRequest object.  There is nrfAssignedRoles on the user, that has text with the expiration in them in the XML in the path component that you need to update.

    Then there is an nrfNextExpiration on the user, that needs to consider all the nrfAssignedRoles (And in principle, could be nrfGroupRoles and nrfContainerRoles since those can have expirations as well) and you need to get all the expiration times in the path nodes out of the XML, compare tyhem all, and set the nrfNextExpiration to the earliest one.

    Ever wonder why RRSD is thought to be slow? 

  • Thank you for sharing this knowledge.

  • Exactly, you want to change the nrfRequest before it is actually approved to avoid interfering with processing done by RRSD . But AFAIR this should have the effect you want as if the change was in the request in the first place. PoC will be easy - I haven't done something like that in recent versions though, so better confirm it goes smoothly first.

  • One other option is to use a workflow connected to the request form (custom made) with an approval activity before submitting the request to the role request activity. You can have a field for expiration date in the request form and take that flowdata an pass it into the approval form, possible for the approver to change or edit.

    Of course this will have some negative impact on how the actual approval workflow on the role (if you have some) is registered within the system. For instance, you could end up with an approval that looks like the original requester approved their own request.

    This is not a recommended solution because of the side effects (hence, you are not approving the role assignment itself but rather the request workflow for the role). But it resolves the requirement to change the role expiration date during the approval process.