I am looking for a way to get all role assignments, even the ones which will be executed in the future. There is RoleVault.getRolesUserIn() but this only retrieves current active assignments. But I also have role assignments which have a future effective date. How to retrieve them?
Summary, I tried 2 solutions:
1. use REST API
Works well, you have to look at the idmappsdoc for the best methods to use. Also canceling is implemented. But I feared the authentication process. You have to request a token from OSP first. This makes implementation a bit tricky. But should work.
2. use Entity Activity
I created a DAL query with filtering user (via parameter) and requests with status 25. Setting the status to 70 via Entity Activity did the trick and looked like the easier implementation.
Edit: would have selected both posts as solution. But as this is not possible I accepted this summary as solution.
Yeah, I've already thought about it but hoped there is a "built-in" method.
The request object also has the attribute nrfStatus set to 25. Can anyone confirm that this means "pending"?
I don’t believe the nrfStatus values have ever been publicly documented for roles. So I wouldn’t make any assumptions about those.
There is a table in the Sentinel Collector for IDM:
| Status Codes | Status Property | Description |
|---|---|---|
| 0 | NEW_REQUEST | Set by the User Application on a newly created nrfRequest object. |
| 2 | SOD_APPROVAL_START_PENDING | The Role Service driver attempts to start the SoD workflow again. This is used for requests in the SOD_APPROVAL_START_SUSPENDED mode. |
| 3 | SOD_APPROVAL_START_SUSPENDED | Occurs when the Role Service driver is not able to start an SoD workflow. A driver task then resets these requests to SOD_WORKFLOW_START_PENDING to retry the starting of the workflow. |
| 5 | SOD_EXCEPTION_APPROVAL_PENDING | Set by the Role Service driver after successfully initiating an SoD exception workflow. |
| 10 | SOD_EXCEPTION_APPROVED | Set by the SoD exception workflow when approved. |
| 12 | APPROVAL_START_PENDING | The Role Service driver attempts to start the workflow. The request must be in APPROVAL_START_SUSPENDED mode. |
| 13 | APPROVAL_START_SUSPENDED | Occurs when the Role Service driver is not able to start the approval workflow. A driver task then resets these requests to APPROVAL_START_PENDING to try to start the workflow again. |
| 15 | APPROVAL_PENDING | Set by the Role Service driver after successfully starting role assignment workflow. |
| 20 | APPROVED | Set by the role assignment workflow when approved. |
| 25 | ACTIVATION_TIME_PENDING | Set by the Role Service driver after obtaining all necessary approvals and the activation time has not yet been reached. |
| 30 | PROVISION | Set by the Role Service driver after all the necessary approvals have been approved and the role activation time has been reached. |
| 50 | PROVISIONED | Set by the Role Service driver after a role has been provisioned. |
| 75 | CANCELLED | Cancellation request completed |
| 80 | PROVISIONING_ERROR | Set by the Role Service driver when an error occurred during provisioning/deprovisioning |
| 90 | SOD_EXCEPTION_DENIED | Set by SoD exception workflow when denied. |
| 95 | DENIED | Set by role assignment workflow when approved. |
| 100 | CLEANUP | Set when nrfRequest workflow should be cleaned up (deleted). This is intended to be triggered by a batch process some configurable amount of time after the request has either been fulfilled or denied. |
Oh sorry, thought you were referencing the GUI. I had a look at it. The methods Post /requests/historyForUser and Delete /requests/history are exactly what I am looking for. I have tested this in Java so far, but is there a nice and smooth way to include REST calls to this interface into your workflow? Yes, there is the REST activity, but I see some troubles getting the authentication information. Any ideas?