Hello,

I have made a custom approval workflow.

This workflow approves a role request and it works both when the requester is a group or a user.

I have tested it like this:

For User:

1. As user: Log into User Application - request the role from the standard GUI -> On the requested role, I have the custom approval on, as the workflow i have made.
2. The workflow is started and the approval process works and the user gets the role

For Group:

1. Hardcoded the DN of a group in the custom approval workflow -> role request is approved and group is assigned to role

Now here is the problem:

I have made a workflow, and from this workflow you choose a group that you would like to request a role for.

In this workflow i make a role request, like so:

Action grant
Roles: The role/roles i want
Target Type: group
Targets: the group DN

Now, this results in the role request just being approved. The custom approval workflow is NOT started.

The role request looks like this:

Code:
2017-12-21 12:00:35,020 [INFO] LogEvent [RBPM] [Role_Request_Submitted] Initiated by cn=stnor,ou=users,o=mfk, Process ID: 7b96d1a8f73741a28517731ae07e1ccc, Process Name: cn=usr-rolerequests01,cn=requestdefs,cn=appconfig,cn=metatree-ua01,cn=idmdriverset01,ou=idm,ou=servere,o=mfk, Activity: Activity, Recipient: cn=40529-ED7D97DACC7F90460C5DEFAE046B0B9D,ou=emps,ou=affiliations,ou=entities,o=mfk, Correlation ID:UserApp#UserStartWorkflow#a1daff38-b479-4d83-ae70-057d9c597232, Submitted Request:<?xml version="1.0" encoding="UTF-8"?><wfRoleRequest>
<attr name="sod-override-request">
<value>true</value>
</attr>
<attr name="target">
<value>cn=40529-ED7D97DACC7F90460C5DEFAE046B0B9D,ou=emps,ou=affiliations,ou=entities,o=mfk</value>
</attr>
<attr name="action">
<value>GRANT</value>
</attr>
<attr name="targetType">
<value>GROUP</value>
</attr>
<attr name="roles">
<value>cn=3A3F7BF1-5EF4-6A2A-ED14-24FC0289FF68,cn=File,cn=AdmNetRequestable,cn=Requestable,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=METATREE-UA01,cn=IDMDriverSet01,ou=idm,ou=servere,o=mfk</value>
</attr>
<attr name="correlationId">
<value>UserApp#UserStartWorkflow#a1daff38-b479-4d83-ae70-057d9c597232</value>
</attr>
<attr name="nrfRequest">
<value>cn=20171221120034-a648857bd626436d9c4f348198a7a494-0,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=METATREE-UA01,cn=IDMDriverSet01,ou=idm,ou=servere,o=mfk</value>
</attr>
</wfRoleRequest>
This looks correct.

But the approval workflow is not started. It is just automatically approved.

The request object looks like this:

nrfRequester: stnor.users.mfk (the user)
nrfSourceDN: 3A3F7BF1-5EF4-6A2A-ED14-24FC0289FF68.File.AdmNetRequestable.Requestable.Le vel10.RoleDefs.RoleConfig.AppConfig.METATREE-UA01.IDMDriverSet01.idm.servere.mfk (the role)
nrfTargetDN: 40529-ED7D97DACC7F90460C5DEFAE046B0B9D.emps.affiliations .entities.mfk (the group)

It all looks right. So why does it get autoapproved?

If i change the role request to:

Action grant
Roles: The role/roles i want
Target Type: user
Targets: a user DN

The custom workflow is started.

What is going on here? Is it a bug?

Thanks in advance,

Jacob.