Hi Muthu,
Thanks for taking your time in clarifying my issue.
1. I already have a routing rule here and my workflow splits in to two paths. Default role will go to a path with no stages. Main path will follow all the 3 stages as defined.
Workflow is for creating new user:
1. Default role will go to path with no stages and will wait until end of request then it will provision once my main path gets approved at all stages. For this my provisioning settings should be "END OF REQUEST". If i maintain them as "END OF PATH", default role, since it is in a path with no stages it directly tries to provision and fails as the user is not yet created. [User creation will happen through main path]. Hence i used END OF REQUEST setting and then issue was resolved for this scenario.
2. At security stage i want my workflow to take a detour path if the request has a role say "X". For this scenario, detour path will have a stage and need to be approved. So at security stage if routing rule is satisfied, main path will create user and assign all roles except role "X". This role X will go to detour path and will be provisioned later after approval.
Example:
User raised a access request for New User creation with roles X and Y. Based on the request attributes and default role settings a role Z is added to request.
Stage 1: Manager
Process:
Manager approved the request. Roles X and Y will go in main path to next stage [Role Owner] for approval.
Role Z will go to detour path with no stages. For this scenario to work, provisioning setting should be "END OF REQUEST", so that default role waits until main path also completes its approvals. Once done this default role will be provisioned.
If provisioning settings are END OF PATH, detour path with no stages will try to provision immediately and since that user is not yet created, throws error and fails.
Hence i went for END OF REQUEST setting.
Stage 2: Role Owner
Process:
Role owner approves both roles X and Y and these roles go to next path GRC admin.
Stage 3: GRC Admin
Process:
This stage has a routing rule. If a new user request has role Y, go to detour path with one stage. Since this request has role Y, request will split where role Y goes to detour path and in main path since all stages are approved, user will be created and role X is assigned. [This user creation and assignment of role X will happen only if provisioning setting is maintained as END OF PATH]
Role Y will be in detour path and once approved there this role will be assigned to user.
Issue
My issue is i want scenarios at stage 1 and stage 2 to work together with common provisioning setting.
Let me know if i am doing something wrong here or If any workaround available for my scenario.
Regards,
Madhu.