By default, LCM provisioning auto-approves requests where the requestor is the owner of the entitlement/role requested.


You can disable the auto-approval with the following example, which handles the case of "Add" operations on roles.

The request will require manual approval.

NOTE: this will not prevent the requestor who is the owner from approving the request; it only stops the approval from being granted automatically. If you also want to prevent him from approving it, you need validation scripts.


<Variable name="disableLauncherAutoApproval">

    <Script>

      <Source>

import sailpoint.object.Identity;

import sailpoint.object.Bundle;

import java.util.ArrayList;

import java.util.List;

import sailpoint.object.ProvisioningPlan;

import sailpoint.object.ProvisioningPlan.AccountRequest;

import sailpoint.object.ProvisioningPlan.AttributeRequest;

import sailpoint.object.RoleRequest;

import sailpoint.object.RoleAssignment;

import sailpoint.object.Workgroup;

import sailpoint.object.ProvisioningPlan;

import sailpoint.api.ObjectUtil;

    

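// Decides whether owner auto-approval must be switched off for this request.
//
// Walks the account requests the plan holds for the "IIQ" application, picks
// out the "assignedRoles" attribute requests whose operation is "Add", and
// returns true when identityName owns any of the requested roles, either
// directly or as a member of the workgroup that owns the role.
//
// Every requested role is inspected before answering, so a role owned by
// somebody else cannot mask another role in the same request that
// identityName does own. Returns false when nothing matches, including the
// case where no requested role has an owner at all.
//
// NOTE(review): the name compared here is identityName. In the stock LCM
// workflows that is presumably the identity the request is for, while the
// person who submitted the request is held in launcher - confirm which of
// the two this check is meant to use.
// NOTE(review): only the "Add" operation is covered, as the page describes;
// other operations on assignedRoles are not examined by this script.
//
// The script sits in the XML Source element without CDATA, so conditions are
// nested or written as guard clauses instead of being joined with a logical
// AND, which would have to be escaped.

Boolean ownerIsRequesting = Boolean.FALSE;

List accountRequests = plan.getAccountRequests("IIQ");
if (accountRequests == null)
{
    accountRequests = new ArrayList();
}

for (Object acctReqObj : accountRequests)
{
    List attrRequests = acctReqObj.getAttributeRequests();
    if (attrRequests == null)
    {
        continue;
    }

    for (Object attrReqObj : attrRequests)
    {
        if (!"assignedRoles".equals(attrReqObj.getName()))
        {
            continue;
        }

        // String.valueOf keeps a missing operation from raising a null
        // pointer error; such a request is simply not treated as an "Add".
        if (!"Add".equals(String.valueOf(attrReqObj.getOperation())))
        {
            continue;
        }

        // The value may be one role name or a list of role names.
        // NOTE(review): confirm against the plans your request forms produce.
        List roleNames = new ArrayList();
        Object requestedValue = attrReqObj.getValue();
        if (requestedValue instanceof List)
        {
            roleNames.addAll((List) requestedValue);
        }
        else if (requestedValue != null)
        {
            roleNames.add(requestedValue);
        }

        for (Object roleNameObj : roleNames)
        {
            if (roleNameObj == null)
            {
                continue;
            }

            Bundle role = context.getObjectByName(Bundle.class, roleNameObj.toString());
            if (role == null)
            {
                // Unknown role name: there is no owner to compare against.
                continue;
            }

            Identity roleOwner = role.getOwner();
            if (roleOwner == null)
            {
                continue;
            }

            // Re-read the owner by name, as the original script did, before
            // asking whether it is a workgroup.
            Identity ownerIdentity = context.getObjectByName(Identity.class, roleOwner.getName());
            if (ownerIdentity == null)
            {
                continue;
            }

            if (ownerIdentity.isWorkgroup())
            {
                Iterator memberRows = ObjectUtil.getWorkgroupMembers(context, ownerIdentity, null);
                if (memberRows != null)
                {
                    // The iterator is read to the end even after a match, as
                    // the original did, rather than abandoning it half-way.
                    while (memberRows.hasNext())
                    {
                        Object[] row = (Object[]) memberRows.next();
                        Identity member = (Identity) row[0];
                        if (member.getName().equals(identityName))
                        {
                            ownerIsRequesting = Boolean.TRUE;
                        }
                    }
                }
            }
            else if (ownerIdentity.getName().equals(identityName))
            {
                ownerIsRequesting = Boolean.TRUE;
            }
        }
    }
}

return ownerIsRequesting;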

        

</Source>

    </Script>

  </Variable>