16.3 Checking the Status of Your Requests

The View Request Status action allows you to see the status of your role requests, including requests you’ve made directly as well as role assignment requests for groups for containers to which you belong. It lets you see the current state of each request. In addition, it gives you the option to retract a request that has not been completed or terminated if you have changed your mind and do not need to have the request fulfilled.

The View Request Status action shows all role assignment requests, including those that are running, pending approval, approved, completed, denied, or terminated. The View Request Status action also shows requests made to create role relationships through the Manage Role Relationships action.

What you can see and do on the View Request Status page depends on your security role, as described below:

Table 16-1 Capabilities of Each Security Role

Security Role

Capabilities

Roles Module Administrator

A Roles Module Administrator can perform these functions on the View Request Status page:

  • View all role assignment requests.

  • Filter requests based on status, as well as User. When the Roles Module Administrator filters requests on User, the results show requests where the specified user is requester or recipient. The controls for filtering requests based on requester or recipient are not available to the Roles Module Administrator.

  • Retract any role assignment requests, provided these requests are still in a retractable state (not yet approved, denied, completed, or terminated).

Roles Manager

A Roles Manager can perform these functions on the View Request Status page:

  • View the status of requests for which the user has browse rights to the role, and for which the user is either the requester or recipient.

  • Filter requests based on status, as well as User. When the Roles Manager filters requests on User, the results show requests where the specified user is requester or recipient. The controls for filtering requests based on requester or recipient are not available to the Roles Manager.

  • Retract requests for users, groups, and containers for which the user has directory browse rights for the role and target (user, group, or container) objects. The requests must still be in a retractable state (not yet approved, denied, completed, or terminated).

Authenticated user

A typical user logged in to the User Application who is not a member of a system role can perform any of the following functions on the View Request Status page:

  • View the status of requests for which the user is either a requester or recipient.

  • Filter the requests based on status, as well as requester or recipient. The control for filtering requests based on User is not available to the authenticated user, since the authenticated user can see only requests for himself.

  • Retract requests for which the user is both requester and recipient. The requests must still be in a retractable state (not yet approved, denied, completed, or terminated), and the user must have browse rights to the role as well.

Large result sets By default, the View Request Status page retrieves up to 10,000 request objects. If you attempt to retrieve a larger result set, you will see a message indicating that you have reached the limit. In this case, you should narrow your search (by specifying a particular user or status, for example) to limit the number of objects returned in the result set. Note that when you apply a filter to a role name, the filter limits what you see and its order, not the number of objects returned.

To look at your role requests:

  1. Click View Request Status in the list of Role Assignments actions.

    The User Application displays the current status of role requests for the currently authenticated user.

    The columns in the role request list are described below:

    • The Role Name column provides the name of the role specified for the request.

    • The Requester column identifies the user who made the request.

    • The Recipient column identifies the user, group, or container that will receive the role, if the request is approved. In the case of role relationships, the Recipient column shows the name of the role related to the role named in the Role Name column.

    • The Status column shows a detailed status for the request as well as an icon that indicates the status summary. The status summary shows the general status of the request and can be selected from the Filter menu to narrow the results when searching for requests with a particular status:

      Status summary icon

      Detailed Status

      Description

      New Request

      Indicates that this is a new request that is currently being processed.

      A request with this status can be retracted.

      SoD Approval Start - Pending

      Indicates that the Role Service driver is attempting to restart a separation of duties approval process for the request following an SoD Approval Start - Suspended condition.

      A request with this status can be retracted.

      SoD Approval Start - Suspended

      Indicates that the Role Service driver is unable to start a separation of duties approval process and the process has been suspended temporarily.

      When the Role Service driver tries to start a workflow and cannot (for example, when the User Application is down or unreachable), the request transitions to a pending retry state to wait for up to a minute before transitioning to a retry state (SoD Approval Start - Pending state) that triggers the driver to try and start the workflow again. These states prevent requests that don't depend on workflows from being backed up behind requests that are blocked by a workflow that can't be started.

      If a request shows this status for an extended period of time, make sure the User Application is running. If it is running, check the connection parameters given to the Role Service driver to be sure they are correct.

      A request with this status can be retracted.

      Approval Start - Pending

      Indicates that the Role Service driver is attempting to restart an approval process for the request following an Approval Start - Suspended condition.

      A request with this status can be retracted.

      Approval Start - Suspended

      Indicates that an approval process has been initiated for the request, but the process has been suspended temporarily.

      When the Role Service driver tries to start a workflow and cannot (for example, when the User Application is down or unreachable), the request transitions to a pending retry state to wait for up to a minute before transitioning to a retry state (Approval Start - Pending state) that triggers the driver to try and start the workflow again. These states prevent requests that don't depend on workflows from being backed up behind requests that are blocked by a workflow that can't be started.

      If a request shows this status for an extended period of time, make sure the User Application is running. If it is running, check the connection parameters given to the Role Service driver to be sure they are correct.

      A request with this status can be retracted.

      SoD Exception - Approval Pending

      Indicates that a separation of duties approval process has been started and is waiting for one or more approvals.

      A request with this status can be retracted.

      Approval Pending

      Indicates that an approval process has been started for the request and is waiting for one or more approvals.

      A request with this status can be retracted.

      SoD Exception - Approved

      Indicates that a separation of duties exception has been approved for this request.

      A request with this status can be retracted.

      Approved

      Indicates that the request has been approved.

      A request with this status can be retracted.

      Provisioning

      Indicates that the request has been approved (if approvals were required), and the activation time for the role assignment has been reached. The Role Service driver is in the process of granting the role assignment.

      You are not permitted to retract a request with this status.

      Pending Activation

      Indicates that the request has been approved, but the activation time for the role assignment has not yet been reached. The Pending Activation does not have a roll-up category, or summary status icon. This means that you cannot filter the list of requests by the Pending Activation status.

      A request with this status can be retracted.

      SoD Exception - Denied

      Indicates that a separation of duties exception has been denied for this request.

      You are not permitted to retract a request with this status.

      Denied

      Indicates that the request has been denied.

      You are not permitted to retract a request with this status.

      Provisioned

      Indicates the request has been approved (if approvals were required), and the role assignment has been granted.

      You are not permitted to retract a request with this status.

      Cleanup

      Indicates that the request has been processed and the Role Service driver is in the process removing the internal objects created for the request.

      You are not permitted to retract a request with this status.

      Canceling

      Indicates that the Role Service driver is canceling the request because of a user action.

      You are not permitted to retract a request with this status.

      Canceled

      Indicates that the request has been canceled by a user action.

      You are not permitted to retract a request with this status.

      Provisioning Error

      Indicates that an error occurred during the course of provisioning (granting) or deprovisioning (revoking) the role assignment.

      The precise error message for a provisioning error is written to the trace or audit log, if either is active. If a provisioning error occurs, check your trace or audit log to see if the error message indicates a serious problem that must be fixed.

      You are not permitted to retract a request with this status.

      NOTE:If the system clock on the server where the Role Service driver resides is not synchronized with the system clock on the server where the User Application is running, the request status might appear to be different on the View Request Status and Role Assignments pages. For example, if you request a role assignment that does not require approval, you might see the status as Provisioned on the View Request Status page, but the status on the Role Assignments page shows Pending Activation. If you wait for a minute or so, you might then see the status on the Role Assignments page changes to Provisioned. To ensure that the status is shown correctly throughout the User Application, check your system clocks to be sure they are synchronized appropriately.

    • The Request Date column shows the date when the request was made.

    • The Initial Request Description column shows the description provided by the requester at the time the request was made.

  2. You can filter the list of requests, as follows:

    1. To view only those assignments that start with a particular string of characters, see Filtering Data for information about what to type in the Role Name box.

    2. To view only those requests that apply to a particular user, use the Object Selector or the Show History tool to select the user. To see your own requests, you need to select yourself from the User list. For details on using the Object Selector and Show History tools, see Using the Object Selector Button for Searching.

      NOTE:The User control is not available if the logged in user is not a Role Module Administrator or Role Manager.

    3. To view those role requests that have a particular status summary, select the status in the Status drop-down list.

      Status

      Description

      All

      Includes all requests.

      Running

      Includes requests that have been started and are currently being processed.

      Pending Approval

      Includes requests that are awaiting approval, either for a separation of duties exception or for the role assignment itself.

      Approved

      Includes requests that have been approved, as well as requests for which a separation of duties exception was detected and approved.

      Completed

      Includes requests that have been approved and where the role has been assigned to the recipient (user, group, or container).

      Denied

      Includes requests that have been denied, as well as requests for which a separation of duties exception was detected and denied.

      Terminated

      Includes requests that have terminated before reaching completion, either because the user cancelled the action or because an error occurred during the course of processing.

    4. To view only those requests for which you are a requester, select the Requester box.

      NOTE:The Requester control is not available if the current user is a Role Module Administrator or Role Manager.

    5. To view only those requests for which you are a recipient, select the Recipient box.

      NOTE:The Recipient control is not available if the logged in user is a Role Module Administrator or Role Manager.

    6. To apply the filter criteria you’ve specified to the display, click Filter.

    7. To clear the currently specified filter criteria, click Reset.

  3. To set the maximum number of requests displayed on each page, select a number in the Maximum rows per page drop-down list.

  4. To sort the list of requests, click on the column heading that contains the data you want to sort.

    If several role assignment requests share a Common Requests ID, you might want to sort the data by the Initial Request Description to see the set of related requests together. The Common Requests ID is an internal identifier (shown only in the Request Details group box) that correlates a set of role assignments that were requested at the same time. Here are some situations in which a set of role assignments will share a Common Requests ID:

    • A single request assigns multiple roles to a single user.

    • A single request assigns a single role to multiple users. This might occur when a requester assigns a role to a group or container.

    When a set of role assignments share a Common Requests ID, a user can retract each assignment individually. In addition, each role assignment can be approved or denied separately.

  5. To see the details for a particular request, click on the status in the Status column and scroll down until you see the Request Details group box.

    The Status field shows the status for the request, along with the status summary icon and text describing the icon. The icon (and the associated text) provides a convenient way to see the status at a glance. The table below shows how the various status codes are mapped to the status icons:

    Status Icon

    Associated Status Codes

    Running:Processing

    • New Request

    • SoD Approval Start - Pending

    • SoD Approval Start - Suspended

    • Approval Start - Pending

    • Approval Start - Suspended

    Pending Approval

    • SoD Exception - Approval Pending

    • Approval Pending

    Approved

    • SoD Exception - Approved

    • Approved

    • Pending Activation

    • Provisioning

    Pending Activation

    • Pending Activation

    Denied

    • SoD Exception - Denied

    • Denied

    Completed: Provisioned

    • Provisioned

    • Cleanup

    Terminated

    • Canceling

    • Canceled

    • Provisioning Error

  6. To retract a request, click Retract Request.

    The Retract Request button is disabled if the request has been completed or terminated.

    If a request shares a Common Requests ID with a set of related requests, you can retract each of the role assignments individually.