Approval flow

Define approval flow

OpenIAM allows defining the approval flow at either the application level (managed system or manual managed system) or at the application entitlement (group, role) level. When working with applications which have hundreds or thousands of entitlements, it may be better to define at the approval flow at the application level and then override that flow at the entitlement level if needed. This approach is often more maintainable than defining approvers only at the entitlement level.

You also need to define how many steps are required in the approval process and who will be the approver, as well as to determine if there is a need to define reminders or escalations for situations where the approver does not respond in a timely manner.

To define approvers follow the steps below.

Application level approval

To configure an approval flow on application level

  • Go to webconsole > Access control > Resource.
  • Filter by either Managed System or Manual Managed system in the Type column.
  • Find the name of your application by searching in the Name column.
  • Click on the button in the Actions column to see the application details.
  • If the approval flow will require approval by an application owner or admin, then you need to define that. On the screen you can select either a single owner or a group of owners in the Resource owner line on the details screen. You can select a group when anyone in a group can be an approver.
  • Save your changes.
  • Define the approval flow
    • Click on the Approval Associations menu from the sidebar.
    • Click on the New approver step on the screen below. It will open up a row where you can define the approver.

Add approver - step1

Complete the fields in the approval flow as described below.

  • Approver - Select the type of approver followed by the name of the approver. The table below describes each of the approval options.
  • Notify on Approval - Select who should be notified after this step has been approved.
  • Notify on Reject - Select who should be notified if this step is not approved.
  • Request service level agreement parameters
    • 1* - Number of reminders which should be sent to the approver to complete their task in a timely manner.
    • 2* - Number of days which should elapse before sending out a reminder.
    • 3* - Calculated values from 1 and 2 which indicate the maximum amount of time allowed to complete this step.
  • Save your configuration (must be done independently of the save operation on the page).

To add additional approval steps, simply save the first approver and click on the New approver step as shown above.

Approver Types

Type of ApproverDescription
SupervisorThe manager of the person for whom this request has been created. Note, if the manager has submitted the request, then approval for the manager will be skipped as it is assumed that the manager wanted to grant this access when creating the request.
UserSelect the user that should be the approver.
GroupGroup of people who should be the approver. Anyone in the group can claim and approve.
Target userTarget user is the user for whom this request was created.
Application ownerOwner that is defined on the managed system or manual managed system.
Application adminAdmin that is defined on the managed system or manual managed system.
Entitlement ownerOwner that is defined on the entitlement (group, role, resource).
Entitlement adminAdmin that is defined on the entitlement (group, role, resource).

Entitlement level approval

To configure an approval flow on application level

  • First enable entitlement level approval:
    • Go to webconsole > Administration > System configuration.
    • Go to the Workflow tab.
    • Enable the checkbox labeled Use approver association or role/group instead of resource.
    • Determine the type entitlement that you need to find - Role, Resource, or Group.
    • Go to webconsole > Access control > [your entitlement type].
    • Filter by the managed system name in the Managed System column.
      • If your application has several types of entitlements, you can further filter by the Metadata type in the Type in column
    • Find the name of your entitlement by searching in the Name column.
    • Click on the button in the Actions column to see the entitlement details.

Global Default approver

You are not required to provide an approver for each application or entitlement. There are two ways to configure the system:

  • An approver is not defined then it means that no approval is required in request for an application or entitlement will be automatically approved.
  • To set a global default approver.

In the second case when no approver has been provided then we can use the global configuration. A default approver at the system level can be helpful in catching potential configuration issues such as a configuration that has been overlooked. These configurations are defined in the workflow section of the system configuration menu. To configure a global approver.

  1. Go to webconsole > Administration > System configuration.
  2. Then go to the Workflow tab. Here you will see a variety of system level configurations related to workflows.
  3. Find Default workflow approver property.
  4. Remove the current value and then search to find the user needed.
  5. Save your changes.

More on approval flow can be found in this document.