Approval flow
Define approval flow
OpenIAM allows defining the approval flow at either the application level (managed system or manual managed system) or at the application entitlement (group, role) level. When working with applications that have hundreds or thousands of entitlements, it may be better to define the approval flow at the application level and then override that flow at the entitlement level if needed. This approach is often more maintainable than defining approvers only at the entitlement level.
You also need to define how many steps are required in the approval process and who will be the approver, as well as to determine if there is a need to define reminders or escalations for situations where the approver does not respond in a timely manner.
To define approvers, follow the steps below.
Application level approval
To configure an approval flow at the application level:
- Go to webconsole > Access control > Resource.
- Filter by either Managed System or Manual Managed system in the Type column.
- Find the name of your application by searching in the Name column.
- Click on the button in the Actions column to see the application details.
- If the approval flow will require approval by an application owner or admin, then you need to define that. You can select either a single owner or a group of owners in the Resource owner line on the details screen. Select a group when anyone in the group can be an approver.
- Save your changes.
- Define the approval flow
- Click on the Approval Associations menu from the sidebar.
- Click on the New approver step on the screen below. It will open up a row where you can define the approver.
Complete the fields in the approval flow as described below.
- Approver - Select the type of approver followed by the name of the approver. The table below describes each of the approval options.
- Notify on Approval - Select who should be notified after this step has been approved.
- Notify on Reject - Select who should be notified if this step is not approved.
- Request service level agreement parameters
- 1* - Number of reminders which should be sent to the approver to complete their task in a timely manner.
- 2* - Number of days which should elapse before sending out a reminder.
- 3* - Calculated values from 1 and 2 which indicate the maximum amount of time allowed to complete this step.
- Save your configuration (must be done independently of the save operation on the page).
To add additional approval steps, simply save the first approver and click on the New approver step as shown above.
Approver Types
Type of Approver | Description |
---|---|
Supervisor | The manager of the person for whom this request has been created. Note, if the manager has submitted the request, then approval for the manager will be skipped as it is assumed that the manager wanted to grant this access when creating the request. |
User | Select the user that should be the approver. |
Group | Group of people who should be the approver. Anyone in the group can claim and approve. |
Target user | Target user is the user for whom this request was created. |
Application owner | Owner that is defined on the managed system or manual managed system. |
Application admin | Admin that is defined on the managed system or manual managed system. |
Entitlement owner | Owner that is defined on the entitlement (group, role, resource). |
Entitlement admin | Admin that is defined on the entitlement (group, role, resource). |
Entitlement level approval
To configure an approval flow at the entitlement level:
- First enable entitlement level approval:
- Go to webconsole > Administration > System configuration.
- Go to the Workflow tab.
- Enable the checkbox labeled Use approver association or role/group instead of resource.
- Determine the type of entitlement that you need to find - Role, Resource, or Group.
- Go to webconsole > Access control > [your entitlement type].
- Filter by the managed system name in the Managed System column.
- If your application has several types of entitlements, you can further filter by the Metadata type in the Type column.
- Find the name of your entitlement by searching in the Name column.
- Click on the button in the Actions column to see the entitlement details.
Global Default approver
You are not required to provide an approver for each application or entitlement. There are two ways to configure the system:
- Leave the approver undefined. In this case no approval is required, and a request for an application or entitlement will be automatically approved.
- Set a global default approver.
In the second case, when no approver has been provided, the global configuration is used. A default approver at the system level can be helpful in catching potential configuration issues, such as a configuration that has been overlooked. These configurations are defined in the workflow section of the system configuration menu. To configure a global approver:
- Go to webconsole > Administration > System configuration.
- Then go to the Workflow tab. Here you will see a variety of system level configurations related to workflows.
- Find Default workflow approver property.
- Remove the current value and then search to find the user needed.
- Save your changes.
More on approval flow can be found in this document.
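The fallback behaviour described above means a missing approver can silently become an automatic approval. The following added example (not OpenIAM code) models that precedence and lists the entitlements whose requests would get weak or no review. The precedence order, all names, and the sample inventory are assumptions constructed for illustration.

```python
# Illustrative model of the approver precedence described above; not OpenIAM code.
# All names and the sample inventory are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class Application:
    name: str
    steps: list = field(default_factory=list)          # approver types, in order
    entitlements: dict = field(default_factory=dict)   # entitlement name -> steps

def effective_flow(app, entitlement, entitlement_level_enabled, default_approver):
    """Return (source, steps) for a request, using the assumed precedence:
    entitlement override, then application flow, then global default."""
    ent_steps = app.entitlements.get(entitlement, [])
    if entitlement_level_enabled and ent_steps:
        return "entitlement", list(ent_steps)
    if app.steps:
        return "application", list(app.steps)
    if default_approver:
        return "global-default", [f"User:{default_approver}"]
    return "auto-approved", []

def audit(apps, entitlement_level_enabled, default_approver):
    """List every entitlement whose requests would get weak or no review."""
    findings = []
    for app in apps:
        for ent in sorted(app.entitlements):
            source, steps = effective_flow(app, ent, entitlement_level_enabled, default_approver)
            if source == "auto-approved":
                findings.append((app.name, ent, "no approver: auto-approved"))
            elif source == "global-default":
                findings.append((app.name, ent, "falls back to global default approver"))
            elif steps == ["Supervisor"]:
                # The Supervisor step is skipped when the manager submits the request.
                findings.append((app.name, ent, "supervisor-only: skipped if manager requests"))
    return findings

# Constructed sample inventory.
APPS = [
    Application("HR-App", steps=["Supervisor", "Application owner"],
                entitlements={"hr-admin": ["Entitlement owner"], "hr-read": []}),
    Application("Legacy-FTP", entitlements={"ftp-users": []}),
    Application("Wiki", steps=["Supervisor"], entitlements={"wiki-editor": []}),
]

if __name__ == "__main__":
    for row in audit(APPS, True, default_approver=None):
        print(row)
```

Running the audit with and without a default approver shows which entitlements depend on the Default workflow approver property to be reviewed at all.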