Approving Requests via Email

This feature allows a user (an approver) to receive an email notification about a pending request and approve the request via email, without being logged into OpenIAM. OpenIAM, using its SMTP account, reads the reply in its inbox and proceeds with declining, approving, or taking any other action on the request, according to the keywords in the reply.

There might be several keywords for such emails, such as accept, decline, and delegate. Hence, one of the following phrases must be typed in the email body.

"I accept this request" to approve the pending request.

"I reject this request" to reject the pending request.

"delegate toWhomeEmailAddress@openiam.com" to delegate the pending request.

Note that when delegating the request to another user, you must indicate the email address of that user so that OpenIAM can find the user and delegate the request to them.

One of the important conditions for this feature to work properly is the request ID in the subject field of the email.

Request ID

If the request ID is not shown in the subject, it is not included in your email template. It can easily be added to the email template.

  1. Go to webconsole > Administration > Mail template editor
  2. Find the required email template from the list.
  3. Add ${req.getNotificationParam('REQUEST_ID').valueObj} to the Mail subject line field.
  4. Click Save.

Another important condition is that the email address of the approver, who is to approve, decline, or delegate the request via email, has to correspond to one and only one user email in OpenIAM. This condition is usually satisfied; however, for some test cases, it might not be so.
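The conditions described so far (request ID in the subject, a decision phrase in the body, a sender address that maps to exactly one user) can be expressed as one validation routine. The following is an added example, not OpenIAM's own code; the `Request ID: <token>` subject format, the case-insensitive matching, the skipping of quoted lines, and the user directory are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the mail template renders the ID in the subject as "Request ID: <token>".
REQUEST_ID_RE = re.compile(r"Request ID:\s*([A-Za-z0-9-]+)")
DELEGATE_RE = re.compile(r"delegate\s+(\S+@\S+)")
PHRASES = {"i accept this request": "APPROVE", "i reject this request": "REJECT"}

# Constructed user directory (user ID -> email); u3 and u4 share one address.
USERS = {"u1": "alice@example.com", "u2": "bob@example.com",
         "u3": "shared@example.com", "u4": "shared@example.com"}


def unique_user(address):
    """Return the single user ID owning this address, or raise if 0 or >1 match."""
    hits = [uid for uid, mail in USERS.items() if mail == address.lower()]
    if len(hits) != 1:
        raise ValueError(f"{address!r} matches {len(hits)} users, expected exactly 1")
    return hits[0]


def parse_reply(raw):
    """Return (request_id, action, approver_id, delegate_id) for a plain-text reply."""
    msg = message_from_string(raw)
    found = REQUEST_ID_RE.search(msg.get("Subject", ""))
    if not found:
        raise ValueError("subject carries no request ID")
    approver = unique_user(parseaddr(msg.get("From", ""))[1])
    for line in msg.get_payload().splitlines():
        text = line.strip().lower()  # assumption: matching ignores case
        if not text or text.startswith(">"):
            continue  # skip blanks and the quoted original notification
        if text.rstrip(".") in PHRASES:
            return found.group(1), PHRASES[text.rstrip(".")], approver, None
        delegate = DELEGATE_RE.fullmatch(text)
        if delegate:
            return found.group(1), "DELEGATE", approver, unique_user(delegate.group(1))
    raise ValueError("no decision phrase in body")


def make_mail(sender, subject, body):
    """Build a constructed single-part message for the demo."""
    return f"From: {sender}\nSubject: {subject}\n\n{body}\n"


if __name__ == "__main__":
    print(parse_reply(make_mail("Alice <alice@example.com>",
                                "Re: Request ID: 1001", "I accept this request")))
```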

For OpenIAM to be able to read the inbox and check it for keywords, ensure the Read inbox feature is turned on. Follow the steps below to do so.

  1. Go to webconsole > Administration > Mailbox Configuration.
  2. In the Actions column, click the edit icon.
  3. Check/uncheck the Read Inbox? checkbox.

Read email checkbox

By default, OpenIAM checks the inbox once every 15 minutes. However, this parameter can be changed as per your preferences. You can do this by adding the -Dorg.openiam.email.inbox.sweep=900000 line into JavaOpts of the email-service. Here, 900000 stands for 15 minutes; to change the interval, set the required value in milliseconds.

Note: The steps to configure an SMTP account used by OpenIAM can be found in the mail provider's documentation. One of the requirements for OpenIAM to access this mailbox is that it must not have MFA, as OpenIAM cannot receive the code on a cellphone or email, nor can it pick up the phone and follow instructions.

Audit Log

After the user responds to a request with an email keyword, the event appears in the audit log. To access it, go to webconsole > Administration > Log Viewer. The event is named _MAKE_DECISION_FROM_EMAIL_.

Log