Approval flow

Defining approval flow

OpenIAM allows defining the approval flow at either the application level (managed system or manual managed system) or at the application entitlement (group, role) level. When working with applications which have hundreds or thousands of entitlements, it may be better to define the approval flow at the application level and then override that flow at the entitlement level if needed. This approach is often more maintainable than defining approvers only at the entitlement level.

You also need to define how many steps are required in the approval process and who will be the approver, as well as determine if there is a need to define reminders or escalations for situations where the approver does not respond in a timely manner.

To define approvers, follow the steps below.

Application-level approval

To configure an approval flow at the application level:

• Go to webconsole > Access Control > Resource.
• Filter by either Managed System or Manual Managed System in the Type column.
• Find the name of your application by searching in the Name column.
• Click the button in the Actions column to see the application details.
• If the approval flow will require approval by an application owner or admin, then you need to define that. On the details screen, you can select either a single owner or a group of owners in the Resource owner line. You can select a group when anyone in the group can be an approver.
• Save your changes.
• Define the approval flow:
  • Click on the Approval Associations menu from the sidebar.
  • Click on New approver step. It will open a row where you can define the approver.

Complete the fields in the approval flow as described below:

• Approver – Select the type of approver followed by the name of the approver. The table below describes each of the approval options.
• Notify on Approval – Select who should be notified after this step has been approved.
• Notify on Reject – Select who should be notified if this step is not approved.
• Request service level agreement parameters
  • 1* – Number of reminders to be sent to the approver.
  • 2* – Number of days before sending a reminder.
  • 3* – Calculated value of the maximum time allowed to complete the step.
• Save your configuration (this must be done independently of the page save operation).

To add additional approval steps, simply save the first approver and click on New approver step again.

Approver Types

Entitlement-level approval

To configure an approval flow at the entitlement level, follow the steps below:

• First enable entitlement-level approval:
  • Go to webconsole > Administration > System configuration.
  • Go to the Workflow tab.
  • Enable the checkbox labeled Use approver association or role/group instead of resource.
• Determine the type of entitlement (Role, Resource, or Group).
• Go to webconsole > Access Control > [your entitlement type].
• Filter by the managed system name in the Managed System column.
  • If your application has several types of entitlements, filter further by the Metadata type in the Type column.
• Find the name of your entitlement in the Name column.
• Click the button in the Actions column to see the entitlement details.

Global default approver

You are not required to provide an approver for each application or entitlement. There are two ways to configure the system:

• If no approver is defined, no approval is required and the request is automatically approved.
• You can set a global default approver.

A default approver at the system level can help catch misconfigurations. To configure:

1. Go to webconsole > Administration > System configuration.
2. Go to the Workflow tab. Here, system-level workflow settings are available.
3. Find the Default workflow approver property.
4. Remove the current value and search for the user you want to assign.
5. Save your changes.

More on approval flows can be found in this document.