Approving requests via Email

This feature allows a user (an approver) to receive an email notification about a pending request and approve the request via email, without being logged into OpenIAM.
OpenIAM, using its SMTP account, reads the reply in its inbox and proceeds with approving, declining, or taking other actions on the request based on specific keywords.

The following keywords must be typed in the email body:

  • "I accept this request" to approve the pending request.
  • "I reject this request" to reject the pending request.
  • "delegate toWhomEmailAddress@openiam.com" to delegate the pending request.

Note that when delegating a request, you must specify the email address of the new approver so OpenIAM can locate and assign the request appropriately.

Request ID in subject

One critical requirement is that the request ID must be present in the email’s subject line.

If the request ID is missing from the subject line, it might not be selected in your email template. To add it:

  1. Go to webconsole > Administration > Mail Template Editor.
  2. Locate the relevant email template.
  3. Add ${req.getNotificationParam('REQUEST_ID').valueObj} to the Mail Subject Line field.
  4. Click Save.

Approver email address

The email address of the approver (who will accept, decline, or delegate the request) must match exactly one user email in OpenIAM.
This is typically satisfied by default, though test scenarios might require additional attention.
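
The three requirements above (one keyword in the body, the request ID in the subject, a sender address that maps to exactly one user) can be checked against a saved reply before troubleshooting the mailbox itself. The following is an added example, not OpenIAM code: the sample message, the request ID "REQ-0001", the example.com addresses, and the matching details (substring match on the ID, case-insensitive address comparison, skipping ">"-quoted lines) are assumptions of this sketch, not documented OpenIAM behaviour.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# The three reply phrases from this page; the regex details are this example's assumption.
KEYWORDS = {
    "accept": re.compile(r"I accept this request"),
    "reject": re.compile(r"I reject this request"),
    "delegate": re.compile(r"delegate\s+(\S+@\S+)"),
}

def check_reply(raw, request_id, user_emails):
    """Return (action, delegate_to, problems) for one raw reply message.

    user_emails: every user email address known to the directory
    (constructed below; in practice an export from OpenIAM).
    """
    msg = message_from_string(raw, policy=policy.default)
    problems = []
    if request_id not in str(msg.get("Subject", "")):
        problems.append("request ID not in subject")
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    matches = sum(1 for e in user_emails if e.lower() == sender)
    if matches != 1:
        problems.append(f"sender matches {matches} users, need exactly 1")
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    # Drop quoted lines so phrases in the quoted notification are not counted.
    own = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(">"))
    found = {k: m for k, rx in KEYWORDS.items() if (m := rx.search(own))}
    if len(found) != 1:
        problems.append(f"found {len(found)} keywords, need exactly 1")
        return None, None, problems
    action, m = next(iter(found.items()))
    target = m.group(1) if action == "delegate" else None
    return action, target, problems

# Constructed sample reply (addresses and request ID are placeholders).
SAMPLE = """From: Alice <alice@example.com>
To: iam@example.com
Subject: Re: Pending request REQ-0001
Content-Type: text/plain

I accept this request

> Reply with "I accept this request" or "I reject this request".
"""

if __name__ == "__main__":
    print(check_reply(SAMPLE, "REQ-0001", ["alice@example.com", "bob@example.com"]))
```

An empty problems list means the reply meets all three requirements as this page states them; a reply that is still ignored then points to the mailbox configuration covered in the next section.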

Enabling inbox reading

For OpenIAM to monitor replies, the Read Inbox feature must be enabled.
Follow these steps:

  1. Go to webconsole > Administration > Mailbox Configuration.
  2. In the Actions column, click the Edit icon.
  3. Check the Read Inbox? checkbox.

By default, OpenIAM checks the inbox every 15 minutes. You can adjust this frequency using the following Java option:

-Dorg.openiam.email.inbox.sweep=900000

Here, 900000 represents 15 minutes in milliseconds. Modify the value to suit your preferences.

Note: To configure the SMTP account used by OpenIAM, refer to the mail provider documentation. OpenIAM cannot authenticate mailboxes that use MFA, as it cannot receive a code via phone/email or follow voice prompts.

Audit log

After a user responds to a request via email keyword, the event is recorded in the audit log. To view it, go to webconsole > Administration > Log Viewer.

The event name is MAKE_DECISION_FROM_EMAIL.
