Versions Compared

Old Version 1

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version 2

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Workflows and Default Approval routing

At a high level, when When users request access to resources, they initiate workflows that attempt to execute one or more EmpowerID Operations against on those resources in a manner consistent with the workflow. For exampleinstance, if a user requests membership in a Management Role, the associated workflow related to that request attempts to execute operations against tries to perform operations on both the user and the Management Role to update the person’s person's role membership. In a default configuration of the EmpowerID approval flow engineBy default, if a user has access to can initiate a workflow but does not have lacks access to execute one or more operations in the workflowwithin it, the authorization engine returns a message stating that the user does not have the required access is missing. This default mode is the default suitable for workflows used by admins where approval is not desiredadmin workflows that do not require approval. For processes requiring that need approval, EmpowerID offers a powerful robust workflow engine that can be enabled on a workflowper-by-workflow levelbasis.

Workflow Approval Routing

This Organizations can override the default approval process can be overridden to give organizations more for greater control over how the system generates and flows manages approvals. Each workflow has a property called "Do not gererate generate a business request (no approval) and most have that property enabledout of the box," which is enabled for most workflows by default.

Image Modified

The logic that occurs in the approval process logic, in relation to the "Do not generate a business request (no approval)" property on a given workflow is , occurs as follows:

When “Do not generate a business request (no approval)” is True (selected in the UI)
When Do not generate a business request is set on a workflow (as shown in Figure 2), EmpowerID verifies whether

  1. True state: EmpowerID checks if the person executing the workflow

has

  1. possesses the necessary RBAC access

needed

  1. to

perform

  1. carry out the

workflow’s

  1. operations within the workflow. If the person

has

  1. does have access, the workflow

continues

  1. proceeds; if

the person does

  1. not

have access

  1. , EmpowerID

notifies

  1. informs the person

that they do not have access

  1. of their access insufficiency, and the workflow

exits. Approval routing never occurs. There are several benefits to removing

  1. is terminated. No approval routing happens in this

way, including the following:This significantly

  1. case. This method reduces the number of approval tasks generated

by the system

  1. and removes unnecessary actions from the approval process

that should not be there in the first place.The workflows and the operation base do not generate Business Process Tasks (Business Process is a workflow and all the operations in it are Business Process Tasks) when a person does not have the RBAC delegations to execute the workflowIf the setting is false

  1. .

When “Do not generate a business request (no approval)” is False (not selected in the UI)

  1. False state: In this case, the workflow must be

configured

  1. associated with a Business Request Type and

it

  1. will always

go for

  1. require approval, even if the

person

  1. individual has

access

  1. the authority to execute the workflow operations. The Business Request Type property

allows workflows to be classified for the purpose of providing greater flexibility in

  1. categorizes workflows, enabling more flexible approval routing and

the

  1. grouping

together of

  1. related access requests.

Rather than having a default approval routing that simply routes unrelated approvals to all users with the delegations to approve requests, organizations can this property along

  1. This property, coupled with new Access Request and Approval Flow policies, permits organizations to

group together

  1. consolidate related access requests into a single

consolidated “approval

  1. "approval bundle,

“ specify to whom

  1. " specifying who should receive approval tasks

should go, and how many approvals need to occur before fulfillment occurs.
Image Removed

  1. and determining the number of approvals needed before fulfillment.

Image Added

Approval Flow Policies

When users shop for resources in the IT IAM Shop , they put resource items for which they are eligible to receive in their shopping carts. When ready, they submit the items in their cart and submit their orders, these items are sent as "Business Requests" to the EmpowerID system. These cart submissions are known as “Business Requests.” Each Business Request can contain one or more resource items, depending on the number of items that were in a user’s cart when submitted. The Business Request, including all the items in that request, route requests are routed for approval based on the configuration of Approval Flow policies. Approval Flow policies are user-defined policies that organizations can create to direct Business Requests through an approval process that can involve multiple levels of approval from numerous designated approvers before users receive the items in a Business Request, known as “fulfillment.” Organizations can create Approval Flow policies that are as simple or as complex as their needs dictate. Approval Flow policies have a number of key components that can be configured to specify how this occurs:

Business Request Type – As mentioned above, a Business Request Type is a workflow property used to group

, which can be adjusted to create multi-tiered approval processes based on the organization's requirements.

Key components of Approval Flow policies that can be configured include:

  1. Business Request Type: A workflow property that groups workflows by the type of business request they represent

. An example of a Business Request Type is

  1. , like the IT Shop Business Request Type.

This type represents anything that is published to the IT Shop, such as Application and Business Roles, Management Roles, and Azure Licenses.

  1. Approval Flow policies can

be configured to specify that requests of a certain Business Request Type must go through

  1. stipulate multiple levels of approval

, for example,

  1. for certain Business Request Types before fulfillment

occurs

  1. . Approval flow at the Business Request level is sometimes referred to as global

level, versus item

  1. level

,

  1. approval flow.

  2. Approval Flow Steps

– Approval Flow Steps are added to Approval Flow policies to specify how many approvals are required for fulfillment. Approval Flow policies can have as many Approval Flow Steps as needed. Each step is a sequential step that must be approved at that level to proceed to the next step. Each step can have its own approver resolver logic, and steps can optionally be configured for “step-level”

  1. : Define the number of approvals required for fulfillment, with each step representing a sequential stage that must be approved before progressing. Each step can be optionally configured for "step-level" fulfillment. This means that a step can run a workflow and perform some action based on the decision made

for the

  1. at that step. Step-level fulfillment is

most

  1. often used to

perform

  1. execute an action when the

approver’s decision was one that was a rejection that stopped

  1. approver's decision results in a rejection, stopping the forward processing of the approval flow. The normal fulfillment process for an item request only executes if all steps are approved.

  2. Item Level Approval

  1. : Each step can

be configured to

  1. allow

for

  1. Item Level approval

. This setting is specific to the global or Business Request level approval and allows

  1. , enabling the approver to make decisions on each item instead of a single decision for the entire

Business Request. Item Level refers to the individual items in a business request, such as requesting an Office 365 mailbox or an Application Role. With Item Level approval enabled for a Business Request level step, the step approver can elect to make item-by-item approvals. Only those items not rejected at an approval step in the Business Request level for a

  1. Business Request

that is approved, move forward for item-level approval evaluation

  1. .

  2. Approver Resolver Rules

– Approver Resolver rules specify to whom

  1. : Dictate who the Approval Flow Step

needs to route for approval. These can be routed to various actors in EmpowerID to include those listed below:

  • Custom Approver Code – Custom code generated by the

  • Global Resource Owner – Owner of the resource specified as the subject of the Business Request. This allows items to be routed for approval to the subject of the request such as the group instead of to each account being added as a member.

  • Global Risk Owner – If the request would violate a risk policy, approval routes the step to the owner of the global risk for approval.

  • Initiator – The request to the person initiating the request

  • Initiator Manager – The request routes to the manager of the person initiating the request

  • Local Risk Owner –

  • PBAC Approver –

  • RBAC Approver – Anyone with the RBAC delegations needed to approve the request

  • Resource Allowed Nation –

  • Resource Owner – Owner of the item resource

  • Static Approver – Approvers are specific users selected for the step

  • Target Person –

  • Target Person Manager – If making a request for another person, the request routes to that person’s manager for approval

  • Target Resource Line Manager –

  • Fallback Approver – Can select someone to approve in the instance that a specified approver does not exist, such as would be the case if a Management Role was selected as a Static Approver and no one had that role. Fallback Approver options include those listed above for Approver Resolver Rules.

    • Items Types

    1. should route for approval.

    2. Items Types and Item Type Actions: Item Types are the individual resources that can be requested,

    such as membership in an Application Role or access to an Office 365 mailbox. The Item Type is where the template for viewing an item is defined to specify which properties to show.Item Type Actions – Item Type Actions are in essence EmpowerID Operations and

    1. and Item Type Actions represent actions that can occur against an item

    (resource)

    1. . Examples of Item Type Actions include Add Account To Group or Assign Azure License

    . Item Type Actions are where the final fulfillment workflow is defined which knows how to complete the requested action

    1. .


    Image Removed

    Approval Flow

    While there are several pieces involved with how approvals flow in EmpowerID, the logic is straightforwardEmpowerID's approval flow, despite the multiple components, follows a straightforward logic. Items have two opportunities to go for approval. first optionally at the Business Request or global level. Not all requests will be routed for approval be approved: at the Business Request level. Business Request Level approval is best explained as order- level approval. Business Requests contain multiple items, and the Business Request Type can be configured to have a global or order level approval flow. If the and at the individual item level. If a Business Request is rejected at any of the steps step in this approval flow, the process ends. Only items approved at the Business Request Level pass on progress to the next step, where they can optionally go for approval flow be approved at the individual item level.

    Business Request Level

    The

    At this level, the Approval engine

    first

    looks at the Business Request Type to see if the type is defined with any Approval Flow policies per Access Request policy.

    In other words, the engine looks to see if the target resource at the Business Request level is in a specified Access Request policy; if so, the engine then gets the Approval Flow policy specified for the Access Request policy.

    If the Business Request Type is not defined as specified

    in Step 1 above

    , nor defined for the Access Request policy of the target resource for the type, then the engine

    looks at

    checks the Business Request itself to

    see what is specified as

    determine the Approval Flow policy.

    Item Level

    The

    At this level, the Approval engine first

    looks at

    checks the Item Type Action per the Access Request policy to see if the policy designates different Approval Flow policies for the

    resource of the

    item based on its Access Request policy.

    If there

    is not an

    isn't a specific Access Request policy defined

    in this way

    for the Item Type Action, the engine

    looks at

    checks the Item Type Action itself

    to see if there is

    for a specific Approval Flow Rule

    set for it. For example, an action like Add Account To Group can have a different Approval Flow Rule than the Remove Account From Group action.Finally, if there is not

    . If there isn't a specific Approval Flow Rule set

    on the Item Type Action

    , the Approval engine falls back

    to

    on the Approval Flow Policy for the item as specified on the item’s Access Request policy.

    If the Approval Flow Policy does not belong to a specific Access Request policy, the Default Access Request Policy is used.

     

    Figure 4 above depicts from a high level illustrates how approval flows work in EmpowerID at a high level. In the figurethis example, a new Business Request is created to onboard an employee. As part of the The onboarding request , includes several items are requested, : a Business Role, an Application Role, and a Management Role. The Approval Policy for the Business Request is configured with has two Approval Steps. The first step requires approval by the manager of the employee and the employee's manager's approval, while the second step requires approval by the finance department's approval. In each of the both steps, Item Level approval is configured, meaning that allowing the manager and the finance department can to approve individual items and reject others. Items approved by all steps are then fulfilled by the system, while rejected items rejected within any of the steps are not.

    Access Request Policies

    Access Request policies are used to control access to resources in EmpowerID and can be used to designate different Approval Flow policies for resources based on their Access Request policy. With this model, you create the Approval Flow policies first and then add them to the Access Request policy when you create it. EmpowerID includes a default out-of-the-box Access Request policy that meets most situations.  In the order of priority to determine the proper approval flow policy for an item, the approval flow policy set on the Access Request Policy is evaluated last.

    Fulfillment

    Fulfillment is the process by which EmpowerID fulfills describes how EmpowerID concludes approved Business Requests. Fulfillment is the completing action of “adding , such as "adding a user to an Application Role” Role" or “provisioning "provisioning a mailbox in Azure”, etc. When the items in a Business Request pass through Azure". Once all levels of approval are cleared, the items are then ready for fulfillment. Fulfillment is handled items in a Business Request can proceed to fulfillment. This process is managed by the Business Request Item Fulfillment Job. This job claims , which handles items ready for fulfillment and does one of two things, depending on whether those items have Correlation IDs associated with themin two ways, based on whether they are associated with Correlation IDs.

    1. Fulfill in Different Workflow (No Correlation ID)

    – Sends items

    1. : Items without Correlation IDs are directed to the fulfillment workflow specified for

    the

    1. their related Item Action Types. For

    example

    1. instance, if a user is to

    be added to

    1. join a Management Role, the

    item would be fulfilled by the workflow specified

    1. designated workflow for that action would fulfill the item. These items

    are

    1. never

    sent back

    1. return to the

    calling

    1. initial workflow operation for resumption

    . The

    1. ; instead, the calling workflow exits the process.

    2. Fulfill in Initial Workflow (Correlation ID)

    – Returns items with

    1. : Items bearing Correlation IDs are routed back to the

    calling

    1. originating workflow operation, where approval was

    required

    1. a prerequisite to proceed.

    Info

    The presence of Correlation IDs within a workflow is a user-controlled setting that can be enabled or disabled for any workflow within the EmpowerID UI as needed. The setting that controls this behavior is the "Return to WF for Fulfillment setting, which " setting governs this behavior and can be edited adjusted on the "Edit One" page of any workflow. For further information, see Configure Workflow Approval Options.

    Figure 5 below visually depicts from a high level how fulfillment occurs based on whether Correlation IDs exist for an executed workflow

    .

    The fulfillment process, according to the existence of Correlation IDs, is depicted in Figure 5.

    Notification Policies

    As mentioned earlier, part of the approval process involves notifications. Approvers and initiators of requests, as well as all delegated users, received notifications of these events. As part of the redesign of the approval process, EmpowerID has reconfigured how notification occurs, giving users the ability to tailor the amount , EmpowerID sends notifications to request approvers, initiators, and delegated users. The approval process allows users to customize the frequency and type of notifications they receive to their personal preferences.  How notifications now work in EmpowerID is as follows:

    Each

    . Here's how notifications function in EmpowerID:

    1. A Business Request Event is created each time a user submits

    a Business Request

    1. a Business Request

    Event is raised

    1. .

    2. Business Request Events are submitted to the Business Request Notification Policy engine.

    3. The

    Business Request Notification Policy

    1. engine determines if the event needs to be added to the Business Request Notification Inbox

    . To determine this, the engine first performs a granular scan of each person’s

    1. , by first examining individual user's notification preferences,

    then falls back to the default

    1. and defaulting to system notifications if

    there are no personal notification preferences set

    1. no personalized settings exist.

    2. Notifications are then sent to Business Request participants based on

    those notification

    1. these settings.

    Notification Policy Components

    There are several components to Several components drive the Notification policies and how the Notification Policy engine delivers notifications. These include the following:

    • Business Request Events

    – There are four

    • : Four levels of

    Business Request Events

    • events where notifications can be

    raised.

  • Created – Occurs when a Business Request is created. This can be used to, for example, create a policy that sends an email notification to managers of users creating a Business Request.

  • Open – This is used in Approval Flow Policies with more than one Approval Flow Step to notify progressive approvers that the item is ready for them to review once a previous step has been approved by the person delegated for that step. If the previous step is rejected, then this notification would not be sent out.

  • Approver Set – Raised when someone manually assigns an approver to a step.

  • Fulfillment Ready and Fulfillment Completed – These are only available at the item level. They are relative to a specific item that has been approved are is now ready to be fulfilled, which creates a notification at that level. Additional notifications occur when fulfillment completes, such as happens when a user is added to a group in response to a Business Request.

    • Completed – Completed can be used at the step level and the Business Request Level to send notifications that a particular step is completed and when the Business Request itself is completed

    • triggered: Created, Open, Approver Set, Fulfillment Ready and Fulfillment Completed, and Completed.

    • Business Request Participant Type

    • : Individuals

    related to

    • associated with a specific part of a business request.

    are fields in the BusinessRequestParticipantType table.

    • Initiator – Person requesting the resource

    • TargetPerson – Person receiving the resource assignments

    • InitiatorManager – Manager of the request initiator

    • TargetPersonManager – Manager of the person receiving the resource

    • Approver – Person who approves or rejects a step

    • Approver Manager – Manager of the person who approves or rejects a step

    • Potential Approver – Selected people who could approve or reject a step (delegated)

    • Commenter – Person who adds comments to a request

    Levels

    Business Request– Shopping cart submissionBusiness Request Item– Individual items submittedBusiness Request Approval Step – TheBusiness request is approved or rejected globally. The decision here is final.Business Request Item Approval Step– Each item in the business request can be approved or rejected on a case-by-case basis.Messages

    • These can include the Initiator, TargetPerson, InitiatorManager, TargetPersonManager, Approver, Approver Manager, Potential Approver, and Commenter.

    • Levels: Several levels can be designated for notifications, including Business Request, Business Request Item, Business Request Approval Step, and Business Request Item Approval Step.

    • Messages: Email messages delivered by the notification engine to Business Request participants.

    Approval Flow Demo

    The following video demonstrates how to configure approvals and approval routing in EmpowerID.

    Approval Flow Demo.mp4
    Div
    stylefloat:left; position:fixed;
    idarticleNav

    IN THIS ARTICLE

    Table of Contents
    maxLevel4
    minLevel2
    stylenone
    printablefalse

    Insert excerpt
    IL:External Stylesheet
    IL:External Stylesheet
    nopaneltrue