When users request access to resources, they initiate workflows that attempt to execute one or more EmpowerID Operations on those resources in a manner consistent with the workflow. For instanceexample, if when a user requests membership in seeks to join a Management Role, the associated corresponding workflow tries to perform initiates operations on targeting both the user and the Management Role to update the personuser's role membership. By default, if a user can initiate initiates a workflow but lacks access does not have the necessary permissions to execute one or more certain operations within it, the authorization engine returns a message stating that the issues a notification indicating the lack of required access is missing. This default mode is suitable for admin workflows that do not require approval. For processes that need needing approval, EmpowerID offers a robust workflow engine that can be enabled on a per-workflow basis.
Workflow Approval Routing
Organizations can override the default approval process for greater control over how the system generates and manages approvals. Each workflow has a property called "Do not generate a business request (no approval)," which is enabled by default for most workflows by default.
The approval process logic, in relation to the "Do not generate a business request (no approval)" property on a given workflow, occurs as follows:
True state: EmpowerID checks if the person executing the workflow possesses the necessary RBAC access to carry out the operations within the workflow. If the person does have access, the workflow proceeds; if not, EmpowerID informs the person of their access insufficiency, and the workflow is terminated. No approval routing happens in this case. This method reduces the number of approval tasks generated and removes unnecessary actions from the approval process.
False state: In this case, the workflow must be associated with a Business Request Type and will always require approval, even if the individual has the authority to execute the workflow operations. The Business Request Type property categorizes workflows, enabling more flexible approval routing and grouping related access requests. This property, coupled with new Access Request and Approval Flow policies, permits organizations to consolidate related access requests into a single "approval bundle," specifying who should receive approval tasks and determining the number of approvals needed before fulfillment.
Approval
FlowPolicies
When users shop for resources in the IAM Shop and submit their orders, these items are sent as "Business Requests" to the EmpowerID system. These requests are routed for approval based on Approval Flow policies, which can be adjusted to create multi-tiered approval processes based on the organization's requirements.
Key components of Approval Flow policies that can be configured include:
Business Request Type:
This is a workflow property that groups workflows by the type of business request they represent, like the IT Shop Business Request Type. Approval
policies can stipulate multiple levels of approval for certain Business Request Types before fulfillment. Approval flow at the Business Request level is sometimes
called global-level approval flow.
Approval Flow Steps:
These define the number of approvals required for fulfillment,
each
representing a sequential stage that must be approved before progressing. Each step can be optionally configured for "step-level" fulfillment. This means that a step can run a workflow and perform some action based on the decision made at that step. Step-level fulfillment is often used to execute an action when the approver's decision results in a rejection, stopping the forward processing of the approval flow. The normal fulfillment process for an item request only executes if all steps are approved.
Item Level Approval: Each step can allow Item Level approval, enabling the approver to make decisions on each item instead of a single decision for the entire Business Request.
Approver Resolver Rules:
These dictate who the Approval Flow Step should route for approval.
Items Types and Item Type Actions: Item Types are the individual resources that can be requested, and Item Type Actions represent actions that can occur against an item. Examples of Item Type Actions include Add Account To Group or Assign Azure License.
Approval Flow Logic
Despite its multiple components, EmpowerID's approval flow , despite the multiple components, follows a straightforward logic. Items have two opportunities to be approved: at the Business Request level and at the individual item level. If The process ends if a Business Request is rejected at any step in this approval flow, the process ends. Only items approved at the Business Request Level progress to the next step, where they can optionally be approved at the individual item level.
Business Request Level
At this level, the Approval engine looks at the Business Request Type to see if the type it is defined with any Approval Flow policies per the Access Request policy. If the Business Request Type is not defined as specified , nor defined or for the Access Request policy of the target resource for the type, then the engine checks the Business Request itself to determine the Approval Flow policy.
Item Level
At this level, the Approval engine first checks the Item Type Action per the Access Request policy to see if the policy designates different Approval Flow policies for the item based on its Access Request policy. If there isn't a specific Access Request policy defined for the Item Type Action, the engine checks the Item Type Action itself for a specific Approval Flow Rule. If there isn't a specific Approval Flow Rule set, the Approval engine falls back on the Approval Flow Policy for the item as specified on the item's Access Request policy.
Figure 4 above illustrates how approval flows work in EmpowerID at a high level. This example creates a new Business Request to onboard an employee. The onboarding request includes a Business Role, an A"” Fulfillment Process
Once all levels of approval are cleared, items in a Business Request can proceed to fulfillment. This process is managed by the Business Request Item Fulfillment Job, which handles items ready for fulfillment in two ways, based on whether they are associated with Correlation IDs.
Fulfill in Different Workflow (No Correlation ID): Items without Correlation IDs are directed to the fulfillment workflow specified for their related Item Action Types. For instance, if a user is to join a Management Role, the designated workflow for that action would fulfill the item. These items never return to the initial workflow operation for resumption; instead, the calling workflow exits the process.
Fulfill in Initial Workflow (Correlation ID): Items bearing Correlation IDs are routed back to the originating workflow operation, where approval was a prerequisite to proceed.
| Info |
|---|
The presence of Correlation IDs within a workflow is a user-controlled setting that can be enabled or disabled for any workflow within the EmpowerID UI as needed. The "Return to WF for Fulfillment" setting governs this behavior and can be adjusted on the "Edit One" page of any workflow. |
. |
Notification Policies
As part of the approval process, EmpowerID sends notifications to request approvers, initiators, and delegated users. The approval process allows users to customize the frequency and type of notifications they receive. Here's how notifications function in EmpowerID:
A Business Request Event is created each time a user submits a Business Request.
Business Request Events are submitted to the Business Request Notification Policy engine.
The engine determines if the event needs to be added to the Business Request Notification Inbox by
examining individual users' notification preferences and defaulting to system notifications if no personalized settings exist.
Notifications are then sent to Business Request participants based on these settings.
Notification Policy Components
Several components drive the Notification policies and how the Notification Policy engine delivers notifications. These include:
Business Request Events: Four There are four levels of events where notifications can be triggered: Created, Open, Approver Set, Fulfillment Ready, and Fulfillment Completed, and Completed.
Business Request Participant Type: Individuals associated with a specific part of a business request. These can include the Initiator, TargetPersonTarget Person, InitiatorManager, TargetPersonManagerInitiator Manager, Target Person Manager, Approver, Approver Manager, Potential Approver, and Commenter.
Levels: Several levels can be designated for notifications, including Business Request, Business Request Item, Business Request Approval Step, and Business Request Item Approval Step.
Messages: Email messages delivered by the notification engine to Business Request participants.
Business Request Expiration
Setting expiration dates for business requests is important crucial for the efficient request management of the requests. It This practice ensures that approvals are completed processed within specific specified timelines, helping enabling organizations meet to comply with regulatory requirements. Once After the expiration of business requests are expired, it doesn't , they no longer appear for any approvers, thus managing the requests betterstreamlining request management processes. EmpowerID has employs two strategies based on expiration dates for handling business request expiration. The first is a fixed to handle the expiration of business requests.
Fixed 90-day policy
: Automatically expires any incomplete requests after
90 days from the creation date.
Inactivity
expiration date
: Calculates the period of inactivity based on user actions, adding the number of days specified in the "ExpireRequestAfterXDaysOfInactivity" field of the Business Request Type to the current date.
This date shifts with each user interaction, extending the expiration based on ongoing activity.
| Info |
|---|
Known areas for improvement: There is room for improvement in the current expiration logic for business requests that may be implemented in the future. Known areas for improvement are
|
| Macrosuite divider macro | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
The job “Business Request JSON Inbox Processor“ is responsible for finding expired business requests and setting their status as expired. For a business request to be considered "expired," it must meet two conditions:
Status: The request should be in an "Open" or "In Progress" status, indicating that it is still active and has not been completed or canceled.
Expiration Dates: Either the expiration date or the inactivity expiration date mentioned earlier is has passed.
So, if If the "Business Request JSON Inbox Processor" finds a business request that meets these two conditions, it will update the its status of that request to "Expired." Consequently, the expired request will no longer show up appear on the list of tasks for approval by any approver, ensuring that no further actions are taken on a request that is no longer valid request.
Approval Flow Demo
The following video demonstrates how to configure approvals and approval routing in EmpowerID.
| Div | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
IN THIS ARTICLE
|
| Insert excerpt | ||||||
|---|---|---|---|---|---|---|
|