In this exercise, you will put into practice what you have learned from this course and create the appropriate Eligibility and Approval Flow policies to successfully complete the four scenarios described below. In order to complete all the scenarios, you will need to fulfill the following prerequisite tasks:
Prerequisite Tasks
Create seven Person identities and assign each to the Temporary Role in Temporary Location Business Role and Location:
User A
User B
User C
User D
A Manager for both User A and User B
A Manager for both User C and User D
A person that can be chosen by the manager of User C as a delegate for approvals that require a response from User C’s manager
A Manager for User C
An Application Role Approver for the group
Assign all seven Person identities to the IT Shop, My Tasks, and My Identity Self-Service Full Access Management Role. This grants each user the ability to access the IT Shop, My Tasks, and My Identity applications.
Create a generic group and do the following:
Assign the person you created above for that role as the Application Role Approver
Grant User A and User B the Eligible eligibility type to the group as a resource
Grant User C the PreApproved eligibility type to the group as a resource
Create two Approval Steps
The first with an Approver Resolver Rule that creates an approval task for the manager of the person initiating a business request
The second with an Approver Resolver Rule that creates an approval task for the resource owner
Create an Approval Flow Policy and add both of the above Approval Steps to the policy. Be sure the precedence for the steps is correct.
Create an Access Request Policy and add the Approval Flow Policy to it.
Configure the Item Type Action for adding someone to a group with the Access Request and Approval Flow policies created above. The name of the Item Type Action for this is ADDPersonApplicationRoleResourceRole.
Scenario 1
User A logs in to the IT Shop and submits a request for group membership. The request routes through a two-step approval: first User A’s manager, then the Application Role Approver for the group. Once both parties approve, EmpowerID fulfills the request and adds the user to the group.
Scenario 2
User B logs in to the IT Shop and submits a request for membership in the same group. The request is rejected by User B’s manager, which ends the process. Approval should not route to the Application Role Approver.
Scenario 3
User C logs in to the IT Shop and submits a request for membership in the same group. EmpowerID creates an approval task for the person delegated by User C’s manager. The delegated approver approves the request, but the Application Role Approver rejects the request.
Scenario 4
User D logs in to the IT Shop and submits a request for membership in the same group. EmpowerID fulfills the request without requiring any human approval.
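The routing the four scenarios expect can be checked on paper with a small model before you build the policies. The Python below is an added example, not EmpowerID code or part of the original exercise. The names "Manager AB", "Manager CD" and "Delegate" are constructed, the eligibility type is passed in per request rather than fixed per user, and the rule that PreApproved skips every approval step is an assumption of the model.

```python
# Simplified model of the routing the scenarios describe; not EmpowerID code.
from dataclasses import dataclass, field

MANAGERS = {"User A": "Manager AB", "User B": "Manager AB",
            "User C": "Manager CD", "User D": "Manager CD"}  # constructed names
DELEGATES = {"Manager CD": "Delegate"}   # approver -> person they delegated to
RESOURCE_OWNER = "App Role Approver"     # Application Role Approver for the group

# Approval Flow Policy as (precedence, step name, approver resolver).
# Listed out of order on purpose: precedence, not list position, sets the order.
STEPS = [
    (2, "resource owner", lambda requester: RESOURCE_OWNER),
    (1, "manager", lambda requester: MANAGERS[requester]),
]

@dataclass
class Result:
    status: str
    tasks: list = field(default_factory=list)  # (step, approver, decision)

def route_request(requester, eligibility, decisions):
    """Route one request; decisions maps approver name -> 'approve' or 'reject'."""
    if eligibility == "PreApproved":     # assumption: bypasses every approval step
        return Result("fulfilled")
    if eligibility != "Eligible":        # no eligibility: nothing to route
        return Result("not requestable")
    result = Result("pending")
    for _, step, resolve in sorted(STEPS, key=lambda s: s[0]):
        approver = resolve(requester)
        approver = DELEGATES.get(approver, approver)  # delegation redirects the task
        decision = decisions.get(approver)
        if decision is None:             # nobody has answered: request stays open
            result.tasks.append((step, approver, "waiting"))
            return result
        result.tasks.append((step, approver, decision))
        if decision == "reject":         # a rejection ends the process
            result.status = "rejected"
            return result
    result.status = "fulfilled"
    return result

if __name__ == "__main__":
    print(route_request("User A", "Eligible",
                        {"Manager AB": "approve", "App Role Approver": "approve"}))
```

Comparing the task list this model returns with the approval tasks that actually appear in My Tasks is a quick way to spot a wrong step precedence or a missing delegation.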