As with all EmpowerID workflows, the LDAP workflows associated with the EmpowerID LDAP Server are RBAC-trimmed. To initiate a workflow, a user must have the Initiator Access Level for that workflow; to execute it without requiring further approval, the user must also have an Access Level that allows any necessary operations.
If a user initiates one of the LDAP workflows but does not have the delegations needed to perform the task in that workflow (such as creating a new user account), the EmpowerID LDAP Server displays a message to that user indicating that the request failed and then routes the request to a delegated approver via email.
The approver can then choose to approve or deny the request. If the approver approves it, the workflow resumes and the user account (in this case) is created. If the approver denies it, the workflow terminates and the user account is not created. In either case, EmpowerID routes the results of the request to the request initiator via email.