When users request access to resources, EmpowerID uses policies to determine whether those requests need to be approved before the system fulfills them. These policies include:

• Access Request Policies – These policies are used to control access requests.
• Approval Flow Policies – These policies target who can approve or reject access requests.
• Notification Policies – These policies specify who needs to be notified throughout the approval lifecycle of raised access requests.

In this model, Access Request policies are comprised of Approval Flow policies, which specify who can approve or reject requests for resources. Approval Flow policies, in turn can be comprised of Approval Steps to direct the approval process through a sequential number of approvers. Notification policies work in tandem with these to generate approval notifications whenever access requests are raised by users.

EmpowerID includes default Access, Approval Flow, and Notification policies out of the box that generate approval tasks and for those with the RBAC delegations needed to approve access requests and send email notifications to all involved parties; however, you can override this default behavior in favor of more granularity by creating or customizing these policies to specifically target designated personnel. 

The topics in this section, walk you through a scenario of creating policies to route a request for membership in a group to the manager of the request initiator for approval and then to the owner of the group for final approval. In this scenario, if either of the approvers reject the request, membership in the group is denied.