Understanding Approval Routing for Applications
Policy-Based Access Control (PBAC) approval routing in EmpowerID provides a dynamic, context-driven framework for governing application access requests. Instead of relying on static approvers or role-based assignments alone, PBAC evaluates factors such as requested rights, field types, and selected field values to identify the most appropriate approvers for each request. This adaptive approach helps organizations maintain flexibility, streamline approval processes, and ensure that the correct stakeholders are involved based on organizational policies and real-time conditions.
Overview of EmpowerID Approval Routing
EmpowerID manages both local and global rights as Role-Based Access Control (RBAC) Resource Types. This architecture simplifies rights creation, assignment, and maintenance through Access Levels and associated operations. Central to the process is the Access Request Policy, which determines how incoming requests are processed and evaluated. The Access Request Policy specifies the Approval Policy, defining the steps required for approval and the types of approvers who must review each request.
These core concepts are the baseline on which PBAC builds. The Access Request Policy and Approval Policy form the backbone of the entire approval process, ensuring that requests flow through a structured and consistent pipeline.
Visualizing the Approval Framework
To better understand these relationships, consider the following diagram. It presents a high-level view of how requests move from resources, through the Access Request Policy and Approval Policy, and finally to the appropriate approvers.
Figure: Relationship Between Resources, Access Request Policy, Approval Policy, and Approvers
In this diagram, the resources—representing the rights or data a user requests—flow into the Access Request Policy. This policy invokes the Approval Policy to determine the approval steps and logic. From there, the process identifies and routes to the appropriate approvers, ensuring that only authorized individuals evaluate and grant access.
Approval Methods for Application Rights
With the foundation established, it’s helpful to understand the spectrum of approval routing methods available:
Static Approvers: A fixed set of individuals, groups, or roles always review requests. This method is simple but lacks flexibility.
RBAC-based Approvers: Approvers are determined by organizational roles and structure, making the process more adaptive than static assignments but still relatively broad.
PBAC Approvers: Approvers are identified dynamically based on policies tied to field types and values. This granular approach is the recommended method for PBAC-enabled applications, as it allows organizations to tailor approvals to the unique attributes and conditions of each request.
What is PBAC Approval Routing?
PBAC approval routing refines the approval process by linking approver determination directly to the request context. When users ask for access to specific application data, they may select attributes—such as region or department—that influence who should approve that particular access. PBAC interprets these attributes and applies policy-based logic to identify the right set of approvers. For example, a request involving “North America” financial data might route to a certain team, while “Europe” directs the request to another, more appropriate group.
This approach ensures that approvals are policy-driven and context-aware, aligning closely with organizational rules, compliance requirements, and security considerations.
Key Components of PBAC Approval Routing
Several core components ensure that PBAC approval routing works effectively:
Access Request Policy:
The PBAC Approval Access Request Policy governs how requests are initially processed. It sets the stage for dynamic decision-making based on user input and request attributes.
Approval Policy:
The Approval Policy (in this case, the “PBAC Approval” Approval Policy) defines one or more approval steps and incorporates resolver rules that determine which approvers to involve.
Approval Steps and Resolver Rules:
Within the Approval Policy, specific approval steps integrate the “PBAC Approver” resolver rule. This rule evaluates the field types and values associated with the request and locates the users or groups possessing the corresponding approval rights.
These components work in tandem to deliver a flexible, adaptable approach to approval routing. Instead of a one-size-fits-all solution, PBAC approval routing empowers organizations to fine-tune their workflows according to field-level conditions and policies.
PBAC Approver Resolver Rule in Detail
The PBAC Approver Resolver rule links the conceptual framework to day-to-day practice. Consider a Field Type such as “Region” with potential values “North America,” “Europe,” and “Asia.” Each local right that requires approval corresponds to an approval right associated with these field values.
When a user requests access involving multiple Field Type values, the system splits the request into separate items—one per value. The resolver rule then identifies who holds the approval rights for each item. This method ensures that the correct approvers review requests only for the data they are responsible for, making the overall approval process both targeted and efficient.
How PBAC Approval Routing Works in Practice
The end-to-end workflow might look like this:
Configuration:
Administrators define a PBAC Access Request Policy (or use the default PBAC Access Request Policy provided by EmpowerID) and associate Application Rights with the PBAC Approval process. They specify Field Types and their values so that the system can distinguish between different scenarios (e.g., different regions, departments, or classifications).
User Request Submission:
A user requests access, selecting relevant Field Type values. The system automatically partitions the request into multiple items if more than one value is chosen.
Resolver Execution:
The PBAC Approver resolver examines each request item, matches it against the configured approval rights, and identifies the appropriate approvers for that scenario.
Approval Routing:
Each item is routed to the designated approvers. These stakeholders review the request in light of organizational policies and business needs before granting or denying access.
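The four steps above, modelled in Python as an added example (this is not EmpowerID code or its API): a request is split into one item per selected field value, and each item is resolved against a table of approval-right holders. The right name, the approver group names and the decision to hold items that resolve to no approver are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: (application right, field type, field value) ->
# holders of the matching approval right. All names are hypothetical.
APPROVAL_RIGHTS = {
    ("ViewFinancials", "Region", "North America"): {"na-finance-approvers"},
    ("ViewFinancials", "Region", "Europe"): {"eu-finance-approvers", "eu-compliance"},
}

@dataclass(frozen=True)
class RequestItem:
    requester: str
    right: str
    field_type: str
    field_value: str

def split_request(requester, right, field_type, values):
    """Partition a request into one item per selected value, collapsing duplicates."""
    seen, items = set(), []
    for value in values:
        key = value.strip()
        if key and key not in seen:
            seen.add(key)
            items.append(RequestItem(requester, right, field_type, key))
    return items

def resolve_approvers(item, rights=APPROVAL_RIGHTS):
    """Return the holders of the approval right for this exact right/type/value."""
    return set(rights.get((item.right, item.field_type, item.field_value), set()))

def route(requester, right, field_type, values, rights=APPROVAL_RIGHTS):
    """Route each item to its approvers; items with no approver are held for review."""
    routed, unrouted = {}, []
    for item in split_request(requester, right, field_type, values):
        approvers = resolve_approvers(item, rights)
        if approvers:
            routed[item.field_value] = approvers
        else:
            # Assumption: fail closed. An unmatched value is never auto-approved.
            unrouted.append(item.field_value)
    return routed, unrouted

if __name__ == "__main__":
    routed, unrouted = route("jdoe", "ViewFinancials", "Region",
                             ["North America", "Europe", "Asia", "Europe"])
    print("routed:", routed)
    print("needs an approver assigned:", unrouted)
```

Running the same lookup over every configured field value is a quick way to audit for values that have no approval-right holder before users start requesting them.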
This intelligent routing ensures that the right people evaluate requests based on their domain expertise, compliance obligations, and security privileges. As conditions change, such as adding new regions or updating departmental structures, the system’s logic adapts without needing to rebuild static approval paths.
By integrating PBAC approval routing, organizations achieve a more flexible, context-aware approval framework. The result is a responsive and efficient access management process that aligns closely with both internal policies and external regulations—fostering a secure, compliant, and well-governed environment for all of their applications and data.