Approval Flow Engine

When a user requests access to resources, EmpowerID initiates a workflow that executes predefined operations on the target resources. For example, a user requesting membership in a Management Role triggers a workflow that updates both the user and the Management Role accordingly.

By default, if the user has the privilege to initiate but not execute all operations within the workflow, the EmpowerID Authorization Engine notifies the user of any missing access rights. This default behavior is suitable for administrative workflows that do not require approval. However, for processes that require approval, EmpowerID offers a powerful workflow engine that can be enabled on a per-workflow basis.

Workflow Approval Routing

EmpowerID allows organizations to override default behavior through its robust Workflow Approval Engine, which is configurable on a per-workflow basis. Each workflow includes a property known as "Do not generate a business request (no approval)," which is enabled by default for most workflows.

 

Figure 1: Do not generate a business request (no approval) workflow property

The approval process logic, in relation to the "Do not generate a business request (no approval)" property on a given workflow, occurs as follows:

  1. True state: EmpowerID checks if the initiating user possesses the Role-Based Access Control (RBAC) rights needed for all operations within the workflow. If access is sufficient, the workflow proceeds; if not, EmpowerID informs the user of their access insufficiency, and the workflow terminates. No approval routing happens in this case. This method reduces the number of approval tasks generated and removes unnecessary actions from the approval process.

  2. False state: The workflow is associated with a specific Business Request Type and will necessitate approval, irrespective of the user's RBAC permissions. The Business Request Type property categorizes workflows, enabling more flexible approval routing and grouping related access requests. This property, used in conjunction with EmpowerID’s Approval Flow and Access Request policies, allows the aggregation of similar access requests into a single "approval bundle," specifying who should receive approval tasks and determining the number of approvals needed before fulfillment.

Figure 2: Workflow Approval Routing based on the state of the 'Do not generate a business request' property on a given workflow

 

Approval Flow Policies: Structuring Approvals

Business Requests and Approval Flow

When users shop for resources in the IT Shop, they put resource items for which they are eligible to receive in their shopping carts. When ready, they submit the items in their cart to the EmpowerID system. These cart submissions are known as Business Requests. Each Business Request can contain one or more resource items, depending on the number of items that were in a user’s cart when submitted. The Business Request, including all the items in that request, route for approval based on the configuration of Approval Flow policies. While there are several pieces involved with how approvals flow in EmpowerID, the logic is straightforward. Approval flow begins at the Business Request level and then flows to the items in the Business Request. If the Approval Flow Policies are configured to grant approval at the Business Request level, Item level approval is not necessary as all items in the request are approved.

Key configurable components of Approval Flow Engine include:

  1. Business Request Type: A workflow property that groups workflows by the type of business request they represent, like the IT Shop Business Request Type. Approval Flow policies can stipulate multiple levels of approval for certain Business Request Types before fulfillment. Approval flow at the Business Request level is sometimes referred to as global-level approval flow.

  2. Approval Flow Steps: Define the number of approvals required for fulfillment, with each step representing a sequential stage that must be approved before progressing. Each step can be optionally configured for "step-level" fulfillment. This means that a step can run a workflow and perform some action based on the decision made at that step. Step-level fulfillment is often used to execute an action when the approver's decision results in a rejection, stopping the forward processing of the approval flow. The normal fulfillment process for an item request only executes if all steps are approved.

  3. Item Level Approval: Each step can allow Item Level approval, enabling the approver to make decisions on each item instead of a single decision for the entire Business Request.

  4. Approver Resolver Rules: Dictate who the Approval Flow Step should route for approval. These can be routed to various actors in EmpowerID including the:

    • Initiator Manager – The request routes to the manager of the person initiating the request

    • Target Person Manager – If making a request for another person, the request routes to that person’s manager for approval

    • Resource Owner – Owner of the item resource

    • Global Resource Owner – Owner of the resource specified as the subject of the Business Request. This allows items to be routed for approval to the subject of the request, such as the group, instead of to each account being added as a member.

    • RBAC Approver – Anyone with the RBAC delegations needed to approve the request

    • Static Approver – Approvers are specific users selected for the step

    • Fallback Approver – Can select someone to approve in the instance that a specified approver does not exist, such as would be the case if a Management Role was selected as a Static Approver and no one had that role

  5. Items Types and Item Type Actions: Item Types are the individual resources that can be requested, and Item Type Actions represent actions that can occur against an item. Examples of Item Type Actions include “Add Account To Group” or “Assign Azure License”.

You can configure Item Type Actions, which are useful when creating a Business Request. Suppose the Business Request has no Approval Flow Policies attached to it. How will the approval process work in this case? It will go through each item one by one and trigger the Item Type Actions associated with that particular item. The approval process will then run or take effect from there.

 

In Item Type Actions, you can see it has an Approval Flow Policy which can have one or more steps.

AddAccountToGroup: For high-security groups, we may choose not to use this Approval Flow Policy, and this can be defined elsewhere. Another important aspect is the ability to remove the approval policy from here (ITEM TYPE ACTIONS) and cascade it down to the object level, where approval policies can be defined for each group. These policies can then be configured through the Access Request Policy.

Access Request Policy

Access Request policies are used to control access to resources in EmpowerID and can be used to designate different Approval Flow policies for resources based on their Access Request policy. With this model, you create the Approval Flow policies first and then add them to the Access Request policy when you create it. EmpowerID includes a default out-of-the-box Access Request policy that meets most situations.

 

Multi-level Approval Flow Logic

EmpowerID allows for two levels of approval: Business Request level and Item level. Rejection at the Business Request level (the global level) terminates the entire process. Only items approved at the Business Request Level progress to the next step, where they can optionally be approved at the individual item level.

Business Request Level

  1. The Approval engine first looks at Business Request Type to see if the type is defined with any Approval Flow policies per Access Request policy. In other words, the engine looks to see if the target resource at the Business Request level is in a specified Access Request policy; if so, the engine then gets the Approval Flow policy specified for the Access Request policy.

  2. If the Business Request Type is not defined as specified in Step 1 above nor defined for the Access Request policy of the target resource for the type, then the engine looks at the Business Request itself to see what is specified as the Approval Flow policy.

Item Level

  1. The Approval engine first looks at the Item Type Action per the Access Request policy to see if the policy designates different Approval Flow policies for the resource of the item based on its Access Request policy.

  2. If there is not an Access Request policy defined in this way for the Item Type Action, it looks at the Item Type Action itself to see if there is a specific Approval Flow Rule set for it. For example, an action like Add Account To Group can have a different Approval Flow Rule than the Remove Account From Group action.

  3. Finally, if there is not a specific Approval Flow Rule set on the Item Type Action, the Approval engine falls back to the Approval Flow Policy for the item as specified on the item’s Access Request policy.Every resource in the system has one and only one Access Request Policy. By default, if you don't set it, it's going to be the default Access Request Policy.

 

Figure 3 above illustrates how approval flows work in EmpowerID at a high level. This example creates a new Business Request to onboard an employee. The onboarding request includes a Business Role, a group, and a Management Role. Once all levels of approval are cleared, items in a Business Request can proceed to fulfillment. This process is managed by the Business Request Item Fulfillment Job, which handles items ready for fulfillment in two ways, based on whether they are associated with Correlation IDs.

  1. Fulfill in Different Workflow (No Correlation ID): Items without Correlation IDs are directed to the fulfillment workflow specified for their related Item Action Types. For instance, if a user is to join a Management Role, the designated workflow for that action would fulfill the item. These items never return to the initial workflow operation for resumption; instead, the calling workflow exits the process.

  2. Fulfill in Initial Workflow (Correlation ID): Items bearing Correlation IDs are routed back to the originating workflow operation, where approval was a prerequisite to proceed.

The presence of Correlation IDs within a workflow is a user-controlled setting that can be enabled or disabled for any workflow within the EmpowerID UI as needed. The "Return to WF for Fulfillment" setting governs this behavior and can be adjusted on the "Edit One" page of any workflow.

The fulfillment process, according to the existence of Correlation IDs, is depicted in Figure 4.

Notification Policies

EmpowerID sends notifications to request approvers, initiators, and delegated users as part of the approval process. The approval process allows users to customize the frequency and type of notifications they receive. Here's how notifications function in EmpowerID:

  1. A Business Request Event is created each time a user submits a Business Request.

  2. Business Request Events are submitted to the Business Request Notification Policy engine.

  3. The engine determines if the event needs to be added to the Business Request Notification Inbox by first examining individual users' notification preferences and defaulting to system notifications if no personalized settings exist.

  4. Notifications are then sent to Business Request participants based on these settings.

Notification Policy Components

Several components drive the Notification policies and how the Notification Policy engine delivers notifications. These include:

  • Business Request Events: Four levels of events where notifications can be triggered: Created, Open, Approver Set, Fulfillment Ready, and Fulfillment Completed, and Completed.

  • Business Request Participant Type: Individuals associated with a specific part of a business request. These can include the Initiator, TargetPerson, InitiatorManager, TargetPersonManager, Approver, Approver Manager, Potential Approver, and Commenter.

  • Levels: Several levels can be designated for notifications, including Business Request, Business Request Item, Business Request Approval Step, and Business Request Item Approval Step.

  • Messages: Email messages delivered by the notification engine to Business Request participants.

Business Request Expiration

Setting expiration dates for business requests is important for the efficient management of the requests. It ensures that approvals are completed within specific timelines, helping organizations meet regulatory requirements. Once the business requests have expired, it doesn't appear for any approvers, thus managing the requests better. EmpowerID has two strategies based on expiration dates for handling business request expiration.

The first is a fixed 90-day policy, based on an expiration date, which automatically expires any incomplete requests after 90 days. The second strategy is more dynamic based on the inactivity expiration date, calculating the period of inactivity based on user actions. The types of expiration dates in EmpowerID are

Expiration Date - Whenever a business request is initiated, it is assigned an expiry date in the "ExpirationDate" field. If a specific number of days is not mentioned for the process, then the default expiry date will be set to 90 days from the date of creation.

Inactivity Expiration Date - The inactivity expiration date for business requests is calculated dynamically based on user activity. It is calculated by adding the number of days specified in the ExpireRequestAfterXDaysOfInactivity field to the current date. Whenever there is an activity, the inactivity expiration date shifts X days into the future.

The job “Business Request JSON Inbox Processor“ is responsible for finding expired business requests and setting their status as expired. For a business request to be considered "expired," it must meet two conditions:

  • Status: The request should be in an "Open" or "In Progress" status, indicating that it is still active and has not been completed or canceled.

  • Expiration Dates: Either the expiration date or the inactivity expiration date mentioned earlier is passed.

So, if the "Business Request JSON Inbox Processor" finds a business request that meets these two conditions, it will update the status of that request to "Expired." Consequently, the expired request will no longer show up on the list of tasks for approval by any approver, ensuring that no further actions are taken on a request that is no longer valid.

Approval Flow Demo

The following video demonstrates how to configure approvals and approval routing in EmpowerID.

Â