During an Identity Manager life-cycle implementation, one of the most common tasks is to define the Identity Manager approval workflow, or approval process.
The approval process is a very important piece because it allows the user to have an account in one or more systems connected to the IDM solution with the sponsorship of the manager or IT department.
Typically, in an Identity Manager solution the user goes to the web interface for the IDM solution and submits an access request for one or many applications.
After a request is submitted, the IDM solution will execute one or all of the following actions:
- Create a request task (waiting for someone's approval)
- Go to the approver queue or auto-approve (based on some business rules)
- Notify the approvers
- Notify the provisioners
- Provision / Deprovision access on the application
- Notify user/manager
It is very important to consider the ways in which the user can submit a request. Typically the user can:
- Submit one user request for one application
- Submit one user request with multiple applications
- Submit multiple user requests with one application
- Submit multiple user requests with many applications
Because of these different ways to submit a request, the requirements-gathering phase needs to clearly identify what actions or approvals are required for each scenario. Some questions that need to be addressed are:
- What happens if the user submits one request for multiple applications?
- Does the user need one notification per application or just one notification with all details?
- Are the approvers the same for all applications?
- What happens if one approver denies one of the application requests? How does that affect the other requested applications?
Some aspects to consider when you are gathering the requirements for the approvals are:
- Approval levels
- Escalation time
- Request time ( life time )
- Delegation
- Notifications
Approval levels
Identify how many approver levels are required per application. Some of the possible approvals might be:
- Application Approver
- User’s Manager approval
- Manager’s manager approval
Escalation Time
Sometimes, because of a heavy workload, vacations, holidays, or the approver forgetting about the request, it is necessary to remind the approver about it. Some common escalation scenarios are:
- Level 1.
  - Send a reminder email to the approver
- Level 2.
  - Send a reminder email and request action from the approver's manager
- Level 3.
  - The request is automatically closed due to no response, and the IDM system notifies the people involved in the request: user, requester, approver, manager
Request time (life time)
After defining the escalation levels, you need to determine how long a request stays alive before it moves to the next level.
You can define the request life time in:
- Minutes
- Hours
- Days
- Weeks
- Months
- Years
Some of the events to consider when you define the request life time are:
- Weekend days
- Holidays
- Days off
- Training days
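As an added illustration (not code from any IDM product), the following Python example counts request life time in working days, skipping weekends, holidays and the approver's days off, and maps the elapsed time to the three escalation levels described above. The thresholds of 3, 5 and 8 working days, the holiday dates and all function names are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample calendar: dates that do not count toward request life time.
HOLIDAYS = {date(2024, 12, 25), date(2025, 1, 1)}

# Escalation levels from the text; the working-day thresholds are assumed values.
LEVELS = [
    (3, "Level 1: send a reminder email to the approver"),
    (5, "Level 2: remind the approver and request action from the approver's manager"),
    (8, "Level 3: close the request and notify user, requester, approver, manager"),
]

def is_working_day(d, days_off=frozenset()):
    """Weekends, holidays and the approver's own days off do not count."""
    return d.weekday() < 5 and d not in HOLIDAYS and d not in days_off

def working_days_elapsed(submitted, today, days_off=frozenset()):
    """Count working days after the submission date, up to and including today."""
    count, d = 0, submitted
    while d < today:
        d += timedelta(days=1)
        if is_working_day(d, days_off):
            count += 1
    return count

def escalation_action(submitted, today, days_off=frozenset()):
    """Return the highest escalation level reached, or None if none is due yet."""
    elapsed = working_days_elapsed(submitted, today, days_off)
    reached = None
    for threshold, action in LEVELS:
        if elapsed >= threshold:
            reached = action
    return reached

if __name__ == "__main__":
    submitted = date(2024, 12, 20)  # constructed sample request, submitted on a Friday
    for day in (date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 3)):
        print(day, working_days_elapsed(submitted, day), escalation_action(submitted, day))
```

Counting calendar days instead would escalate the sample request over the holiday week even though the approver had only two working days to respond.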
Delegation
Sometimes the approver has to attend a training session or meetings, goes on vacation, or is busy with another task, and their approver queue still needs to be attended. For that reason a delegation is configured on the IDM system to resolve this issue. Some considerations are:
- Delegation length
- Start date
- End Date
- Delegation Type (what kind of request)
Notification
During the request it is necessary to notify the users, approvers or provisioners about the submitted request and its status.
Some of the information that needs to be included in the email is:
- Request number
- User Information
- Applications requested
- Application attributes
- Date and Time
Things to consider
Depending on your IDM deployment and the number of applications implemented, you might need to consider the following:
- Emails to notify or remind the user/approver
- Requests not being attended
- Approver not available (vacations, holidays, sick, training)