Scenario: An approver can grant or deny approval in several approval steps.
An approver may be authorized to approve several levels of an approval workflow. By default, the request is presented to the approver in each approval level. You can allow automatic approval so that the approver is not presented with a request more than once.
To allow an approver's decisions to be met automatically in several sequential approval levels
-
In the Designer, set the QER | ITShop | AutoDecision configuration parameter.
The approval decision of the first approval levels is applied to subsequent approval levels for which the approver is authorized.
The configuration parameter takes effect if the No automatic approval option is not enabled for the approval step.
To attain automatic acceptance of an approver's approval decisions for subsequent approval levels
-
In the Designer, set the QER | ITShop | ReuseDecision configuration parameter.
If the approver granted approval to this request in an earlier approval step, the approval decision is passed on irrespective of how the approval steps in between were approved. If the approver did not grant approval in an earlier approval step, the request is presented for approval again.
The configuration parameter takes effect if the No automatic approval option is not enabled for the approval step.
Important: If the approver is also an exception approver for compliance rule violations, requests that violate compliance rules will also be automatically approved without being presented for exception approval.
Scenario: Requester is also approver
Approvers can run requests for themselves. If a requester is determined to be approver for the request, their approval steps are immediately granted approval.
To prevent automatic approval for an approver's requests
-
In the Designer, disable the QER | ITShop | DecisionOnInsert configuration parameter.
If a requester is determined to be the approver of an approval step, the request is presented to the requester to be approved.
The QER | ITShop | DecisionOnInsert configuration parameter is set by default and takes effect if the No automatic approval option is not enabled in the approval step.
If the QER | ITShop | PersonInsertedNoDecide configuration parameter is set, the requester does not become an approver and cannot approve the request. Also, the request cannot be decided automatically.
Preventing automatic approval in individual cases
For single approval steps, you can configure exceptions to the general rule in the configuration parameters.
To prevent automatic approvals for particular approval steps
-
Enable the No automatic approval option in the approval step.
The QER | ITShop | DecisionOnInsert, QER | ITShop | ReuseDecision, and QER | ITShop | AutoDecision configuration parameters are not considered in this approval step. In each case, requests are to be presented to the approver of this approval step.
Related topics
Using peer group analysis, approval for requests can be granted or denied automatically. For example, a peer group might be all identities in the same department. Peer group analysis assumes that these identities require the same products. So, if a company resource has already been assigned to a majority of employees in a department, a new request for this company resource is automatically approved. This helps to accelerate approval processes.
Peer groups contain all identities with the same manager or belonging to the same primary or secondary department as the request's recipient. Configuration parameters specify which identity belong to the peer group. At least one of the following configuration parameters must be set.
-
QER | ITShop | PeerGroupAnalysis | IncludeManager: Identities that have the same manager as the request's recipient
-
QER | ITShop | PeerGroupAnalysis | IncludePrimaryDepartment: Identities that belong to the same primary department as the request's recipient
-
QER | ITShop | PeerGroupAnalysis | IncludeSecondaryDepartment: Identities whose secondary department corresponds to the primary or secondary department of the request's recipient
The proportion of identities of a peer group who must already own the company resource, is set in the QER | ITShop | PeerGroupAnalysis | ApprovalThreshold configuration parameter. The threshold specifies the ratio of the total number of identities in the peer group to the number of identities in the peer group who already own this product.
You can also specify that employees are not allowed to request cross-functional products, which means, if the requested product and the primary department of the request recipient are from different functional areas, the request should be denied. To include this check in peer group analysis, set the QER | ITShop | PeerGroupAnalysis | CheckCrossfunctionalAssignment configuration parameter.
Requests are automatically approved for fully configured peer group analysis, if both:
If this is not the case, requests are automatically denied.
To use this functionality, the One Identity Manager provides the QER_PersonWantsOrg_Peer group analysis process and the PeergroupAnalysis event. The process is run using an approval step with the EX approval procedure.
Detailed information about this topic
Related topics
A further way to accelerate the approval process by making automatic approval decisions, is with approval recommendations. This uses different criteria to determine whether it is reasonable to grant or deny approval for a request. A peer group analysis is performed to determine approval recommendations and other criteria are analyzed. Based on the recommendation, requests can be automatically granted approval. If a denying approval is recommended or a clear recommendation cannot be made, the requests must be submitted to additional approvers. These approvers are shown the approval recommendation and the details of the recommendation so that they can use this information to make an approval decision.
Detailed information about this topic