NOTE: Only one approval step can be defined with the WC approval procedure per approval level.
If you want to ensure that a specific data state exists in One Identity Manager before an attestation case is finally approved, then use the WC approval procedure. Use a condition to specify which prerequisites have to be fulfilled so that attestation can take place. The condition is evaluated as a function call, which must accept the attestation case UID as a parameter (AttestationCase.UID_AttestationCase). You use this UID to reference the attestation object. The function must define three return values as integer values. One of the following actions is carried out depending on the function’s return value.
Table 26: Return value for deferred approval
|
Return value > 0 |
The condition is fulfilled. Deferred approval has completed successfully. The next approval step (in case of success) is carried out. |
|
Return value = 0 |
The condition is not yet fulfilled. Approval is rolled back and is retested the next time DBQueue Processor runs. |
|
Return value < 0 |
The condition is not fulfilled. Deferred approval has failed. The next approval step (in case of failure) is carried out. |
To use an approval procedure
-
Create a database function which tests the condition for the attestation.
-
Create an approval step with the WC approval procedure. Enter the function call in Condition.
Syntax: dbo.<function name>
-
Specify an approval step in the case of success. Use the approval procedure with which One Identity Manager can determine the attestors.
-
Specify an approval step in the case of failure.
You can create your own approval procedures if the default approval procedures for finding the responsible attestors do not meet your requirements. The condition through which the attestors are determined is formulated as a database query. Several queries may be combined into one condition.
To set up an approval procedure
-
In the Manager, select the Attestation > Basic configuration data > Approval procedures category.
-
Select an approval procedure in the result list and run the Change main data task.
- OR -
Click 
in the result list.
-
Edit the approval procedure main data.
- Save the changes.
To edit the condition
-
In the Manager, select the Attestation > Basic configuration data > Approval procedures category.
-
Select an approval procedure from the result list.
-
Select Change queries for approver selection.
Detailed information about this topic
Enter the following main data of an approval procedure.
Table 27: General main data of an approval procedure
|
Approval procedure |
Descriptor for the approval procedure (maximum two characters). |
|
Description |
Approval procedure identifier. |
|
DBQueue Processor task |
Approvals can either be made automatically through a DBQueue Processor calculation task or by specified approvers. Assign a custom DBQueue Processor task if the approval procedure should make an automatic approval decision.
You cannot assign a DBQueue Processor task if a query is entered for determining the attestors. |
|
Max. number approvers |
Maximum number of attestors to be determined by the approval procedure. Specify how many employees must really make approval decisions in the approval steps used by this approval procedure. |
|
Sort order |
Value for sorting approval procedures in the menu.
Specify the value 10 to display this approval procedure at the top of the menu when you set up an approval step. |
Related topics
The condition through which the attestors are determined is formulated as a database query. Several queries may be combined into one condition. This adds all employees determined by single queries to the group of attestors.
To edit the condition
-
In the Manager, select the Attestation > Basic configuration data > Approval procedures category.
-
Select an approval procedure from the result list.
-
Select Change queries for approver selection.
To create single queries
- Click Add.
This inserts a new row in the table.
- Mark this row. Enter the query properties.
- Add more queries if required.
- Save the changes.
To edit a single query
- Select the query you want to edit in the table. Edit the query's properties.
- Save the changes.
To remove single queries
- Select the query you want to remove in the table.
- Click Delete.
- Save the changes.
Table 28: Query properties
|
Approver selection |
Query identifier that determines the attestors. |
|
Query |
Database query for determining the attestors.
The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. Every query must return a value for UID_PWORulerOrigin. The query returns one or more employees to whom the attestation case is presented for approval. If the query fails to return a result, the attestation procedure is canceled.
A query contains exactly one select statement. To combine several select statements, create several queries.
If a DBQueue Processor task is assigned, you cannot enter a query to determine attestors. |
You can, for example, determine predefined attestors with the query (example 1). The attestor can also be found dynamically depending on the attestation case to approve. To do this, within the database query, using the @UID_AttestationCase variable to access the attestation case (example 2).
Example 1
The attestation cases should be approved by a specific attestor.
|
Query: |
select UID_Person, null as UID_PWORulerOrigin from Person where InternalName='Bloggs, Jan' |
Example 2
All active compliance rules should be attested by the respective rule supervisor.
| Query: |
select pia.UID_Person, null as UID_PWORulerOrigin from AttestationCase ac
join ComplianceRule cr on cr.XObjectKey = ac.ObjectKeyBase and cr.IsWorkingCopy = '0'
join PersonInBaseTree pia on pia.UID_Org = cr.UID_OrgResponsible and pia.XOrigin > 0
where ac.UID_AttestationCase = @UID_AttestationCase |
Taking delegation into account
To include delegation when determining attestors, use the query to also determine the employees to whom a responsibility has been delegated. If the managers of hierarchical roles are to make the attestation decision, determine the attestors from the HelperHeadOrg table. This table groups all hierarchical role managers, their deputy managers, and employees to whom a responsibility has been delegated. If the members of business or application roles are to make the approval decision, determine the approvers from the PersonInBaseTree table. This table groups all hierarchical role members and employees to whom a responsibility has been delegated.
Determine the UID_PWORulerOrigin in order to notify delegators when the recipient of the delegation has made a decision on an attestation case and thus allow the Web Portal to show if the attestor was originally delegated.
To determine the UID_PWORulerOrigin of the delegation
-
Determine the UID_PersonWantsOrg of the delegation and copy this value as UID_PWORulerOrigin to the query. Use the dbo.QER_FGIPWORulerOrigin table function to do this.
select dbo.QER_FGIPWORulerOrigin(XObjectKey) as UID_PWORulerOrigin
Modified query from example 2:
select pia.UID_Person, dbo.QER_FGIPWORulerOrigin(pia.XObjectKey) as UID_PWORulerOrigin from AttestationCase ac join ComplianceRule cr on cr.XObjectKey = ac.ObjectKeyBase and cr.IsWorkingCopy = '0' join PersonInBaseTree pia on pia.UID_Org = cr.UID_OrgResponsible and pia.XOrigin > 0 where ac.UID_AttestationCase = @UID_AttestationCase
