Understanding approval workflow
The approval workflow system included with Active Roles provides:
- A point-and-click interface to configure approval rules, available from the Active Roles console. The approval rules are stored and performed by the Active Roles Administration Service.
- The directory management section of the Web Interface for submitting operation requests for approval. For example, approval rules could be configured so that creation of a user account starts an approval workflow instead of immediately executing the user creation operation. For information on how to use the directory management section, see Managing Active Directory objects earlier in this document.
- The Approval area of the Web Interface to manage operation requests and approvals. This area includes a “to-do” list of the approval tasks the designated user has to carry out, allowing the user to approve or reject operation requests.
The Approval area provides a way to perform change approval actions, allowing you to control changes to directory data that require your approval and monitor your operations that require approval by other persons. You can use the Approval area to:
- Perform approval tasks—approve or reject operations so as to allow or deny the requested changes to directory data. Examples of operations include (but not limited to) creation and modification of user accounts or groups.
- Check the status of your operations—examine whether the changes to directory data you requested are approved and applied, or rejected.
When a Web Interface user makes changes to directory data that require permission from other individuals in an organization, the changes are not applied immediately. Instead, an operation is initiated and submitted for approval. This starts a workflow that coordinates the approvals needed to complete the operation. The operation is performed and the requested changes are applied only after approval. An operation may require approval from one person or from multiple persons.
When an operation is submitted for approval, Active Roles tracks the initiator and the approver or approvers. The initiator is the person who requested the changes. Approvers are those who are authorized to allow or deny the changes. An operation that requires approval generates one or more approval tasks, with each approval task assigned to the appropriate approver. Active Roles administrators configure approval workflow by creating approval rules to specify what changes require approval and who is authorized to approve or deny change requests.
In the Approval area, you can work with the operations for which you are assigned to the approver role. As an approver, you are expected to take appropriate actions on your approval tasks.
To access the Approval area
- On the Web Interface Home page, click in the Approval box.
Locating approval items
The Approval area provides a number of views to help you locate approval items—tasks and operations:
- My Tasks Contains detailed entries representing the approval tasks assigned to you. Depending on their status, the approval tasks are distributed into two views. The Pending view allows you to manage the approval tasks awaiting your response. The Completed view lists your approval tasks that have been completed.
- My Operations The Recent view lists your recent operations that required approval, and allows you to examine the status and details pertinent to each operation.
In addition to using the predefined views, you can locate operations and tasks by using the search function.
To search for an operation or task by ID
- In the right pane of the Web Interface page, under the Search label, type the ID number of the operation or task in the Search by ID box.
- Click the button next to the Search by ID box to start the search.
You can also search for approval items (operations and tasks) by properties other than ID. For instance, you can find the operations that were initiated by a specific user. Another example is the ability to locate approval tasks generated within a specific time period. To access the advanced search function, click Advanced Search under the Search label. Then, use the Advanced Search page to configure your search settings and start a search.
Advanced search is the most comprehensive way to search for approval items such as operations and tasks. Use it to find approval items based on their properties. You do this by creating queries, which are sets of one or more rules that must be true for an item to be found. An example of a query for operations is “Initiator is (exactly) John Smith.” This specifies that you are searching for operations that have the Initiator property set to John Smith’s use account.
With advanced search, you can use conditions and values to search for approval items based on item properties (referred to as “fields” on the search page). Conditions are limitations you set on the value of a field to make the search more specific. Each type of item has a set of relevant fields and each type of field has a set of relevant conditions that advanced search displays automatically.
Some fields, such as “Target object property,” require that you select a property to further define your search. In this case, you configure a query to search for operations or tasks specific to the approval of changes to the objects based on a certain property of those objects. For example, to find the operations that request any changes to the “Description” property, you could select the “Target object property” field, select the “Description” property, and then choose the “Modified” condition.
Some conditions require a value. For example, if you select a Date field, the “Is between” condition requires a date range value so you have to select a start date and an end date to specify a date range. Another example is the Initiator field, which requires that you select a user account of the Initiator role holder.
In some cases, a value is not required. For example, if you select the “Modified” condition, value is not necessary since this condition means that you want your search to be based on any changes to a certain property, without considering what changes were actually requested or made to the property value.
The following topics cover the predefined views of the Approval section.
Using “My Tasks”
You can use the My Tasks area to work with the approval tasks assigned to you as an approver. According to their status, the tasks are distributed into two views: Pending and Completed.
For information about the Pending view, see Pending tasks.
For information about the Completed view, see Completed tasks.
The Pending view contains a list of your approval tasks to be completed. Each task in the list is identified by a header area that provides basic information about the task such as a unique ID number of the task, who requested the operation that is subject to approval, when the task was created, the time limit of the task (if any), and the target object of the operation. In the middle of a task’s header area is a section that contains the title of the task (Approve operation by default), a label indicating the status of the task, and summary information about the operation that is subject to approval.
The task’s header area contains the action buttons you can use to apply the appropriate resolution to the approval task. The action buttons are displayed at the bottom of the header area. Which buttons are displayed depends upon configuration of the approval rule. You may encounter the following action buttons there:
- Approve Click this button to allow the requested operation.
Depending on configuration of the approval and policy rules, the Web Interface may request you to enter additional information that must be added to the operation request. For example, when you approve the operation of creating a user account, you may have to supply certain properties of the user account in addition to those supplied by the administrator who requested creation of that user account. If additional information is required, clicking Approve displays a page where you can supply the required information. You can also access that page by clicking the Examine task button.
- Reject Click this button to deny the requested operation.
- Escalate Click this button to assign the approval task to an approver of a higher level.
This button is displayed if the approval rule has one or more approver levels (referred to as escalation levels) configured in addition to the initial approver level. Escalation levels are normally used to assign (escalate) the approval task automatically to the approver of a higher level if the task is not completed in time. The approval rule may be configured to allow approvers to escalate approval tasks as needed, in which case the task’s header area contains the Escalate button.
- Delegate Click this button to assign the approval task to a different person. You can select the user account of the person to whom you want to assign the task.
This button is displayed if the approval rule is configured with the option to allow approvers to reassign (delegate) their approval tasks to others.
- Custom buttons The approval rule may add custom buttons to the task’s header area. The action that Active Roles performs when you click a custom button depends upon configuration of the workflow containing the approval rule. The administrator who configures the workflow should normally supply an instruction on the use of custom action buttons. To view the instruction, click the Examine task button. This opens a page containing the same action buttons that you see in the task’s header area. The instruction text is displayed above the action buttons on that page.
The task’s header area contains the Examine task button allowing you to get detailed information about the task, review the object properties submitted for approval, and supply or change additional properties. Clicking the Examine task button displays a page containing a replica of the task’s header area, the action buttons, and a number of information sections. Review the information on the page, supply or change the object properties for which the task requests your input, and then click the appropriate action button.
The page that appears when you click the Examine task button includes the following information sections:
- Object properties
The contents of this section heavily depends upon configuration of the approval rule. Thus the approval rule may request you to enter additional information that must be added to the operation request. For example, when you approve the operation of creating a user account, you may have to supply certain properties of the user account in addition to those supplied by the administrator who requested creation of that user account. In this case, enter the requested properties in the fields under Supply or change the following properties.
Normally, the approval rule is configured so that the approver is allowed to review the values of the object properties that were supplied or changed by the operation that is subject to approval. The approval rule may also be configured to allow the approver to change those property values. In either case, you can view or change them in the fields under Review the properties submitted for approval.
This section displays a list of the user accounts or groups to which the approval task is currently assigned. Any of the listed users or members of the listed groups can act as an approver on the task in question.
- Approval progress
This section provides information on the date and time that the task was created and whether the task was escalated to a higher approver level or reassigned (delegated) to other persons. If the task was escalated, you can view when escalation occurred and what caused escalation. If the task was reassigned (delegated), you can view who and when delegated the task and to whom the task was delegated.
In this section you can view aggregated information about the approval task properties and configuration, and some details of the operation that the task is intended to allow or deny. The Operation ID filed provides a link to a page where you can examine the operation in more detail.
To complete a pending task
- Click Examine task in the task’s header area.
- On the Object properties page, review, supply or change the object properties for which the task requests your input, and then click the appropriate action button.
You can also complete a task by clicking the appropriate action button in the task’s header area. However, if the current policy and approval rules require the approver to supply some additional information, the Web Interface would open the Object properties page, prompting you to configure the required properties.