The condition through which the approvers are determined is formulated as a database query. Several queries may be combined into one condition. This adds all identities determined by single queries to the group of approvers.
To edit the condition
-
In the Manager, select the IT Shop > Basic configuration data > Approval procedures category.
-
Select an approval procedure from the result list.
-
Select Change queries for approver selection.
To create single queries
- Click Add.
This inserts a new row in the table.
- Mark this row. Enter the query properties.
- Add more queries if required.
- Save the changes.
To edit a single query
- Select the query you want to edit in the table. Edit the query's properties.
- Save the changes.
To remove single queries
- Select the query you want to remove in the table.
- Click Delete.
- Save the changes.
Table 42: Query properties
Approver selection |
Query identifier that determines the approvers. |
Query |
Database query for determining the approvers.
The database query must be formulated as a select statement. The column selected by the database query must return a UID_Person. Every query must return a value for UID_PWORulerOrigin. The query returns one or more identities to whom the request is presented for approval. If the query fails to a result, the request is canceled.
A query contains exactly one select statement. To combine several select statements, create several queries.
If a DBQueue Processor task is assigned, you cannot enter a query to determine approvers. |
Query for recalculating |
Database query for finding request procedures that require recalculation of their approvers. |
You can, for example, determine predefined approvers with the query (example 1). The approver can also be found dynamically depending on the request to approve. To do this, access the request to be approved within the database query using the @UID_PersonWantsOrg variable (example 2).
Example 1
Requests should be approved by a specific approver.
Query: |
select UID_Person, null as UID_PWORulerOrigin from Person where InternalName='User, JB' |
Example 2
Approval for requests should be granted or denied through the requester’s parent department. The approver is the cost center manager that is assigned to the requester‘s primary department. The requester is the identity that triggers a request (UID_PersonInserted when requesting for an employee, for example).
Query: |
select pc.UID_PersonHead as UID_Person, null as UID_PWORulerOrigin from PersonWantsOrg pwo
join Person p on pwo.UID_PersonInserted = p.UID_Person
join Department d on p.UID_Department = d.UID_Department
join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter
where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg |
Taking delegation into account
To include delegation when determining approvers, use the query to also determine the identities to whom a responsibility has been delegated. If the managers of hierarchical roles are to make the approval decision, determine the approvers from the HelperHeadOrg table. This table groups all hierarchical role managers, their deputy managers, and identities to whom a responsibility has been delegated. If the members of business or application roles are to make the approval decision, determine the approvers from the PersonInBaseTree table. This table groups all hierarchical role members and identities to whom a responsibility has been delegated.
Determine the UID_PWORulerOrigin in order to notify delegators when the recipient of the delegation has made a decision on a request and thus allow the Web Portal to show if the approver was originally delegated.
To determine the UID_PWORulerOrigin of the delegation
-
Determine the UID_PersonWantsOrg of the delegation and copy this value as UID_PWORulerOrigin to the query. Use the dbo.QER_FGIPWORulerOrigin table function to do this.
select dbo.QER_FGIPWORulerOrigin(XObjectKey) as UID_PWORulerOrigin
Modified query from example 2:
select hho.UID_PersonHead as UID_Person, dbo.QER_FGIPWORulerOrigin(hho.XObjectkey) as UID_PWORulerOrigin from PersonWantsOrg pwo join Person p on pwo.UID_PersonInserted = p.UID_Person join Department d on p.UID_Department = d.UID_Department join ProfitCenter pc on d.UID_ProfitCenter = pc.UID_ProfitCenter join HelperHeadOrg hho on hho.UID_Org = pc.UID_ProfitCenter where pwo.UID_PersonWantsOrg = @UID_PersonWantsOrg
You can copy default approval procedures in order to customize them.
To copy an approval procedure
-
In the Manager, select the IT Shop > Basic configuration data > Approval procedures category.
-
Select an approval procedure in the result list. Select the Change main data task.
-
Select the Create copy task.
- Confirm the security prompt with Yes.
-
Enter the short name for the copy.
The short name for an approval procedure consists of a maximum of two characters.
-
Click OK to start copying.
- OR -
Click Cancel to cancel copying.
To delete an approval procedure
-
Remove all assignments to approval steps.
-
On the approval procedure overview form, check which approval steps are assigned to the approval procedure.
-
Switch to the approval workflow and assign another approval procedure to the approval step.
-
In the Manager, select the IT Shop > Basic configuration data > Custom defined > Approval procedures category.
-
Select an approval procedure from the result list.
-
Click .
- Confirm the security prompt with Yes.
The DBQueue Processor calculates which identity is authorized as an approver and in which approval level. Once a request is triggered, the approvers are determined for every approval step of the approval workflow to be processed. Changes to responsibilities may lead to an identity no longer being authorized as an approver for a request that is not yet finally approved. In this case, approvers must be recalculated. The following changes can trigger a recalculation for as yet unapproved requests:
-
Approval policy, workflow, step, or procedure changes.
-
An authorized approver loses their responsibility in One Identity Manager, for example, if a change is made to the department manager, product owner, or target system manager.
-
An identity obtains responsibilities in One Identity Manager and therefore is authorized as an approver, for example as the manager of the request recipient.
-
An identity authorized as an approver is deactivated.
Once an identity's responsibilities have changed in One Identity Manager, an approver recalculation task is queued in the DBQueue. By default, all approval steps of the pending approval processes are recalculated at the same time. Approval steps that have already been approved remain approved, even if their approver has changed. Recalculating approvers may take a long time depending on the configuration of the system environment and the amount of data to be processed. To optimize this processing time, you can specify the approval steps for which the approvers are to be recalculated.
NOTE: The approver recalculation task is set for approval steps that implement default approval procedures. Approval steps with customized approval procedures are not recalculated automatically.
To configure recalculation of approvers
Detailed information about this topic
Related topics