One Identity Manager can make approvals automatically in an
If there are several people are determined as approvers by an approval procedure, the number given in the approval step specifies how many people must approve the step. The
One Identity Manager provides approval procedures by default. You can also define your own approval procedures.
The DBQueue Processor calculates which person has the authority to grant approval at which level. Take into account the special cases for each approval procedure when setting up the approval workflows to determine those authorized to grant approval.
To display default approval procedures
The following approval procedures are defined to select the responsible attestors, by default.
|AA||Attestor for the role to attest||
Attestor of the organization (department, cost center, location), business role or IT Shop if assignments of system entitlements or system roles to roles are attested.
|AD||Recipient‘s department attestor||
Attestor of the department to which the attestation object is primarily assigned.
|AL||Attestor for recipient‘s location||
Attestor of the location to which the attestation object is primarily assigned.
|AN||Attestor for the system entitlement to attest||
Attestor of the system entitlement or system role if assignments of system entitlements or system roles to roles are attested. Attestors are determined through the assigned service item.
|AO||Recipient‘s primary role attestor||
Attestor of the business role to which the attestation object is primarily assigned.
Attestors for business roles must be assigned to the application role Identity Management | Business roles | Attestors.
|AP||Recipient‘s cost center attestor||
Attestor of the cost center to which the attestation object is primarily assigned.
|AR||Attestation compliance rule attestor||
Attestor for the compliance rule to be attested.
|AS||Approver for attestation policy||All employees assigned to the attestation policy as approver.|
|AT||Attestation organization attestor||
Attestor of the organization (department, cost center, location), business role or IT Shop to be attested.
|AY||Attestor for attestation company policy||
Attestor of the company policy to be attested.
|CM||Recipient's manager||Manager of the employee to be attested.|
|DM||Manager of recipient's department||Department manager/deputy if employees of secondary memberships are attested in departments.|
|ED||Department manager for permission attestation||Employee’s department manager whose system entitlements are to be attested.|
|EM||Employee manager for permission attestation||Employee’s manager whose system entitlements are to be attested.|
|EN||Target system manager of the permission for attestation||Target system manager of the system entitlements to be attested.|
|EO||Product owner of the permission for attestation||Product owner whose system entitlements or system roles are to be attested.|
|EX||Approvals to be made externally||-|
|LM||Location manager||Location manager/deputy if employees of secondary memberships are attested in locations.|
|MO||Role owner||Business role manager/deputy if employees of secondary memberships are attested in roles.|
|OA||Product owners||All members of the assigned application role if service items or system entitlements are attested.|
|OM||Specific role Manager||Manager of the role selected in the approval workflow.|
|OR||Members of a certain role||All employees that are assigned to a secondary business role.|
|PA||Additional owner of Active Directory group||All employees to be found through the additional owner of the requested Active Directory group.|
|PM||Manager of recipient's cost center||Cost center manager/deputy if secondary memberships in cost centers are attested.|
|RE||Manager of system roles to be attested||System role manager to be attested.|
|RM||Role manager for attesting memberships||Manager of role to be attested if secondary memberships in roles are attested.|
|RR||Role manager for attesting roles||Manager of role to be attested.|
|SO||Target system manager of the permission for attestation||Target system manager of system entitlement or user account to be attested.|
|WC||Waiting for further approval||-|
Use the approval procedure "AS" if you want to fix attestors for any object to an attestation policy. This approval procedure finds all employees that are assigned to the attestation procedure as approvers.
Use this procedure to allow any objects to be attested by any of the specified employees. These employees must be assigned to the attestation policy as approvers. The attestor can also be entered when you create attestation policies in the Web Portal. For more detailed information, see the .One Identity Manager Web Portal User Guide
|Installed Module:||Business Roles Module (for approval procedure "AO").|
If you want to attest company resource assignments to employees or your staff‘s requests, use the approval procedures "AD", "AL", "AO" or "AP". The attestors found are members of the application role Attestor.
Attestation objects are employees (table: Person) or request recipients (table: PersonWantsOrg). These approval procedures determine the role (department, location, business role, cost center) for each attestation object to which the attestation object is primarily assigned. If the primarily assigned role is not directly assigned an attestor, the approval procedure finds the the attestator's parents roles. If still no attestor can be determined, the attestation case is presented to the attestor of the associated role class for approval.
NOTE: When attestors are found using the approval procedures "AO" and "bottom-up" inheritance is defined for business roles, note the following:
If there is no Attestor given for the primary business role, attestors are taken from the child business role.