Sample workflow: sequential approval for user recertification with packaged approval node

This scenario shows an organization policy that requires user recertification to be approved by two levels of approvers. The first approver submits decisions that are reviewed by the second approver. The second approver can change the decisions made by the first approver and then submit the final decisions. The request in this scenario is for recertification approval of user resources (accounts, groups, or roles).

For the request to be approved and reach completion, the following actions must occur:
  1. A user sends the request to an IBM Verify Identity Governance user (Approver1).
  2. Approver1 has one day to approve the request.
  3. Approver1 submits decisions for the item in the To-Do list.
  4. Approver1 sends the request to the second Identity Manager user (Approver2).
  5. Approver2 can view the decisions from Approver1 in the To-Do list.
  6. Approver2 can make and submit additional decisions.
  7. Identity Manager does the recertification of the user resources based on decisions of Approver2.

The following workflow graphic demonstrates this business case. The workflow uses the two packaged approval nodes DECISION_OF_APPROVER1 and DECISION_OF_APPROVER2 in a sequence. The decisions from Approver1 are stored in the ApprovalDocument so that Approver2 can view them before submitting final decisions.

Figure 1. Sample workflow: sequential approval with packaged approval node
Table 1 identifies the workflow node properties and values for User_Recertification_Sequential_Approval_Example.

Table 1. Node properties: sample workflow for packaged approvals

Node: Start
  Activity ID: START
  Activity Name: Start Activity
  Join Type: AND
  Split Type: AND
  JavaScript: RejectionAction.set('SUSPEND')

Node: Extension
  Activity ID: CONSTRUCT_APPROVAL_DOCUMENT
  Activity Name: CONSTRUCT_APPROVAL_DOCUMENT
  Description: Get all account and access recertification targets for person extension for recertification.
  Join Type: OR
  Split Type: AND
  Extension Name: constructApprovalDocument(Person person, RecertificationPolicy policy)

Node: Packaged Approval
  Activity ID: DECISION_OF_APPROVER1
  Participant: Approver1
  Escalation Limit: 1 day
  Skip Escalation: Checked
  Join Type: AND
  Split Type: AND
  Postscript:
    if (activity.resultSummary == activity.TIMEOUT) {
       // No decision within the escalation limit: record the timeout
       // and mark every item in the approval document as APPROVED.
       var auditMessage = "Recertification period exceeded with no action taken, all items were approved based on policy configuration.";
       activity.setResult(activity.TIMEOUT, auditMessage);

       var doc = ApprovalDocument.get();
       doc.setDecisionCodeForAllItems(activity.APPROVED);
       ApprovalDocument.set(doc);

       RecertificationWorkflow.auditTimeout(Entity.get(), Policy.get(), doc, false, true);
    } else if (activity.resultSummary != activity.FAILED) {
       // Approver1 submitted decisions: audit them as they stand in the document.
       RecertificationWorkflow.auditCompletion(Entity.get(), Policy.get(), ApprovalDocument.get(), false, true);
    }

Node: Packaged Approval
  Activity ID: DECISION_OF_APPROVER2
  Activity Name: $ITIM_RECERTIFY
  Participant: Approver2
  Escalation Limit: 10 days
  Skip Escalation: Checked
  Join Type: AND
  Split Type: AND
  Postscript:
    if (activity.resultSummary == activity.TIMEOUT) {
       // No decision within the escalation limit: every item is set to
       // APPROVED, replacing the decision codes already in the document.
       var auditMessage = "Recertification period exceeded with no action taken, all items were approved based on policy configuration.";
       activity.setResult(activity.TIMEOUT, auditMessage);

       var doc = ApprovalDocument.get();
       doc.setDecisionCodeForAllItems(activity.APPROVED);
       ApprovalDocument.set(doc);

       RecertificationWorkflow.auditTimeout(Entity.get(), Policy.get(), doc);
    } else if (activity.resultSummary != activity.FAILED) {
       // Approver2 submitted the final decisions: audit the completed document.
       RecertificationWorkflow.auditCompletion(Entity.get(), Policy.get(), ApprovalDocument.get());
    }

Node: Mail
  Activity ID: RECERTMAIL
  Activity Name: $RECERTMAIL
  Recipient: Requestee
  Join Type: AND
  Split Type: AND

Node: Extension
  Activity ID: REMEDIATE_ACCTS_GROUPS
  Activity Name: REMEDIATE_ACCTS_GROUPS
  Description: Performs account, group, and access remediation
  Join Type: OR
  Split Type: AND
  Extension Name: remediateAccountsAndGroups(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy, String rejectionAction)

Node: Extension
  Activity ID: REMEDIATE_PERSON_ROLES
  Activity Name: REMEDIATE_PERSON_ROLES
  Description: Performs role remediation, including policy enforcement for the person
  Join Type: OR
  Split Type: AND
  Extension Name: remediateRoleMemberships(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy, String rejectionAction)

Node: Extension
  Activity ID: UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED
  Activity Name: UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED
  Description: Updates recertification status
  Join Type: OR
  Split Type: AND
  Extension Name: updateRecertificationStatusAllApproved(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy)

Node: Extension
  Activity ID: UPDATE_RECERTIFICATION_STATUS_EMPTY
  Activity Name: UPDATE_RECERTIFICATION_STATUS_EMPTY
  Description: Updates recertification status
  Join Type: OR
  Split Type: AND
  Extension Name: updateRecertificationStatusEmptyDocument(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy)

Node: End
  Activity ID: END
  Activity Name: End Activity
  Join Type: OR
  Split Type: AND

Table 2 identifies the link properties and their values for the packaged approval sample workflow.

Table 2. Link properties: sample workflow for packaged approvals

From: Start, START
To: Extension, CONSTRUCT_APPROVAL_DOCUMENT
  Name: startToConstructApprovalDocumentExtension
  Description: Start node to construct approval document extension
  Custom Condition: true

From: Extension, CONSTRUCT_APPROVAL_DOCUMENT
To: Packaged Approval, DECISION_OF_APPROVER1
  Name: constructApprovalDocumentExtensionToApprover1Approval
  Description: Construct approval document extension to Approver1 approval node
  Custom Condition: activity.resultSummary == activity.SUCCESS

From: Extension, CONSTRUCT_APPROVAL_DOCUMENT
To: Extension, UPDATE_RECERTIFICATION_STATUS_EMPTY
  Name: contructApprovalDocumentExtensionToUpdateStatusEmpty
  Description: Construct approval document extension to update status for empty document
  Custom Condition: activity.resultSummary == activity.WARNING

From: Extension, CONSTRUCT_APPROVAL_DOCUMENT
To: End, END
  Name: constructApprovalDocumentExtensionToEnd
  Description: Construct approval document extension to end node
  Custom Condition: activity.resultSummary != activity.SUCCESS && activity.resultSummary != activity.WARNING

From: Packaged Approval, DECISION_OF_APPROVER1
To: Packaged Approval, DECISION_OF_APPROVER2
  Name: approver1ApprovalToApprover2Approval
  Description: Approver1 approval node to Approver2 approval node
  Custom Condition: activity.resultSummary != activity.FAILED

From: Packaged Approval, DECISION_OF_APPROVER2
To: Mail, RECERTMAIL
  Name: approver2ApprovalToMail
  Description: Approver2 approval node to mail node
  Custom Condition: (activity.resultSummary != activity.FAILED) && (ApprovalDocument.get().containsDecisionCode(activity.REJECTED))

From: Packaged Approval, DECISION_OF_APPROVER2
To: Extension, UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED
  Name: approver2ApprovalToUpdateStatus
  Description: Approver2 approval node to update recertification status
  Custom Condition: (activity.resultSummary != activity.FAILED) && (!ApprovalDocument.get().containsDecisionCode(activity.REJECTED))

From: Mail, RECERTMAIL
To: Extension, REMEDIATE_ACCTS_GROUPS
  Name: mailToRemediateAccts
  Description: Mail node to remediate accounts, groups, and accesses
  Custom Condition: true

From: Extension, REMEDIATE_ACCTS_GROUPS
To: Extension, REMEDIATE_PERSON_ROLES
  Name: remediateAcctsToRemediateRoles
  Description: Remediate accounts, groups, and accesses to remediate roles
  Custom Condition: true

From: Extension, REMEDIATE_PERSON_ROLES
To: End, END
  Name: remediateRolesToEnd
  Description: Remediate roles to end node
  Custom Condition: true

From: Extension, UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED
To: End, END
  Name: updateStatusToEnd
  Description: Update recertification status to end node
  Custom Condition: true

From: Extension, UPDATE_RECERTIFICATION_STATUS_EMPTY
To: End, END
  Name: updateStatusEmptyToEnd
  Description: Update status for empty document to end node
  Custom Condition: true
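
The link conditions in Table 2, combined with the timeout branch of the two approval postscripts, can be traced with a small stand-alone model. This is an added example, not IBM code: the status strings stand in for the activity.* constants, trace() and its arguments are hypothetical, and setDecisionCodeForAllItems is modelled as overwriting every item, as its name indicates.

```javascript
// Added example: stand-alone model of the Table 2 link conditions (not IBM code).
// The strings below are stand-ins for the activity.* constants.
const A = { SUCCESS: 'SUCCESS', WARNING: 'WARNING', FAILED: 'FAILED',
            TIMEOUT: 'TIMEOUT', APPROVED: 'APPROVED', REJECTED: 'REJECTED' };
const notFailed = (r) => r !== A.FAILED;
const hasReject = (doc) => doc.includes(A.REJECTED);

// [from, to, custom condition(resultSummary of "from", approval document)]
const LINKS = [
  ['START', 'CONSTRUCT_APPROVAL_DOCUMENT', () => true],
  ['CONSTRUCT_APPROVAL_DOCUMENT', 'DECISION_OF_APPROVER1', (r) => r === A.SUCCESS],
  ['CONSTRUCT_APPROVAL_DOCUMENT', 'UPDATE_RECERTIFICATION_STATUS_EMPTY', (r) => r === A.WARNING],
  ['CONSTRUCT_APPROVAL_DOCUMENT', 'END', (r) => r !== A.SUCCESS && r !== A.WARNING],
  ['DECISION_OF_APPROVER1', 'DECISION_OF_APPROVER2', notFailed],
  ['DECISION_OF_APPROVER2', 'RECERTMAIL', (r, d) => notFailed(r) && hasReject(d)],
  ['DECISION_OF_APPROVER2', 'UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED',
    (r, d) => notFailed(r) && !hasReject(d)],
  ['RECERTMAIL', 'REMEDIATE_ACCTS_GROUPS', () => true],
  ['REMEDIATE_ACCTS_GROUPS', 'REMEDIATE_PERSON_ROLES', () => true],
  ['REMEDIATE_PERSON_ROLES', 'END', () => true],
  ['UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED', 'END', () => true],
  ['UPDATE_RECERTIFICATION_STATUS_EMPTY', 'END', () => true],
];

// results:   node id -> resultSummary of that node (defaults to SUCCESS)
// decisions: approval node id -> decision codes that approver submitted
function trace(results, decisions, itemCount) {
  let doc = Array(itemCount).fill(null);          // items not yet decided
  let node = 'START';
  const path = [node];
  while (node !== 'END') {
    const r = results[node] || A.SUCCESS;
    if (node.startsWith('DECISION_OF_')) {
      // Postscript timeout branch: every item becomes APPROVED.
      doc = r === A.TIMEOUT ? doc.map(() => A.APPROVED) : (decisions[node] || doc);
    }
    // The conditions leaving any one node are mutually exclusive.
    const link = LINKS.find(([from, , cond]) => from === node && cond(r, doc));
    if (!link) break;                             // no condition holds: stop here
    node = link[1];
    path.push(node);
  }
  return { path, doc };
}
```

A rejection submitted by Approver1 followed by a timeout at DECISION_OF_APPROVER2 ends at UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED with every item APPROVED, so the remediation nodes are never reached; reviewers of this workflow should decide whether that timeout behaviour matches their policy.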