Sample workflow: sequential approval for user recertification with packaged approval node
This scenario shows an organization policy that requires user recertification to be approved by two levels of approvers. The first approver submits decisions that are reviewed by the second approver. The second approver can change the decisions made by the first approver and then submit the final decisions. The request in this scenario is for recertification approval of user resources (accounts, groups, or roles).
- A user sends the request to an IBM Verify Identity Governance user (Approver1).
- Approver1 has one day to approve the request.
- Approver1 submits decisions for the item in the To-Do list.
- Approver1 sends the request to the second Identity Manager user (Approver2).
- Approver2 can view the decisions from Approver1 in the To-Do list.
- Approver2 can make and submit additional decisions.
- Identity Manager does the recertification of the user resources based on decisions of Approver2.
The following workflow graphic demonstrates this business case.
The workflow uses the two packaged approval nodes DECISION_OF_APPROVER1 and DECISION_OF_APPROVER2 in a sequence. The decisions from Approver1 are stored in the ApprovalDocument so that Approver2 can view them before submitting final decisions.

| Node | Feature | Value |
|---|---|---|
| Start | Activity ID | START |
| | Activity Name | Start Activity |
| | Join Type | AND |
| | Split Type | AND |
| | JavaScript | RejectionAction.set('SUSPEND') |
| Extension | Activity ID | CONSTRUCT_APPROVAL_DOCUMENT |
| | Activity Name | CONSTRUCT_APPROVAL_DOCUMENT |
| | Description | Get all account and access recertification targets for person extension for recertification. |
| | Join Type | OR |
| | Split Type | AND |
| | Extension Name | constructApprovalDocument(Person person, RecertificationPolicy policy) |
| Packaged Approval | Activity ID | DECISION_OF_APPROVER1 |
| | Participant | Approver1 |
| | Escalation Limit | 1 day |
| | Skip Escalation | Checked |
| | Join Type | AND |
| | Split Type | AND |
| | Postscript | |
| Packaged Approval | Activity ID | DECISION_OF_APPROVER2 |
| | Activity Name | $ITIM_RECERTIFY |
| | Participant | Approver2 |
| | Escalation Limit | 10 days |
| | Skip Escalation | Checked |
| | Join Type | AND |
| | Split Type | AND |
| | Postscript | |
| Mail | Activity ID | RECERTMAIL |
| | Activity Name | $RECERTMAIL |
| | Recipient | Requestee |
| | Join Type | AND |
| | Split Type | AND |
| Extension | Activity ID | REMEDIATE_ACCTS_GROUPS |
| | Activity Name | REMEDIATE_ACCTS_GROUPS |
| | Description | Performs account, group, and access remediation |
| | Join Type | OR |
| | Split Type | AND |
| | Extension Name | remediateAccountsAndGroups(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy, String rejectionAction) |
| Extension | Activity ID | REMEDIATE_PERSON_ROLES |
| | Activity Name | REMEDIATE_PERSON_ROLES |
| | Description | Performs role remediation, including policy enforcement for the person |
| | Join Type | OR |
| | Split Type | AND |
| | Extension Name | remediateRoleMemberships(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy, String rejectionAction) |
| Extension | Activity ID | UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED |
| | Activity Name | UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED |
| | Description | Updates recertification status |
| | Join Type | OR |
| | Split Type | AND |
| | Extension Name | updateRecertificationStatusAllApproved(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy) |
| Extension | Activity ID | UPDATE_RECERTIFICATION_STATUS_EMPTY |
| | Activity Name | UPDATE_RECERTIFICATION_STATUS_EMPTY |
| | Description | Updates recertification status |
| | Join Type | OR |
| | Split Type | AND |
| | Extension Name | updateRecertificationStatusEmptyDocument(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy) |
| End | Activity ID | END |
| | Activity Name | End Activity |
| | Join Type | OR |
| | Split Type | AND |


| From | To | Feature | Value |
|---|---|---|---|
| Start | Extension | Name | startToConstructApprovalDocumentExtension |
| | | Description | Start node to construct approval document extension |
| | | Custom Condition | true |
| Extension | Packaged Approval | Name | constructApprovalDocumentExtensionToApprover1Approval |
| | | Description | Construct approval document extension to Approver1 approval node |
| | | Custom Condition | activity.resultSummary == activity.SUCCESS |
| Extension | Extension | Name | contructApprovalDocumentExtensionToUpdateStatusEmpty |
| | | Description | Construct approval document extension to update status for empty document |
| | | Custom Condition | activity.resultSummary == activity.WARNING |
| Extension | End | Name | constructApprovalDocumentExtensionToEnd |
| | | Description | Construct approval document extension to end node |
| | | Custom Condition | activity.resultSummary != activity.SUCCESS && activity.resultSummary != activity.WARNING |
| Packaged Approval | Packaged Approval | Name | approver1ApprovalToApprover2Approval |
| | | Description | Approver1 approval node to Approver2 approval node |
| | | Custom Condition | activity.resultSummary != activity.FAILED |
| Packaged Approval | Mail | Name | approver2ApprovalToMail |
| | | Description | Approver2 approval node to mail node |
| | | Custom Condition | (activity.resultSummary != activity.FAILED) && (ApprovalDocument.get().containsDecisionCode(activity.REJECTED)) |
| Packaged Approval | Extension | Name | approver2ApprovalToUpdateStatus |
| | | Description | Approver2 approval node to update recertification status |
| | | Custom Condition | (activity.resultSummary != activity.FAILED) && (!ApprovalDocument.get().containsDecisionCode(activity.REJECTED)) |
| Mail | Extension | Name | mailToRemediateAccts |
| | | Description | Mail node to remediate accounts, groups, and accesses |
| | | Custom Condition | true |
| Extension | Extension | Name | remediateAcctsToRemediateRoles |
| | | Description | Remediate accounts, groups, and accesses to remediate roles |
| | | Custom Condition | true |
| Extension | End | Name | remediateRolesToEnd |
| | | Description | Remediate roles to end node |
| | | Custom Condition | true |
| Extension | End | Name | updateStatusToEnd |
| | | Description | Update recertification status to end node |
| | | Custom Condition | true |
| Extension | End | Name | updateStatusEmptyToEnd |
| | | Description | Update status for empty document to end node |
| | | Custom Condition | true |
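
The transition conditions above, modelled as an added stand-alone example (not IBM code and not the product's workflow API): it walks the graph for a given set of activity results and final decisions and returns the path taken, including the case where no outgoing condition holds. The result-code strings, the `makeDocument` and `route` helpers, and the mapping of transitions to activity IDs (inferred from the transition names) are assumptions.

```javascript
// Constructed stand-in values for the engine's result and decision codes.
const SUCCESS = 'SUCCESS', WARNING = 'WARNING', FAILED = 'FAILED',
      APPROVED = 'APPROVED', REJECTED = 'REJECTED';

// [from, to, condition(resultSummary, approvalDocument)], one row per transition
// in the table; activity IDs are inferred from the transition names.
const TRANSITIONS = [
  ['START', 'CONSTRUCT_APPROVAL_DOCUMENT', () => true],
  ['CONSTRUCT_APPROVAL_DOCUMENT', 'DECISION_OF_APPROVER1', r => r === SUCCESS],
  ['CONSTRUCT_APPROVAL_DOCUMENT', 'UPDATE_RECERTIFICATION_STATUS_EMPTY', r => r === WARNING],
  ['CONSTRUCT_APPROVAL_DOCUMENT', 'END', r => r !== SUCCESS && r !== WARNING],
  ['DECISION_OF_APPROVER1', 'DECISION_OF_APPROVER2', r => r !== FAILED],
  ['DECISION_OF_APPROVER2', 'RECERTMAIL',
    (r, d) => r !== FAILED && d.containsDecisionCode(REJECTED)],
  ['DECISION_OF_APPROVER2', 'UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED',
    (r, d) => r !== FAILED && !d.containsDecisionCode(REJECTED)],
  ['RECERTMAIL', 'REMEDIATE_ACCTS_GROUPS', () => true],
  ['REMEDIATE_ACCTS_GROUPS', 'REMEDIATE_PERSON_ROLES', () => true],
  ['REMEDIATE_PERSON_ROLES', 'END', () => true],
  ['UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED', 'END', () => true],
  ['UPDATE_RECERTIFICATION_STATUS_EMPTY', 'END', () => true],
];

// Hypothetical minimal approval document: final decisions keyed by target.
function makeDocument(decisions) {
  return { containsDecisionCode: code => Object.values(decisions).includes(code) };
}

// Walk from START. `results` maps activity ID -> result summary (default SUCCESS).
// The conditions leaving each node are mutually exclusive, so at most one matches.
// The path ends with 'NO_TRANSITION' when no outgoing condition holds.
function route(results, doc) {
  const path = ['START'];
  let node = 'START';
  while (node !== 'END') {
    const r = results[node] || SUCCESS;
    const next = TRANSITIONS.find(([from, , cond]) => from === node && cond(r, doc));
    if (!next) { path.push('NO_TRANSITION'); break; }
    node = next[1];
    path.push(node);
  }
  return path;
}

// Constructed samples: one final document with a rejection, one fully approved.
const mixed = makeDocument({ 'account:jdoe': APPROVED, 'group:admins': REJECTED });
const clean = makeDocument({ 'account:jdoe': APPROVED });
console.log(route({}, mixed).join(' -> '));
console.log(route({}, clean).join(' -> '));
console.log(route({ DECISION_OF_APPROVER1: FAILED }, mixed).join(' -> '));
```

In this model a FAILED result on either approval node matches no outgoing transition, so neither the remediation extensions nor the status-update extension is reached on that path.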