18 Managing Approval Policies

An approval policy is a configurable entity of request management that associates request types with approval processes defined in the request service. It applies only to request-level and operation-level approvals, and determines which approval workflow is loaded at the request or operation level for a request type. The approval processes are BPEL workflows. Approval policies control which approval process is invoked based on evaluation of the request data.

You can define multiple approval policies for a request type. Each approval policy is associated with an approval process. When the request is submitted, in the approval initiation phase, all the approval processes associated with the request are picked up dynamically. Each approval policy decides on what process to invoke based on approval policy priority and approval policy rule.

Approval policy priorities are based on the following:

Each approval policy has a priority in the backend. When the request engine invokes the workflows, it picks up all the available approval policies in the order of priority. The approval policy with higher priority is called and its approval policy rule is evaluated. If the evaluation fails, then the approval policy rule of the approval policy with the next priority is evaluated. If the outcome of the evaluation is true, then the corresponding approval process associated with the approval policy is selected to be the workflow for that request. For information about creating approval policy rules, see "Creating Approval Policies".

Note:

There is only one approval policy rule per approval policy. The rules can be complex, containing multiple conditions and other rules. The rules do not exist as independent entities and cannot be reused in any other approval policy. There is no default rule for an approval policy.

This chapter describes the following topics:

Note:

Only the users that are members of the APPROVAL POLICY ADMINISTRATORS role are authorized to create, search, modify, and delete approval policies. See "Approval Policy Management" on page 13-18 for more information about authorization for approval policies.

18.1 Approval Selection Methodologies

Request types do not define approval. Models define the underlying methodology for approval only at the operation level. Every request goes through the request level of approval and therefore does not require explicit configuration of a methodology at the request type. The methodology picks the right approval to be used based on the approval policy configuration. An approval process selection methodology is an algorithm that selects the approval workflow to be initiated. Based on the request type, the request engine decides which methodology is to be used and evaluates the approval process accordingly.

If no approvals are defined at the request level, it means that a default approval process is invoked. This default approval process is shipped with Oracle Identity Manager and is assigned to the administrator. If no approvals are defined at the operation level, it means that a default approval process is invoked. If no template-level approvals are defined, then it is assumed that no approvals are required at that level.

The following methodologies are supported:

18.1.1 Request-Level Methodology

The determination algorithm of the request-level selection methodology is as follows:

  1. Search for all the approval policies configured for the request level and for the request type with which the request is associated, in ascending order of approval policy priority. If approval policies matching these criteria are found, then:

    1. Evaluate the approval policy rules associated with each approval policy to determine the approval workflow. When evaluating the approval policy rules, for the first approval policy rule whose evaluation results in true, the corresponding approval workflow associated with that approval policy is selected. If automatic approval at the request level or operation level is specified, then the approval is by default.

    2. If none of the approval policy rules are satisfied, then it is considered that no approval workflow is configured at the request level.

  2. If no approval workflow is determined, then the default request-level approval is selected.

18.1.2 Operation-Level Methodology: Organization-Based Selection

The determination algorithm for the organization-based selection methodology at operation level is as follows:

  1. Search for the user's organization entity for which the request is created.

  2. Search for all the approval policies configured for the operation level, for the request type associated with the request, and for the user's organization entity, in ascending order of the approval policy priority. If approval policies matching these criteria are found, then:

    1. Evaluate the approval policy rules associated with each approval policy to determine the approval workflow. When evaluating approval policy rules, for the first approval policy rule whose evaluation results in true, the corresponding approval workflow associated with that approval policy is selected. If automatic approval at the request level or operation level is specified, then the approval is by default.

    2. If none of the approval policy rules are satisfied, then it is considered that no approval workflow is configured at the operation level for this organization.

  3. If no approval workflow is configured for that organization entity, then follow the organization hierarchy till either the root node or the domain boundary, which is the root organization in the organization hierarchy. Repeat step 2 for each organization node.

  4. If no approval workflow is determined, then the default operation-level approval is selected.

18.1.3 Operation-Level Methodology: Resource-Based Selection

The determination algorithm for the resource-based selection methodology at operation level is as follows:

  1. Search for the resource entity being provisioned or deprovisioned to the user.

  2. Search for all the approval policies configured for the operation level, for the request type associated with the request, and for the resource being provisioned or deprovisioned, in ascending order of the approval policy priority. If approval policies matching these criteria are found, then:

    1. Evaluate the approval policy rules associated with each approval policy to determine the approval workflow. When evaluating approval policy rules, for the first approval policy rule whose evaluation results in true, the corresponding approval workflow associated with that approval policy is selected. If automatic approval at the request level or operation level is specified, then the approval is by default.

    2. If none of the approval policy rules are satisfied, then it is considered that no approval workflow is configured at the operation level for this resource.

  3. If no approval workflow is determined, then the default operation-level approval is selected.

18.1.4 Operation-Level Methodology: Role-Based Selection

The determination algorithm for the role-based selection methodology at operation level is as follows:

  1. Search for the role entity being assigned to or removed from the user.

  2. Search for all the approval policies configured for the operation level, for the request type associated with the request, and for the role being assigned or removed, in ascending order of the approval policy priority. If approval policies matching these criteria are found, then:

    1. Evaluate the approval policy rules associated with each approval policy to determine the approval workflow. When evaluating approval policy rules, for the first approval policy rule whose evaluation results in true, the corresponding approval workflow associated with that approval policy is selected. If automatic approval at the request level or operation level is specified, then the approval is by default.

    2. If none of the approval policy rules are satisfied, then it is considered that no approval workflow is configured at the operation level for this role.

  3. If no approval workflow is determined, then the default operation-level approval is selected.
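
The organization-based selection steps of section 18.1.2, modelled as an added example (not Oracle Identity Manager code). With an empty parent map the same loop matches the resource-based and role-based steps in 18.1.3 and 18.1.4. All class, field, policy and workflow names are assumptions, and the sample data is constructed to show a broad first-priority policy making a narrower one unreachable.

```python
from dataclasses import dataclass
from typing import Callable

# Illustrative model of section 18.1.2. Every name here is an assumption,
# not an Oracle Identity Manager class, API or shipped workflow.
@dataclass(frozen=True)
class Policy:
    name: str
    request_type: str
    scope: str                      # organization the policy is scoped to
    priority: int                   # evaluated in ascending order
    rule: Callable[[dict], bool]    # the single approval policy rule
    workflow: str
    auto_approval: bool = False

DEFAULT_WORKFLOW = "default-operation-approval"   # placeholder name

def select_workflow(request, policies, parent_of):
    """Return (workflow, policy name, organization, auto_approval)."""
    org = request["organization"]                       # step 1
    while org is not None:
        scoped = [p for p in policies
                  if p.request_type == request["type"] and p.scope == org]
        for p in sorted(scoped, key=lambda p: p.priority):   # step 2
            if p.rule(request):         # first rule that is true wins
                return (p.workflow, p.name, org, p.auto_approval)
        org = parent_of.get(org)        # step 3: move up the hierarchy
    return (DEFAULT_WORKFLOW, None, None, False)        # step 4

def never_selected(requests, policies, parent_of):
    """Audit helper: policies that win for none of the sample requests."""
    winners = {select_workflow(r, policies, parent_of)[1] for r in requests}
    return [p.name for p in policies if p.name not in winners]

# Constructed sample data.
PARENT_OF = {"Contractors": "Engineering", "Engineering": "Top", "Top": None}
POLICIES = [
    Policy("eng-any", "sample-type", "Engineering", 1,
           lambda r: True, "manager-approval", auto_approval=True),
    Policy("eng-contractors", "sample-type", "Engineering", 2,
           lambda r: r["beneficiary_type"] == "Contractor", "security-approval"),
    Policy("top-catch-all", "sample-type", "Top", 1,
           lambda r: True, "helpdesk-approval"),
]
REQUESTS = [
    {"type": "sample-type", "organization": "Contractors", "beneficiary_type": "Contractor"},
    {"type": "sample-type", "organization": "Engineering", "beneficiary_type": "Employee"},
    {"type": "sample-type", "organization": "Top", "beneficiary_type": "Employee"},
]
```

Running `never_selected(REQUESTS, POLICIES, PARENT_OF)` reports `eng-contractors`: the always-true, auto-approving policy ahead of it wins first for every request, which is the kind of ordering to review before changing priorities.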

18.2 Creating Approval Policies

To create an approval policy:

  1. Go to Oracle Identity Manager Advanced Administration.

  2. In Oracle Identity Manager Advanced Administration, click the Policies tab, and then click Approval Policies. Alternatively, under Policies, you can click Search Approval Policies.

  3. From the Actions menu on the left pane, select Create. You can also start the Create Approval Policy wizard by clicking the icon with the plus (+) sign on the toolbar. The Step 1. Set Approval Policy Details page of the Create Approval Policy wizard is displayed.

  4. Enter values for the following fields, and then click Next:

    • Policy Name: Enter a name for the approval policy. This is a mandatory attribute.

    • Description: Enter the details about what this approval policy will do.

    • Model Name: Select the request model name by selecting from the LOV, for example, Assign Roles. This is a mandatory attribute.

    • Level: Select the approval level that you want to implement for this approval policy. This is a mandatory attribute. For more information about approval levels, see "Approval Levels" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

    • Scope Type: Select this option to specify the Scope Type associated with the approval policy, that is, the entity name based on the request type selected.

    • All Scope: Select this option to associate the approval policy with all entities of a particular entity type. An approval policy can be associated with All Scope based on the Scope Type.

    • Scope: Select this option to specify the approval policy associated with the specific entity for a particular entity type. An approval policy can be associated with a specific Scope based on the Scope Type.

    • Auto Approval: Select this option to specify automatic approval at the request level or operation level that you select in the Level field.

    • Approval Process: Select the workflow that you want to associate with this approval policy. This is a mandatory attribute.

  5. On the Step 2. Set Approval Rule and Component page, enter the name of the approval policy rule in the Rule Name field, for example, RuleTest1.

  6. In the Rule Components section, you can define the parameters of the approval policy rule. To do so, click the icon next to the View list. The Add Simple Rule dialog box is displayed. In this dialog box, you must select values for the following fields, and then click Add.

    • Entity: Entity, such as Requester, Beneficiary, or Resource, with which the approval policy rule is associated. This varies based on the selected request type.

    • Attribute: Attribute of the above selected entity.

    • Condition: Condition of the approval policy rule, such as Equals, Not Equals, or Starts With.

    • Value: Value of the condition.

      Note:

      If you use the User Login attribute in a rule expression, the corresponding User Login ID value must be entered in all uppercase letters, otherwise the expression will not evaluate to true.

    • Parent Rule Container: The rule container with which this approval policy rule is to be associated.

      Note:

      When writing simple rule expressions, if an entity attribute has an encoded value, then create the expression by using the encoded value, not the lookup-code definition. For example, for the account status attribute, create the expression by using the encoded value 1 or 0, not the decoded value Locked or Unlocked.

  7. To add a rule container for the approval policy rule, in the Rule Components section, from the Actions menu, select Add Rule Container. The Add Rule Container dialog box is displayed. In this dialog box, enter or select values for the following fields, and then click Add.

    • Rule Container Name: The name of the rule container.

    • Parent Rule Container: The name of the rule container under which you want to create this rule container. A rule container can hold either another rule container or rule elements with the AND or OR operators in a hierarchical order.

    • Operator: The operators are AND and OR.

  8. When you click Perform on the Add Simple Rule dialog box, a simple approval policy rule is created and added in the Step 2. Set Approval Rule and Component page. Click Next.

  9. On the Step 3. Review Approval Policy Summary page, verify the information that you have specified for the approval policy. You can click the Back button to modify any information if you want. Click Finish to create the approval policy.

  10. A message is displayed confirming that the approval policy has been created. Click OK.
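
The rule structure built in steps 6 and 7 (simple rules nested in AND/OR rule containers), as an added example that is not Oracle Identity Manager code. It evaluates a rule tree against constructed request data and flags the two value mistakes described in the notes in step 6. The dictionary layout, the attribute labels, the sample login and the stored status value are assumptions.

```python
# Illustrative evaluator for the rule tree built in steps 6 and 7. The dict
# layout and the attribute labels are assumptions, not Oracle Identity Manager APIs.
CONDITIONS = {
    "Equals": lambda actual, value: actual == value,
    "Not Equals": lambda actual, value: actual != value,
    "Starts With": lambda actual, value: str(actual).startswith(str(value)),
}
# Decoded labels that the second note says must not appear in an expression.
DECODED_LABELS = {"Account Status": {"Locked", "Unlocked"}}

def simple(entity, attribute, condition, value):
    """One simple rule: Entity, Attribute, Condition, Value."""
    return {"entity": entity, "attribute": attribute,
            "condition": condition, "value": value}

def evaluate(node, request):
    """Evaluate a simple rule or a rule container against request data."""
    if "operator" in node:                                  # rule container
        if node["operator"] not in ("AND", "OR") or not node["children"]:
            raise ValueError("container needs AND/OR and at least one child")
        results = [evaluate(child, request) for child in node["children"]]
        return all(results) if node["operator"] == "AND" else any(results)
    actual = request[node["entity"]][node["attribute"]]     # simple rule
    return CONDITIONS[node["condition"]](actual, node["value"])

def lint(node):
    """List values that cannot match, per the two notes in step 6."""
    if "operator" in node:
        return [f for child in node["children"] for f in lint(child)]
    attr, value = node["attribute"], node["value"]
    findings = []
    if attr == "User Login" and value != value.upper():
        findings.append(f"User Login value {value!r} is not all uppercase")
    if value in DECODED_LABELS.get(attr, ()):
        findings.append(f"{attr} uses decoded value {value!r}")
    return findings

def build_rule(login, status):
    """RuleTest1: login matches OR (status matches AND department starts FIN)."""
    return {"operator": "OR", "children": [
        simple("Requester", "User Login", "Equals", login),
        {"operator": "AND", "children": [
            simple("Beneficiary", "Account Status", "Equals", status),
            simple("Beneficiary", "Department", "Starts With", "FIN"),
        ]},
    ]}

# Constructed request data: login stored uppercase, status stored encoded.
REQUEST = {"Requester": {"User Login": "JDOE"},
           "Beneficiary": {"Account Status": "1", "Department": "FINANCE"}}

AS_TYPED = build_rule("jdoe", "Locked")   # evaluates false, two lint findings
CORRECTED = build_rule("JDOE", "1")       # evaluates true, no findings
```

A rule that silently never evaluates to true means its approval policy is skipped and selection falls through to the next policy or the default approval process, so linting rule values before saving is worth the effort.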

18.3 Searching Approval Policies

To search for approval policies:

  1. Go to Oracle Identity Manager Advanced Administration.

  2. On the left pane of the Approval Policies tab, in the Search field, enter a search criterion to search for approval policies. You can specify the asterisk (*) wildcard character to specify the search criterion.

    Note:

    In simple and advanced search for approval policies, searching with translated approval policy names is not supported. Oracle Identity Manager supports only English string search for approval policies. For default approval policies, you can search with English policy names as stored in the database. However, if you create an approval policy by specifying its name in another language, then you can search it by using the same string, and not in any other language.

  3. Click the Search icon. A list of approval policies is displayed in a search results table, with the following fields:

    • Policy Name: The name of the approval policy

    • Model Name: The name of the request model associated with the approval policy

    • Scope: The associated resource, organization, or role name

    • Level: The approval level

    • Rule Name: The name of the approval policy rule

    • Approval Process: The approval process associated with the approval policy

    • Priority: Priority of the approval policy

    You can also use the Advanced Search option in the Approval Policies tab to search for approval policies based on advanced search criteria. To do so:

    1. On the left pane of the Approval Policies tab, click Advanced Search. The Advanced Search: Approval Policies page is displayed.

    2. Enter values in the fields to specify the search criteria. You can specify a combination of approval policy name, name of the request type associated with the approval policy, approval level, scope type such as resource, organization, or role, and scope.

    3. Click Search. The search result displays a list of approval policies with information about priority, policy name, model name, scope, level, rule name, and approval process.

18.4 Modifying Approval Policies

To modify approval policies:

  1. On the search results table, select a policy.

  2. From the Actions menu, select Open. The Approval Policy Details form is displayed.

  3. In the Policy Details section, edit the fields to modify the approval policy.

    Note:

    You cannot modify the approval policy rule name and approval policy priority attribute.

  4. In the Approval Rules section, modify approval policy rules, if required. To modify an approval policy rule, you can add a simple rule, add a rule container, modify rule components, or delete a rule component. For detailed information about adding approval policy rules and rule containers, see steps 6 through 8 in "Creating Approval Policies".

  5. To modify rule components:

    1. Select the approval policy rule.

    2. From the Actions menu, select Modify Rule Components. The Modify Rule Components dialog box is displayed.

    3. Edit the values in the fields provided, and click Perform.

  6. To delete rule components:

    1. Select the approval policy rule that you want to delete.

    2. From the Actions menu, select Delete Rule Components. A message box is displayed asking for confirmation.

    3. Click OK to confirm the deletion.

  7. Click Save to save the changes in the approval policy.

18.5 Modifying the Priority of an Approval Policy

To modify the priority of an approval policy:

  1. From the approval policies search result, select a policy whose priority you want to modify.

  2. From the Actions menu, select Set Priority. The Modify Approval Policy priority wizard is displayed.

  3. In the Set Policy Details page, specify values in the fields as required. For information about the fields in this page, see step 4 in "Creating Approval Policies". Then, click Next.

  4. In the Set Policy Priorities page, enter a number to specify the priority of the approval policy. Then, click Next.

  5. In the Review and Confirm page, the policy name and the priority that you set are displayed for your review. If you want to change the current priority, then click Back.

    Otherwise, click Finish. A message is displayed stating the approval policy priority has been changed successfully.

  6. Click OK.

18.6 Deleting Approval Policies

To delete an approval policy:

  1. Go to Oracle Identity Manager Advanced Administration.

  2. In the search results table on the left pane or on the advanced search results, select the approval policy that you want to delete.

  3. From the Actions menu, select Delete. A message box is displayed asking for confirmation.

  4. Click OK to confirm the deletion.