When changes are made to a role, the role owners can receive a change-approval email, a change-notification email, or no email. When a role is assigned to a user, role approvers receive role approval emails.
By default, role owners are sent change-approval emails whenever the roles they own are changed. This behavior is configurable, however, on a role-type by role-type basis. For example, you could choose to enable change-approvals for Business Roles and IT Roles, and enable change-notifications for Application and Asset roles.
For instructions on enabling and disabling change-approval and change-notification email, see Configuring Role Types.
This is how change-approvals and change-notifications work:
If change-approvals are enabled, when an administrator changes a role, a work item is generated and an approval email is sent to the role owner. A role owner must approve the work item in order for the change to be made. Change-approval work items can be delegated. See Approving User Accounts for more information.
If change-approvals are disabled, no work item is generated and no change approval email is sent to the role owner.
If change-notifications are enabled, when an administrator changes a role, the change is made immediately, and a notification email is sent to the role owner.
If change-notifications are disabled, no notifications are sent to the role owner.
When a role is assigned to a user, role approvers receive role approval emails. Role approval emails cannot be disabled in Identity Manager.
For role approvals, when a user is assigned a role, a work item is generated and an approval email is sent to the role approver. A role approver must approve the work item in order for the role to be assigned to the user.
Change-approval and approval work items can be delegated. For more information on delegating work items, see Delegating Work Items.