18 Managing Approval Policies

An approval policy is a configurable entity of request management that associates request types with approval processes defined in the request service, for request-level and operation-level approvals only. The approval processes are SOA-based workflows, initiated at the request level or the operation level for a request type. Based on evaluation of the request data, approval policies control which approval process is invoked.

You can define multiple approval policies for a request type. Each approval policy is associated with an approval process. When the request is submitted, in the approval initiation phase, all the approval processes associated with the request type are picked up dynamically. Each approval policy has a priority in the backend. Each approval policy decides on what process to invoke based on approval policy priority and approval policy rule.

Approval policy priorities are based on the following:

When the request engine tries to initiate the approval workflow, it picks up all the available approval policies for that request type in the order of priority. The approval policy with the highest priority is taken up and its approval policy rule is evaluated. If the evaluation fails, then the approval policy rule of the approval policy with the next priority is evaluated. If the outcome of the evaluation is true, then the corresponding approval process associated with the approval policy is selected to be the workflow for that request. For information about creating approval policy rules, see "Creating Approval Policies".

Note:

There is only one approval policy rule per approval policy. The rules can be complex, containing multiple conditions and other rules. The rules do not exist as independent entities and cannot be reused in any other approval policy. There is no default rule for an approval policy.

Note:

Only the users that are members of the APPROVAL POLICY ADMINISTRATORS role are authorized to create, search, modify, and delete approval policies. See "Approval Policy Management" for more information about authorization for approval policies.

18.1 Approval Selection Methodologies

An approval process selection methodology is an algorithm that selects the approval workflow to be initiated. Based on the request type and the approval level, the request engine decides which methodology to use and evaluates the approval process accordingly.

If no approvals are defined at the request level, it means that a default approval process is invoked. This default approval process is shipped with Oracle Identity Manager and is assigned to the administrator. If no approvals are defined at the operation level, it means that a default approval process is invoked. If no template-level approvals are defined, then it is assumed that no approvals are required at that level.

The following methodologies are used:

18.1.1 Request-Level Methodology

This methodology is used for all request types at the request level of approval. The determination algorithm of the request-level selection methodology is as follows:

  1. Search for all the approval policies configured for the request level and for the request type with which the request is associated, in ascending order of approval policy priority. If approval policies matching these criteria are found, then:

    1. Evaluate the approval policy rules associated with each approval policy to determine the approval workflow. When evaluating the approval policy rules, for the first approval policy rule whose evaluation results in true, the corresponding approval workflow associated with that approval policy is selected. If automatic approval is specified in the approval policy, then request level approval is automatically approved.

    2. If none of the approval policy rules are satisfied, then it is considered that no approval workflow is configured at the request level.

  2. If no approval workflow is determined, then the default request-level approval is selected.

18.1.2 Operation-Level Methodology: Organization-Based Selection

This methodology is used for all user-related request types, such as Create User, Modify User, Disable User, Enable User, and Delete User, at the operation level of approval. The determination algorithm for the organization-based selection methodology at operation level is as follows:

  1. Get the user's organization entity for which the request is created.

  2. Search for all the approval policies configured for the operation level, for the request type associated with the request, or for all organizations in ascending order of the approval policy priority. If approval policies matching these criteria are found, then:

    1. Evaluate the approval policy rules associated with each approval policy to determine the approval workflow. When evaluating approval policy rules, for the first approval policy rule whose evaluation results in true, the corresponding approval workflow associated with that approval policy is selected. If automatic approval is specified in the approval policy, then the request is automatically approved at the operation level.

    2. If none of the approval policy rules are satisfied, then it is considered that no approval workflow is configured at the operation level for this organization.

  3. If no approval workflow is configured for that organization entity, then follow the organization hierarchy till either the root node or the domain boundary, which is the root organization in the organization hierarchy. Repeat step 2 for each organization node.

  4. If no approval workflow is determined, then the default operation-level approval is selected.
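The organization-based selection above, modeled as an added example (not Oracle Identity Manager code). It assumes that a lower priority number is evaluated first and that an All Scope policy is a candidate at every organization node; the policy names, workflow names, and organization names are constructed. The example shows that an auto-approval policy attached to an ancestor organization also decides requests for its descendants.

```python
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_OPERATION_LEVEL = "default operation-level approval"  # placeholder name
AUTO_APPROVED = "auto-approved"


@dataclass
class ApprovalPolicy:
    name: str
    request_type: str
    priority: int                  # assumption: lower number is evaluated first
    rule: Callable[[dict], bool]   # the policy's single approval policy rule
    scope: Optional[str] = None    # organization name; None models All Scope
    auto_approval: bool = False
    approval_process: Optional[str] = None


def select_operation_level(request, policies, parent_of):
    """Return (workflow, matching policy name, organization node that matched)."""
    org = request["organization"]                      # step 1
    while org is not None:
        candidates = sorted(                           # step 2: ascending priority
            (p for p in policies
             if p.request_type == request["type"] and p.scope in (org, None)),
            key=lambda p: p.priority)
        for policy in candidates:                      # step 2.1: first true rule wins
            if policy.rule(request):
                if policy.auto_approval:
                    return AUTO_APPROVED, policy.name, org
                return policy.approval_process, policy.name, org
        org = parent_of.get(org)                       # step 3: climb the hierarchy
    return DEFAULT_OPERATION_LEVEL, None, None         # step 4: default approval


# Constructed sample data: hierarchy Root -> EMEA -> EMEA-Contractors.
PARENT_OF = {"EMEA-Contractors": "EMEA", "EMEA": "Root", "Root": None}
POLICIES = [
    ApprovalPolicy("ContractorReview", "Create User", 1,
                   lambda r: r["user_type"] == "Contractor",
                   scope="EMEA", approval_process="ManagerAndSecurityApproval"),
    ApprovalPolicy("AutoApproveInterns", "Create User", 2,
                   lambda r: r["user_type"] == "Intern",
                   scope="Root", auto_approval=True),
    ApprovalPolicy("CatchAll", "Create User", 9,
                   lambda r: r["user_type"] == "Full-Time",
                   scope=None, approval_process="ManagerApproval"),
]

if __name__ == "__main__":
    for user_type in ("Contractor", "Intern", "Full-Time", "Vendor"):
        request = {"type": "Create User", "organization": "EMEA-Contractors",
                   "user_type": user_type}
        print(user_type, select_operation_level(request, POLICIES, PARENT_OF))
```
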

18.1.3 Operation-Level Methodology: Resource-Based Selection

This methodology is used for all resource-related request types at the operation level of approval. The determination algorithm for the resource-based selection methodology at operation level is as follows:

  1. Get the resource entity associated with the request.

  2. Search for all the approval policies configured for the operation level, for the request type associated with the request, or for all resources associated with the request in ascending order of the approval policy priority. If approval policies matching these criteria are found, then:

    1. Evaluate the approval policy rules associated with each approval policy to determine the approval workflow. When evaluating approval policy rules, for the first approval policy rule whose evaluation results in true, the corresponding approval workflow associated with that approval policy is selected. If automatic approval is specified in the approval policy, then the request is automatically approved at the operation level.

    2. If none of the approval policy rules are satisfied, then it is considered that no approval workflow is configured at the operation level for this resource.

  3. If no approval workflow is determined, then the default operation-level approval is selected.

18.1.4 Operation-Level Methodology: Role-Based Selection

This methodology is used for all role-related request types at the operation level of approval. The determination algorithm for the role-based selection methodology at operation level is as follows:

  1. Get the role entity being assigned to or removed from the user.

  2. Search for all the approval policies configured for the operation level, for the request type associated with the request, or for all roles being assigned or removed in ascending order of the approval policy priority. If approval policies matching these criteria are found, then:

    1. Evaluate the approval policy rules associated with each approval policy to determine the approval workflow. When evaluating approval policy rules, for the first approval policy rule whose evaluation results in true, the corresponding approval workflow associated with that approval policy is selected. If automatic approval is specified in the approval policy, then the request is automatically approved at the operation level.

    2. If none of the approval policy rules are satisfied, then it is considered that no approval workflow is configured at the operation level for this role.

  3. If no approval workflow is determined, then the default operation-level approval is selected.

18.2 Creating Approval Policies

To create an approval policy:

  1. In Oracle Identity Manager Advanced Administration, click the Policies tab, and then click Approval Policies. Alternatively, you can click Search Approval Policies under Policies in the Welcome page.

  2. From the Actions menu on the left pane, select Create. You can also start the Create Approval Policy wizard by clicking the icon with the plus (+) sign on the toolbar. The Step 1. Set Approval Policy Details page of the Create Approval Policy wizard is displayed.

  3. Enter values for the following fields, and then click Next:

    • Policy Name: Enter a name for the approval policy. This is a mandatory attribute.

    • Description: Enter the details about what this approval policy will do.

    • Request Type: Select the request type by selecting from the LOV, for example, Assign Roles. This is a mandatory attribute.

    • Level: Select the approval level that you want to implement for this approval policy. This is a mandatory attribute. For more information about approval levels, see "Approval Levels" section in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

    • Scope Type: Set automatically based on the request type selection. For example:

      • If request type is set to Create User, then Scope Type is automatically set to Organization.

      • If request type is set to Provision Resource, then Scope Type is automatically set to Resource.

      • If request type is set to Assign Roles, then Scope Type is automatically set to Role.

      Note:

      The Scope Type, All Scope, and Scope fields are applicable only if the Level field is set to Operation Level. These fields are disabled if the Level field is set to Request Level.

    • All Scope: Select this option to specify the approval policy associated with all entities for a particular entity type. For example, for the Create User request type, Scope Type is Organization. If you select All Scope, then this approval policy is applicable to all organizations in Oracle Identity Manager. This is the same for Resource and Role scopes.

    • Scope: Select this option to specify the approval policy associated with the specific entity for a particular entity type. An approval policy can be associated with a specific Scope based on the Scope Type.

      The Scope field is disabled if the All Scope field is set. If the All Scope field is not set, then this field becomes mandatory and must be set with some value.

    • Auto Approval: Select this option to specify automatic approval at the request level or operation level that you select in the Level field.

    • Approval Process: Select the workflow that you want to associate with this approval policy. If Auto Approval is selected, then this field is disabled and you cannot set any value. If Auto Approval is not set, then this field becomes mandatory.

  4. On the Step 2. Set Approval Rule and Component page, enter the name of the approval policy rule in the Rule Name field, for example, RuleTest1.

  5. In the Rule Components section, you can define the parameters of the approval policy rule. To do so, click the icon next to the View list. The Add Simple Rule dialog box is displayed. In this dialog box, you must select values for the following fields, and then click Save.

    • Entity: Entity, such as Requester, Beneficiary, or Resource, with which the approval policy rule is associated. This varies based on the selected request type and the approval level.

    • Attribute: Attribute of the above selected entity.

    • Condition: Condition of the approval policy rule, such as Equals, Not Equals, or Starts With.

    • Value: Value of the condition.

      Note:

      If you use the User Login attribute in a rule expression, the corresponding User Login ID value must be entered in all uppercase letters, otherwise the expression will not evaluate to true.

    • Parent Rule Container: The rule container with which this approval policy rule needs to be associated.

      Note:

      When writing simple rule expressions, if an entity attribute has an encoded value, then create the expression by using the encoded value, not the lookup-code definition. For example, for the account status attribute, create the expression by using the encoded value 1 or 0, not the decoded value Locked or Unlocked.

  6. Rule containers can be used for modeling complex conditions with And and Or combinations. To add a rule container for the approval policy rule, in the Rule Components section, from the Actions menu, select Add Rule Container. The Add Rule Container dialog box is displayed. In this dialog box, enter or select values for the following fields, and then click Add.

    • Rule Container Name: The name of the rule container.

    • Parent Rule Container: The name of the rule container under which you want to create this rule container. A rule container can hold either another rule container or rule elements with the AND or OR operators in a hierarchical order.

    • Operator: The operators are AND and OR.

  7. After the approval rule creation is complete, click Next.

  8. On the Step 3. Review Approval Policy Summary page, verify the information that you have specified for the approval policy. You can click the Back button to modify any information if you want. Click Finish to create the approval policy.

  9. A message is displayed confirming that the approval policy has been created. Click OK.
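How a rule built in steps 4 through 6 evaluates, as an added example (not Oracle Identity Manager code). It assumes exact, case-sensitive string comparison; the Department attribute, the container name StatusOrDept, and the request data are constructed. It shows the effect of the two notes above: a User Login value not in uppercase, or a decoded value in place of the encoded one, makes the rule evaluate to false, so selection moves on to the next policy or the default approval.

```python
# Conditions named on the page; comparisons here are exact and
# case-sensitive (assumption of this example).
CONDITIONS = {
    "Equals": lambda actual, expected: actual == expected,
    "Not Equals": lambda actual, expected: actual != expected,
    "Starts With": lambda actual, expected: actual.startswith(expected),
}


def evaluate(node, request):
    """Evaluate a rule container (AND/OR over its children) or a simple rule."""
    if "operator" in node:                        # rule container
        results = (evaluate(child, request) for child in node["children"])
        return all(results) if node["operator"] == "AND" else any(results)
    actual = request[node["entity"]][node["attribute"]]
    return CONDITIONS[node["condition"]](str(actual), str(node["value"]))


def simple(entity, attribute, condition, value):
    """A simple rule: the four fields of the Add Simple Rule dialog box."""
    return {"entity": entity, "attribute": attribute,
            "condition": condition, "value": value}


def build_rule(login_value, status_value):
    """RuleTest1: login matches AND (status matches OR requester department starts with HR)."""
    return {"name": "RuleTest1", "operator": "AND", "children": [
        simple("Beneficiary", "User Login", "Equals", login_value),
        {"name": "StatusOrDept", "operator": "OR", "children": [
            simple("Beneficiary", "Account Status", "Equals", status_value),
            simple("Requester", "Department", "Starts With", "HR"),
        ]},
    ]}


# Constructed request data: the login is held in uppercase and the account
# status as its encoded value, as the notes above describe.
REQUEST = {
    "Beneficiary": {"User Login": "JDOE", "Account Status": 0},
    "Requester": {"Department": "Finance"},
}

if __name__ == "__main__":
    print(evaluate(build_rule("JDOE", "0"), REQUEST))         # uppercase login, encoded status
    print(evaluate(build_rule("jdoe", "0"), REQUEST))         # lowercase login
    print(evaluate(build_rule("JDOE", "Unlocked"), REQUEST))  # decoded status value
```
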

18.3 Searching Approval Policies

To search for approval policies:

  1. In the Oracle Identity Manager Advanced Administration, on the left pane of the Approval Policies tab, in the Search field, enter a search criterion to search for approval policies. You can specify the asterisk (*) wildcard character to specify the search criterion.

    Note:

    In simple and advanced search for approval policies, searching with translated approval policy names is not supported. Oracle Identity Manager supports only English string search for approval policies. For default approval policies, you can search with English policy names as stored in the database. However, if you create an approval policy by specifying its name in another language, then you can search it by using the same string, and not in any other language.

  2. Click the Search icon. A list of approval policies is displayed in a search results table, with the following fields:

    • Policy Name: The name of the approval policy.

    • Request Type: The name of the request type associated with the approval policy.

    • Scope: The associated resource, organization, or role name. The scope is populated only for the approval policies associated with the operation level request.

    • Level: The approval level.

    • Rule Name: The name of the approval policy rule.

    • Approval Process: The approval process associated with the approval policy.

    • Priority: Priority of the approval policy.

    Figure 18-1 shows the approval policy search results:

    Figure 18-1 Approval Policy Search Results


You can also use the Advanced Search option in the Approval Policies tab to search for approval policies based on advanced search criteria. To do so:

  1. On the left pane of the Approval Policies tab, click Advanced Search. The Advanced Search: Approval Policies page is displayed.

  2. Enter values in the fields to specify the search criteria. You can specify a combination of approval policy name, name of the request type associated with the approval policy, approval level, scope type such as resource, organization, or role, and scope to specify the search criteria.

  3. Click Search. The search result displays a list of approval policies with information about priority, policy name, request type, scope, level, rule name, and approval process, as shown in Figure 18-2:

    Figure 18-2 Approval Policy Advanced Search


18.4 Modifying Approval Policies

To modify approval policies:

  1. On the search results table, select a policy.

  2. From the Actions menu, select Open. The Approval Policy Details form is displayed.

  3. In the Policy Details section, edit the fields to modify the approval policy.

    Note:

    You cannot modify the approval policy rule name and approval policy priority attribute.

  4. In the Approval Rules section, modify approval policy rules, if required. To modify an approval policy rule, you can add a simple rule, add a rule container, modify rule components, or delete a rule component. For detailed information about adding approval policy rules and rule containers, see steps 5 through 7 in "Creating Approval Policies".

  5. To modify rule components:

    1. Select the approval policy rule.

    2. From the Actions menu, select Modify Rule Components. The Modify Rule Components dialog box is displayed.

    3. Edit the values in the fields provided, and click Apply.

  6. To delete rule components:

    1. Select the approval policy rule that you want to delete.

    2. From the Actions menu, select Delete Rule Components. A message box is displayed asking for confirmation.

    3. Click Yes to confirm the deletion.

  7. Click Save to save the changes in the approval policy.

18.5 Modifying the Priority of an Approval Policy

To modify the priority of an approval policy:

  1. From the approval policies search result, select a policy whose priority you want to modify.

  2. From the Actions menu, select Set Priority. The Modify Approval Policy priority wizard is displayed.

  3. In the Set Policy Details page, specify values in the fields as required. For information about the fields in this page, see step 4 in "Creating Approval Policies". Then, click Next.

  4. In the Set Policy Priorities page, enter a number to specify the priority of the approval policy. Then, click Next.

  5. In the Review and Confirm page, the policy name and the priority that you set are displayed for your review. If you want to change the current priority, then click Back.

    Otherwise, click Finish. A message is displayed stating the approval policy priority has been changed successfully.

  6. Click OK.

Note:

Oracle Identity Manager does not perform any validation and allows you to set the same priority to multiple approval policies. It is not recommended to set the same priority to multiple approval policies.
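Because the product does not validate priorities, a review of the policy list has to catch duplicates. The following added example (not Oracle Identity Manager code) checks rows that use the columns of the approval policy search results. It assumes that priorities are compared within one request type and approval level, that an empty Scope at the operation level means All Scope, and that two policies conflict only when their scopes overlap; the rows are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed rows using the columns of the approval policy search results.
ROWS = [
    {"Policy Name": "ContractorReview", "Request Type": "Create User",
     "Level": "Operation Level", "Scope": "EMEA", "Priority": 1},
    {"Policy Name": "AutoApproveInterns", "Request Type": "Create User",
     "Level": "Operation Level", "Scope": "EMEA", "Priority": 1},
    {"Policy Name": "ApacReview", "Request Type": "Create User",
     "Level": "Operation Level", "Scope": "APAC", "Priority": 1},
    {"Policy Name": "CatchAll", "Request Type": "Create User",
     "Level": "Operation Level", "Scope": "", "Priority": 2},
    {"Policy Name": "RoleOwnerReview", "Request Type": "Assign Roles",
     "Level": "Request Level", "Scope": "", "Priority": 3},
    {"Policy Name": "RoleAutoApprove", "Request Type": "Assign Roles",
     "Level": "Request Level", "Scope": "", "Priority": 3},
]


def scopes_overlap(a, b):
    """Two policies can both be candidates for the same request."""
    if a["Level"] == "Request Level":      # scope is not used at request level
        return True
    # Assumption: an empty Scope at operation level models All Scope.
    return not a["Scope"] or not b["Scope"] or a["Scope"] == b["Scope"]


def find_priority_conflicts(rows):
    """Return (request type, level, priority, policy A, policy B) for each clash."""
    groups = defaultdict(list)
    for row in rows:
        key = (row["Request Type"], row["Level"], int(row["Priority"]))
        groups[key].append(row)
    conflicts = []
    for (request_type, level, priority), members in sorted(groups.items()):
        for a, b in combinations(members, 2):
            if scopes_overlap(a, b):
                conflicts.append((request_type, level, priority,
                                  a["Policy Name"], b["Policy Name"]))
    return conflicts


if __name__ == "__main__":
    for conflict in find_priority_conflicts(ROWS):
        print("same priority, evaluation order undefined:", conflict)
```
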

18.6 Deleting Approval Policies

To delete an approval policy:

  1. From the approval policies search results, select the approval policy that you want to delete.

  2. From the Actions menu, select Delete. A message box is displayed asking for confirmation.

  3. Click Yes to confirm the deletion.