Role assignment - approval process configuration

Approval of role change requests is handled by the CzechIdM standard approval workflow, which can be configured.

If you are not familiar with CzechIdM configuration, read this tutorial.

The individual approval rounds of the standard approval workflow can be enabled or disabled, and the role names for each round defined, in the configuration file application.properties or by an explicit entry in the tab Settings → Configuration:

  • idm.sec.core.wf.approval.helpdesk.enabled – true/false, enables or disables approval by helpdesk (approvers are defined by role),
  • idm.sec.core.wf.approval.manager.enabled – true/false, enables or disables approval by manager (supervisor, guarantee of user),
  • idm.sec.core.wf.approval.usermanager.enabled – true/false, enables or disables approval by user's manager department (approvers are defined by role),
  • idm.sec.core.wf.approval.security.enabled – true/false, enables or disables approval by security department (approvers are defined by role).

Configuring roles approval

Who approves the role change request in each round is configured by the following properties:

  • idm.sec.core.wf.approval.helpdesk.role
  • idm.sec.core.wf.approval.usermanager.role
  • idm.sec.core.wf.approval.security.role

The value of each property is the name of the role whose holders approve the role change request in the corresponding step. E.g. idm.sec.core.wf.approval.security.role = Security means that users who have the role Security assigned approve the role request in the step designated for the security department.

The standard role approval process also takes role criticality into account. Each role can have its priority set in its definition. The application configuration can define who approves which criticality level through properties of the form idm.sec.core.wf.role.approval.<0-4>. The value of each property is the name of the workflow which approves the given criticality level.

The basic workflow names are: approve-role-by-guarantee (approved by the authorizer of the role), approve-role-by-manager (approved by the manager of the user for whom the role is requested), approve-role-by-guarantee-security (approved by the authorizer of the role and then the holder of the role Security).

Defaults:

  • idm.sec.core.wf.role.approval.0 is not specified (no additional approval workflow is used)
  • idm.sec.core.wf.role.approval.1=approve-role-by-manager
  • idm.sec.core.wf.role.approval.2=approve-role-by-guarantee
  • idm.sec.core.wf.role.approval.3=approve-role-by-guarantee-security
  • idm.sec.core.wf.role.approval.4 is not specified (no additional approval workflow is used)

Other types of approval workflows can be found in the Extras module, see Modules - Extras: Workflows for approval of role assignment.
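
The following added example (not part of CzechIdM or of the original page) audits the text of an application.properties file for the settings described above. It reports enabled rounds that have no approver role set in the file and resolves the effective workflow per criticality level using the defaults listed here. The sample configuration, the role name UserManagers and the treatment of an empty value as unset are assumptions.

```python
# Added example (not CzechIdM code): audit approval settings in application.properties.
ROUNDS_WITH_ROLE = ("helpdesk", "usermanager", "security")  # manager round has no .role key
BASIC_WORKFLOWS = {"approve-role-by-guarantee", "approve-role-by-manager",
                   "approve-role-by-guarantee-security"}
# Defaults for criticality levels 0-4 as listed on this page (None = not specified).
DEFAULTS = {0: None, 1: "approve-role-by-manager", 2: "approve-role-by-guarantee",
            3: "approve-role-by-guarantee-security", 4: None}
PREFIX = "idm.sec.core.wf."

def parse_properties(text):
    """Parse simple key=value lines; skips blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (effective workflow per criticality level, list of findings)."""
    findings = []
    for rnd in ROUNDS_WITH_ROLE:
        enabled = props.get(f"{PREFIX}approval.{rnd}.enabled", "").lower() == "true"
        if enabled and not props.get(f"{PREFIX}approval.{rnd}.role"):
            findings.append(f"{rnd}: round enabled but no approver role set in this file")
    effective = {}
    for level, default in DEFAULTS.items():
        # Assumption: an empty value is treated the same as an unspecified one.
        wf = props.get(f"{PREFIX}role.approval.{level}", default) or None
        effective[level] = wf
        if wf is None:
            findings.append(f"criticality {level}: no additional approval workflow")
        elif wf not in BASIC_WORKFLOWS:
            findings.append(f"criticality {level}: '{wf}' is not a basic workflow name")
    return effective, findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
idm.sec.core.wf.approval.helpdesk.enabled=false
idm.sec.core.wf.approval.security.enabled=true
idm.sec.core.wf.approval.usermanager.enabled=true
idm.sec.core.wf.approval.usermanager.role=UserManagers
idm.sec.core.wf.role.approval.3=approve-role-by-guarantee-securty
idm.sec.core.wf.role.approval.4=approve-role-by-guarantee-security
"""
if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE))[1]:
        print("FINDING:", finding)
```

A workflow name flagged as not basic may still be valid if it comes from the Extras module, so treat that finding as a prompt to check for typos rather than as an error.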

  • by apeterova