of 60 /60
SAP NetWeaver® Identity Management Implementation guide - Creating role approvals SAP NetWeaver® Identity Management 7.2 Document Revision: 4 SAP NetWeaver How-To Guide

SAP NetWeaver® Identity Management Implementation guidea248.g.akamai.net/n/248/420835/577040fda0b7355da... · SAP NetWeaver® Identity Management Implementation guide - Creating

  • Author
    vocong

  • View
    288

  • Download
    9

Embed Size (px)

Text of SAP NetWeaver® Identity Management Implementation...

  • SAP NetWeaver Identity Management

    Implementation guide - Creating role approvals

    SAP NetWeaver Identity Management 7.2

    Document Revision: 4

    SAP NetWeaver How-To Guide

  • 2013 SAP AG or an SAP affiliate company. All rights reserved.

    No part of this publication may be reproduced or transmitted in any

    form or for any purpose without the express permission of SAP AG. The

    information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors

    contain proprietary software components of other software vendors.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks

    or registered trademarks of Adobe Systems Incorporated in the United

    States and other countries.

    Apple, App Store, FaceTime, iBooks, iPad, iPhone, iPhoto, iPod, iTunes,

    Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks

    or registered trademarks of Apple Inc.

    Bluetooth is a registered trademark of Bluetooth SIG Inc.

    Citrix, ICA, Program Neighborhood, MetaFrame now XenApp,

    WinFrame, VideoFrame, and MultiWin are trademarks or registered

    trademarks of Citrix Systems Inc.

    Computop is a registered trademark of Computop Wirtschaftsinformatik

    GmbH.

    Edgar Online is a registered trademark of EDGAR Online Inc., an R.R.

    Donnelley & Sons Company.

    Facebook, the Facebook and F logo, FB, Face, Poke, Wall, and 32665 are

    trademarks of Facebook.

    Google App Engine, Google Apps, Google Checkout, Google Data API,

    Google Maps, Google Mobile Ads, Google Mobile Updater, Google

    Mobile, Google Store, Google Sync, Google Updater, Google Voice,

    Google Mail, Gmail, YouTube, Dalvik, and Android are trademarks or

    registered trademarks of Google Inc.

    HP is a registered trademark of the Hewlett-Packard Development

    Company L.P.

    HTML, XML, XHTML, and W3C are trademarks, registered trademarks,

    or claimed as generic terms by the Massachusetts Institute of

    Technology (MIT), European Research Consortium for Informatics and

    Mathematics (ERCIM), or Keio University.

    IBM, DB2, DB2 Universal Database, System i, System i5, System p,

    System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390,

    zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7,

    POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC,

    BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN,

    DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner,

    WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or

    registered trademarks of IBM Corporation.

    Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual

    Studio are registered trademarks of Microsoft Corporation.

    INTERMEC is a registered trademark of Intermec Technologies

    Corporation.

    IOS is a registered trademark of Cisco Systems Inc.

    The Klout name and logos are trademarks of Klout Inc.

    Linux is the registered trademark of Linus Torvalds in the United States

    and other countries.

    Motorola is a registered trademark of Motorola Trademark

    Holdings LLC.

    Mozilla and Firefox and their logos are registered trademarks of

    the Mozilla Foundation.

    Novell and SUSE Linux Enterprise Server are registered

    trademarks of Novell Inc.

    OpenText is a registered trademark of OpenText Corporation.

    Oracle and Java are registered trademarks of Oracle and its

    affiliates.

    QR Code is a registered trademark of Denso Wave Incorporated.

    RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold,

    BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm,

    BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry

    AppWorld are trademarks or registered trademarks of Research

    in Motion Limited.

    SAVO is a registered trademark of The Savo Group Ltd.

    The Skype name is a trademark of Skype or related entities.

    Twitter and Tweet are trademarks or registered trademarks of

    Twitter.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of

    the Open Group.

    Wi-Fi is a registered trademark of Wi-Fi Alliance.

    SAP, R/3, ABAP, BAPI, SAP NetWeaver, Duet, PartnerEdge,

    ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP

    HANA, the Business Objects logo, BusinessObjects, Crystal

    Reports, Crystal Decisions, Web Intelligence, Xcelsius, Sybase,

    Adaptive Server, Adaptive Server Enterprise, iAnywhere, Sybase

    365, SQL Anywhere, Crossgate, B2B 360 and B2B 360 Services,

    [email protected] EDDY, Ariba, the Ariba logo, Quadrem, b-process, Ariba

    Discovery, SuccessFactors, Execution is the Difference, BizX

    Mobile Touchbase, It's time to love work again, SuccessFactors

    Jam and BadAss SaaS, and other SAP products and services

    mentioned herein as well as their respective logos are trademarks

    or registered trademarks of SAP AG in Germany or an SAP

    affiliate company.

    All other product and service names mentioned are the

    trademarks of their respective companies. Data contained in this

    document serves informational purposes only. National product

    specifications may vary.

    These materials are subject to change without notice. These

    materials are provided by SAP AG and its affiliated companies

    ("SAP Group") for informational purposes only, without

    representation or warranty of any kind, and SAP Group shall not

    be liable for errors or omissions with respect to the materials.

    The only warranties for SAP Group products and services are

    those that are set forth in the express warranty statements

    accompanying such products and services, if any. Nothing herein

    should be construed as constituting an additional warranty.

  • Preface

    The product SAP NetWeaver Identity Management Identity Center is the primary component for identity management. The Identity Center includes functions for identity provisioning, workflow, password management, logging and reporting. It uses a centralized repository, called the identity store, to provide a uniformed view of the data, regardless of the data's original source.

    The reader This manual is written for people who want information about role approvals (using pending value objects).

    Prerequisites To get the most benefit from this manual, you should have the following knowledge:

    General knowledge about the Identity Center, including roles. The following software and configuration is required:

    SAP NetWeaver Identity Management Identity Center 7.2 SP8 or later with the 7.2 approval mechanism enabled.

    An identity store that is enabled for the Identity Management User Interface. Person entries in the identity store that can be given role assignments. An Identity Management User Interface (running on Enhancement Package 1 for SAP

    NetWeaver Composition Environment 7.1, SAP NetWeaver Composition Environment 7.2 or SAP NetWeaver 7.3) that is correctly configured for the identity store.

    Role definitions.

    The manual This guide describes how an approval of a pending role assignment can be implemented.

    Related documents You can find useful information in the following documents:

    SAP NetWeaver Identity Management Identity Center help file SAP NetWeaver Identity Management Identity Center Tutorial: Working with roles and privileges

  • Document History Document Version Description

    4 Added sections about re-authentication and approval management

    3 Added sections about manual delegation, automatic delegation, conditional and using uIS_Approval

    2 Added information about enabling the 7.2 approval mechanism. Added section about multi-step approvals Added links to referenced documents

    1 First official release of this guide.

  • Typographic Conventions Type Style Description

    Example Text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation

    Example text Emphasized words or phrases in body text, graphic titles, and table titles Example text File and directory names and their paths, messages, names of variables and

    parameters, source text, and names of installation, upgrade and database tools.

    Example text User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.

    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

    EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

    Icons Icon Description

    Caution

    Important

    Note

    Recommendation or Tip

    Example

  • Table of contents 1 Introduction .....................................................................................................................1

    1.1 The Validate Event Tasks .........................................................................................1 1.2 The Pending Value Object ........................................................................................1 1.3 The Approver(s) ........................................................................................................2 1.4 Use Cases ................................................................................................................2

    2 Configuring Simple Approvals ........................................................................................3 2.1 The Member Event Task ...........................................................................................3 2.2 The Sample Roles ....................................................................................................4 2.3 Configuring the Approver on the Role........................................................................5 2.4 Configuring the Approvers on the Task .....................................................................9 2.5 Configuring the Approvers on the Pending Value Object (Manager Approval/Role

    Owner Approval) ..................................................................................................... 10

    3 Configuring Escalations ................................................................................................ 14 3.1 Configuring the Escalation Approvers on the Task .................................................. 14 3.2 Configuring the Escalation Approvers on the Role ................................................... 15 3.3 Configuring the Escalation Approvers on the Pending Value Object ........................ 16

    4 Configuring Parallel (Multiple) Approvals .................................................................... 17 4.1 Configuring the Approval Task ................................................................................ 17 4.2 Processing the Approval ......................................................................................... 18

    5 Using the Notification Task ........................................................................................... 19 5.1 Configuring the Approval Task ................................................................................ 19 5.2 Receiving a Notification Message............................................................................ 20

    6 Configuring Sequential (Multi-Level) Approvals .......................................................... 21 6.1 Manager/Role Owner Approval ............................................................................... 21

    7 Delegating (Forwarding) an Approval Manually ........................................................... 25 7.1 Configuring the Approval Task ................................................................................ 25 7.2 Forwarding the Approval ......................................................................................... 26 7.3 Processing the Approval ......................................................................................... 27 7.4 Viewing Request Details ......................................................................................... 28

    8 Configuring Automatic Delegation ............................................................................... 29 8.1 Enabling Automatic Delegation from the "To Do" Tab .............................................. 29 8.2 Disabling Automatic Delegation from the "To Do" tab .............................................. 30 8.3 Enabling Automatic Delegation from a Task ............................................................ 31 8.4 Disabling Automatic Delegation from a Task ........................................................... 32

    9 Configuring a Conditional Approval ............................................................................. 33 9.1 Specifying the Criteria ............................................................................................. 33 9.2 The Switch Task ..................................................................................................... 34 9.3 Configuring the Role ............................................................................................... 37 9.4 Configuring the User ............................................................................................... 37 9.5 Processing an Approval .......................................................................................... 38 9.6 The "DefineApprovalType" Script ............................................................................ 39

    10 Using uIS_Approval to Remove an Approver .............................................................. 42 10.1 Configuring the Job ................................................................................................. 42 10.2 Running the Job ...................................................................................................... 45

  • 11 Requiring Re-Authentication ........................................................................................ 47 11.1 Processing the Approval ......................................................................................... 47

    12 Managing Approvals ..................................................................................................... 48 12.1 Listing Pending Approvals ....................................................................................... 48 12.2 Finding Approvals Using Advanced Search ............................................................. 49 12.3 Declining a Pending Approval ................................................................................. 50 12.4 Escalating a Pending Approval ................................................................................ 51

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 1

    1 Introduction The purpose of this document is to describe how to configure approval of role/privilege assignments. It does not describe how to configure basic approvals (any other approval than for assignments, for instance approving an attribute modification). This document is based on the 7.2 approval mechanism introduced with SAP NetWeaver Identity Management 7.2 SP4. For an overview of approval processing using this mechanism, see the topic "About approval processing" in the help file for the Identity Center Management Console. If the 7.2 approval mechanism is not already enabled for the Identity Center, it must be enabled. See SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft SQL Server) or SAP NetWeaver Identity Management Identity Center: Installing the database (Oracle). The documents are available from the Service Marketplace.

    1.1 The Validate Event Tasks An approval is normally configured as part of a Validate Add, Validate Remove or Validate Modify validity task for a role or privilege. The task references can either be defined directly on the role/privilege, or on the repository referenced from the privilege (or role). Defining it on the repository is used to prevent setting this on each and every role or privilege. The most normal configuration is to have the Validate tasks configured on the role, and that privileges are assigned to the users based on the role assignments. The privileges will then have the Add and Remove member tasks. The Validate task is used to verify whether the assignment is allowed or not, it does not perform the assignment. For more information, see the topic "About member event handling" in the help file for the Identity Center Management Console. The task referenced as a Validate task can be the top task of a task hierarchy, including an approval task. An approval task can also be referenced directly. It is also possible to have a Validate task without a manual approval. The validation can for instance be an automatic process that verifies certain values in other systems before the role is approved or declined. The parties involved in a typical approval processing are the following:

    User/Approvee: the person getting the role assignment after it is approved. Requester: the person requesting the assignment. This may be the user him-/herself. Approver: the person(s) responsible for approving or declining the approval of the requested

    role assignment (from the approvee), e.g. a manager, a role owner etc. A role may also be defined as the approver, which then means that any member of the given role is allowed to perform the approval.

    1.2 The Pending Value Object When an event task is started, an object of the entry type MX_PENDING_VALUE is created. The pending value object is used to store some information about the assignment being validated, the most important being the MX_LINK_REFERENCE, which points to the assignment. With some exceptions described in this document, all attributes on this MX_PENDING_VALUE entry are read only, and should not be changed. In most cases, changing the attributes does not have any effect.

    Never delete a pending value object, as that will leave the system in an inconsistent state.

    For more details about the pending value object and the attributes, see the document SAP NetWeaver Identity Management Identity Center Identity store schema.

    https://service.sap.com/~sapidb/011000358700001223002010Ehttp://help.sap.com/saphelp_nwidmic72/en/mc/dse_about_approval_processing.htmhttp://scn.sap.com/docs/DOC-8397http://scn.sap.com/docs/DOC-8397

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 2

    1.3 The Approver(s) Where the approvers are found, depends on the configuration of the approval task. The approvers can be defined on one of the following objects:

    The role/privilege The context (in case of context based assignments) The pending value object The approval task itself

    Where the approvers are defined, depends on the scenario: If the same approvers are used to approve many different assignments, it makes sense to

    define the approvers on the task itself. If the approvers vary from role to role, the approvers should be defined on each role. For context based assignments, the approver could be defined on the context object itself. If you need to do manual preprocessing of the approver list before the approval task is started,

    you can do that on the pending value object. Also if you have an approval task that is upgraded from a previous version, the approvers are found on the pending value object.

    1.4 Use Cases This document covers the following use cases:

    Simple approvals (involving only a single approval): Configuring the approvers on the role Configuring the approvers on the approval task Configuring the approvers on the pending value object

    Manager approval in this scenario the manager of a role requestor is required to approve the role request.

    Role owner approval where the role owner (MX_OWNER of entry type MX_ROLE) is required to approve the role request.

    Escalations Parallel (multiple) approvals Using the notification task Sequential (multi-level) approvals Manual forwarding (delegation) of approvals Automatic forwarding (delegation) of approvals System approval

    For information about using Business Objects Access Enforcer to process the approval, see the document SAP NetWeaver Identity Management Compliant provisioning using SAP BusinessObjects Access Control Configuration Guide.

    http://scn.sap.com/docs/DOC-8397http://scn.sap.com/docs/DOC-8397

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 3

    2 Configuring Simple Approvals This section describes the basic setup for role approvals. We will look at the role configuration and the configuration of the necessary tasks to perform the approval. We will show the following scenarios:

    The approver is defined on the role itself. The approver defined on the approval task. The approver defined on the pending value object (role owner and manager approval)

    2.1 The Member Event Task The member event task called from the roles is an ordered task group containing the approval task:

    The "Role approval" task is defined as a public ordered task group, with only the default configuration:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 4

    2.2 The Sample Roles We use two roles:

    ROLE:User (Role assigned to regular users/employees) ROLE:Manager (Role assigned to managers)

    The ordered task group "Role approval" is defined as Validate add task for both roles:

    The value in the "Execute" list indicates when the Validate add task is called, and is only relevant is the assignment has Valid from defined (i.e is not effective immediately). In this case, the "Execute" setting can be either:

    Immediately The Validate add task is executed immediately, regardless of the Valid from value of the assignment.

    When valid The Validate add task is not executed until the Valid from is reached.

    Inherited The value defined on the repository will be used.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 5

    2.3 Configuring the Approver on the Role In the first example, the approver is defined on the role.

    2.3.1 Configuring the Role The approver is configured on the "Approvers" tab of the role properties:

    In this case one specific user is defined as approver for this role. This could have been a reference to another role, and all members of this role would have received the approval request. The approvers are stored on the attribute MX_APPROVERS on the role. It can also be added by executing a task in the Identity Management User Interface or from a job.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 6

    2.3.2 Configuring the Approval Task The configuration of the approval task may look like this:

    The following fields are filled in: Approval type Select "Assignment" as this is an approval for an assignment. Get approvers from Select "Role/Privilege" as the approver is defined on the role itself. Keep the default values for the other settings:

    No specific timeout for the approval. If the request is not approved within 90 days it will time out. The timeout rule is set to "Decline", meaning that if the approval request times out, it is

    automatically declined. No escalation in case of timeout. Only one approval is required for the request to be approved. No notification task is configured.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 7

    2.3.3 Processing the Approval When a role assignment is requested, the approval is displayed in the "To Do" tab of the approver:

    2.3.3.1 Displaying Information about the Approval In the "Entry data" area you can see details about the approval:

    Select the "Request Information" tab to display details about the request:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 8

    Select the "Approval Information" tab to see information about other approvers:

    2.3.3.2 Approving the Assignment Select the request and choose "Approve":

    Enter a reason (optional) and choose "Confirm".

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 9

    2.4 Configuring the Approvers on the Task In this example, the approver is defined on the approval task itself:

    The following fields are filled in: Get approvers from Select "Task" in the list. The "Approvers" field is enabled. Approvers Enter the MSKEYVALUE of an entry in the identity store. This can either be a user (as in this example) or a role or privilege. In this case, all members of the role or users assigned to the privilege will receive the approval. You can only define one approver on the task itself. If you need multiple approvers, you can reference a role or privilege that you assign to the approvers and reference that role or privilege here. You also can define the approvers on the role or privilege itself.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 10

    2.5 Configuring the Approvers on the Pending Value Object (Manager Approval/Role Owner Approval)

    In this case, the approvers are found on the pending value object. If there are any approvers defined on the role, they are copied to the MX_APPROVERS attribute of the pending value object when this is created. Additionally, there can be a task that is executed before the approval task that can modify the approvers defined on the pending value object. We introduce a task before the approval task that preprocesses the approvers:

    2.5.1 Configuring the Approval Task The approval task is configured in the following way:

    The following fields are filled in: Get approvers from Select "Pending Value Object" in the list.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 11

    2.5.2 Configuring a Role Owner Approval In this case, we use the owner defined on the role as approver.

    2.5.2.1 Configuring the Role The role owner is configured on the "Visibility" tab of the role properties:

    The role owner can be one or more user entries, roles or privileges.

    2.5.2.2 Configuring the "Preprocessing approvers" task The "Preprocessing approvers" task is an ordered task group containing an action task, "Add approvers", with a "To identity store" pass that works with the MX_PENDING_VALUE entry type:

    The approvers are defined with the attribute MX_APPROVERS on the pending value object. We use the syntax TARGET.MX_OWNER to reference the value of the attribute MX_OWNER of the role. For more information about this syntax, see the topic "Including attributes from referenced entries when processing pending value objects" in the help file for the Identity Center Management Console. Changing this attribute after the approval task has started has no effect on the approvers for this specific approval, but will take effect for approvals created after the change.

    http://help.sap.com/saphelp_nwidmic72/en/managing_passes/to_passes/dse_process_pvo.htmhttp://help.sap.com/saphelp_nwidmic72/en/managing_passes/to_passes/dse_process_pvo.htm

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 12

    2.5.2.3 Processing the Approval The approval request is displayed on the "To Do" tab of the role owner:

    2.5.3 Configuring a Manager Approval In this example, the manager of the user who is assigned the role will be the approver of the assignment request.

    2.5.3.1 Configuring the User The user must have a manager defined:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 13

    2.5.3.2 Configuring the "Preprocessing approvers" task The "To identity store" pass of the "Add approvers" task will look like this:

    We use the syntax SUBJECT.MX_MANAGER to add the manager of the user to the attribute MX_APPROVERS of the pending value object. For more information about this syntax, see the topic "Including attributes from referenced entries when processing pending value objects" in the help file for the Identity Center Management Console.

    2.5.3.3 Processing the Approval The approval is displayed in the "To Do" tab of the user defined as manager:

    http://help.sap.com/saphelp_nwidmic72/en/managing_passes/to_passes/dse_process_pvo.htmhttp://help.sap.com/saphelp_nwidmic72/en/managing_passes/to_passes/dse_process_pvo.htm

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 14

    3 Configuring Escalations In this section, we describe how to configure escalations if the assignment request is not processed within the defined time limit.

    3.1 Configuring the Escalation Approvers on the Task Escalations are defined on the approval task:

    In this example all configuration is on the task itself. Timeout This is set to one week. Timeout rule If the assignment request is not approved within the given time limit, the approval is escalated to a new list of approvers. Max no of escalations The approval will only be escalated once. If it is not approved within the given escalation timeout it will be declined. Escalation timeout The escalation timeout is defined to three days. Escalation approvers As "Task" is selected in "Get approvers from", also the escalation approvers are configured on the task itself.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 15

    3.2 Configuring the Escalation Approvers on the Role In this example the approvers are defined on the role. The timeouts are defined on the approval task:

    The fields "Timeout", "Timeout rule", "Max no of escalations" and "Escalation timeout" are filled in in the same way as in the previous example. But as the approvers are defined on the role, the escalation approvers have to be added there, using the attributes MX_ESCALATION_APPROVERS_1/2/3. Here we have defined a task to configure the role:

    The escalation approver is defined on the attribute "Escalation approvers, level 1".

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 16

    3.3 Configuring the Escalation Approvers on the Pending Value Object

    In this case, the escalation approvers are defined on the pending value object. The configuration of the approval task looks like this:

    The escalation approvers are added by the preprocessing task:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 17

    4 Configuring Parallel (Multiple) Approvals You can require that several approvers have to approve the assignment request before it is carried out. The approvers can be defined on all possible objects (role/privilege, pending value object, task or context). The approvers should be defined to ensure that the approval request is distributed to enough approvers. If too few approvers are found when the approval is initiated, the approval request is automatically declined.

    4.1 Configuring the Approval Task The number of required approvals is configured on the approval task:

    The following fields are filled in: Required approvals In this case we have defined that we need the approvers to approve the assignment request. Approvers In this example, the approvers are defined on the approval task itself. To be able to define more than one approver, we use a role that is assigned to several users.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 18

    4.2 Processing the Approval All users assigned to the referenced role will be identified as approvers when the approval task is initiated. The approval request is displayed on the "To Do" tab of all these approvers. The approval will be active until two approvers have approved the assignment request or one approver has declined it. If only one approval is received before the defined timeout, the approval will be escalated. In this case the "Timeout rule" is set to "Decline", which means that the assignment request will be declined if not enough approvals have occurred before the defined timeout. If the "Timeout rule" is set to "Escalate to new list" or "Escalate to manager", the approval will be escalated to the new set of approvers. If one approver has approved the request before the timeout, only one more approval is required from the escalation approvers. All approvals are cumulated, independent of when in the process the approval happens. All approvers will receive the approval on their "To Do" tab. If one approver already has approved the request, the other approvers can see the following information on the "Approval Information" tab in the "Entry data" area:

    Number of required approvals is 2 and 1 approval is already received. On the "Approval History" tab, the approver can see information about the approvals already done:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 19

    5 Using the Notification Task You can use the notification task to send messages to those involved of the approval process. Configure the notification repository and message templates, then load the templates into the database and import the notification task as described in the topic "Configuring the notification templates" in the help file for the Identity Center Management Console.

    5.1 Configuring the Approval Task Add the reference to the notification task from the approval task:

    The following fields are filled in: Notification task Select the notification task that you imported as part of the configuration. Initial message Select the message you want to send when the approval is initiated. Reminder message Select the message you want to send as a reminder to the approvers. Escalation message Select the message you want to send to the escalation approvers. Completion message Select the message you want to send when the approval is approved or declined.

    http://help.sap.com/saphelp_nwidmic72/en/mc/dse_task_group_prop_approval_notification_config.htmhttp://help.sap.com/saphelp_nwidmic72/en/mc/dse_task_group_prop_approval_notification_config.htm

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 20

    5.2 Receiving a Notification Message When an approval is initiated, the approvers will receive an e-mail which may look something like this:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 21

    6 Configuring Sequential (Multi-Level) Approvals In this section we will create a sequence of approvals. After one approver has approved the assignment request, the approval continues to the next group of approvers. We are showing the following use case:

    Manager/Role owner approval The assignment request is approved first by the manager and then by the role owner.

    6.1 Manager/Role Owner Approval In this scenario, we create an ordered task group that contains the approval task structure. First, the "Manager approval" is executed. A "Role owner approval" is added below the "Approval" node of the "Manager approval". When the first approval is completed, the task below the "Approval" node is executed:

    In the first approval, the manager is added as an approver by the action task before the approval task is executed. In the second approval, the role owner is added before the approval task is called. If the first approval is declined, the whole assignment request is declined.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 22

    Both these tasks use a To identity store pass in the same way as in section 2.5.2 and 2.5.3:

    Both approval tasks are configured to get approvers from the pending value object:

    You could add any timeout/escalation handling to the approval task as well.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 23

    6.1.1 Configuring the Role This approval process is defined as a Validate add task for the "ROLE:User" role:

    The role also has a role owner:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 24

    6.1.2 Processing the Approval When a user is assigned the role, the manager receives the approval:

    When the manager approves the assignment request, the role owner receives the approval:

    The role owner can see that the manager already approved the request.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 25

    7 Delegating (Forwarding) an Approval Manually When configuring the approval task, you can define that the approver(s) can delegate (forward) the approval to another user when processing the approval in the Identity Management User Interface. Delegation can be done independently of how the user was identified as approver. The approver can forward the approval to another user, but not a role or privilege. The following users are not accepted as new approvers:

    The user getting the assignment. The user requesting the assignment. Any user that already has been involved in the approval process. A user that is not allowed to see the role or privilege due to visibility constraints.

    7.1 Configuring the Approval Task To allow delegation of an approval, this must be specified on the approval task:

    Allow manual delegation Select this check box to specify that the "Delegate" button should be enabled in the Identity Management User Interface. Delegation message If you are using the Notification task to send e-mail messages to the involved parties, select a message in the "Delegation message" drop-down to specify which message template to use.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 26

    7.2 Forwarding the Approval The approver receives the approval:

    Choose "Delegate" to open the "Delegate selected approvals" dialog box:

    Show Select the entry type of the user. The default value is "Person". Only entry types defined as "Identity entry type" are shown in the list. and find Enter (parts of) a user name and choose "Go". The matching entries are shown in the list below. You can view details about the user by clicking the user's unique ID. Select the user you want to delegate the approval to. Reason for delegation Enter a reason why the approval is delegated. This reason will be included in the notification message that is sent to the new approver. Reason is optional. Choose "Delegate" to forward the approval.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 27

    7.3 Processing the Approval The user who receives the forwarded approval will get a notification message (if the notification task is defined) and the approval will appear on the "To Do" tab:

    The approval details show that the approval is forwarded:

    The approver processes the approval as usual. He can also delegate the approval further to another approver.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 28

    7.4 Viewing Request Details Information about approval processing, including delegations can be found by using a "View assignment request task":

    You can also see the details by viewing the properties of the assignment from the display task:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 29

    8 Configuring Automatic Delegation You can specify that all approvals should be forwarded automatically to another user. This can be used if a user is absent for a period of time, or in any other situation where all approvals should automatically be forwarded to someone else. Automatic delegation is done in the following cases:

    For any new approvals If an existing approval is escalated If someone performs a manual delegation to a person with automatic delegation enabled In any other circumstance where this user is added as approver

    The approver can configure this from the "To Do" tab, or it can be done by updating the attributes MX_AUTODELEGATE_MSKEY and MX_AUTODELEGATE_MESSAGE of a user from a task or job. If an automatic delegation fails, the approver is removed from the approval, and if there are not enough approvers left to handle the approval, it is declined. Some reasons why an automatic delegation fails are:

    The user getting the assignment. The user requesting the assignment. Any user that already has been involved in the approval process. A user that is not allowed to see the role or privilege due to visibility constraints. There is a loop of automatic delegations.

    The processing of automatic delegations is done asynchronously, which means that if for example an approver performs a manual delegation to another user, the approver will get an immediate response that the delegation is performed. Automatic delegation is processed afterwards, which means that if the approval later is automatically delegated, it may result in the approval being declined.

    8.1 Enabling Automatic Delegation from the "To Do" Tab

    An approver can specify that all approvals will be forwarded to another user from the "To Do" tab.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 30

    Choose "Enable automatic delegation" to open the "Configure automatic delegation" dialog box:

    Show Select the entry type of the user. The default value is "Person". Only entry types defined as "Identity entry type" are shown in the list. and find Enter (parts of) a user name and choose "Go". The matching entries are shown in the list below. You can view details about the user by clicking the user's unique ID. Select the user you want to delegate approvals to. Reason for delegation Enter a reason why the approvals are delegated. This reason will be included in the notification message that is sent to the new approver. Reason is optional. Choose "Enable" to start forwarding approvals to the given user. When automatic delegation is enabled, the "Enable automatic delegation" check box is enabled.

    8.2 Disabling Automatic Delegation from the "To Do" tab

    To disable automatic delegation, select "Enable automatic delegation" to open the "Configure automatic delegation" dialog box. Choose "Disable" to close the dialog box.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 31

    8.3 Enabling Automatic Delegation from a Task You can configure a task for the User Interface with the attributes "MX_AUTODELEGATE_MSKEY" and "MX_AUTODELEGATE_MESSAGE":

    This can either be a self-service or a manager task:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 32

    Automatic delegation to Choose "Select" to open the "Add" dialog box:

    Make sure to select "Person" or another entry type defined as "Identity entry type" in the "Show" field and enter a text to search for in the "and Find" field. Choose "Search". All matching entries are displayed in the list. Select a user and choose "Add". Automatic delegation reason Enter a reason why the approvals are delegated. This reason will be included in the notification message that is sent to the new approver. Reason is optional. Choose "Save" to complete the task.

    8.4 Disabling Automatic Delegation from a Task To disable automatic delegation, open the task for the given user:

    Automatic delegation to Choose "Remove" to the right of the field to remove the user. Choose "Save" to complete the task.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 33

    9 Configuring a Conditional Approval There are cases where you can programmatically decide whether the assignment is allowed or not. In this scenario, when handling a role request, we can decide if a manual approval is required or not based on the presence of a privilege. If the user has a specific privilege, s/he is regarded as pre-approved and the request is automatically approved by the system. If not, a manual approval is started. The task structure (high-level) for doing this looks as follows:

    First, we specify the criteria for doing a system approval. Then, based on these criteria, the corresponding node of the switch task is executed. You can either do a system approve or decline, or start the regular approval task.

    9.1 Specifying the Criteria The criteria for doing a system approval (or decline) are specified in the task "Criteria for approval type":

    The definition of the "To Generic" pass looks like this:

    In this example, we check for the presence of the privilege "IsOK". If the user has this privilege, the role request is automatically approved.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 34

    You could also specify roles that that will result in a system approval, or privileges/roles that result in a system decline. The script DefineApprovalType is used to decide which action to take:

    If the user has one of the roles/privileges defined as PRIVILEGES_TO_HAVE/ROLES_TO_HAVE, the assignment request is approved by the system. The context variable IDMAPPROVALTYPE is set to 0.

    If the user has one of the roles/privileges defined as PRIVILEGES_NOT_TO_HAVE/ROLES_NOT_TO_HAVE the assignment request is declined by the system. The context variable IDMAPPROVALTYPE is set to 1.

    If none of these criteria is fulfilled, the assignment request enters the normal approval process. The context variable IDMAPPROVALTYPE is set to 3.

    For the complete script, see section 9.6.

    9.2 The Switch Task The switch task "Check for approval type" uses an SQL query to decide which case node to execute based on the outcome of the script:

    The SQL query checks the value of the context variable that was set by the script and executes the corresponding case node. The switch task has three case nodes:

    0 (System decline) 1 (System approve) 2 (Regular approval)

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 35

    9.2.1 The System Decline Task The "System decline" node consists of an ordered task group with an action task that has a "To identity store" pass.

    The pass has the following definition:

    The attribute "MX_ATTR_STATE" is set to 3 to indicate that the approval is declined.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 36

    9.2.2 The System Approve Task The "System approve" node is similar to the "System decline" node:

    The "To identity store" pass is defined in the following way:

    The attribute "MX_ATTR_STATE" is set to 1 to indicate that the assignment request is approved.

    9.2.3 The Regular Approval Task If none of the other criteria is fulfilled, the assignment request will be handled by the normal approval process. Here, the already existing approval task is linked:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 37

    9.3 Configuring the Role The "Selective approval" task is defined as "Validate add" task for the role "ROLE:User":

    When this role is requested, the task checks if the user has the privilege "IsOK" and assignes the role without an approval. If not, the approval task is started in the normal way.

    9.4 Configuring the User We add the privilege "IsOK" to one of the users in the identity store that does not have the role yet:

    This user is then regarded as "pre-approved", and will be assigned the role without approval.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 38

    9.5 Processing an Approval When assigning the role to this user, it is assigned without any approval:

    If a user without the privilege is assigned the role, an approval is required:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 39

    9.6 The "DefineApprovalType" Script Below you find the script used in the "Criteria for approval type" job. This script reads the roles/privileges defined in the pass and compares them to the roles/privileges of the user and sets a context variable based on the outcome of that comparison. // Main function: DefineApprovalType

    function DefineApprovalType(Par){

    CurrentEntryID = uGetEntryID();

    CurrentIDStore = uGetIDStore();

    AuditID = uGetAuditID();

    var PendingUserMSKEY = CurrentEntryID;

    uInfo("PendingUserMSKEY : " + PendingUserMSKEY );

    OutString = uSetContextVar("PENDINGUSERMSKEY", PendingUserMSKEY );

    var PendingUserName = Par.get("MSKEYVALUE");

    uInfo("PendingUserName : " + PendingUserName );

    OutString = uSetContextVar("PENDINGUSERNAME", PendingUserName );

    var ParentMSKEY = uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ENTRY_REFERENCE" );

    uInfo("ParentMSKEY : " + ParentMSKEY );

    OutString = uSetContextVar("PARENTMSKEY", ParentMSKEY );

    var ParentName = uIS_GetValue(ParentMSKEY , CurrentIDStore , "MSKEYVALUE");

    uInfo("ParentName : " + ParentName );

    OutString = uSetContextVar("PARENTNAME", ParentName );

    var PendingMSKEY = uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ATTRIBUTE_VALUE" );

    OutString = uSetContextVar("PENDINGPRIVROLEMSKEY", PendingMSKEY );

    uInfo("Pending privilege/role MSKEY : " + PendingMSKEY );

    var PendingName = uIS_GetValue(PendingMSKEY , CurrentIDStore , "MSKEYVALUE");

    OutString = uSetContextVar("PENDINGPNAME", PendingName );

    uInfo("PendingName : " + PendingName );

    validAssignments = uSelect("select mcOtherMSKEYVALUE from idmv_link_ext where" +

    " mcThisMsKey = " + ParentMSKEY +

    " and mcAttrName in ('MXREF_MX_PRIVILEGE', 'MXREF_MX_ROLE')" +

    " and mcLinkState = 0 and mcExecState = 1");

    validAssignments = validAssignments + "!!";

    uInfo("validAssignments = " + validAssignments);

    // ----- NOT TO HAVE LIST -------------------------------------------------------

    // -- Privileges not to have

    var privsNotToHave = Par.get("PRIVILEGES_NOT_TO_HAVE");

    if(privsNotToHave == null)

    privsNotToHave = "";

    // -- Roles not to have

    var rolesNotToHave = Par.get("ROLES_NOT_TO_HAVE");

    if(rolesNotToHave == null)

    rolesNotToHave = "";

    var notToHave = privsNotToHave + "|" + rolesNotToHave;

    uInfo("notToHave = " + notToHave);

    var MsKeyList = notToHave.split("|");

    var okToSystemDecline = "false";

    for(var ndx=0; ndx < MsKeyList.length; ndx++){

    if(MsKeyList[ndx].length < 2)

    continue;

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 40

    var priv = MsKeyList[ndx].substr(1, MsKeyList[ndx].length-2) +"!!";

    uInfo("priv = " + priv);

    if(validAssignments.indexOf(priv) >= 0){

    okToSystemDecline = "true";

    }

    else {

    okToSystemDecline = "false";

    break;

    }

    }

    uInfo("okToSystemDecline = " + okToSystemDecline);

    // ----- TO HAVE LIST -------------------------------------------------------

    // If okToSystemDecline is true, then we system decline it regardless of any other criteria.

    if(okToSystemDecline == "false"){

    // -- Privileges to have

    var privsToHave = Par.get("PRIVILEGES_TO_HAVE");

    if(privsToHave == null)

    privsToHave = "";

    // -- Roles to have

    var rolesToHave = Par.get("ROLES_TO_HAVE");

    if(rolesToHave == null)

    rolesToHave = "";

    var toHave = privsToHave + "|" + rolesToHave;

    var MsKeyList = toHave.split("|");

    var okToSystemApprove = "false";

    for(var ndx=0; ndx < MsKeyList.length; ndx++){

    if(MsKeyList[ndx].length < 2)

    continue;

    var priv = MsKeyList[ndx].substr(1, MsKeyList[ndx].length-2) +"!!";

    if(validAssignments.indexOf(priv) >= 0){

    okToSystemApprove = "true";

    }

    else {

    okToSystemApprove = "false";

    break;

    }

    }

    uInfo("okToSystemApprove = " + okToSystemApprove );

    }

    // -- System Decline

    if(okToSystemDecline == "true"){

    OutString = uSetContextVar("IDMAPPROVALTYPE", "0");

    }

    else {

    if(okToSystemApprove == "true"){

    // -- System Approve

    OutString = uSetContextVar("IDMAPPROVALTYPE", "1");

    }

    else{

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 41

    // -- Normal Approval

    OutString = uSetContextVar("IDMAPPROVALTYPE", "2");

    }

    }

    }

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 42

    10 Using uIS_Approval to Remove an Approver In some situations, it can be necessary to process approvals from the system. For instance, in a situation where an approver is in a long-term leave and there are approvals in queue for him. The approvals will go into timeout/escalation, but that may take some time. In this situation we can remove him as approver. The approvals where he is one of several approvers, the approval will remain in the "To Do" list for those approvers. If the approver is the only approver, the approval will be declined. In this case the user Christopher Wright has the following approvals in his "To Do" list:

    For the requests for the role "ROLE:Manager", also the "Approver" is defined as approver. For the role "ROLE:User", he is the only approver.

    10.1 Configuring the Job To remove Christopher Wright as approver, we use a job:

    In this sample, we use a hard-coded approver, defined with a job constant:

    "3020" is the EmployeeID/MSKEYVALUE for Christopher Wright.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 43

    We use a "To Generic" pass that has the following SQL statement defined on the "Source" tab:

    This SQL statement finds all approvals for the approver specified with the job constant. The "Destination" tab is defined as follows:

    For each ApprovalID for the given approver, the script "RemoveApprover" is called.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 44

    The script looks like this:

    The script code: // Main function: RemoveApprover function RemoveApprover(Par){

    var UniqueId= Par.get("ApprovalId");

    var ApproverMSKEY = uSelect("select mcMSKEY from mxiv_entry where mcMSKEYVALUE='" + %$REMOVE_APPROVER% + "'");

    var Result = uIS_Approval(5,ApproverMSKEY,UniqueId,0,"Long term leave");

    if (Result.indexOf("!ERROR") >= 0) {

    uError(Result);

    } return;

    }

    We call the function uIS_Approval to remove the approver from the list of approvers. We need to provide the MSKEY of the approver and the approval ID to the approval, so this is retrieved with the first statements in the script. The u-function is called with the following parameters: var Result = uIS_Approval(5,ApproverMSKEY,UniqueId,0,"Long term leave");

    5 Remove approver (Operation) ApproverMSKEY The MSKEY of the approver to remove UniqueID The approval ID 0 Indicates that the operation was done by the system (as opposed to a user) Long term leave The reason for the operation

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 45

    10.2 Running the Job Run the job and make sure no errors occur. The "To Do" list for Christopher Wright is now empty:

    If we look at one of the assignments for the role "ROLE:Manager", we see that Christopher Wright was removed as approver, and Approver has approved the assignment:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 46

    The assignment request for the role "ROLE:User", where Christopher Wright was the only approver, is declined:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 47

    11 Requiring Re-Authentication To increase security, you can require re-authentication when processing an approval. When this is enabled, the user will have to provide the login password to perform the operation. This is configured in the approval task:

    Re-authenticate Select "Approval" to require re-authentication only when approving the request or "Always" if you require re-authentication also when declining, delegating or escalating a request.

    11.1 Processing the Approval In this case we have specified that a re-authentication is required when approving a request. A separate re-authentication dialog box appears when the request is approved:

    The approver has to provide her/his password and choose "Confirm".

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 48

    12 Managing Approvals As a manager, you can get an overview of all approvals for approvers you are defined as a manager for. Pending approvals are managed from the "Approval Management". The logged-in user must have one of the following privileges:

    MX_PRIV:MANAGED_APPROVALS:READONLY to be able to view pending approvals MX_PRIV:MANAGED_APPROVALS:PROCESS to be able to decline or escalate the approval

    How you configure access to the "Approval Management" tab is described in the document SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.

    12.1 Listing Pending Approvals The user "Manager" is defined as manager for the "Approver", who has one pending approval in his list. The "Manager" sees this approval on the "Approval Management" tab:

    Enter a search criterion in the "Find" field. This is a free-text search in the name of the user getting the assignment, the name of the role/privilege, the approver and the context. You can also use the advanced search (see below). All approvals matching the search criterion are displayed in the list. The color of the status indicator shows how many days are left before the approval expires. Select an approval to show more information in the details view below.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 49

    12.2 Finding Approvals Using Advanced Search If you need to narrow down the search result more than you can by using the basic search, you can use the advanced search to specify more detailed search criteria. Choose "Advanced" to open the advanced search panel:

    Fill in the fields with the search criteria you want to use. Approval Type Select if you want to include all approvals, or only assignment or basic approvals. Date Enter a date range. This will find all approvals that have been changed within the period. Consignee Choose to the right of the field to open a dialog box where you can find a user you want to find approvals for. You can only find approvals for one specific user. Approver Choose to the right of the field to open a dialog box where you can find an approver you want to see approvals for. You can only find approvals for one specific approver. Assigner Choose to the right of the field to open a dialog box where you can find an assigner you want to find approvals for. You can only find approvals for one specific assigner. Context Choose to the right of the field to open a dialog box where you can find a specific context to use as search criterion. You can only find approvals for one specific context. Assignment Choose to the right of the field to open a dialog box where you can search for the role or privilege that is requested assigned. You can only search for approvals for one specific role or privilege. Choose "Go" to start the search.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 50

    12.3 Declining a Pending Approval Provided that you have the necessary privilege, you can decline a pending approval:

    Choose "Decline".

    Optionally, enter a reason why you are declining the approval. Choose "Confirm" to complete the process. When viewing the assignment details, you will see that the assignment request was declined:

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 51

    12.4 Escalating a Pending Approval Provided that you have the necessary privilege, you can escalate a pending approval. In this case, the timeout rule of the given approval task is used, so the outcome of the escalation depends on how the approval task is configured. It can either:

    Decline the assignment Escalate to the manager(s) of the approver(s) Escalate to a new list of approvers

    The behavior will be exactly as if the approval had timed out, but will be processed immediately and not wait for the given timeout.

    Choose "Escalate".

    Optionally, enter a reason why you are escalating the approval. Choose "Confirm" to complete the process. The approval will be processed further according to the configuration of the approval task.

  • SAP NetWeaver Identity Management Implementation guide - Creating role approvals

    May 2013 52

    SAP NetWeaver Identity Management Implementation guide: Creating role approvalsPrefaceTable of Contents1 Introduction1.1 The Validate Event Tasks1.2 The Pending Value Object1.3 The Approver(s)1.4 Use Cases

    2 Configuring Simple Approvals2.1 The Member Event Task2.2 The Sample Roles2.3 Configuring the Approver on the Role2.3.1 Configuring the Role2.3.2 Configuring the Approval Task2.3.3 Processing the Approval

    2.4 Configuring the Approvers on the Task2.5 Configuring the Approvers on the Pending Value Object (Manager Approval/Role Owner Approval)2.5.1 Configuring the Approval Task2.5.2 Configuring a Role Owner Approval2.5.3 Configuring a Manager Approval

    3 Configuring Escalations3.1 Configuring the Escalation Approvers on the Task3.2 Configuring the Escalation Approvers on the Role3.3 Configuring the Escalation Approvers on the Pending Value Object

    4 Configuring Parallel (Multiple) Approvals4.1 Configuring the Approval Task4.2 Processing the Approval

    5 Using the Notification Task5.1 Configuring the Approval Task5.2 Receiving a Notification Message

    6 Configuring Sequential (Multi-Level) Approvals6.1 Manager/Role Owner Approval6.1.1 Configuring the Role6.1.2 Processing the Approval

    7 Delegating (Forwarding) an Approval Manually7.1 Configuring the Approval Task7.2 Forwarding the Approval7.3 Processing the Approval7.4 Viewing Request Details

    8 Configuring Automatic Delegation8.1 Enabling Automatic Delegation from the "To Do" Tab8.2 Disabling Automatic Delegation from the "To Do" tab8.3 Enabling Automatic Delegation from a Task8.4 Disabling Automatic Delegation from a Task

    9 Configuring a Conditional Approval9.1 Specifying the Criteria9.2 The Switch Task9.2.1 The System Decline Task9.2.2 The System Approve Task9.2.3 The Regular Approval Task

    9.3 Configuring the Role9.4 Configuring the User9.5 Processing an Approval9.6 The "DefineApprovalType" Script

    10 Using uIS_Approval to Remove an Approver10.1 Configuring the Job10.2 Running the Job

    11 Requiring Re-Authentication11.1 Processing the Approval

    12 Managing Approvals12.1 Listing Pending Approvals12.2 Finding Approvals Using Advanced Search12.3 Declining a Pending Approval12.4 Escalating a Pending Approval