22.4 Creating Request Approval Policies

To require approvals for requested access, an administrator must create request approval policies. Identity Governance provides a default request approval policy. Users with the Customer, Global, or Access Request Administrator authorization can either edit the default policy, for example to configure auto-approval based on specific conditions, or create new request approval policies that define the approval behavior for other situations.

If a request was auto-approved based on conditions, the auto-approval appears in the request timeline together with the reason it was auto-approved. You can configure automatic approval and automatic denial at the policy level and at the approval step level.

Criteria in the conditions are not limited to the recipient. A request has a recipient, a resource (such as a permission, technical role, or application), and a requester. The criteria can be any combination of attributes of the recipient, requester, and resource. If the resource is a permission, criteria can also be the application to which the permission belongs. Approval conditions for approval steps can also include attributes of the approvers.

22.4.1 Configuring Default Approval Policy

The out-of-the-box default approval policy does not require approval, so requests for permissions, technical roles, and applications associated with the default approval policy are not routed through any approval workflow but are sent directly to fulfillment. For an approval policy that does not require approval, the request timeline does not show any approval as having occurred; it simply shows that the request items were sent directly to fulfillment.

To configure the default request approval policy:

  1. In Identity Governance, select Policy > Access Request.

  2. On the Approval Policies tab, click Edit to edit the default approval policy.

  3. (Optional) Edit the name of the policy.

  4. (Optional) Configure automatic approval or denial at the policy level.

  5. Add one or more approval steps, depending on how many levels of approval you require, and configure the approvers and any automatic approval conditions for each step.

  6. (Optional) Drag and drop the default Step 1 Potential SoD Violation Check Approval step to specify at which point in the sequence the potential SoD violation approval should occur.

  7. Add or remove applications, permissions, and technical roles assigned to the policy.

  8. Save the policy.

22.4.2 Creating Additional Request Approval Policies

To create additional request approval policies:

  1. In Identity Governance, select Policy > Access Request.

  2. On the Approval Policies tab, click + to add an Access Request approval policy.

  3. Type a name for the policy.

  4. (Optional) Configure automatic approval or denial at the policy level.

  5. Add one or more approval steps.

  6. Save the policy.

  7. Assign applications, permissions, and technical roles to the policy.

22.4.3 Configuring Automatic Approval or Denial at the Policy Level

You can configure an access request approval policy at the approval policy level to:

  • Automatically approve requests matching specified conditions

  • Automatically deny requests matching specified conditions

  • Automatically approve requests matching one set of specified conditions while denying requests matching another set of specified conditions

  • Automatically approve requests where the resource is authorized to the recipient by one or more business roles

To configure automatic approval and denial at the approval policy level:

  1. In Identity Governance, select Policy > Access Request.

  2. On the Approval Policies tab, click + to add an Access Request approval policy.

  3. Enter a name for the policy.

  4. Select one of the following conditions for auto approve, auto deny, or both:

    • None (Disables the feature)

    • For Grant requests (Requests to add a permission, a technical role, or an application)

    • For Revoke requests (Requests to remove a permission, a technical role, or an application)

    • For Grant and Revoke requests (For all requests)

    NOTE: Identity Governance applies the condition only to requests of the specified type.

  5. Use the Expression Builder to specify the conditions for automatic approval or denial. For more information see Section 5.1, Using the Expression Builder to Create Advanced Filters.

  6. Save the policy.

As mentioned earlier, in addition to setting auto approval via conditions, administrators can also set automatic approval for resources that a business role authorizes for the recipient. This option can be set either at the policy level or at the approval step level. Identity Governance automatically approves a request if the system submits a request for a user and a business role authorizes the resource for that user.

If you choose to automatically approve requests by business role at the policy level, the choice is no longer available at the approval step level. Automatic approval by business role at the policy level ends the process and the request is not routed to the approval steps, so approval by business role at the step level is not needed. In addition, a request that fails the business role test at the policy level would also fail it at the step level, so automatic approval by business role at the step level would be redundant.

To configure automatic approval by business role at the policy level:

  1. In Identity Governance, select Policy > Access Request.

  2. On the Approval Policies tab, click + to add an Access Request approval policy.

  3. Type a name for the policy.

  4. Select one of the following conditions for Auto approve items authorized by business role.

    • No (Disables the feature)

    • For Grant requests (Requests to add a permission, a technical role, or an application)

    • For Revoke requests (Requests to remove a permission, a technical role, or an application)

    • For Grant and Revoke requests (For all requests)

  5. Save the policy.

22.4.4 Configuring Automatic Approval at the Approval Step Level

An approval policy may need additional approval steps for access that is not authorized by the company's business policies. Configuring automatic approval at the approval step level lets an administrator skip an approval step under specified conditions while still requiring approval for the subsequent approval steps.

A request approval policy can be configured at the approval step level to:

  • Automatically approve requests matching specified conditions

  • Automatically approve requests authorized by business roles

To configure automatic approval at the approval step level:

  1. In Identity Governance, select Policy > Access Request.

  2. On the Approval Policies tab, click + to add an Access Request approval policy.

  3. Type a name for the policy.

  4. On the Approvals tab, click +.

  5. Click the approval step, then click Approvers.

  6. Select one of the following for Auto approve condition:

    • None (Disables the feature)

    • For Grant requests (Requests to add a permission, a technical role, or an application)

    • For Revoke requests (Requests to remove a permission, a technical role, or an application)

    • For Grant and Revoke requests (For all requests)

  7. Use the Expression Builder to specify the conditions for automatic approval. For more information see Section 5.1, Using the Expression Builder to Create Advanced Filters.

  8. Select an approver.

  9. (Optional) Add more approval steps.

  10. Save the policy.

To configure automatic approval by business role only at the approval step level:

  1. In Identity Governance, select Policy > Access Request.

  2. On the Approval Policies tab, click + to add an Access Request approval policy.

  3. Type a name for the policy.

  4. Do not select Auto approve items authorized by business role at the policy level.

    NOTE: If you select Auto approve items authorized by business role at the policy level, you cannot enable it at the approval step level.

  5. On the Approvals tab, click +.

  6. Click the approval step, then click Approvers.

  7. Select one of the following conditions for Auto approve items authorized by business role.

    • No (Disables the feature)

    • For Grant requests (Requests to add a permission, a technical role, or an application)

    • For Revoke requests (Requests to remove a permission, a technical role, or an application)

    • For Grant and Revoke requests (For all requests)

  8. Select an approver.

  9. (Optional) Add more approval steps.

  10. Save the policy.
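The following is an added example, not Identity Governance code or part of its documentation: a small Python model of how the settings described in Section 22.4.3 and Section 22.4.4 combine when a request is evaluated. The policy and request structures, the attribute names (employeeType, manager, requester id) and the Python lambdas that stand in for Expression Builder conditions are assumptions made for the illustration. The model shows that a policy-level auto denial or auto approval ends the process before any approval step is reached, that the Grant/Revoke selection decides whether a condition is tested at all, and that a step-level auto approval skips only that step while later steps still wait for an approver.

```python
# Added example, not Identity Governance code: a model of the evaluation order for
# automatic approval and denial described in 22.4.3 and 22.4.4. The request and
# policy shapes, attribute names and the plain-Python conditions (standing in for
# Expression Builder filters) are assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Callable, Optional

Condition = Callable[[dict], bool]
# Values of the "For Grant / Revoke" drop-downs in the procedures above.
NONE, GRANT, REVOKE, BOTH = "none", "grant", "revoke", "both"


def applies(scope: str, request_type: str) -> bool:
    """A condition is applied only to requests of the selected type."""
    return scope == BOTH or scope == request_type


@dataclass
class ApprovalStep:
    name: str
    approvers: list
    auto_approve_scope: str = NONE
    auto_approve_condition: Optional[Condition] = None
    auto_approve_by_business_role: str = NONE


@dataclass
class ApprovalPolicy:
    name: str
    steps: list = field(default_factory=list)
    auto_approve_scope: str = NONE
    auto_approve_condition: Optional[Condition] = None
    auto_deny_scope: str = NONE
    auto_deny_condition: Optional[Condition] = None
    auto_approve_by_business_role: str = NONE


def lint_policy(policy: ApprovalPolicy) -> list:
    """Flag step-level business-role auto approval made redundant by the policy level."""
    if policy.auto_approve_by_business_role == NONE:
        return []
    return [f"{s.name}: business-role auto approval is already decided at the policy level"
            for s in policy.steps if s.auto_approve_by_business_role != NONE]


def _matches(scope: str, condition: Optional[Condition], request: dict) -> bool:
    return condition is not None and applies(scope, request["type"]) and bool(condition(request))


def _done(outcome: str, entry: str) -> dict:
    return {"outcome": outcome, "pending_steps": [], "timeline": [entry]}


def evaluate(policy: ApprovalPolicy, request: dict, authorized_by_business_role: bool) -> dict:
    """Return the outcome, the steps still waiting on a human, and timeline entries."""
    rtype = request["type"]
    denied = _matches(policy.auto_deny_scope, policy.auto_deny_condition, request)
    approved = _matches(policy.auto_approve_scope, policy.auto_approve_condition, request)
    if denied and approved:
        # The text gives no precedence when both policy-level conditions match,
        # so the model reports the overlap rather than guessing.
        return _done("conflict", "policy-level auto approve and auto deny both matched")
    if denied:
        return _done("denied", "auto denied: policy-level condition")
    if approved:
        return _done("approved", "auto approved: policy-level condition")
    if authorized_by_business_role and applies(policy.auto_approve_by_business_role, rtype):
        # Ends the process: the approval steps are never reached.
        return _done("approved", "auto approved: authorized by business role (policy level)")
    if not policy.steps:
        return _done("approved", "no approval required; sent directly to fulfillment")
    timeline, pending = [], []
    for step in policy.steps:
        if _matches(step.auto_approve_scope, step.auto_approve_condition, request):
            timeline.append(f"{step.name}: skipped, auto approved by step condition")
        elif authorized_by_business_role and applies(step.auto_approve_by_business_role, rtype):
            timeline.append(f"{step.name}: skipped, authorized by business role")
        else:  # later steps still require a decision even if an earlier one was skipped
            timeline.append(f"{step.name}: awaiting {', '.join(step.approvers)}")
            pending.append(step.name)
    return {"outcome": "pending" if pending else "approved",
            "pending_steps": pending, "timeline": timeline}


# Constructed sample policy: deny grants to contractors outright, skip the manager
# step when the requester is the recipient's manager, always run the owner step.
SAMPLE_POLICY = ApprovalPolicy(
    name="Finance application access",
    auto_deny_scope=GRANT,
    auto_deny_condition=lambda r: r["recipient"]["employeeType"] == "contractor",
    steps=[
        ApprovalStep("Step 1 Manager", ["manager"], auto_approve_scope=GRANT,
                     auto_approve_condition=lambda r: r["requester"]["id"] == r["recipient"]["manager"]),
        ApprovalStep("Step 2 Application owner", ["application owner"]),
    ],
)


def sample_request(request_type: str, employee_type: str = "employee", requester: str = "mgr01") -> dict:
    """Constructed request; the attribute names are assumptions, not product schema."""
    return {"type": request_type,
            "recipient": {"id": "u100", "employeeType": employee_type, "manager": "mgr01"},
            "requester": {"id": requester},
            "resource": {"kind": "permission", "name": "finance-ledger-read"}}
```

With SAMPLE_POLICY, a grant requested by the recipient's manager skips Step 1 but still waits on the application owner, a grant for a contractor is denied before any step runs, and a revoke for the same contractor is not denied because the deny condition is scoped to Grant requests only. lint_policy reports the case Section 22.4.3 calls redundant: business-role auto approval configured at a step when it is already set at the policy level.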

22.4.5 Assigning and Removing Resources

After you have created request or approval policies, you can assign resources such as applications, permissions, and technical roles to them. Note that adding an application to a policy does not automatically include the application's permissions. To allow permission requests and to require approval for them, you must also assign the permissions to the policy.

  1. In Identity Governance, select Catalog > Applications, Permissions, or Roles.

  2. Select the applications, permissions, or roles.

  3. In Actions, select the option you want. You can:

    • Assign access request policy

    • Remove access request policy

    • Assign approval policy

You can also import assignments, assign resources to a policy, or remove resources from a policy while editing the policy definition.

  1. (Conditional) If you have an assignments file that you exported together with an access request policy, click Import Assignments on the policy details page to import the assignments.

    NOTE: If the number of assignments exceeds the preconfigured threshold, you cannot import them from the assignments file; instead, import the policy from the policies list page.

  2. Alternatively, assign resources.

    1. Select the Applications, Permissions, or Roles tab.

    2. Select + under the tab to select resources of the specific type to assign to the policy.

  3. (Optional) Specify if a request for a technical role access should be approved at the role level or at the individual permission level.

    1. Select one or more technical roles.

    2. Select Actions > Set Role Level Approval to enable approval of all requests for permissions included in the technical role as a group.

      Or

      Select Actions > Set Permission Level Approval to enable approval of each permission included in the technical role individually.

  4. Select the resources to be removed using the check box next to the ones you want to remove.

  5. Select Remove to remove the selected resources.

    NOTE: You cannot remove resources from the default approval policy in this way. A resource can only be removed from the default approval policy by assigning it to another approval policy. Also, removing a resource from a policy other than the default approval policy re-assigns the resource to the default approval policy.