22.7 Using Workflows to Approve Requests

When additional logic is required to approve a request, Identity Governance enables you to use workflows that supplement your out-of-the-box approval processes. Use the provided workflow templates as a starting point to include essential elements and activities for your workflow. The workflow associated with the policy will be activated when one or more resources are assigned to the associated access approval policy. You can debug these workflows and simulate a request workflow. Based on your authorization, you can also create or edit a workflow using Workflow Administration Console.

HINT: We recommend that you use the Identity Governance workflows provided to you. Create a new workflow only when you need a custom workflow beyond the provided approval flows. Proceed with caution when making any changes to the provided workflows. Each workflow template includes multiple activities that reference a form on the catalog view of Workflow Administration Console. Multiple workflows might share the same workflow form, so if you change the form content, all workflows using that form will be affected. To avoid this, make a copy of the form and change your workflow to use the form copy before editing your form content. When changing the form reference within the workflow editor (also known as Workflow Builder), copy the data item mappings within the Workflow Builder. Use the workflow catalog to see which workflows reference any particular form.

To assign a workflow as an approver and to create and edit a workflow for approvals:

  1. Log in to Identity Governance as a Customer, Global, or Request Administrator who also has Workflow Administrator authorization.

  2. In Identity Governance, select Policy > Access Request.

  3. On the Approval Policies tab, add a new policy or edit an existing policy.

  4. When adding or editing approval steps, specify the approver as Workflow.

  5. Use * or enter the workflow name to search for a workflow.

  6. (Conditional) If a workflow does not exist, create a sample approval workflow.

    1. Click Create Sample Approval Workflow.

    2. Enter an identifier and name. Note that special characters and spaces are not allowed in the identifier field.

    3. Select a template.

  7. (Optional) Click Edit and customize the template as needed in Workflow Administration Console, but do not change the default form in the Start Activity pane.

    IMPORTANT: To ensure proper integration between Identity Governance and your custom approval workflow process, you must use the default IGA approval request form in Workflow Administration Console. Using any other form for your approval workflow activity might result in unpredictable behavior because Identity Governance requires the entityType, entityId, igApprovalFlowdata, reason, and isAdd fields.

    As mentioned earlier, proceed with caution when editing workflows. For additional information about creating and editing workflows, see the Using Workflow Builder to Create Workflows chapter in the Workflow Administration Guide. For additional information about exporting and importing workflows, see the Exporting and Importing Workflows section in the Workflow Administration Guide.

  8. Save the policy.

  9. Assign resources to the policy.

  10. Access the assigned resource to debug the workflow and to customize the workflow as needed.

    1. Select the name of an assigned application or permission.

    2. Select the Custom Forms tab.

    3. (Optional) Click the workflow identifier to launch the workflow in the Workflow Administration Console.

    4. Select Debug to debug the workflow in the Identity Governance catalog view without impacting your production data.

    5. Simulate request workflow to view the workflow debug status.

      NOTE: The approval form displayed on the Custom Forms tab when running the simulator is different from the workflow IGA approval request form. The request approval form on the Custom Forms tab on the Identity Governance catalog page is a specialized Identity Governance defined form used for approvals when the approver type is Self, Supervisor, Item owners, Coverage maps, or Select users or groups.