# Configuring approval workflows

An **approval flow** in OpenIAM is a configurable process that determines how actions such as access requests, role assignments, or user changes are reviewed and approved before they are executed.

It is a governance mechanism that ensures **the right people validate sensitive changes** in the identity lifecycle.

In OpenIAM, approval flows are typically tied to:

* **Access request workflows.**
* **Provisioning policies.**
* **Lifecycle events** (joiner, mover, leaver).

They can be customized using OpenIAM’s workflow engine to match organizational policies and governance requirements.

## Define an approval workflow

OpenIAM allows you to define approval workflows at two levels:

* **Application level** — Managed System or Manual Managed System.
* **Entitlement level** — Roles, Groups, or Resources.

For applications with many entitlements, define the approval flow at the **application level**. Override it at the **entitlement level** only when needed.

To define approvers, follow the steps below.

{% stepper %}
{% step %}

### Locate the application or entitlement

#### For applications

1. Go to **WebConsole** → **Access Control** → **Resource**.
2. Filter by **Managed System** or **Manual Managed System** in the **Type** column.
3. Find your application by searching in the **Name** column.
4. Click the **Actions** button to view the application details.

#### For entitlements

1. Enable Entitlement-Level Approvals.
   * Go to **WebConsole** → **Administration** → **System Configuration**.
   * Navigate to the **Workflow** tab.
   * Enable **Use approver association or role/group instead of resource**.
2. Find the entitlement.
   * Determine the entitlement type — **Role**, **Resource**, or **Group**.
   * Go to **WebConsole** → **Access Control** → **\[Entitlement Type]**.
   * Filter by **Managed System** name in the **Managed System** column.
   * (Optional) Further filter by **Metadata Type**.
   * Find your entitlement by searching in the **Name** column.
   * Click the **Actions** button to view entitlement details.
3. Define the approval flow.
   * Click on **Approval Associations** from the sidebar.
   * Click the `+` button to add an approver.

<figure><img src="/files/bf3aa6bb06b1c8444fc90a88317deeb5653aa82f" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Configure the approval flow

Fill in the following fields:

* **Approver** — Select the approver type and name.
* **Notify on Approval** — Choose who is notified when this step is approved.
* **Notify on Reject** — Choose who is notified when this step is rejected.
* **Request Service Level Agreement (SLA) Parameters**

  * **Number of Reminders** — How many reminders to send.
  * **Days Before Sending Reminder** — When to send the first reminder.
  * **Total Time to Complete** — The calculated completion window.

  <figure><img src="/files/51ce9973c5af7902d790a220f5ac8fdc058fffce" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
Save each row before saving the full page.
{% endhint %}
{% endstep %}
{% endstepper %}

### Approval flow field descriptions

<table><thead><tr><th width="266.6666259765625">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Is Mandatory</strong></td><td>If enabled, the step must be completed. If no approver is set, the request is sent to the default approver.</td></tr><tr><td><strong>Approver Type</strong></td><td>Defines who approves or rejects access. See <a href="#approver-types">Approver types</a>.</td></tr><tr><td><strong>Approver</strong></td><td>Auto-filled based on the selected approver type.</td></tr><tr><td><strong>Notify on Approve Type</strong></td><td>Specifies who receives an additional notification when this step is approved.</td></tr><tr><td><strong>Notify on Approval</strong></td><td>Auto-filled based on the previous field.</td></tr><tr><td><strong>Notify on Reject Type</strong></td><td>Specifies who receives an additional notification when this step is rejected.</td></tr><tr><td><strong>Notify on Rejection</strong></td><td>Auto-filled based on the previous field.</td></tr><tr><td><strong>Number of Reminders</strong></td><td>How many reminders are sent to the approver.</td></tr><tr><td><strong>Days Before Sending Reminder</strong></td><td>When to send the first reminder.</td></tr><tr><td><strong>Days to Escalation</strong></td><td>The total time allowed before escalation.</td></tr></tbody></table>

#### Adding additional approval steps

To add another step:

1. Save the first approver.
2. Click the `+` button again.
3. Repeat the configuration process.

## Approver types

<table><thead><tr><th width="156">Approver Type</th><th>Description</th></tr></thead><tbody><tr><td><strong>Supervisor</strong></td><td>The direct manager of the user making the request.<br>Note: If the manager creates the request, this step is skipped.</td></tr><tr><td><strong>User</strong></td><td>A specific individual assigned as the approver.</td></tr><tr><td><strong>Group</strong></td><td>A group of users who can approve. Anyone in the group can claim and approve the request.</td></tr><tr><td><strong>Role</strong></td><td>Any user with a specific role can approve.</td></tr><tr><td><strong>Owner</strong></td><td>The owner assigned to the <strong>Managed System</strong> or <strong>Manual Managed System</strong>.</td></tr><tr><td><strong>Admin</strong></td><td>The administrator assigned to the <strong>Managed System</strong> or <strong>Manual Managed System</strong>.</td></tr></tbody></table>
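The Supervisor rule above means a flow whose only step is **Supervisor** has no approval step left when the manager files the request. The following Python check is an added example, not OpenIAM code or an OpenIAM export format: the step dictionaries, the `DIRECTORY` data and the function names are constructed assumptions. It resolves each step to its possible approvers and reports flows where no one other than the requester or the beneficiary can approve.

```python
# Added illustration; the data model is constructed and is not an OpenIAM format.
DIRECTORY = {  # constructed sample data
    "managers": {"alice": "bob", "bob": "carol"},  # user -> direct manager
    "members": {
        ("Group", "app-owners"): {"bob", "dave"},
        ("Role", "app-admin"): {"bob"},
    },
}

def candidate_approvers(step, beneficiary, directory):
    """Users who could act on one approval step."""
    kind = step["type"]
    if kind == "Supervisor":
        manager = directory["managers"].get(beneficiary)
        return {manager} if manager else set()
    if kind == "User":
        return {step["name"]}
    if kind in ("Group", "Role", "Owner", "Admin"):
        return set(directory["members"].get((kind, step["name"]), ()))
    raise ValueError(f"unknown approver type: {kind}")

def review_flow(flow, requester, beneficiary, directory=DIRECTORY):
    """Return (independent_steps, findings) for one request against one flow."""
    independent, findings = 0, []
    for number, step in enumerate(flow, 1):
        approvers = candidate_approvers(step, beneficiary, directory)
        if step["type"] == "Supervisor" and requester in approvers:
            # Page rule: the step is skipped when the manager creates the request.
            findings.append(f"step {number}: Supervisor step skipped, manager created the request")
        elif not approvers:
            # Page rule: a mandatory step with no approver goes to the default approver.
            suffix = ", falls to the default approver" if step.get("mandatory") else ""
            findings.append(f"step {number}: no approver resolved{suffix}")
        elif approvers - {requester, beneficiary}:
            independent += 1
        else:
            findings.append(f"step {number}: only the requester or beneficiary can approve")
    if independent == 0:
        findings.append("no independent approval step remains")
    return independent, findings
```
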

## Escalations

If a request is not approved or rejected within the defined timeframe, it can either:

* Be **automatically rejected** by the system.
* Be **escalated** to a higher-level approver.

To configure escalations:

{% stepper %}
{% step %}

### Open the Approver Association screen

1. Open the **Approver Association** screen.
2. Click the blue escalation button.

<figure><img src="/files/2ea0a922469d55b08f1623329926bbc0456c72cc" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Configure the Escalation List

In the **Escalation List** window:

* Select the **user** or **group** to escalate to.
* Click **Add**.
* Configure **reminder frequency** and **days before escalation**.

![](/files/7c1f3086f5fd07d81c14fb72fbfeb38d6c25162e)

If the initial approver does not take action, the request is escalated based on these settings. If it remains unresolved past the expiration date, it is automatically rejected.
{% endstep %}
{% endstepper %}

### Enabling escalation processing

Escalations are managed by a **batch task**. To enable it:

1. Go to **WebConsole** → **Administration** → **Batch Tasks**.
2. Find **Escalation of Expired Requests**.
3. Click **Edit** and enable the **Is Enabled** flag.

