Requests
A workflow request is a set of rules that Directory Manager uses as a built-in auditing system to ensure that users enter correct data before committing changes to a directory. A workflow triggers when some Directory Manager operation, performed by a user, meets the criteria defined in the workflow route.
Workflow requests are defined for an identity store and applied to the different operations performed using Directory Manager.
Directory Manager provides the following predefined workflows (also called system workflows) that trigger when their associated events occur:
| Workflow Name | Description | Default Approver | |
|---|---|---|---|
| 1. | Workflow to Reset Password | When a user resets his or her password. It does not apply when helpdesk users reset the passwords of other users. | Primary and additional managers of the user |
| 2. | Workflow to Change Group Expiration Policy | When a user changes the expiry policy of a group. By default, this workflow is disabled and no approver is specified. You can edit the workflow to add an approver. | None |
| 3. | Workflow to Nest a Group | When a user adds a group (Group A) to the membership of another group (Group B). | Primary and additional owners of Group A |
| 4. | Workflow to Join a Group | When a user joins a semi-private group. | Primary and additional owners of the group |
| 5. | Workflow to Leave a Group | When a user leaves a semi-private group. | Primary and additional owners of the group |
| 6. | Workflow to Transfer a User | When a user transfers his or her direct report. | The new manager |
| 7. | Workflow to Terminate a User | When a manager terminates a direct report. By default, this workflow is disabled and no approver is specified. You can edit the workflow to add an approver. | None |
| 8. | Workflow to Change Manager | When a user changes his or her primary or additional manager. If the user does not have a primary manager, and no default approver is set, the request is auto approved. | Existing primary and additional managers of the user |
The administrator can also define more workflows for the identity store.
In case of a Synchronize job, Directory Manager evaluates whether the task it will perform falls under the scope of a workflow. If yes, then a workflow request is triggered the first time the job is executed. The job will run when the request is approved.
On Directory Manager portal, use the Requests node to view and manage workflow requests for the connected identity store. Expanding this node displays the following tabs:
- My Requests lists workflow requests that you have generated. It displays both pending and processed requests.
- Request Inbox lists the workflow requests for which you are the approver. You can view, approve, deny, or reroute these requests.
- All Requests lists all pending workflow requests generated by enterprise users.
NOTE: If the user is high priority such as Administrator, only then they will see the All Requests tab.
Workflow Implementation
Directory Manager workflows are carried out in a standard action sequence:
- When a user performs an action in Directory Manager, it is evaluated according to the workflow settings.
- If no approval is required, the change takes place in the directory and change notifications are sent.
- If a workflow applies, Directory Manager routes an approval request to the approving authorities and a 'request sent' notification is send to the requester. When the request is approved, the requested changes are made in the directory and change notifications go to the requester and approvers (except the one who has approved the request) by email.
- If the request is denied, information is not updated in the directory and an email notification is sent to the requester and th pe approvers (except the one who has approved the request) with an explanation of why it was denied.
The administrator may enable the email approval option for a workflow route. Email notifications generated for such workflow requests contain the Accept and Deny buttons. On clicking any of these, the approver is redirected to the Directory Manager portal, where he or she can approve or deny the request. Navigation within the portal will require authentication.
NOTE: Email notifications are sent when an SMTP server has been configured for the identity store.
Approving authority for a Workflow Request (without Workflow Acceleration)
For each workflow, an approving authority is also specified. The following scenarios are valid when workflow approver acceleration settings are not applied:
-
If the object specified as an approver in a workflow route is not available (such as if it is disabled or not specified), the workflow request would be routed to the default approver. If the default approver is not specified or disabled, the request is auto approved.
See the Specify a Default Approver topic.
-
If the requester is also the approver for that workflow, the request is auto-approved.
-
When a Synchronize job runs to set the manager for a user who does not already have a manager, the following happens:
- The Workflow to Change Manager will trigger if a default approver is set in advanced workflow settings.
- If the default approver is not set, the workflow will not trigger and the user's manager will be set without requiring any approval.
Workflow Acceleration
The workflow approver acceleration feature in Directory Manager ensures that no workflow request remains unnoticed and undecided. Based on certain rules, it automatically accelerates a request to another approver if the current approver does not act on it for a certain number of days.
The administrator can enable and configure workflow approver acceleration for an identity store in Directory Manager Admin Center.