Workflow Approval Delegation Options in OpenIAM

I recently had a customer ask me about the delegation options available in OpenIAM. They wanted to know if OpenIAM can support the following use cases:

• Ability to delegate a request
• Ability to define a permanent delegation
• Ability to auto-delegate the approval to the next level in the manager hierarchy
• Ability to delegate to another manager if the current manager cannot complete the approval from some reason
• Define delegation for an executive

These questions come up periodically and given its newness, it’s the subject of today’s post. We will work through each of these cases and describe why this feature maybe needed and how you can access/configure it in OpenIAM. This article is not intended to replace the product documentation for this topic.

Delegate a request

There are times when a request for approval is sent and either the approver is unable to process the request in a timely manner or the designated approver is simply the wrong person for the request. In either case, OpenIAM provides several options which are described below:

Delegate a single request

In situations where the approver can delegate a particular request, they can follow the steps below:

1. Log in to the Self-Service portal.
2. Go to your inbox and open the request that you need to delegate.
3. Scroll to the bottom of the approval form and click on the [delegate] button.
4. From the dialog below, select the user that you want to delegate to.

Permanent delegation/delegate requests for a period

Consider that an approver is planning to be out of the office and wants to delegate their requests to another person during their absence. To enable the out of office feature, the approver can do the following:

1. Log in to the Self-Service portal.
2. Click on My Info -> My information -> Out of office assistant
3. In the dialog below, select the person that you want to delegate to and the dates that you want the delegation to be in effect. If you leave out the “End Date”, then it’s a permanent delegation.

Select the out of office delegate and the time period

When you save this information, you will be given the opportunity to delegate existing items that are in your inbox.

This option also covers the second request on our list where we need to create a permanent delegation.

Manager delegation of a request

There are times when an admin or a manager must step in to delegate one or more requests because the approver is unavailable (e.g. approver is on vacation and forgot the delegate open request). In this case, an authorized user can use the steps below to delegate one or more requests on behalf of the approver.

1. Log in to the Self-Service portal.
2. Select Request approval -> Request administration.

3. Select the request, and then select Delegate Selected Requests.

When you save this information, you will be given the opportunity to delegate existing items that are in your inbox.

This option also covers the second request on our list where we need to create a permanent delegation.

Delegate to another manager

In OpenIAM, both use cases listed below are addressed through the escalation functionality found on all access request and access certification workflows.

• Ability to auto-delegate the approval to the next level in the manager hierarchy
• Ability to delegate to another manager if the current manager cannot complete the approval from some reason

To configure an escalation path for a workflow, follow the steps described below:

1. Log in to the webconsole (admin portal).
2. Navigate to the entitlement (group, role, resource) for which you want to define the escalation.
3. Go to the “Approver association” menu.
4. Click on the “i” icon shown below.

Use the dialog below to define the escalation path. For example, the image below shows that we will first escalate to the supervisor’s manager and then to their manager. To achieve this, the system will use the manager hierarchy that is defined in OpenIAM.

Delegation for an executive

At many companies, senior executives do not want to be bothered with access request or access certification requests. To define the delegations for this audience, OpenIAM provides the ability to define both a delegate for access requests and one for access certifications. Since the sensitivity level of an access review maybe different, it’s possible that the delegate for each will also be different. To define these delegates, follow the steps below:

1. Log in to the webconsole (admin portal).
2. Navigate to User admin -> User search and then find your user.
3. Use the “Classic view”.
4. Expand the section titled “User’s assistants” as shown in the image below.

To define a delegate for access requests, select a person from the “Alternate contact” drop down. To define the delegate for access certification requests, select a user in the “Certification delegate”. In each section define the start date. The end-date is only required if you want to limit this delegate for a period.