
SAP NetWeaver

How-To Guide

SAP NetWeaver®
Identity Management

Implementation guide
- Creating role approvals

SAP NetWeaver® Identity Management 7.2


Document Revision: 4
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Preface

The product
SAP NetWeaver Identity Management Identity Center is the primary component for identity management. The Identity Center includes functions for identity provisioning, workflow, password management, logging and reporting. It uses a centralized repository, called the identity store, to provide a uniform view of the data, regardless of the data's original source.

The reader
This manual is written for people who want information about role approvals (using pending value
objects).

Prerequisites
To get the most benefit from this manual, you should have the following knowledge:
- General knowledge about the Identity Center, including roles.
The following software and configuration are required:
- SAP NetWeaver Identity Management Identity Center 7.2 SP8 or later with the 7.2 approval mechanism enabled.
- An identity store that is enabled for the Identity Management User Interface.
- Person entries in the identity store that can be given role assignments.
- An Identity Management User Interface (running on Enhancement Package 1 for SAP NetWeaver Composition Environment 7.1, SAP NetWeaver Composition Environment 7.2 or SAP NetWeaver 7.3) that is correctly configured for the identity store.
- Role definitions.

The manual
This guide describes how an approval of a pending role assignment can be implemented.

Related documents
You can find useful information in the following documents:
- SAP NetWeaver Identity Management Identity Center help file
- SAP NetWeaver Identity Management Identity Center Tutorial: Working with roles and privileges

Document History
Document Version   Description
4                  Added sections about re-authentication and approval management.
3                  Added sections about manual delegation, automatic delegation, conditional approval and using uIS_Approval.
2                  Added information about enabling the 7.2 approval mechanism. Added section about multi-step approvals. Added links to referenced documents.
1                  First official release of this guide.
Typographic Conventions
Type Style       Description
Example Text     Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text     Emphasized words or phrases in body text, graphic titles, and table titles.
Example text     File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text     User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>   Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT     Keys on the keyboard, for example, F2 or ENTER.

Icons
The following icons are used in this guide (the icon images are not reproduced here): Caution, Important, Note, Recommendation or Tip, Example.
Table of contents
1 Introduction .....................................................................................................................1
1.1 The Validate Event Tasks .........................................................................................1
1.2 The Pending Value Object ........................................................................................1
1.3 The Approver(s) ........................................................................................................2
1.4 Use Cases ................................................................................................................2
2 Configuring Simple Approvals........................................................................................3
2.1 The Member Event Task ...........................................................................................3
2.2 The Sample Roles ....................................................................................................4
2.3 Configuring the Approver on the Role........................................................................5
2.4 Configuring the Approvers on the Task .....................................................................9
2.5 Configuring the Approvers on the Pending Value Object (Manager Approval/Role Owner Approval) ........10
3 Configuring Escalations................................................................................................14
3.1 Configuring the Escalation Approvers on the Task .................................................. 14
3.2 Configuring the Escalation Approvers on the Role ...................................................15
3.3 Configuring the Escalation Approvers on the Pending Value Object ........................ 16
4 Configuring Parallel (Multiple) Approvals .................................................................... 17
4.1 Configuring the Approval Task ................................................................................17
4.2 Processing the Approval .........................................................................................18
5 Using the Notification Task ...........................................................................................19
5.1 Configuring the Approval Task ................................................................................19
5.2 Receiving a Notification Message............................................................................ 20
6 Configuring Sequential (Multi-Level) Approvals ..........................................................21
6.1 Manager/Role Owner Approval ...............................................................................21
7 Delegating (Forwarding) an Approval Manually ........................................................... 25
7.1 Configuring the Approval Task ................................................................................25
7.2 Forwarding the Approval .........................................................................................26
7.3 Processing the Approval .........................................................................................27
7.4 Viewing Request Details .........................................................................................28
8 Configuring Automatic Delegation ...............................................................................29
8.1 Enabling Automatic Delegation from the "To Do" Tab .............................................. 29
8.2 Disabling Automatic Delegation from the "To Do" tab .............................................. 30
8.3 Enabling Automatic Delegation from a Task ............................................................ 31
8.4 Disabling Automatic Delegation from a Task ...........................................................32
9 Configuring a Conditional Approval ............................................................................. 33
9.1 Specifying the Criteria .............................................................................................33
9.2 The Switch Task .....................................................................................................34
9.3 Configuring the Role ...............................................................................................37
9.4 Configuring the User ...............................................................................................37
9.5 Processing an Approval ..........................................................................................38
9.6 The "DefineApprovalType" Script ............................................................................ 39
10 Using uIS_Approval to Remove an Approver ..............................................................42
10.1 Configuring the Job .................................................................................................42
10.2 Running the Job......................................................................................................45
11 Requiring Re-Authentication ........................................................................................47
11.1 Processing the Approval .........................................................................................47
12 Managing Approvals .....................................................................................................48
12.1 Listing Pending Approvals .......................................................................................48
12.2 Finding Approvals Using Advanced Search ............................................................. 49
12.3 Declining a Pending Approval ................................................................................. 50
12.4 Escalating a Pending Approval................................................................................51
SAP NetWeaver Identity Management Implementation guide - Creating role approvals

1 Introduction
The purpose of this document is to describe how to configure approval of role/privilege assignments. It
does not describe how to configure basic approvals (any other approval than for assignments, for
instance approving an attribute modification).
This document is based on the 7.2 approval mechanism introduced with SAP NetWeaver Identity
Management 7.2 SP4. For an overview of approval processing using this mechanism, see the topic
"About approval processing" in the help file for the Identity Center Management Console.
If the 7.2 approval mechanism is not already enabled for the Identity Center, it must be enabled. See
SAP NetWeaver Identity Management Identity Center: Installing the database (Microsoft SQL Server)
or SAP NetWeaver Identity Management Identity Center: Installing the database (Oracle). The
documents are available from the Service Marketplace.

1.1 The Validate Event Tasks


An approval is normally configured as part of a Validate Add, Validate Remove or Validate Modify task for a role or privilege. The task references can be defined either directly on the role/privilege, or on the repository referenced from the privilege (or role). Defining them on the repository avoids having to set them on each and every role or privilege.
The most common configuration is to have the Validate tasks configured on the role, with privileges assigned to the users based on the role assignments. The privileges then have the Add and Remove member tasks.
The Validate task is used to verify whether the assignment is allowed or not; it does not perform the assignment. For more information, see the topic "About member event handling" in the help file for the Identity Center Management Console.
The task referenced as a Validate task can be the top task of a task hierarchy that includes an approval task. An approval task can also be referenced directly. It is also possible to have a Validate task without a manual approval; the validation can, for instance, be an automatic process that verifies certain values in other systems before the role is approved or declined.
The parties involved in typical approval processing are the following:
- User/Approvee: the person getting the role assignment after it is approved.
- Requester: the person requesting the assignment. This may be the user him-/herself.
- Approver: the person(s) responsible for approving or declining the requested role assignment (for the approvee), e.g. a manager or a role owner. A role may also be defined as the approver, which means that any member of the given role is allowed to perform the approval.

1.2 The Pending Value Object


When an event task is started, an object of the entry type MX_PENDING_VALUE is created. The
pending value object is used to store some information about the assignment being validated, the
most important being the MX_LINK_REFERENCE, which points to the assignment.
With some exceptions described in this document, all attributes on this MX_PENDING_VALUE entry are read-only and should not be changed. In most cases, changing the attributes has no effect.

Never delete a pending value object, as that will leave the system in an inconsistent
state.
For more details about the pending value object and the attributes, see the document SAP NetWeaver
Identity Management Identity Center Identity store schema.

May 2013 1
1.3 The Approver(s)


Where the approvers are found depends on the configuration of the approval task. The approvers can be defined on one of the following objects:
- The role/privilege
- The context (in case of context-based assignments)
- The pending value object
- The approval task itself
Where the approvers should be defined depends on the scenario:
- If the same approvers are used to approve many different assignments, it makes sense to define the approvers on the task itself.
- If the approvers vary from role to role, the approvers should be defined on each role.
- For context-based assignments, the approver could be defined on the context object itself.
- If you need to do manual preprocessing of the approver list before the approval task is started, you can do that on the pending value object. Also, if you have an approval task that was upgraded from a previous version, the approvers are found on the pending value object.

1.4 Use Cases


This document covers the following use cases:
- Simple approvals (involving only a single approval):
  - Configuring the approvers on the role
  - Configuring the approvers on the approval task
  - Configuring the approvers on the pending value object:
    - Manager approval: in this scenario the manager of a role requester is required to approve the role request.
    - Role owner approval: the role owner (MX_OWNER of entry type MX_ROLE) is required to approve the role request.
- Escalations
- Parallel (multiple) approvals
- Using the notification task
- Sequential (multi-level) approvals
- Manual forwarding (delegation) of approvals
- Automatic forwarding (delegation) of approvals
- System approval
For information about using Business Objects Access Enforcer to process the approval, see the document SAP NetWeaver Identity Management Compliant provisioning using SAP BusinessObjects Access Control Configuration Guide.


2 Configuring Simple Approvals


This section describes the basic setup for role approvals. We will look at the role configuration and the configuration of the tasks necessary to perform the approval.
We will show the following scenarios:
- The approver is defined on the role itself.
- The approver is defined on the approval task.
- The approver is defined on the pending value object (role owner and manager approval).

2.1 The Member Event Task


The member event task called from the roles is an ordered task group containing the approval task:

The "Role approval" task is defined as a public ordered task group, with only the default configuration:


2.2 The Sample Roles


We use two roles:
- ROLE:User (role assigned to regular users/employees)
- ROLE:Manager (role assigned to managers)
The ordered task group "Role approval" is defined as Validate add task for both roles:

The value in the "Execute" list indicates when the Validate add task is called, and is only relevant if the assignment has Valid from defined (i.e. it is not effective immediately). In this case, the "Execute" setting can be one of:
- Immediately: the Validate add task is executed immediately, regardless of the Valid from value of the assignment.
- When valid: the Validate add task is not executed until the Valid from date is reached.
- Inherited: the value defined on the repository is used.


2.3 Configuring the Approver on the Role


In the first example, the approver is defined on the role.

2.3.1 Configuring the Role


The approver is configured on the "Approvers" tab of the role properties:

In this case one specific user is defined as approver for this role. This could instead have been a reference to another role, in which case all members of that role would receive the approval request.
The approvers are stored in the attribute MX_APPROVERS on the role. They can also be added by executing a task in the Identity Management User Interface or from a job.


2.3.2 Configuring the Approval Task


The configuration of the approval task may look like this:

The following fields are filled in:
- Approval type: select "Assignment", as this is an approval for an assignment.
- Get approvers from: select "Role/Privilege", as the approver is defined on the role itself.
Keep the default values for the other settings:
- No specific timeout for the approval. If the request is not approved within 90 days, it times out.
- The timeout rule is set to "Decline", meaning that if the approval request times out, it is automatically declined. There is no escalation in case of timeout.
- Only one approval is required for the request to be approved.
- No notification task is configured.


2.3.3 Processing the Approval


When a role assignment is requested, the approval is displayed in the "To Do" tab of the approver:

2.3.3.1 Displaying Information about the Approval


In the "Entry data" area you can see details about the approval:

Select the "Request Information" tab to display details about the request:


Select the "Approval Information" tab to see information about other approvers:

2.3.3.2 Approving the Assignment


Select the request and choose "Approve":

Enter a reason (optional) and choose "Confirm".


2.4 Configuring the Approvers on the Task


In this example, the approver is defined on the approval task itself:

The following fields are filled in:
- Get approvers from: select "Task" in the list. The "Approvers" field is enabled.
- Approvers: enter the MSKEYVALUE of an entry in the identity store. This can be either a user (as in this example) or a role or privilege. In the latter case, all members of the role or all users assigned to the privilege receive the approval.
You can only define one approver on the task itself. If you need multiple approvers, create a role or privilege, assign it to the approvers and reference that role or privilege here. Alternatively, define the approvers on the role or privilege itself.


2.5 Configuring the Approvers on the Pending Value Object (Manager Approval/Role Owner Approval)


In this case, the approvers are found on the pending value object. If there are any approvers defined on the role, they are copied to the MX_APPROVERS attribute of the pending value object when the pending value object is created. Additionally, a task executed before the approval task can modify the approvers defined on the pending value object.
We introduce a task before the approval task that preprocesses the approvers:

2.5.1 Configuring the Approval Task


The approval task is configured in the following way:

The following fields are filled in:
- Get approvers from: select "Pending Value Object" in the list.


2.5.2 Configuring a Role Owner Approval


In this case, we use the owner defined on the role as approver.

2.5.2.1 Configuring the Role


The role owner is configured on the "Visibility" tab of the role properties:

The role owner can be one or more user entries, roles or privileges.

2.5.2.2 Configuring the "Preprocessing approvers" task


The "Preprocessing approvers" task is an ordered task group containing an action task, "Add
approvers", with a "To identity store" pass that works with the MX_PENDING_VALUE entry type:

The approvers are defined with the attribute MX_APPROVERS on the pending value object. We use
the syntax TARGET.MX_OWNER to reference the value of the attribute MX_OWNER of the role.
For more information about this syntax, see the topic "Including attributes from referenced entries
when processing pending value objects" in the help file for the Identity Center Management Console.
Changing this attribute after the approval task has started has no effect on the approvers for this
specific approval, but will take effect for approvals created after the change.


2.5.2.3 Processing the Approval


The approval request is displayed on the "To Do" tab of the role owner:

2.5.3 Configuring a Manager Approval


In this example, the manager of the user who is assigned the role will be the approver of the
assignment request.

2.5.3.1 Configuring the User


The user must have a manager defined:


2.5.3.2 Configuring the "Preprocessing approvers" task


The "To identity store" pass of the "Add approvers" task will look like this:

We use the syntax SUBJECT.MX_MANAGER to add the manager of the user to the attribute
MX_APPROVERS of the pending value object.
For more information about this syntax, see the topic "Including attributes from referenced entries
when processing pending value objects" in the help file for the Identity Center Management Console.
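As an added example (not SAP code and not the product's API), the following Python model imitates the approver-resolution rules described in sections 1.3, 2.3 to 2.5: approvers taken from the role/privilege, from the task, or from the pending value object, with approvers copied from the role at pending value creation and a preprocessing pass adding TARGET.MX_OWNER (role owner approval) or SUBJECT.MX_MANAGER (manager approval). The identity store, the MEMBERS key and all function names are constructed for this example.

```python
"""Model of approver resolution for an assignment approval.

Added, illustrative code (not SAP NetWeaver IdM's own implementation).
It follows the rules in this guide: approvers can live on the
role/privilege, on the approval task, or on the pending value object,
and a preprocessing pass may add TARGET.<attr> / SUBJECT.<attr>
references. The identity store below is constructed sample data.
"""
from typing import Dict, List, Set

Entry = Dict[str, object]

# Constructed sample identity store, keyed by MSKEYVALUE. The MEMBERS key
# stands in for role/privilege membership (not a real IdM attribute).
STORE: Dict[str, Entry] = {
    "ROLE:Manager": {"MX_ENTRYTYPE": "MX_ROLE", "MX_OWNER": ["USER:owner1"],
                     "MX_APPROVERS": []},
    "ROLE:User": {"MX_ENTRYTYPE": "MX_ROLE", "MX_OWNER": [],
                  "MX_APPROVERS": ["ROLE:Approvers"]},
    # A role used as approver: any member may approve (section 1.3).
    "ROLE:Approvers": {"MX_ENTRYTYPE": "MX_ROLE",
                       "MEMBERS": ["USER:appr1", "USER:appr2"]},
    "USER:alice": {"MX_ENTRYTYPE": "MX_PERSON", "MX_MANAGER": ["USER:bob"]},
    "USER:bob": {"MX_ENTRYTYPE": "MX_PERSON"},
    "USER:owner1": {"MX_ENTRYTYPE": "MX_PERSON"},
    "USER:appr1": {"MX_ENTRYTYPE": "MX_PERSON"},
    "USER:appr2": {"MX_ENTRYTYPE": "MX_PERSON"},
    "USER:carol": {"MX_ENTRYTYPE": "MX_PERSON"},
}


def create_pending_value(subject: str, target: str) -> Entry:
    """Create the MX_PENDING_VALUE entry for 'subject gets target'.

    MX_LINK_REFERENCE points at the assignment (modelled as a tuple);
    approvers defined on the role are copied to the pending value
    object at creation time, as section 2.5 describes.
    """
    role = STORE[target]
    return {
        "MX_ENTRYTYPE": "MX_PENDING_VALUE",
        "MX_LINK_REFERENCE": (subject, target),
        "MX_APPROVERS": list(role.get("MX_APPROVERS", [])),
    }


def add_approvers(pvo: Entry, references: List[str]) -> Entry:
    """The 'Add approvers' pass of the preprocessing task.

    Each reference is TARGET.<attr> (attribute of the role/privilege) or
    SUBJECT.<attr> (attribute of the user): TARGET.MX_OWNER for a
    role-owner approval, SUBJECT.MX_MANAGER for a manager approval.
    """
    subject, target = pvo["MX_LINK_REFERENCE"]
    for ref in references:
        side, _, attr = ref.partition(".")
        source = {"TARGET": target, "SUBJECT": subject}[side]
        for value in STORE[source].get(attr, []):
            if value not in pvo["MX_APPROVERS"]:
                pvo["MX_APPROVERS"].append(value)
    return pvo


def expand(entries: List[str]) -> Set[str]:
    """Roles/privileges listed as approvers expand to their members."""
    users: Set[str] = set()
    for mskeyvalue in entries:
        entry = STORE.get(mskeyvalue)
        if entry is None:
            continue  # dangling reference contributes no approver
        if entry["MX_ENTRYTYPE"] == "MX_PERSON":
            users.add(mskeyvalue)
        else:
            users.update(expand(entry.get("MEMBERS", [])))
    return users


def resolve_approvers(task: Entry, pvo: Entry) -> Set[str]:
    """Resolve the approver set according to 'Get approvers from'."""
    source = task["get_approvers_from"]
    if source == "Task":
        return expand([task["approvers"]])  # only one entry allowed here
    if source == "Role/Privilege":
        _, target = pvo["MX_LINK_REFERENCE"]
        return expand(STORE[target].get("MX_APPROVERS", []))
    if source == "Pending Value Object":
        return expand(pvo["MX_APPROVERS"])
    raise ValueError(f"unknown approver source: {source}")
```

Note that with "Role/Privilege" selected and no MX_APPROVERS on the role, the resolved set is empty, which is the situation in which the product declines the request automatically.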

2.5.3.3 Processing the Approval


The approval is displayed in the "To Do" tab of the user defined as manager:


3 Configuring Escalations
In this section, we describe how to configure escalations if the assignment request is not processed
within the defined time limit.

3.1 Configuring the Escalation Approvers on the Task


Escalations are defined on the approval task:

In this example all configuration is on the task itself.
- Timeout: set to one week.
- Timeout rule: if the assignment request is not approved within the given time limit, the approval is escalated to a new list of approvers.
- Max no of escalations: the approval is only escalated once. If it is not approved within the given escalation timeout, it is declined.
- Escalation timeout: set to three days.
- Escalation approvers: because "Task" is selected in "Get approvers from", the escalation approvers are also configured on the task itself.


3.2 Configuring the Escalation Approvers on the Role


In this example the approvers are defined on the role.
The timeouts are defined on the approval task:

The fields "Timeout", "Timeout rule", "Max no of escalations" and "Escalation timeout" are filled in the same way as in the previous example.
But as the approvers are defined on the role, the escalation approvers have to be added there as well, using the attributes MX_ESCALATION_APPROVERS_1/2/3.
Here we have defined a task to configure the role:

The escalation approver is defined on the attribute "Escalation approvers, level 1".


3.3 Configuring the Escalation Approvers on the Pending Value Object


In this case, the escalation approvers are defined on the pending value object.
The configuration of the approval task looks like this:

The escalation approvers are added by the preprocessing task:


4 Configuring Parallel (Multiple) Approvals


You can require that several approvers have to approve the assignment request before it is carried
out. The approvers can be defined on all possible objects (role/privilege, pending value object, task or
context). The approvers should be defined to ensure that the approval request is distributed to enough
approvers. If too few approvers are found when the approval is initiated, the approval request is
automatically declined.

4.1 Configuring the Approval Task


The number of required approvals is configured on the approval task:

The following fields are filled in:
- Required approvals: in this case we have defined that two approvers need to approve the assignment request.
- Approvers: in this example, the approvers are defined on the approval task itself. To be able to define more than one approver, we use a role that is assigned to several users.


4.2 Processing the Approval


All users assigned to the referenced role will be identified as approvers when the approval task is
initiated. The approval request is displayed on the "To Do" tab of all these approvers. The approval will
be active until two approvers have approved the assignment request or one approver has declined it.
If only one approval has been received when the defined timeout expires, the timeout rule is applied.
In this case the "Timeout rule" is set to "Decline", which means that the assignment request will be
declined if not enough approvals have occurred before the defined timeout.
If the "Timeout rule" is set to "Escalate to new list" or "Escalate to manager", the approval will be
escalated to the new set of approvers. If one approver has approved the request before the timeout,
only one more approval is required from the escalation approvers. All approvals are cumulated,
independent of when in the process the approval happens.
All approvers will receive the approval on their "To Do" tab. If one approver has already approved the
request, the other approvers can see the following information on the "Approval Information" tab in the
"Entry data" area:

Number of required approvals is 2 and 1 approval is already received.


On the "Approval History" tab, the approver can see information about the approvals already done:
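The multi-approver rules above (a fixed number of required approvals, a single decline ending the request, approvals that keep counting across an escalation, automatic decline when too few approvers exist) as a small model on constructed data. This is an added example, not code from the SAP guide; the approver names are made up, and the behaviour of a second timeout after an escalation is an assumption.

```javascript
// Added example (not from the SAP guide): a model of the section 4 approval rules
// on constructed data. Names and the "second timeout" behaviour are assumptions;
// SAP IDM's own engine is not modelled here.

// Create an approval; too few approvers at initiation means an automatic decline.
function createApproval(approvers, requiredApprovals, timeoutRule, escalationApprovers) {
  const a = {
    state: "PENDING",
    reason: null,
    approvers: approvers.slice(),
    approved: [],
    requiredApprovals,
    timeoutRule,
    escalationApprovers: (escalationApprovers || []).slice(),
    escalated: false,
  };
  if (a.approvers.length < a.requiredApprovals) {
    a.state = "DECLINED";
    a.reason = "too few approvers found";
  }
  return a;
}

function assertCurrentApprover(a, user) {
  if (!a.approvers.includes(user)) throw new Error(user + " is not a current approver");
}

// One approver approves; the request completes once enough distinct approvals exist.
function approve(a, user) {
  if (a.state !== "PENDING") return a.state;
  assertCurrentApprover(a, user);
  if (!a.approved.includes(user)) a.approved.push(user); // the same user cannot count twice
  if (a.approved.length >= a.requiredApprovals) a.state = "APPROVED";
  return a.state;
}

// A single decline ends the request regardless of approvals already received.
function decline(a, user) {
  if (a.state !== "PENDING") return a.state;
  assertCurrentApprover(a, user);
  a.state = "DECLINED";
  a.reason = "declined by " + user;
  return a.state;
}

// What the "Approval Information" tab shows: approvals still needed.
function remainingApprovals(a) {
  return Math.max(0, a.requiredApprovals - a.approved.length);
}

// Timeout: apply the task's "Timeout rule". With "Escalate to new list" the
// approvals already received still count, so fewer are needed from the new list.
function timeout(a) {
  if (a.state !== "PENDING") return a.state;
  if (a.timeoutRule === "Decline" || a.escalated) { // second timeout: assumed to decline
    a.state = "DECLINED";
    a.reason = "timeout";
    return a.state;
  }
  a.escalated = true;
  a.approvers = a.escalationApprovers.slice();
  if (a.approvers.length < remainingApprovals(a)) {
    a.state = "DECLINED";
    a.reason = "too few escalation approvers";
  }
  return a.state;
}
```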


5 Using the Notification Task


You can use the notification task to send messages to those involved in the approval process.
Configure the notification repository and message templates, then load the templates into the
database and import the notification task as described in the topic "Configuring the notification
templates" in the help file for the Identity Center Management Console.

5.1 Configuring the Approval Task


Add the reference to the notification task from the approval task:

The following fields are filled in:


Notification task
Select the notification task that you imported as part of the configuration.
Initial message
Select the message you want to send when the approval is initiated.
Reminder message
Select the message you want to send as a reminder to the approvers.
Escalation message
Select the message you want to send to the escalation approvers.
Completion message
Select the message you want to send when the approval is approved or declined.


5.2 Receiving a Notification Message


When an approval is initiated, the approvers will receive an e-mail which may look something like this:


6 Configuring Sequential (Multi-Level) Approvals


In this section we will create a sequence of approvals. After one approver has approved the
assignment request, the approval continues to the next group of approvers. The following use case
is shown:
Manager/Role owner approval
The assignment request is approved first by the manager and then by the role owner.

6.1 Manager/Role Owner Approval


In this scenario, we create an ordered task group that contains the approval task structure. First, the
"Manager approval" is executed. A "Role owner approval" is added below the "Approval" node of the
"Manager approval". When the first approval is completed, the task below the "Approval" node is
executed:

In the first approval, the manager is added as an approver by the action task before the approval task
is executed.
In the second approval, the role owner is added before the approval task is called.
If the first approval is declined, the whole assignment request is declined.


Both these tasks use a "To identity store" pass in the same way as in sections 2.5.2 and 2.5.3:

Both approval tasks are configured to get approvers from the pending value object:

You could add any timeout/escalation handling to the approval task as well.


6.1.1 Configuring the Role


This approval process is defined as a Validate add task for the "ROLE:User" role:

The role also has a role owner:


6.1.2 Processing the Approval


When a user is assigned the role, the manager receives the approval:

When the manager approves the assignment request, the role owner receives the approval:

The role owner can see that the manager already approved the request.


7 Delegating (Forwarding) an Approval Manually


When configuring the approval task, you can define that the approver(s) can delegate (forward) the
approval to another user when processing the approval in the Identity Management User Interface.
Delegation can be done independently of how the user was identified as approver.
The approver can forward the approval to another user, but not a role or privilege. The following users
are not accepted as new approvers:
The user getting the assignment.
The user requesting the assignment.
Any user that already has been involved in the approval process.
A user that is not allowed to see the role or privilege due to visibility constraints.

7.1 Configuring the Approval Task


To allow delegation of an approval, this must be specified on the approval task:

Allow manual delegation


Select this check box to specify that the "Delegate" button should be enabled in the Identity
Management User Interface.
Delegation message
If you are using the Notification task to send e-mail messages to the involved parties, select a
message in the "Delegation message" drop-down to specify which message template to use.


7.2 Forwarding the Approval


The approver receives the approval:

Choose "Delegate" to open the "Delegate selected approvals" dialog box:

Show
Select the entry type of the user. The default value is "Person". Only entry types defined as "Identity
entry type" are shown in the list.
and find
Enter (parts of) a user name and choose "Go".
The matching entries are shown in the list below. You can view details about the user by clicking the
user's unique ID.
Select the user you want to delegate the approval to.
Reason for delegation
Enter a reason why the approval is delegated. This reason will be included in the notification message
that is sent to the new approver. Reason is optional.
Choose "Delegate" to forward the approval.


7.3 Processing the Approval


The user who receives the forwarded approval will get a notification message (if the notification task is
defined) and the approval will appear on the "To Do" tab:

The approval details show that the approval is forwarded:

The approver processes the approval as usual. He can also delegate the approval further to another
approver.


7.4 Viewing Request Details


Information about approval processing, including delegations, can be found by using a "View
assignment request" task:

You can also see the details by viewing the properties of the assignment from the display task:


8 Configuring Automatic Delegation


You can specify that all approvals should be forwarded automatically to another user. This can be
used if a user is absent for a period of time, or in any other situation where all approvals should
automatically be forwarded to someone else.
Automatic delegation is done in the following cases:
For any new approvals
If an existing approval is escalated
If someone performs a manual delegation to a person with automatic delegation enabled
In any other circumstance where this user is added as approver
The approver can configure this from the "To Do" tab, or it can be done by updating the attributes
MX_AUTODELEGATE_MSKEY and MX_AUTODELEGATE_MESSAGE of a user from a task or job.
If an automatic delegation fails, the approver is removed from the approval, and if there are not
enough approvers left to handle the approval, it is declined.
Some reasons why an automatic delegation fails are:
The user getting the assignment.
The user requesting the assignment.
Any user that already has been involved in the approval process.
A user that is not allowed to see the role or privilege due to visibility constraints.
There is a loop of automatic delegations.
The processing of automatic delegations is done asynchronously, which means that if for example an
approver performs a manual delegation to another user, the approver will get an immediate response
that the delegation is performed. Automatic delegation is processed afterwards, which means that if
the approval later is automatically delegated, it may result in the approval being declined.
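The delegation rules from sections 7 and 8 (which users are not accepted as new approvers, and a loop of automatic delegations) as an added example on constructed data; this is not code from the SAP guide. MX_AUTODELEGATE_MSKEY is modelled as a Map from user to delegate, and the record fields, MSKEY values and the canSee() visibility check are assumptions.

```javascript
// Added example (not from the SAP guide): validates delegation targets and
// follows automatic delegation chains. Record shape, MSKEY values and canSee()
// are constructed for the example.

// Returns null when `target` may become an approver, otherwise the reason it is
// rejected (the conditions the guide lists for manual and automatic delegation).
function delegationTargetError(approval, target) {
  if (target === approval.consignee) return "target is the user getting the assignment";
  if (target === approval.requester) return "target is the user requesting the assignment";
  if (approval.involved.includes(target)) return "target is already involved in the approval";
  if (!approval.canSee(target)) return "target may not see the role or privilege";
  return null;
}

// Follows MX_AUTODELEGATE_MSKEY (modelled as autoDelegates: user -> delegate)
// from `approver` until a user without automatic delegation is reached. Each hop
// is validated; reaching a user already in the chain is the loop case.
function resolveAutoDelegation(approval, approver, autoDelegates) {
  const chain = [approver];
  let current = approver;
  while (autoDelegates.has(current)) {
    const next = autoDelegates.get(current);
    if (chain.includes(next)) {
      return { ok: false, approver: null, chain, reason: "loop of automatic delegations" };
    }
    const err = delegationTargetError(approval, next);
    if (err) return { ok: false, approver: null, chain, reason: err };
    chain.push(next);
    current = next;
  }
  return { ok: true, approver: current, chain, reason: null };
}

// Resolves every candidate approver; a failed automatic delegation removes that
// approver, and the approval is declined if too few approvers remain.
function assignApprovers(approval, candidates, autoDelegates) {
  const approvers = [];
  const dropped = [];
  for (const candidate of candidates) {
    const r = resolveAutoDelegation(approval, candidate, autoDelegates);
    if (r.ok) {
      if (!approvers.includes(r.approver)) approvers.push(r.approver);
    } else {
      dropped.push({ candidate, reason: r.reason });
    }
  }
  return { approvers, dropped, declined: approvers.length < approval.requiredApprovals };
}
```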

8.1 Enabling Automatic Delegation from the "To Do" Tab


An approver can specify that all approvals will be forwarded to another user from the "To Do" tab.


Choose "Enable automatic delegation" to open the "Configure automatic delegation" dialog box:

Show
Select the entry type of the user. The default value is "Person". Only entry types defined as "Identity
entry type" are shown in the list.
and find
Enter (parts of) a user name and choose "Go".
The matching entries are shown in the list below. You can view details about the user by clicking the
user's unique ID.
Select the user you want to delegate approvals to.
Reason for delegation
Enter a reason why the approvals are delegated. This reason will be included in the notification
message that is sent to the new approver. Reason is optional.
Choose "Enable" to start forwarding approvals to the given user.
When automatic delegation is enabled, the "Enable automatic delegation" check box is selected.

8.2 Disabling Automatic Delegation from the "To Do" Tab


To disable automatic delegation, select "Enable automatic delegation" to open the "Configure
automatic delegation" dialog box.
Choose "Disable" to close the dialog box.


8.3 Enabling Automatic Delegation from a Task


You can configure a task for the User Interface with the attributes "MX_AUTODELEGATE_MSKEY"
and "MX_AUTODELEGATE_MESSAGE":

This can either be a self-service or a manager task:


Automatic delegation to
Choose "Select…" to open the "Add…" dialog box:

Make sure to select "Person" or another entry type defined as "Identity entry type" in the "Show" field
and enter a text to search for in the "and Find" field.
Choose "Search". All matching entries are displayed in the list.
Select a user and choose "Add".
Automatic delegation reason
Enter a reason why the approvals are delegated. This reason will be included in the notification
message that is sent to the new approver. Reason is optional.
Choose "Save" to complete the task.

8.4 Disabling Automatic Delegation from a Task


To disable automatic delegation, open the task for the given user:

Automatic delegation to
Choose "Remove" to the right of the field to remove the user.
Choose "Save" to complete the task.


9 Configuring a Conditional Approval


There are cases where you can programmatically decide whether the assignment is allowed or not. In
this scenario, when handling a role request, we can decide if a manual approval is required or not
based on the presence of a privilege. If the user has a specific privilege, s/he is regarded as pre-
approved and the request is automatically approved by the system. If not, a manual approval is
started.
The task structure (high-level) for doing this looks as follows:

First, we specify the criteria for doing a system approval. Then, based on these criteria, the
corresponding node of the switch task is executed. You can either do a system approve or decline, or
start the regular approval task.

9.1 Specifying the Criteria


The criteria for doing a system approval (or decline) are specified in the task "Criteria for approval
type":

The definition of the "To Generic" pass looks like this:

In this example, we check for the presence of the privilege "IsOK". If the user has this privilege, the
role request is automatically approved.


You could also specify roles that will result in a system approval, or privileges/roles that result in a
system decline.
The script DefineApprovalType is used to decide which action to take:
If the user has one of the roles/privileges defined as
PRIVILEGES_TO_HAVE/ROLES_TO_HAVE, the assignment request is approved by the
system. The context variable IDMAPPROVALTYPE is set to 0.
If the user has one of the roles/privileges defined as
PRIVILEGES_NOT_TO_HAVE/ROLES_NOT_TO_HAVE the assignment request is declined by
the system. The context variable IDMAPPROVALTYPE is set to 1.
If none of these criteria is fulfilled, the assignment request enters the normal approval process.
The context variable IDMAPPROVALTYPE is set to 3.
For the complete script, see section 9.6.

9.2 The Switch Task


The switch task "Check for approval type" uses an SQL query to decide which case node to execute
based on the outcome of the script:

The SQL query checks the value of the context variable that was set by the script and executes the
corresponding case node. The switch task has three case nodes:
0 (System decline)
1 (System approve)
2 (Regular approval)


9.2.1 The System Decline Task


The "System decline" node consists of an ordered task group with an action task that has a "To
identity store" pass.

The pass has the following definition:

The attribute "MX_ATTR_STATE" is set to 3 to indicate that the approval is declined.


9.2.2 The System Approve Task


The "System approve" node is similar to the "System decline" node:

The "To identity store" pass is defined in the following way:

The attribute "MX_ATTR_STATE" is set to 1 to indicate that the assignment request is approved.

9.2.3 The Regular Approval Task


If none of the other criteria is fulfilled, the assignment request will be handled by the normal approval
process. Here, the already existing approval task is linked:


9.3 Configuring the Role


The "Selective approval" task is defined as "Validate add" task for the role "ROLE:User":

When this role is requested, the task checks if the user has the privilege "IsOK" and assigns the role
without an approval. If not, the approval task is started in the normal way.

9.4 Configuring the User


We add the privilege "IsOK" to one of the users in the identity store that does not have the role yet:

This user is then regarded as "pre-approved", and will be assigned the role without approval.


9.5 Processing an Approval


When assigning the role to this user, it is assigned without any approval:

If a user without the privilege is assigned the role, an approval is required:


9.6 The "DefineApprovalType" Script


Below you find the script used in the "Criteria for approval type" job. This script reads the
roles/privileges defined in the pass and compares them to the roles/privileges of the user and sets a
context variable based on the outcome of that comparison.
// Main function: DefineApprovalType
function DefineApprovalType(Par){
    // The entry being processed is the pending value object of the assignment request
    var CurrentEntryID = uGetEntryID();
    var CurrentIDStore = uGetIDStore();
    var AuditID = uGetAuditID();

    var PendingUserMSKEY = CurrentEntryID;
    uInfo("PendingUserMSKEY : " + PendingUserMSKEY);
    var OutString = uSetContextVar("PENDINGUSERMSKEY", PendingUserMSKEY);
    var PendingUserName = Par.get("MSKEYVALUE");
    uInfo("PendingUserName : " + PendingUserName);
    OutString = uSetContextVar("PENDINGUSERNAME", PendingUserName);

    // MX_ENTRY_REFERENCE of the pending value object points to the user getting the assignment
    var ParentMSKEY = uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ENTRY_REFERENCE");
    uInfo("ParentMSKEY : " + ParentMSKEY);
    OutString = uSetContextVar("PARENTMSKEY", ParentMSKEY);
    var ParentName = uIS_GetValue(ParentMSKEY, CurrentIDStore, "MSKEYVALUE");
    uInfo("ParentName : " + ParentName);
    OutString = uSetContextVar("PARENTNAME", ParentName);

    // MX_ATTRIBUTE_VALUE holds the MSKEY of the requested privilege/role
    var PendingMSKEY = uIS_GetValue(CurrentEntryID, CurrentIDStore, "MX_ATTRIBUTE_VALUE");
    OutString = uSetContextVar("PENDINGPRIVROLEMSKEY", PendingMSKEY);
    uInfo("Pending privilege/role MSKEY : " + PendingMSKEY);
    var PendingName = uIS_GetValue(PendingMSKEY, CurrentIDStore, "MSKEYVALUE");
    OutString = uSetContextVar("PENDINGPNAME", PendingName);
    uInfo("PendingName : " + PendingName);

    // MSKEYVALUEs of the privileges/roles the user already has (active, executed links).
    // uSelect returns the rows as one string separated by "!!"; the separator is added at
    // both ends so that a listed name can only match a complete entry, not part of one.
    var validAssignments = uSelect("select mcOtherMSKEYVALUE from idmv_link_ext where" +
        " mcThisMsKey = " + ParentMSKEY +
        " and mcAttrName in ('MXREF_MX_PRIVILEGE', 'MXREF_MX_ROLE')" +
        " and mcLinkState = 0 and mcExecState = 1");
    validAssignments = "!!" + validAssignments + "!!";
    uInfo("validAssignments = " + validAssignments);

    // ----- NOT TO HAVE LIST -------------------------------------------------------

    // -- Privileges not to have
    var privsNotToHave = Par.get("PRIVILEGES_NOT_TO_HAVE");
    if(privsNotToHave == null)
        privsNotToHave = "";
    // -- Roles not to have
    var rolesNotToHave = Par.get("ROLES_NOT_TO_HAVE");
    if(rolesNotToHave == null)
        rolesNotToHave = "";

    // Both lists are "|"-separated; each entry is enclosed in one delimiter
    // character on each side, which substr(1, length-2) strips below
    var notToHave = privsNotToHave + "|" + rolesNotToHave;
    uInfo("notToHave = " + notToHave);
    var MsKeyList = notToHave.split("|");

    // Becomes "true" only if the user has every entry in the list
    var okToSystemDecline = "false";
    for(var ndx = 0; ndx < MsKeyList.length; ndx++){
        if(MsKeyList[ndx].length < 2)
            continue;

        var priv = "!!" + MsKeyList[ndx].substr(1, MsKeyList[ndx].length - 2) + "!!";
        uInfo("priv = " + priv);
        if(validAssignments.indexOf(priv) >= 0){
            okToSystemDecline = "true";
        }
        else {
            okToSystemDecline = "false";
            break;
        }
    }
    uInfo("okToSystemDecline = " + okToSystemDecline);

    // ----- TO HAVE LIST -------------------------------------------------------

    // If okToSystemDecline is true, then we system decline it regardless of any other
    // criteria.
    var okToSystemApprove = "false";
    if(okToSystemDecline == "false"){
        // -- Privileges to have
        var privsToHave = Par.get("PRIVILEGES_TO_HAVE");
        if(privsToHave == null)
            privsToHave = "";
        // -- Roles to have
        var rolesToHave = Par.get("ROLES_TO_HAVE");
        if(rolesToHave == null)
            rolesToHave = "";

        var toHave = privsToHave + "|" + rolesToHave;
        MsKeyList = toHave.split("|");

        // Becomes "true" only if the user has every entry in the list
        for(var ndx2 = 0; ndx2 < MsKeyList.length; ndx2++){
            if(MsKeyList[ndx2].length < 2)
                continue;

            var privToHave = "!!" + MsKeyList[ndx2].substr(1, MsKeyList[ndx2].length - 2) + "!!";
            if(validAssignments.indexOf(privToHave) >= 0){
                okToSystemApprove = "true";
            }
            else {
                okToSystemApprove = "false";
                break;
            }
        }
        uInfo("okToSystemApprove = " + okToSystemApprove);
    }

    // The context variable IDMAPPROVALTYPE selects the case node of the switch task
    // -- System Decline
    if(okToSystemDecline == "true"){
        OutString = uSetContextVar("IDMAPPROVALTYPE", "0");
    }
    else {
        if(okToSystemApprove == "true"){
            // -- System Approve
            OutString = uSetContextVar("IDMAPPROVALTYPE", "1");
        }
        else{
            // -- Normal Approval
            OutString = uSetContextVar("IDMAPPROVALTYPE", "2");
        }
    }
}


10 Using uIS_Approval to Remove an Approver


In some situations, it can be necessary to process approvals from the system. For instance, in a
situation where an approver is on long-term leave and there are approvals in queue for him. The
approvals will go into timeout/escalation, but that may take some time. In this situation we can remove
him as approver. For the approvals where he is one of several approvers, the approval will remain in
the "To Do" list of the other approvers. If he is the only approver, the approval will be declined.
In this case the user Christopher Wright has the following approvals in his "To Do" list:

For the requests for the role "ROLE:Manager", the user "Approver" is also defined as approver. For the
role "ROLE:User", he is the only approver.

10.1 Configuring the Job


To remove Christopher Wright as approver, we use a job:

In this sample, we use a hard-coded approver, defined with a job constant:

"3020" is the EmployeeID/MSKEYVALUE for Christopher Wright.


We use a "To Generic" pass that has the following SQL statement defined on the "Source" tab:

This SQL statement finds all approvals for the approver specified with the job constant.
The "Destination" tab is defined as follows:

For each ApprovalID for the given approver, the script "RemoveApprover" is called.


The script looks like this:

The script code:


// Main function: RemoveApprover
function RemoveApprover(Par){
    // ApprovalId is passed from the "Destination" tab of the "To Generic" pass
    var UniqueId = Par.get("ApprovalId");
    // %$REMOVE_APPROVER% is the job constant holding the approver's MSKEYVALUE ("3020");
    // it is substituted before the script runs, so the MSKEY is looked up here
    var ApproverMSKEY = uSelect("select mcMSKEY from mxiv_entry where mcMSKEYVALUE='" + %$REMOVE_APPROVER% + "'");
    // Operation 5 = remove approver, performed by the system (0), with a reason
    var Result = uIS_Approval(5, ApproverMSKEY, UniqueId, 0, "Long term leave");

    if (Result.indexOf("!ERROR") >= 0) {
        uError(Result);
    }
    return;
}
We call the function uIS_Approval to remove the approver from the list of approvers.
We need to provide the MSKEY of the approver and the ID of the approval, so these are retrieved
with the first statements in the script.
The u-function is called with the following parameters:
var Result = uIS_Approval(5,ApproverMSKEY,UniqueId,0,"Long term leave");
5 – Remove approver (Operation)
ApproverMSKEY – The MSKEY of the approver to remove
UniqueId – The approval ID
0 – Indicates that the operation was done by the system (as opposed to a user)
Long term leave – The reason for the operation
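Because the job above removes the approver from every approval he is on, and the guide shows that a request where he is the only approver is declined, it is worth previewing the effect before running it. The following is an added example, not code from the SAP guide: the approval records are constructed stand-ins for the rows the "To Generic" pass would return, and treating "fewer approvers left than required approvals" the same as "no approver left" is an assumption.

```javascript
// Added example (not from the SAP guide): preview what removing an approver does
// before a job calls uIS_Approval(5, ...). Records are constructed sample data;
// "3020" stands for Christopher Wright, "Approver" for the second approver.
const SAMPLE_APPROVALS = [
  { approvalId: "A-1", assignment: "ROLE:Manager", approvers: ["3020", "Approver"], requiredApprovals: 1 },
  { approvalId: "A-2", assignment: "ROLE:User", approvers: ["3020"], requiredApprovals: 1 },
  { approvalId: "A-3", assignment: "ROLE:Audit", approvers: ["3020", "Approver"], requiredApprovals: 2 },
  { approvalId: "A-4", assignment: "ROLE:User", approvers: ["Approver"], requiredApprovals: 1 },
];

// For each approval the approver is on, report who is left and the expected outcome.
// No approver left means a decline (as the guide shows for ROLE:User); declining when
// fewer approvers remain than approvals are still required is an assumption.
function previewRemoval(approvals, approver) {
  return approvals
    .filter((a) => a.approvers.includes(approver))
    .map((a) => {
      const remaining = a.approvers.filter((u) => u !== approver);
      const outcome = remaining.length < a.requiredApprovals ? "DECLINED" : "PENDING";
      return { approvalId: a.approvalId, assignment: a.assignment, remaining, outcome };
    });
}

// The approvals that would be declined outright: these are the ones to hand to
// another approver (for example by delegation, section 7) before the job runs.
function approvalsDeclinedBy(approvals, approver) {
  return previewRemoval(approvals, approver)
    .filter((p) => p.outcome === "DECLINED")
    .map((p) => p.approvalId);
}

// The arguments the job would pass to uIS_Approval for each affected approval:
// operation 5 (remove approver), the approver's MSKEY, the approval ID, 0 (system), reason.
function removalCalls(approvals, approver, approverMskey, reason) {
  return previewRemoval(approvals, approver).map((p) => [5, approverMskey, p.approvalId, 0, reason]);
}
```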


10.2 Running the Job


Run the job and make sure no errors occur. The "To Do" list for Christopher Wright is now empty:

If we look at one of the assignments for the role "ROLE:Manager", we see that Christopher Wright was
removed as approver, and Approver has approved the assignment:


The assignment request for the role "ROLE:User", where Christopher Wright was the only approver, is
declined:


11 Requiring Re-Authentication
To increase security, you can require re-authentication when processing an approval. When this is
enabled, the user will have to provide the login password to perform the operation.
This is configured in the approval task:

Re-authenticate
Select "Approval" to require re-authentication only when approving the request or "Always" if you
require re-authentication also when declining, delegating or escalating a request.

11.1 Processing the Approval


In this case we have specified that a re-authentication is required when approving a request. A
separate re-authentication dialog box appears when the request is approved:

The approver has to provide her/his password and choose "Confirm".


12 Managing Approvals
As a manager, you can get an overview of all approvals for approvers you are defined as a manager
for. Pending approvals are managed from the "Approval Management". The logged-in user must have
one of the following privileges:
MX_PRIV:MANAGED_APPROVALS:READONLY to be able to view pending approvals
MX_PRIV:MANAGED_APPROVALS:PROCESS to be able to decline or escalate the approval
How you configure access to the "Approval Management" tab is described in the document SAP
NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management
User Interface.

12.1 Listing Pending Approvals


The user "Manager" is defined as manager for the "Approver", who has one pending approval in his
list. The "Manager" sees this approval on the "Approval Management" tab:

Enter a search criterion in the "Find" field. This is a free-text search in the name of the user getting the
assignment, the name of the role/privilege, the approver and the context.
You can also use the advanced search (see below).
All approvals matching the search criterion are displayed in the list. The color of the status indicator
shows how many days are left before the approval expires.
Select an approval to show more information in the details view below.


12.2 Finding Approvals Using Advanced Search


If you need to narrow down the search result more than you can by using the basic search, you can
use the advanced search to specify more detailed search criteria.
Choose "Advanced" to open the advanced search panel:

Fill in the fields with the search criteria you want to use.
Approval Type
Select if you want to include all approvals, or only assignment or basic approvals.
Date
Enter a date range. This will find all approvals that have been changed within the period.
Consignee
Choose to the right of the field to open a dialog box where you can find a user you want to find
approvals for. You can only find approvals for one specific user.
Approver
Choose to the right of the field to open a dialog box where you can find an approver you want to
see approvals for. You can only find approvals for one specific approver.
Assigner
Choose to the right of the field to open a dialog box where you can find an assigner you want to
find approvals for. You can only find approvals for one specific assigner.
Context
Choose to the right of the field to open a dialog box where you can find a specific context to use as
search criterion. You can only find approvals for one specific context.
Assignment
Choose to the right of the field to open a dialog box where you can search for the role or privilege
that is requested for assignment. You can only search for approvals for one specific role or privilege.
Choose "Go" to start the search.


12.3 Declining a Pending Approval


Provided that you have the necessary privilege, you can decline a pending approval:

Choose "Decline".

Optionally, enter a reason why you are declining the approval.


Choose "Confirm" to complete the process.
When viewing the assignment details, you will see that the assignment request was declined:


12.4 Escalating a Pending Approval


Provided that you have the necessary privilege, you can escalate a pending approval. In this case, the
timeout rule of the given approval task is used, so the outcome of the escalation depends on how the
approval task is configured. It can either:
Decline the assignment
Escalate to the manager(s) of the approver(s)
Escalate to a new list of approvers
The behavior will be exactly as if the approval had timed out, but will be processed immediately and
not wait for the given timeout.

Choose "Escalate".

Optionally, enter a reason why you are escalating the approval.


Choose "Confirm" to complete the process.
The approval will be processed further according to the configuration of the approval task.

