Workflow Binding Duration
Setting a workflow binding’s Duration value allows a different template to be applied depending on how much time the requester asks for.
For example, if a user requests a short amount of time for access, the request could be approved by a small group of approvers, perhaps just their immediate manager or supervisor, or it could be auto-approved.
However, if a user requests a longer amount of time, say several hours or even days, then it should go through a more stringent review and approval process that may include additional managerial approval.
Let’s now show you how to configure this workflow in PAM. Our scenario is simple, but should provide a base level so that you can customize it to your specific needs.
We are going to apply a workflow binding to our IT member John.
When John needs to Connect to our production Unix server, he will need to first submit a request.
However, if John just needs to log in quickly to fix a production issue, we don’t want him to sit around and wait for many people to approve it, as time can become critical.
So, if John requests access to the server for less than 10 minutes, the request will be auto-approved.
Conversely, if John requests access for 10 or more minutes, then it will go through our normal, multi-tiered approval process and he will need to wait until it completes.
Before you begin, ensure that two workflow templates are already created. For our scenario, one will be auto-approved and the other will require at least two approvals in order to complete.
- Log in to the System as a user who has Owner permissions to your record or is a System Administrator.
- Open the record where this workflow will be applied and select Manage > Workflows.
- If not already unique, click the Make Unique button. For this scenario, we will make the record unique, but please note this is not required. You may apply this workflow configuration to a parent object and have it inherited by the child object(s) as well.
- Click the Add button to create a new workflow binding on this record.
- Configure your workflow binding using the following as an example. This will be an example of applying the workflow template for an extended amount of requested time (10 or more minutes).
  - Workflow Template: Select your multi-step approval template. In our scenario this will be our Production Server Approval template.
  - Users: Apply the binding to a user(s) or group(s).
  - IP Filter: Leave empty.
  - Actions: Enable at least one action. We will choose Connect Control for this example.
  - Time Selectors: Enable at least one time selector. We will choose Work Hours because we are doing this during business hours.
  - Duration: Enter a value of 10. Now when a user requests an extended period of time to this record (10 or more minutes), this binding and ultimately this template will be applied to their submitted request.
  - Checkout: Choose a value as required.
  - Weight: Choose a value as required.
- Click the Save button to complete your first binding.
Now we are going to create another workflow binding that will be applied when a user requests access for a brief amount of time (less than 10 minutes).
- Click the Add button to create a new workflow binding on this record.
- Configure your workflow binding exactly as you did in the previous steps with the exception of Workflow Template and Duration.
  - Workflow Template: Select your automatically approved template. In our scenario this will be our Auto Approved template.
  - Duration: Leave this empty. While this configuration typically means any requested time will have this template applied, in this scenario when the workflow engine evaluates this binding against our first (because they are identical in user and access), it actually applies this binding and its template for any requests less than 10 minutes.
- Click the Save button to complete your second binding.
Return to the record’s Workflow Bindings page (Manage > Workflows) and you should now see two bindings displayed, the only differences being in the Workflow Template and Duration.
Now let’s test these bindings.
- Log in to the System with the user account that has these bindings applied and navigate to this record.
- Click on the Request Connect button to open the Request Access dialog.
- In the Requested Minutes field, enter a value of 5. Because this value is less than our Duration of 10, our first, Auto Approved template will be applied as shown in the Workflow Template field.
- In the Requested Minutes field, enter a value of 120. Because this value is greater than our Duration of 10, our second, Production Server Approval template will be applied as shown in the Workflow Template field.
To summarize, think of Duration as setting the threshold between applying the two workflow templates.
When the Duration is empty, it means any requested time period from one to a million minutes, but when you create that second near-identical binding with a duration defined, it sets the cutoff.
In our example, the first binding defines the threshold at 10 or more minutes and the second binding with an undefined (empty) duration covers the remaining possible times (less than 10).
If either of these requests is submitted, the appropriate template is applied and a notification is sent to the required Approvers.
Now that this concept is hopefully clearer, feel free to return to the bindings and modify them as needed to fulfill your business requirements.
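The threshold behaviour summarized above can be sketched as a small model that also reports the longest request granted with no human approver, which is the number to check when reviewing such a pair of bindings. This is an added example, not PAM's own code. The `Binding` class, its `auto_approved` flag and both function names are assumptions, Weight, IP Filter and Time Selectors are ignored, and with more than two bindings it assumes the highest threshold not exceeding the request wins.

```python
from dataclasses import dataclass
from typing import Optional

MAX_MINUTES = 1_000_000  # upper bound the page gives for an empty Duration


@dataclass(frozen=True)
class Binding:
    template: str
    duration: Optional[int]  # minutes; None models an empty Duration field
    auto_approved: bool      # assumed flag: template needs no human approver


def select_binding(bindings, requested_minutes):
    """Pick the binding whose Duration threshold covers the request.

    A binding with a Duration applies at that many minutes or more; a binding
    with an empty Duration covers whatever the others leave over.
    """
    if not 1 <= requested_minutes <= MAX_MINUTES:
        raise ValueError("requested minutes out of range")
    eligible = [b for b in bindings
                if b.duration is None or requested_minutes >= b.duration]
    if not eligible:
        return None  # no binding covers a request this short
    return max(eligible, key=lambda b: -1 if b.duration is None else b.duration)


def longest_auto_approved(bindings):
    """Largest request (minutes) granted without a human approver, 0 if none."""
    # The selected binding only changes at a threshold, so it is enough to
    # test the top of each interval: one minute below each Duration, and the max.
    tops = {MAX_MINUTES} | {b.duration - 1 for b in bindings
                            if b.duration is not None and b.duration > 1}
    for minutes in sorted(tops, reverse=True):
        chosen = select_binding(bindings, minutes)
        if chosen is not None and chosen.auto_approved:
            return minutes
    return 0


# The two bindings from this page's scenario.
SCENARIO = [
    Binding("Production Server Approval", duration=10, auto_approved=False),
    Binding("Auto Approved", duration=None, auto_approved=True),
]
# The same record if the Duration binding is missing: auto-approval has no cutoff.
NO_CUTOFF = [Binding("Auto Approved", duration=None, auto_approved=True)]
```

In this model, a request of exactly 10 minutes falls on the multi-approval side, and `longest_auto_approved(NO_CUTOFF)` returns the full one-million-minute range.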