Designing Workflow Templates
When constructing your Workflows, it is crucial that you understand Workflow Templates so that you can build an effective approval process.
In this article, the following terms will be used.
- Template: The template is the component of the Approval Workflow that defines which approver(s) must approve or reject the access request.
- Requester: The principal that initiates the access request to an object or action.
- Approver(s): The principal(s) that are designated in the template who either approve or reject the access request.
- Rank: The total number of approvals required to advance the workflow to the next step.
- Step(s): The steps required to be completed before the access request is granted.
The first step in constructing any successful workflow is designing a well thought out plan.
Ask yourself, when a user makes a certain request, who should be responsible for its approval and how should this approval process flow?
Let’s begin by designing a common approval workflow example.
Our scenario is a member of our IT department, John, needs to access the Active Directory Domain Controller at 10AM on a Saturday morning.
This is not business hours, so needing to access this privileged system during this time period is quite uncommon.
For this reason John requests access and the workflow process begins.
For our design, this scenario will require that John receives approval from both of his immediate Supervisors, Bill and Linda, that way they know that he needs access and they can further question his need if applicable.
Furthermore, because this is deemed a highly privileged system and the request is happening outside of normal operating business hours, our CIO, Daryl, will also need to consent.
In the end, this means that John will need approval from both Bill and Linda and then Daryl before his access to the AD controller is granted.
Template Planning
Now that we have the plan, let’s get started constructing our template.
-
Workflow templates can be globally created meaning they will be available for use with any workflow binding or they can be created in a vault where they can only be used with workflow bindings in this specific vault.
-
If you wish to create a global workflow template, login to PAM as a System Administrator and navigate to Administration > Workflows > Templates.
-
If you wish to create a vault workflow template, login to PAM with an account that has Record Control: Owner permission to the vault and in this vault navigate to Manage > Workflows > Templates.
-
- Click the Add button to create a new Template.
- Enter a unique Name for this Template. Later on, we will use this Template with a Binding referencing this name so make sure you enter something recognizable like Highly Privileged Off Hours Approval.
- Next to Step 1, click the Add button.
-
When the Add Approver dialog appears, we are going to enter the account name of John’s first supervisor, Bill, and click Add. Then we are going to add the account name of John’s second supervisor, Linda, and again click Add. Both of John’s supervisors should now be shown in the Selected Principals section of the dialog.
-
For Rank, enter the value 2. Rank 2 means that a total of two approvals will be needed in order to advance to the next step and since two principals are defined, both will be required.
-
Click the Select button to complete the constructing of this step.
-
With Step 1 complete, click the Add Step button to add Step 2.
-
When Step 2 appears, click its Add button to begin the construction.
-
When the Add Approver dialog appears, we are going to enter the account name of John’s CIO Daryl and click Add. Daryl’s account should now be displayed in the Selected Principals section.
-
For Rank, we are going to enter a value of 1 because for Step 2, only one approval, Daryl’s, will be required to advance the workflow.
-
Click the Select button to complete the constructing of this step.
-
Our Workflow Template is now constructed. Click the Save button to complete the template.
To summarize, this template consists of two steps.
Step 1 requires the approval of two principals, both of which are defined by their accounts, before it advances to Step 2 which requires only a single approval before it completes which ultimately means the access request is granted to the requester.
As with any approval workflow in PAM, this logic is based on the Approver(s) actually approving the request.
If any Approver at any step decides to Reject the access request, then the workflow is completed and the Requestor’s access request is denied.
At this time, the Requestor would need to create a new access request and its approval would then begin again at Step 1.
Alternative Configurations
Here are a few alternative configurations and scenarios for our example workflow.
-
Chain of Command Approval: If John’s supervisor, Bill and Linda, do not share equal responsibilities, then you can separate them into additional steps.
Step 1, Bill (rank 1), Step 2, Linda (rank 1) and finally Step 3, Daryl (rank 1).
This will ensure that Bill is notified and approves first, then Linda is notified and approves before Daryl receives his notification and finally signs off on the request.
-
Group Approval: If an IT department group exists, then rather than specifying specific users (Bill and Linda) the group’s membership can be used.
Step 1, IT Dept Group (rank 2) and Step 2, Daryl (rank 1).
This creates the scenario where every user in the IT Dept Group will be notified of the request and any two members will need to approve before it advances to Daryl in Step 2.
Please note that if you incorporate Group’s in your template steps, be careful that your ranking is not greater than the number of members in the group. For example, if your IT Dept Group has a rank of 5, but only three members exist than this step will not be able to advance since there are not five principals (group members) to approve. Due to the dynamic nature of Groups, if the group membership today is 5, tomorrow it may be 7 and next week it may be 4, ensuring the Rank never exceeds the total number of group members is key to a successful approval plan.
-
Group and Principal Approval: This is a combination of both Groups used as Principals as well as specific users.
We want at least two members of the IT Dept Group (rank 3) to approve and we want Linda, who is not a member of this group, to be given the opportunity as well (rank 3).
This also constructs the scenario where Linda is “virtually” included in the IT Dept Group without having to actually include her in the group.
-
Multiple Group Approval: We could also use two or more Groups in a Step.
For example, we want two members of the IT Dept Group (rank 2) and three members of the Security Dept Group (rank 3).
This creates a priority status approval process where only two member of the IT Dept Group, three members of the Security Dept Group or a combination of both could be used to advance the Step (1 member of IT plus 1 member of Security would equal rank 2).
-
Emergency Approval: This creates an “emergency” principal associated to one or multiple steps by assigning a rank 1 to their principal.
IT Dept Group (rank 2) plus Linda (rank 1) creates the situation where the IT Dept Group would approve with two approving members or Linda may advance the entire step herself by simply approving the request first.
This is particularly useful if the template is used for workflows during emergency off-peak times when it is more likely that many of the principals may not be available (overnight, weekends or holidays) to approve a step.
As you can tell by just a few of these examples, the flexibility provided with multiple approvers, ranked approvers and multiple steps allows for the construction of a number of different templates that can be created to meet most approval requirements.
