There is a fixed list of operations for which different approval levels can be set. Because metadata can be defined for a specific action, the approval level can be set very granularly (practically down to the value of a selected field). Approval can be assigned to a specific person or to a group of persons, or it can be a self-approval done by entering an OTP.


Available actions for user with appropriate privileges:

Add approvable operation

New approval operation configuration

View metadata

Display metadata for the specified approval operation - metadata are parameters that can be used for a more precise definition of approvable configurations

Add approval configuration

Create specific configuration of approval process.

E.g. add approval by group or specific user (beside OTP approval)

Note: approval configuration can be modified only if there is no active approval task waiting for approval.

Create metadata rules

Create even more detailed configuration of approval process

E.g. add specific configuration for onboarding user to specific group to be approved by specific user

Note: new rule can be created or adjusted only if there is no active approval task waiting for approval.

Delete approvable operation

Delete action - the button is available only when no approval request is pending for the specific action.

E.g. when an onboarding approval is waiting for the decision of more users from a specific group, the onboard_user action can't be deleted.


List of actions for which the approval can be set:

Onboard user

approval of the onboarding action done from Selfservice or Operational console - approval is done before the user gets the invitation email

Delete user

approval of deleting user from the list of users in Operational console

Selfservice token operation

approval of the enrollment of the new token, disable or delete operations in the Selfservice

Unenroll user

approval of un-enrolling user from the list of users in Operational console

Delete approval action

approval of the deletion of the approval action

vSEC card revoke

approval of revoking a vSEC card, done from the list of vSEC cards in Operational console

Toggle approval configuration

approval of the disable or enable of approval configuration within the approval action

Operational console token operation

approval of the enrollment and other operations on tokens done on behalf (by operators)

Assign / Unassign ANT ID group

approval of assigning or unassigning of internal groups done by operators from operator console

User field operation on behalf

approval of actions on user field done by operators from operator console 

User field operation

approval of actions on user fields done by user on Selfservice portal

Assign / Unassign external group

approval of assigning or unassigning of external groups done by operators from operator console


Basic rules for approval configuration:

1

Every predefined action can be set as approvable action

The list of actions is predefined.

How to create an approvable action

2

Every action can have multiple approval configurations.

Depends on the needs of the specific client.

How to create an approval configuration

3

Every configuration can have its own set of rules.

Rules are based on the metadata predefined for every action

How to create metadata rules for approval configurations


Approval process:

1. When a user/operator requests one of the actions described above in ANT ID, the system collects the relevant metadata.

2. The system will check if there is any rule related to the approved action where the metadata matches the rule definition.

     - If so, then the configuration containing the specific rule is activated and ANT ID requests approval of the action -> requests OTP or sends an email to the approver/group of approvers

     - If not, then the configuration is activated at a general level and ANT ID requests an approval action -> requests an OTP or sends an email to the approvers/approval group.


Go to Examples of configuration of approval process page.


Create an operation for approval

1

Open the Approval configuration menu option in the TAC menu.

2

Press the Add operation button to add a new approvable operation

3

Select an operation from the list and press the Add button.


Notes:

  • every predefined operation has its own set of metadata relevant to the meaning of the operation




View metadata

1

Open the Approval configuration menu option in the TAC menu.

2

List of approval operations will be displayed.

3

Use the View metadata option from the context menu of the desired operation to display the list of metadata.




Create an approval configuration of operation

1

Open the Approval configuration menu option in the TAC menu.

2

List of approval operations will be displayed.

3

Use the button to expand the row of the table to display all approval configurations.

  • Note: every operation has its own default configuration - mostly of OTP type - where the action is approved by the user himself by entering an OTP from any of his enrolled tokens

4

Press the Add configuration button on the right side of the expanded table.




5

The creation form will be opened.


Parameters of configuration:

  • Priority - the higher number, the higher priority - configuration with the highest number will be used first
  • Approval type:
    • OTP - the action will be approved by user himself by entering the OTP generated on any of his tokens
      • validity in minutes can be defined - the approval stays valid for that amount of time, so the user can do more approvable operations with one approval
    • USER - the action will be approved by specific user
      • select specific user by his username
    • GROUP - the action will be approved by number of users of specific group
      • insert group email where the notification will be sent
      • select specific group from the list
      • insert the number of group members who have to approve the request
    • NONE - the action won't need any approvals
    • REJECT - the approval of the specific action will be automatically rejected

6

Press button Add and new configuration item will be displayed in the list of configurations


7

The configuration is created inactive (and only an inactive configuration can be changed or deleted) - to activate the configuration, press the Activate button from the context menu of the new configuration.


8

The approval configuration is finished and will be applied in the process.





Create metadata for configuration

1

Open the Approval configuration menu option in the TAC menu.

2

List of approval operations will be displayed.

3

Use the button to expand the row of the table to display all approval configurations

4

Click on the row of the desired approval configuration.

5

The drawer with the detail of the approval configuration will be opened. The Rules tab shows all metadata configurations set on the approval configuration.

6

Press the Add button in the Rules tab.

7

Select Metadata, Operation and Value


Parameters of rules:

  • Metadata ID - select specific metadata - for specific type of approval:
    • requestor_group - specify requestor's group
    • requestor_name - specify requestor's name
    • requestor_id - specify requestor's id from the list
    • target_user_id - specify target's id from the list
    • target_user_name - specify target's name
    • target_user_groups - specify target's group from the list
    • target_user_username - specify target's username from the list
  • Operation - select operation
    • EQUALS - rule is activated when the value of the metadata equals the value from the Value field
    • CONTAINS - rule is activated when the value of the metadata contains the string from the Value field
    • STARTS_WITH - rule is activated when the value of the metadata starts with the value from the Value field
    • ... and others (Any substring, Any start with, Contains (ignore case), Starts with (ignore case), Equals (ignore case), Any substring (ignore case), Any start with (ignore case))
  • Value - string which is compared with the value of metadata

8

Press Add button when it is done to save the Rule.
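
An added example, not ANT ID code: a small Python model of the selection described under "Approval process" combined with the rule parameters above, for checking offline which configuration a request would fall under. It assumes that all rules of a configuration must match, that metadata values are plain strings, and that the highest Priority wins among matching configurations; the configuration names and request metadata are constructed.

```python
from dataclasses import dataclass, field

# Only the three operations the page defines; the other listed ones are left out.
OPS = {
    "EQUALS": lambda actual, value: actual == value,
    "CONTAINS": lambda actual, value: value in actual,
    "STARTS_WITH": lambda actual, value: actual.startswith(value),
}

@dataclass
class Rule:
    metadata_id: str
    operation: str
    value: str
    def matches(self, metadata):
        actual = metadata.get(self.metadata_id)
        return actual is not None and OPS[self.operation](actual, self.value)

@dataclass
class Config:
    name: str
    priority: int
    approval_type: str              # OTP, USER, GROUP, NONE or REJECT
    rules: list = field(default_factory=list)
    active: bool = True             # inactive configurations are ignored

def select_config(configs, metadata):
    """Pick the configuration this model activates for one request."""
    live = [c for c in configs if c.active]
    # Assumption: a configuration applies only if all of its rules match.
    specific = [c for c in live if c.rules and all(r.matches(metadata) for r in c.rules)]
    pool = specific or [c for c in live if not c.rules]   # else the general level
    return max(pool, key=lambda c: c.priority) if pool else None

def without_approval(configs, requests):
    """Return the sample requests that resolve to approval type NONE."""
    return [m for m in requests if (c := select_config(configs, m)) and c.approval_type == "NONE"]

# Constructed sample data: onboard_user configurations and request metadata.
ONBOARD = [
    Config("default-otp", 1, "OTP"),
    Config("admins-by-group", 10, "GROUP", [Rule("target_user_groups", "CONTAINS", "admin")]),
    Config("external-skip", 20, "NONE", [Rule("target_user_username", "STARTS_WITH", "ext")]),
]
REQUESTS = [
    {"target_user_groups": "staff", "target_user_username": "jdoe"},
    {"target_user_groups": "admins", "target_user_username": "jdoe"},
    {"target_user_groups": "admins", "target_user_username": "ext-lee"},
]
```

In the sample data the third request matches both rule-based configurations, and the higher-priority NONE configuration shadows the GROUP one. Overlaps of this kind are worth looking for before a configuration is activated.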





Delete approvable operation

1

Open the Approval configuration menu option in the TAC menu.

2

List of approval operations will be displayed.

3

Use the Delete option from the context menu of the desired operation.

4

Confirm the confirmation message and press DELETE button to remove the operation.

From this moment all actions of the removed operation will not be involved in the approval process.