
Understanding Approval Steps in EmpowerID

Approval Steps are modular components within an Approval Flow Policy. Each step represents a stage in the approval process for access requests submitted through the IAM Shop. Steps can evaluate entire requests or allow item-level decisions. They are integral to implementing multi-tiered approval strategies and aligning access governance with organizational policies.

Key Concepts

Publishing and Version Control

Approval Steps must be published to be used in production workflows:

  • Click the Publish button to activate the step after configuration.
  • EmpowerID supports versioning, allowing changes to be published without affecting approvals already in progress. Only new requests use the latest version.

This mechanism enables administrators to evolve approval logic safely and incrementally.

Figure: Approval step lifecycle from draft to versioned use in policies

Resolver Rules and the Four-Eyes Principle

The Four-Eyes Principle is a governance safeguard requiring that no individual approve their own access request. Resolver Rules in EmpowerID help support this by defining who receives approval tasks. These rules can be configured to:

  • Route tasks to specific individuals (e.g., a manager, owner, or role).
  • Support separation of duties by ensuring approvers do not review their own requests or those affecting them directly.

For example, using the "Initiator Manager" rule ensures that the initiator does not approve their own request.

Figure: Resolver rules can enforce separation of duties by excluding initiators and targets from the approver pool
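
The following Python example is added here for illustration and is not EmpowerID code or its API. It shows the exclusion logic described above: the initiator and target are removed from whatever pool a resolver returns, an emptied pool falls back to an escalation pool, and recorded decisions are audited for self-approval. The names `Request`, `resolve_approvers` and `four_eyes_violations`, and all sample data, are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    request_id: str
    initiator: str
    target: str  # person who would receive the access

def _eligible(request, pool):
    # Drop initiator and target (case-insensitive), keep order, de-duplicate.
    excluded = {request.initiator.lower(), request.target.lower()}
    return [p for p in dict.fromkeys(pool) if p.lower() not in excluded]

def resolve_approvers(request, candidates, escalation_pool):
    """Return (approvers, escalated).

    candidates: what a resolver produced (manager lookup, static group, ...).
    escalation_pool: fallback used when exclusion leaves nobody to approve.
    """
    approvers = _eligible(request, candidates)
    if approvers:
        return approvers, False
    fallback = _eligible(request, escalation_pool)
    if not fallback:
        # Fail closed: never route a task back to the initiator or target.
        raise LookupError(f"{request.request_id}: no eligible approver")
    return fallback, True

def four_eyes_violations(requests, decisions):
    """Audit (request_id, approver) pairs for self-approval."""
    by_id = {r.request_id: r for r in requests}
    findings = []
    for request_id, approver in decisions:
        r = by_id[request_id]
        if approver.lower() == r.initiator.lower():
            findings.append((request_id, approver, "approver is initiator"))
        elif approver.lower() == r.target.lower():
            findings.append((request_id, approver, "approver is target"))
    return findings

# Constructed sample data (hypothetical identities).
REQUESTS = [
    Request("REQ-1", initiator="alice", target="alice"),  # self-service request
    Request("REQ-2", initiator="bob", target="carol"),    # requested on behalf of carol
    Request("REQ-3", initiator="dana", target="dana"),    # dana has no manager but herself
]
STATIC_GROUP = ["alice", "carol", "erin"]  # static group that contains requesters
ESCALATION = ["frank"]
```

The third request shows the edge case where a manager-based lookup returns the initiator herself, so the task must escalate rather than resolve to a self-approval.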

Step-Level Fulfillment and Escalation

Approval Steps can optionally execute logic when a decision is made. This is known as step-level fulfillment and is often used to:

  • Log decisions
  • Trigger notifications
  • Halt request processing early upon rejection

Each step should also include an Escalation Policy to ensure unaddressed tasks are reassigned after a defined timeframe, improving responsiveness and accountability.

Item-Level Approval

When enabled, Item-Level Approval allows approvers to accept or reject specific items within a request. This is useful when:

  • A request contains multiple unrelated resources
  • Different items require distinct review or risk evaluation

Figure: Comparison of step-level approval versus item-level approval behavior

Best Practices

  • Use descriptive names and descriptions to promote clarity and effective auditing.
  • Avoid static resolver groups that may inadvertently include initiators or targets.
  • Test Approval Steps in a development environment prior to publishing.
  • Document the purpose and scope of each step to support transparency and maintenance.
  • Review escalation and fulfillment settings regularly to align with evolving policy and compliance needs.