Understanding Resourceless Approval Workflows for Person Onboarding
Purpose
When onboarding new individuals into EmpowerID, a unique challenge arises: how should approval workflows function when the person's final ResourceID is not yet established? This article explains the concept of resourceless approval workflows and how they ensure proper authorization during the transitional period of person onboarding.
This article helps you understand:
- What a resourceless onboarding state is
- Why it occurs and how it affects approval routing
- How EmpowerID maintains workflow security and continuity
- How to configure routing logic and system fields to support it
The Resourceless State
What Creates a Resourceless Condition
During onboarding, EmpowerID may not have the final ResourceID immediately available. In these cases, the system enters a resourceless state, using placeholder values until the correct ResourceID is assigned.
This is not an error condition but a common transitional stage when resource identification is pending. It allows workflows to proceed without prematurely blocking progress.
Why Resourceless Approval Logic Is Necessary
All approval workflows in EmpowerID rely on RBAC-defined approvers. Traditional RBAC routing depends on knowing the person's resource context—like their department or organizational unit. Without a ResourceID, that context isn't available.
The resourceless approval model solves this by routing approvals through global fallback approvers until the final resource information becomes available.
During this stage, the approval request is temporarily routed through a global fallback process—similar to routing a package to a central hub before the final destination is confirmed. This ensures the request moves forward securely until full identity details are available.
How Resourceless Approval Routing Works
Visual Workflow
The diagram below illustrates how EmpowerID routes approval requests during a resourceless onboarding:

Stage 1: Global-Level Approval for Resourceless Requests
When no valid ResourceID exists at the time of the request:
- The system generates a placeholder ResourceID.
- Approvals are routed solely to global RBAC approvers.
This ensures that no request proceeds without proper oversight, even when identity details are incomplete.
Stage 2: Transition to Resource-Based Approvals
Once the ResourceID is assigned:
- EmpowerID re-evaluates the request.
- Routing logic shifts to item-level RBAC approvers based on attributes like department or role.
Multiple items in the same onboarding request can now have their own granular approval logic, if applicable.
Required System Information
Essential Configuration Parameters
To properly route approvals at both stages, the following fields must be included in the onboarding request:
{
  "request_data": {
    "target_resource_type_id": "[ID of resource type, e.g. Person]",
    "additional_resource_id": "[ID of org unit or context]"
  }
}
| Field | Purpose |
|---|---|
| target_resource_type_id | Identifies what type of resource is being onboarded. |
| additional_resource_id | Specifies the org context for RBAC logic. |
If these fields are not set, approval routing may fail or revert to ineffective defaults.
Supported Operations
EmpowerID supports both standard and custom onboarding workflows:
- Create (default operation)
- Custom: Ensure custom operations comply with resourceless logic and provide the necessary fields.
Organizational Context Handling
- Location-based or organizational approvals are supported using additional_resource_id.
- Manager-based references are not supported in resourceless workflows.
- Ensure the additional_resource_id accurately reflects the appropriate RBAC scope.
Resourceless Workflow Example
Let's walk through a typical example of how this works:
- Request Initiation: An onboarding request is submitted, but no final ResourceID exists. A placeholder ID is assigned.
- Resourceless Approval: The system routes the approval to global-level RBAC approvers.
- Resource Assignment: Backend processes assign the real ResourceID to the person.
- Granular Routing: With the identity finalized, the system re-routes future tasks or item approvals to the appropriate item-level RBAC approvers.
- Verification: Admins confirm that the required fields (target_resource_type_id, additional_resource_id) were set correctly, ensuring accurate approval routing.
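The two routing stages and the required-field check from the walkthrough above, modelled locally as an added Python example (not EmpowerID code or its API). Only request_data, target_resource_type_id and additional_resource_id come from this article; the function names, the use of None for the resourceless state, and the sample IDs and approvers are assumptions made for illustration.

```python
# Added illustration: a local model of the two-stage routing, not EmpowerID code.
# Only request_data, target_resource_type_id and additional_resource_id come
# from the article; every other name and sample value is hypothetical.
REQUIRED_FIELDS = ("target_resource_type_id", "additional_resource_id")


def missing_fields(request):
    """Return the required request_data fields that are absent or blank."""
    data = request.get("request_data")
    if not isinstance(data, dict):
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS
            if data.get(f) is None or not str(data[f]).strip()]


def route_approval(request, resource_id, global_approvers, item_approvers):
    """Pick the approver set for the current onboarding stage.

    resource_id is None while the person is resourceless (assumption: the
    caller maps the placeholder ResourceID to None). item_approvers maps an
    additional_resource_id to its approver list (constructed data).
    This example raises ValueError rather than using a default, so a
    malformed request never proceeds without an approver.
    """
    missing = missing_fields(request)
    if missing:
        raise ValueError("request_data missing: " + ", ".join(missing))
    if resource_id is None:
        # Stage 1: no final ResourceID yet, only global RBAC approvers decide.
        if not global_approvers:
            raise ValueError("no global approvers configured")
        return "global", list(global_approvers)
    # Stage 2: ResourceID assigned, route by organizational context.
    scope = request["request_data"]["additional_resource_id"]
    approvers = item_approvers.get(scope)
    if not approvers:
        raise ValueError(f"no item-level approvers for scope {scope!r}")
    return "item", list(approvers)


# Constructed sample data.
SAMPLE_REQUEST = {"request_data": {"target_resource_type_id": "person-type-id",
                                   "additional_resource_id": "org-unit-42"}}
GLOBAL = ["global-approver-a"]
ITEM = {"org-unit-42": ["org-unit-42-approver"]}

if __name__ == "__main__":
    print(route_approval(SAMPLE_REQUEST, None, GLOBAL, ITEM))
    print(route_approval(SAMPLE_REQUEST, "res-1001", GLOBAL, ITEM))
```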
Key Design Principles
Security Through Consistent Authorization
Resourceless approval ensures that workflows never bypass RBAC approval logic—even when identity details are incomplete.
Workflow Continuity
This model allows onboarding to begin immediately, avoiding delays that would otherwise occur if the process had to wait for finalized ResourceIDs.
Context-Aware Evolution
Once full identity context is available, approval logic dynamically shifts from global to specific routing, maintaining both agility and compliance.
This resourceless approval model provides a foundation for flexible, secure onboarding workflows in EmpowerID. By understanding and correctly configuring this pattern, administrators can ensure approval continuity, maintain security compliance, and support operational efficiency even when identity data is provisioned incrementally.