Skip to main content

EmpowerID Admin Lab 17: Configuring Approval Flow and Access Request Policies

Purpose

This lab guides you through configuring a multi-step approval flow in EmpowerID. You’ll build an escalation policy, create an approval step involving a security oversight team, configure an approval flow with multiple levels of review, and tie it all together with an access request policy. You'll then make a group requestable under this policy and walk through submitting, approving, and fulfilling the request with a time-limited membership.

Prerequisites

  1. Access to the EmpowerID training environment.
  2. Familiarity with approval steps, policies, escalation handling, and access requests.
  3. At least one Active Directory group available for configuration.

Steps

1. Create a Management Role for the Security Oversight Team

This role will serve as the approver group for one of the approval steps.

  1. Navigate to Role Management > Management Roles.
  2. Click to run the Onboard Management Role workflow.
  3. Enter the following information:
    • Name: Security Oversight Team
    • Location: Temporary
    • Responsible Party: Yourself
    • Mark as Requestable in IAM Shop: Enabled
    • Access Request Policy: Default Access Request Policy
  4. Click Next, skip any group assignments or permanent members, and submit the workflow.
  5. After creation, open the role and go to the Members tab. Add yourself so you can participate in approvals later.

2. Create an Escalation Policy

This policy defines what happens if an approver doesn’t respond promptly.

  1. Go to Low Code / No Code Workflows > Approval Policies > Escalation Policies.
  2. Click + to create a new policy named Frequent Escalation.
  3. Add escalation steps:
    • Day 1: Notify Approvers Day 1 – sends a reminder.
    • Day 2: Notify Approvers Day 2 – sends a second reminder.
    • Day 3: Reject on Close – auto-rejects the request if no decision has been made.
  4. Save the escalation policy.

3. Create the Security Oversight Approval Step

  1. Navigate to Approval Policies > Approval Steps.
  2. Click + to create a new approval step:
    • Name: Security Oversight Approval
    • Escalation Policy: Frequent Escalation
  3. Set the Approver Resolver Rule to Static Approver by Management Role.
  4. Assign the Security Oversight Team role as the approver.
  5. Set a Fallback Approver—such as Lab Admin—in case the primary approvers are unavailable.
  6. Save the step and click Publish so it’s available to use in an approval flow.

4. Create the Approval Flow Policy

Now you’ll define the full approval chain.

  1. Navigate to Approval Policies > Approval Flow Policies.
  2. Click + to create a new policy:
    • Name: Line Manager - Security Oversight - Owner Approval
  3. Save and reopen the policy to add steps.
  4. Add the following in order:
    • Step 1: Line Manager Approval
    • Step 2: Security Oversight Approval (your new custom step)
    • Step 3: Resource Owner Approval
  5. Leave all conditional logic as Send for Approval for each step.
  6. Save and Publish the approval flow policy.

5. Create the Access Request Policy

This policy defines how users can request access and how approvals are handled.

  1. Go to Access Request Policies.
  2. Create a new policy:
    • Name: Security Oversight Approval Required
    • Selectable in UI: Yes
    • Approval Flow Policy: Line Manager - Security Oversight - Owner Approval
    • Default Duration: 2880 minutes (48 hours)
    • Maximum Duration: 2880 minutes
    • Allow Duration Selection: No
  3. Save the policy.

If saving fails, check that your approval flow and steps are properly published.

6. Assign the Access Request Policy to a Group

You’ll now make the Executive Reports group requestable with the new policy.

  1. Navigate to Identity Administration > Groups.
  2. Locate the Executive Reports group under the Restricted Groups OU.
  3. Assign the following:
    • Access Request Policy: Security Oversight Approval Required
    • Responsible Party: Yourself (you’ll approve ownership requests)
    • Publish in IAM Shop: Enabled
    • Description: Brief explanation of the group’s purpose
  4. Go to the Advanced > Eligibility tab:
    • Type: Eligible
    • Assignee Type: Business Role and Location
    • Assignment: All Employee Roles in All Business Locations
  5. Save your changes.

7. Test the Approval Flow via IAM Shop

  1. Open IAM Shop > Shop for Access.
  2. Confirm the Executive Reports group appears.
  3. Click Shop for Someone Else, and choose Susan Cabrera.
  4. Add the Executive Reports group to the cart.
  5. Submit the request.

Approval Testing and Fulfillment

  1. Go to Business Requests to monitor the submitted request.
  2. You should see all three approval steps in the flow:
    • Line Manager Approval
    • Security Oversight Approval
    • Resource Owner Approval
  3. If needed, assign yourself as Susan's temporary Line Manager to proceed.
  4. Approve each step:
    • Approve as Line Manager
    • Approve as Security Oversight Team member
    • Approve as Resource Owner
  5. Once all steps are approved, monitor the Fulfillment Status.
  6. Navigate to the Executive Reports group:
    • Confirm Susan Cabrera has been added as a member.
    • Check the RBAC Assignment tab and confirm the 48-hour membership limit is shown with the clock icon.

Notes

  • Approval steps must be Published to be used in policies.
  • Escalation policies ensure timely decisions and can enforce automated outcomes if no action is taken.
  • Time-constrained access is ideal for sensitive or temporary group memberships.

Completion

Once all approval steps are completed and the group membership is applied with the defined time constraint, this lab is complete. You can now explore advanced approval scenarios or move on to the next EmpowerID lab to continue your learning.

Video Walk-thru

View a video walk-thru of this lab exercise.