Auorization flow in profile update in NERM

Hello everybody!
I would like to know if it is possible to implement an authorization flow in a profile update.
I mean, I have a flow to create profiles, each profile has a start date and an end date, if someone updates the end date (or start date) I would like that the change is not saved without going through an authorization flow, is this possible, how can I do it?

Thanks in advance,
I hope I have clearly explained the use case.
Best regards!

Hi Gilberto,

I would suggest using a workflow in order to process updates to a Profiles attributes. Then, as part of that workflow, you can add an Approval Form action to have a set performer approve the changes. The performer could be a specified contributor of the Profile or Users from a particular User Role group like “Admins” or “Reviewers”.

When an Approval is Approved, it continues to the next action (which could be the Update action in order to save the new value to the Profile). If it is Denied, the workflow goes back to the previous form-type action to allow the Requester to fix whatever issues the Approver had with the data.

There are two additional options with Approval Forms:

1. You can check a box to require the Approvers to leave comments for why they approved/denied the request.
2. You can check a box to allow the Approval to be skipped if the Requester of the workflow is someone who could Approved.
   • For example, if an Admin is filling out the workflow to update a Profile’s End Date and Admins are configured as Approvers for the Approval Form - the approval is skipped / automatically approved.

Hi, @ZackTarantino-Woolson

Thank you for your reply. Do you mean an “Update Workflow”, if so, how do these workflows work?
Are they like the “Create Workflows” that we can run them directly from the dashboard, or how can we make these workflows run during an attribute update?

Thanks in advance.

@GilbertoOledo14 AFAIK, you can’t run the update workflow directly from dashboard however you can run them from a CREATE workflow if you want to run from dashboard.

For your requirement, when someone submits a change to the end date,

1. you can first show the request form, get the change you want requestor to make,
2. add an approval form to get the approval
3. Once request is approved, run the update action in the workflow.

Let me know if you have any follow up question.

Hello, @sunnyajmera

Thank you very much for your reply.
I have a doubt, when you say “you can first show the request form” do you mean to create a “Create workflow” to search the profile I want to edit and then edit it, or which “request form” should I show"?

If your use case involves updating a profile’s start or end date, then there are two ways you can do this:

1. You can either create an UPDATE type workflow which will be triggered after you select a profile. This won’t be available in the dashboard though. Once you select the form, you can display a request form which will show the start date and end date field, which the performer/requester can update and submit the form. This will trigger a approval to the supervisor or whosoever and once approved, the change is made to the profile.

2. Second option, is to create a CREATE type WORKFLOW which will first show a request form which will prompt you to select a profile, after that its the same flow as UPDATE Workflow. Just remember to delete the CREATE action from the CREATE workflow as you are not creating profile.

Hope it make sense. Feel free to ask more questions if you have.

Hello!

Thank you very much for the answer, I honestly did not understand very well how the Update Workflow worked, however, I have tried and I see that we can run them by selecting the profile.
I think I can solve my use case with this.

Thanks for the support.

Great, let us know if you have more questions.

Hello!
I am back to validate a use case, I hope you can help me,
Is it possible to define levels in the NERM authorization flows as in IDN, for example, first the supervisor approves and then a NERM administrator?
2. What if I want the approval to be sent to a group of people, is it possible, if so, will the approval be valid if only one person of that group approves?

Thanks in advance
Best regards!

1. Yes, you can do that. something like this

image517×807 18 KB

2. I am guessing it has to be one of them and the first one to approve put the request as approved. Let me test and confirm this though

Thanks for your answer.

1. I thought that selecting who you want to approve only that person would do it, but from what you say, if I set up different people, then the approval would be by levels, right?
2. Thank you, the process to assign the “Approvers” role to the users is what we discussed in other posts, right? about if they can come from IDN or it would have to be an API assignment. About this I still have doubts about how to assign this role to the users that require it.

Thanks!

1. If you want multiple approvals, then add multiple approval action in your workflow. They will be carried out in serial order. see below:

image1109×728 32.9 KB

approval actions in my workflow

image1333×382 16.4 KB

2. within the same approval action, if you add multiple approvers, then the first one to approve the request approved the request for that level.

Thank you very much for the explanation, it is quite clear to me now.
I’ll be testing it in my tenant.

To be able to add users to the “Approvers” role, did you do it through the endpoint?
https://acmeco.nonemployee.com/api/user_role?

Thanks again,
Best regards!

No, the screenshow that you saw is from a tenant which is using Azure for SSO, so I am c creating a group in azure, adding users there and then mapping the object id of the group in the role I have created in NERM. see below:

image1130×655 24.7 KB

image1153×619 36.8 KB