Approvals terminology

Last modified 05 Mar 2021 18:03 +01:00

The following terms are to be used in the area of approvals (workflows) - shown in bold:

  1. A user requests *a change*, e.g. adding an assignment of a role to him (or to somebody else).

  2. Such a change is either carried out immediately, or an approval process has to be executed for it.

  3. Approval process results in either approving or rejecting the change. (In future, the result can be also a modification of the change.) This result is called an outcome.

  4. Approval process itself consists of zero, one or more work items.

  5. A work item is a decision task offered to a user or a group of users (candidate actors), among which exactly one completes the work item (the actor). The one who completed the work item is called an approver. (The term object’s approver is also used to denote user/org that is expected to approve a change related to an object.)

  6. Work item can be either not allocated, i.e. offered to a group of users (candidate actors), or allocated, i.e. allocated (or assigned - but we try to avoid use of this word, because it is used in midPoint in other sense) to a single user. If not allocated, each of candidate actors can claim the work item. If allocated (and having at least one candidate actor) it can be released by the current actor.

  7. Work item has two possible outcomes: approve or reject. (In future there could be also a delegate outcome and perhaps something like abstain = "I don’t know".)

So far so good. However, the situation quickly gets a bit complicated:

Original change that is requested can consist of more simpler changes. For example, a user requests creation of three assignments, along with changing two user properties. Among these 5 simple modifications, let’s say two assignments and one property modification are "sensitive" such that they have to be approved. Currently each of these simple changes is considered independently, so that we have:

  1. An (attempted) operation that consists of one or more changes. In our case, the operation consists of 5 changes.

  2. Each change becomes an approval request, causing approval process to be executed.

  3. …​and the rest is as before: each approval process has its outcome. So the resulting change is a combination of 2 changes that do not require approvals, and 0-3 changes that are approved by the 3 approval processes executed.

One more terminological nuance: we should speak about process instances instead of processes: a process is a "blueprint" (definition) for creating process instances. However, in order not to complicate our language too much, we won’t differentiate between these terms.


In some way analogous, there is an access certification (or certification for short) area. Whereas approvals/workflows deal with changes before they are carried out, certification deals with effects of such changes after their execution. So it might be useful to compare the terminology used in these two areas. In access certification we speak about the following:

  1. A certification case is an item (effect of some change that occurred in the past) that has to be certified (evaluated), i.e. whose fate has to be determined by manual inspection.

  2. Certification of the cases is carried out in batches, called campaigns. Campaigns are internally organized into stages; each campaign has one or more of these.

  3. At the start of each stage, each certification case gets zero, one or more reviewers. They are responsible for providing a certification **decision (or decision) for each assigned case. Decision consists of a response (accept, revoke, reduce, no decision, delegate) and a comment.

  4. For each stage, individual decisions are combined to provide an outcome for given case in a given stage. Outcomes in individual stages are combined into an overall outcome for a given case (in given campaign).

Summary:

Term Approvals/workflows Access certification

an item that has to be authorized/approved

change (alt: request)

certification case

person that decides

approver

reviewer

positive result

approve

accept

negative result

reject

revoke

other results

-

reduce, not decided

elementary decisive activity

work item

certification decision

elementary decisive activity result

work item outcome

certification decision

compound decisive activity

approval process

stage, campaign

compound decisive activity result

process outcome

stage/campaign outcome