Managing approval for BHOLD organizational units with attributes


Updated: July 1, 2013

Applies To: Forefront Identity Manager

By using attributes of an organizational unit (orgunit) object in BHOLD Core, you can give users the authority to approve proposed-role activation requests by other users who belong to the orgunit. The names of these attributes indicate the function of the approver, that is, (primary) approver, escalator, or security officer. More than one approver of each type can be specified for an orgunit by adding a number to the attribute name (for example, approver2). Because these attributes are not defined in BHOLD Core by default, you must add them to the orgunit object type in BHOLD Core before you can use them to specify role-activation approvers. For more information about how orgunit attributes are used in creating a BHOLD FIM Integration approval framework, see Introduction to administering Microsoft BHOLD FIM Integration.

The following are the basic tasks for managing approval for BHOLD orgunits by using attributes:

BHOLD FIM Integration recognizes attributes that follow a predefined naming system to identify users who act as role approvers for an organizational unit (orgunit). The following are the three attribute names that BHOLD FIM Integration uses to create role-approval workflows:

  • approver<n>

  • escalator<n>

  • securityOfficer<n>

where <n> is an optional number that you can use to differentiate multiple approvers of the same type. For example, if you want to specify three escalation approvers for each orgunit, you would add attributes named escalator1, escalator2, and escalator3 to the orgunit object type. For more information about using orgunit attributes to specify role approvers, see Understanding object attributes for role approvers in Introduction to administering Microsoft BHOLD FIM Integration elsewhere in this guide.

To add attributes to the orgunit object type

  1. In the BHOLD Core portal, in the left pane, click Attribute types.

  2. On the Attribute types page, click Add.

  3. On the Add attribute type page, in Identity, type approver, escalator, or securityOfficer. If you will be specifying more than one approver of the same type, add a sequential number to the name (for example, approver2).

  4. In Maximum length, type 255.

  5. In English, type the name of the attribute as you want it to appear in the BHOLD Core portal (for example, Approver 1 for an attribute named approver1), and then click OK.

  6. Repeat the previous four steps to add more attributes as needed.

  7. In the left pane, click Attribute type sets.

  8. On the Attribute type sets page, click Add.

  9. On the Add attribute type set page, in Description, type a name for the set (such as ApproverTypes). In English, type a name to appear in the BHOLD Core portal (such as Role approvers), and then click OK.

  10. On the Attribute type set/<set> page, expand Attribute types, and then click Modify.

  11. In the Attribute type list, click the role-approval attribute type you want to add to the type set. In Order, type a number indicating the position of the attribute in the attribute list in the BHOLD Core portal, and then click Add.

  12. Repeat the preceding step to add the remaining role-approval attribute types to the attribute type set, and then click Done.

  13. In the left pane, click Object types.

  14. On the Object types page, click OrgUnit.

  15. On the Object type/OrgUnit page, expand Attribute type sets, and then click Modify.

  16. On the Link attribute type set/OrgUnit page, in Order, type a number indicating the position of the new attribute type set in the sequence of attribute type sets displayed in the BHOLD Core portal. In the Attribute type set list, click the attribute type set that you created, click Add, and then click Done.

After you add the role-approver attribute types to the orgunit object type, you can use those attributes to specify the role approvers for specific organizational units (orgunits).

To set orgunit attributes to specify role approvers

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit you want to modify.

  3. On the Organizational unit/<orgunit> page, click Modify.

  4. On the Modify organizational unit attributes/<orgunit> page, in the boxes next to the role-approver types that you added, type the default alias of the users that you want to perform those functions, and then click OK.
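
The following Python script is an added example, not part of the original guide or of BHOLD. It reviews one orgunit's attribute values against the approver<n>, escalator<n>, and securityOfficer<n> naming system described above, flagging names that only resemble it, role attributes left empty, and orgunits with no primary approver. The input dictionary, the aliases, the exact (case-sensitive) name comparison, and the near-miss pattern are assumptions; how the values are obtained from BHOLD Core is not covered here.

```python
import re

# Names this page lists: approver<n>, escalator<n>, securityOfficer<n>; <n> is optional.
ROLE_NAME = re.compile(r"(approver|escalator|securityOfficer)([0-9]*)")
# Assumption: names are compared exactly as written above; a name that only
# matches this looser pattern is reported as a probable typo.
NEAR_MISS = re.compile(r"\s*(approver|escalator|security[ _-]?officer)[ _-]?[0-9]*\s*", re.I)
MAX_LENGTH = 255  # "Maximum length" typed when the attribute type is added

def classify(name):
    """Return (role, n) for a name in the naming system, else None (n is None if unnumbered)."""
    m = ROLE_NAME.fullmatch(name)
    if m is None:
        return None
    return m.group(1), int(m.group(2)) if m.group(2) else None

def audit_orgunit(attributes):
    """Audit one orgunit's {attribute name: value} mapping; return (roles, findings)."""
    roles = {"approver": [], "escalator": [], "securityOfficer": []}
    findings = []
    for name, value in attributes.items():
        parsed = classify(name)
        if parsed is None:
            if NEAR_MISS.fullmatch(name):
                findings.append(f"{name!r}: not in the naming system (typo?)")
            continue  # unrelated attribute, nothing to review
        role, _n = parsed
        alias = (value or "").strip()
        if not alias:
            findings.append(f"{name}: no alias set")
        elif len(alias) > MAX_LENGTH:
            findings.append(f"{name}: value longer than {MAX_LENGTH} characters")
        else:
            roles[role].append(alias)
    if not roles["approver"]:
        findings.append("no primary approver alias set")
    return roles, findings

# Constructed sample data: attribute values and aliases are invented for illustration.
SAMPLE = {
    "approver1": "jsmith", "escalator1": "",
    "Approver 2": "mlee", "securityOfficer": "akhan", "costCenter": "4711",
}

if __name__ == "__main__":
    roles, findings = audit_orgunit(SAMPLE)
    print(roles)
    print("\n".join(findings))
```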