title: Workflow Designer
category: Workflows & Automation
tags: workflow, designer, approval, chains, visual
priority: Normal
Workflow Designer
The Workflow Designer is the visual interface for building multi-level approval workflows in IdentityCenter. Located at /access-review/workflows, it provides a drag-and-drop canvas where administrators construct the approval logic that governs access requests, policy remediation, and lifecycle events.
Accessing the Workflow Designer
- Navigate to Access Reviews > Workflows
- Click New Workflow to create a new workflow, or select an existing one to edit
- The visual designer canvas opens with a toolbar of available node types
Workflow Concepts
What is a Workflow?
A workflow is an ordered sequence of steps that determines how a request moves from submission to completion. Each workflow consists of nodes connected by paths that define the approval chain.
| Concept | Description |
|---|---|
| Node | A single step in the workflow (approver, condition, action, end) |
| Path | A connection between two nodes defining the flow direction |
| Chain | The full sequence of nodes from start to finish |
| Branch | A split in the workflow based on conditions |
Approval Chain Types
IdentityCenter supports two fundamental chain types:
| Chain Type | Behavior | Use Case |
|---|---|---|
| Sequential | Approvers act one after another; each must approve before the next is notified | Manager approves, then Security reviews, then IT provisions |
| Parallel | All approvers are notified simultaneously; all (or a quorum) must approve | Both the Resource Owner and the CISO must approve at the same time |
Tip: Use sequential chains when later approvers need context from earlier decisions. Use parallel chains when independent reviewers can evaluate the request simultaneously to reduce overall approval time.
Node Types
Approver Node
The Approver node assigns a person or group to review and approve or deny the request.
| Property | Description |
|---|---|
| Name | Display label for the node (e.g., "Manager Approval") |
| Resolution Method | How the approver is determined (see Approver Resolution below) |
| Timeout | Hours or days before escalation triggers |
| Allow Delegation | Whether the approver can delegate to someone else |
Condition Node
The Condition node evaluates an expression and routes the request down different paths based on the result.
| Property | Description |
|---|---|
| Attribute | The field to evaluate (e.g., risk level, department, title) |
| Operator | Comparison operator (equals, contains, greater than) |
| Value | The target value to compare against |
| True Path | Where to route if the condition is met |
| False Path | Where to route if the condition is not met |
Example conditions:
Risk Level = High --> Route to CISO for approval
Department = Finance --> Add Finance Manager as approver
Request Type = Privileged --> Require two-level approval
Action Node
The Action node performs an automated operation when the workflow reaches it.
| Action | Description |
|---|---|
| Send Notification | Email a specific person or group |
| Create Ticket | Generate a helpdesk ticket for provisioning |
| Log Event | Record an entry in the audit log |
| Update Attribute | Modify a field on the request or identity |
| Execute Script | Run a custom automation script |
End Node
The End node terminates the workflow with a final status.
| End Status | Description |
|---|---|
| Approved | The request was fully approved and proceeds to provisioning |
| Denied | The request was denied; the requester is notified |
| Cancelled | The workflow was cancelled by an administrator |
Dynamic Approver Resolution
The Approver node supports several methods for determining who should approve:
| Method | How It Works | Example |
|---|---|---|
| Direct Manager | Reads the manager attribute from the requester's synced AD data | Employee's immediate supervisor |
| Skip-Level Manager | Resolves the manager's manager from the AD hierarchy | VP or director above the direct manager |
| By Role | Assigns to a user who holds a specific business role | Anyone with the "CISO" role |
| By Department | Assigns to the designated head of a department | Head of IT Security |
| Specific User | Hardcodes a named individual as approver | Compliance Officer John Smith |
| Group-Based | Any member of a specified approval group can respond | Members of "Access Approval Committee" |
For full details on resolution methods, fallback logic, and delegation, see Approver Resolution.
Conditional Routing
Condition nodes let you build dynamic workflows that adapt to request context:
Risk-Based Routing
[Start] --> [Condition: Risk Level]
                |
                High ----> [CISO Approval] --> [IT Security Approval] --> [End: Approved]
                |
                Medium --> [Manager Approval] --> [Resource Owner Approval] --> [End: Approved]
                |
                Low -----> [Manager Approval] --> [End: Approved]
Attribute-Based Routing
Route based on any synced attribute: department, title, location, or custom fields. For example, requests from the Finance department may require an additional Compliance Officer review.
Building a Workflow
Step 1: Create the Workflow
- Click New Workflow
- Enter a Name and Description
- Select a Category (Access Request, Policy Remediation, Lifecycle Event)
Step 2: Add Nodes
- Drag nodes from the toolbar onto the canvas
- Position them in the desired order
- Connect nodes by dragging from one node's output port to the next node's input port
Step 3: Configure Each Node
- Click a node to open its properties panel
- Set the resolution method, timeout, delegation rules, or condition logic
- Save the node configuration
Step 4: Define Paths
- Connect the True and False outputs from Condition nodes to their target nodes
- Ensure all paths eventually reach an End node
- The designer highlights any disconnected or orphaned nodes in red
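The path rules in Step 4, as an added example (not IdentityCenter code): a standalone check over a hypothetical dictionary model of a workflow that reports orphaned nodes and nodes that can never reach an End node. It goes one step beyond the text by also flagging any route to an Approved End node that passes through no Approver node. The node ids, the `WORKFLOW` structure and the function names are assumptions made for this illustration.

```python
from collections import deque

# Hypothetical model, not IdentityCenter's storage format: node id -> type, next nodes.
# Constructed sample based on the risk-based routing diagram, with three planted flaws.
WORKFLOW = {
    "start":    {"type": "start",     "next": ["risk"]},
    "risk":     {"type": "condition", "next": ["ciso", "mgr", "log"]},
    "ciso":     {"type": "approver",  "next": ["itsec"]},
    "itsec":    {"type": "approver",  "next": ["approved"]},
    "mgr":      {"type": "approver",  "next": ["owner"]},
    "owner":    {"type": "approver",  "next": []},            # flaw: path stops before an End node
    "log":      {"type": "action",    "next": ["approved"]},  # flaw: Low branch has no approver
    "old_mgr":  {"type": "approver",  "next": ["approved"]},  # flaw: nothing routes to this node
    "approved": {"type": "end", "status": "Approved", "next": []},
}

def reachable(wf, start, blocked=()):
    """BFS from start; returns {node: parent}, never entering nodes whose type is blocked."""
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in wf[node]["next"]:
            if nxt not in parent and wf[nxt]["type"] not in blocked:
                parent[nxt] = node
                queue.append(nxt)
    return parent

def validate(wf, start="start"):
    live = reachable(wf, start)
    ends = {n for n, v in wf.items() if v["type"] == "end"}
    findings = {
        "orphaned": sorted(set(wf) - set(live)),
        "cannot_reach_end": sorted(n for n in live if not ends & set(reachable(wf, n))),
        "approved_without_approver": [],
    }
    # Walk the graph again while refusing to enter Approver nodes.
    bypass = reachable(wf, start, blocked=("approver",))
    for end in sorted(ends & set(bypass)):
        if wf[end].get("status") == "Approved":
            path, node = [], end
            while node is not None:
                path.append(node)
                node = bypass[node]
            findings["approved_without_approver"].append(path[::-1])
    return findings

if __name__ == "__main__":
    for check, result in validate(WORKFLOW).items():
        print(f"{check}: {result}")
```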
Clone and Template Workflows
Cloning an Existing Workflow
- From the workflow list, click the three-dot menu on any workflow
- Select Clone
- The cloned workflow opens in the designer with a "Copy of" prefix
- Modify as needed and save with a new name
Using Templates
IdentityCenter includes built-in workflow templates for common scenarios:
| Template | Description |
|---|---|
| Simple Manager Approval | Single-level manager approval |
| Two-Level Approval | Manager then department head |
| Risk-Based Routing | Routes by risk level to different approval chains |
| Privileged Access Request | Multi-level with security review |
| Emergency Access | Fast-track with post-hoc review |
To use a template, click New from Template and select the desired starting point.
Save, Test, and Activate
Saving
Click Save at any time to preserve your progress. Saved workflows remain in Draft status until explicitly activated.
Testing
- Click Test Workflow in the designer toolbar
- Enter sample request data (requester, resource, risk level)
- The designer simulates the workflow path, highlighting each node as it would execute
- Review the simulated path and approver assignments to verify correctness
Tip: Always test with multiple scenarios (different risk levels, departments, and edge cases like missing managers) before activating a workflow.
Activating
- When testing is complete, click Activate
- The workflow status changes from Draft to Active
- Active workflows can be assigned to triggers (see Workflow Triggers)
- Only one version of a workflow can be active at a time
Deactivating
To modify an active workflow, click Deactivate first. Any in-flight requests will continue on the previously active version. New requests will not use the workflow until it is reactivated.
Best Practices
- Keep workflows focused -- Design each workflow for a specific purpose rather than building one monolithic workflow for all scenarios
- Name nodes clearly -- Use descriptive labels like "Finance Director Approval" instead of "Approver 2"
- Test edge cases -- Simulate what happens when a manager is missing, an approver is on leave, or a condition evaluates unexpectedly
- Use conditions sparingly -- Overly complex branching makes workflows difficult to maintain and troubleshoot
- Document your design -- Add a description to each workflow explaining its purpose and expected flow
- Review quarterly -- As organizational structure changes, verify that approver resolution and routing logic remain accurate
Next Steps
- Workflow Triggers -- Connect workflows to events and schedules
- Approver Resolution -- Understand how approvers are determined
- Escalation & SLA Tracking -- Configure timeouts and escalation rules
- Access Catalog Overview -- See how workflows power the self-service portal
- Access Reviews Overview -- Periodic access certification campaigns
- Policies Overview -- Policy-driven violation workflows