Custom Chief Approval Configuration for ITShop

Hello All,

The OOTB chief approval team is configured in such a way that no segregation can be done on requests based on Business Units. We have 18-20 BUs and need chief approval team to be configured in such a way that the chief approval team members can view and act only on the requests associated with the members of their BU.

We need to configure this so that chief approval team can act on approver's behalf in case of their absence

We tried creating custom permission group corresponding to VI_4_ITSHOPADMIN_CANCEL and assigned to below tables

PersonwantsOrg
Person
QERWorkingStep
PWOHelperPWO
PWODecisionHistory

and placed viewing and edit conditions to filter out users however this is not working we are able to view request but unable to approve them getting permission issue. Please find below error.

An exception has occurred while running the form method F1_ctl00_ControlRef8_ControlRef15_ControlRef15_ControlRef8b_Main_Main_Container43_Button3_Method.

Error running 'OnSaving' in logic module 'QER.Customizer.PersonWantsOrg'.

This employee is not authorized to make approvals (possibly wait for the DBQueue processor evaluation)

(2025-07-07 06:07:29)


We also tried updating the condition on the module->VI_ITShop_Approvals-->Functions-->DbWhereClauseEscalation()

One IM Version:9.0

  • The Chief Approval Team is a global configuration. There is no way to limit its scope.
    Technically all CAT members are added as valid approvers for each step in PWOHelperPWO. And only Persons with such an entry can do decisions.

    It should be possible to put all your BU-escalators in the ChiefApprovalTeam and then use the VI_ITShop_Approvals-->Functions-->DbWhereClauseEscalation() to only show the relevant PWOs in the webfrontend.

    Depending on your setup you can use a custom Approval procedure, to include the primary (current) approver as well as the local team. But that is visible to the enduser, send a ton of emails and will likey more confustion than is worth.

    Again depending on your setup you might use multiple OIM instances for each BU, which would enable multiple CATs, possible as sub-instances only for the purpose of those approvals. But this very likely not fitting in your overal IAM architecture and way too much effort.