
Partitioned Approval Workflow

The PARTITIONED approval workflow is described in the following steps:

Introduction

EJBCA Approvals

Slide Deck: EJBCA Approvals

Overview: The PARTITIONED workflows are a more complicated form of approvals than the simple accumulative approval. Partitioned approvals should be used when you need to:

  1. Create an approval workflow which is more complex than what you can achieve with an accumulative approval.

  2. Enter data during the approval process which can be reviewed by other administrators and saved for audit purposes.

Each partitioned approval consists of one or more steps. Each step contains one or more partitions which can be approved in any order, and each partition contains zero or more UI controls where the administrator can enter data before approving. The following rules apply:

  • A request is approved if all steps are approved. When a step is approved, the approval process advances to the next step

  • A step is approved if all partitions in the step are approved

  • A partition is approved when an administrator with approval rights approves it. When an administrator approves a partition, the partition becomes read-only and the same administrator is not allowed to approve any other partition in the approval request. If a partition is rejected, the whole request is immediately rejected.
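The rules above can be written as a small state machine. The following is an added illustrative model, not EJBCA code or its API: the class and function names are hypothetical, the status strings are constructed, and the partition and role names are the ones used for the ID Card Approval profile built later in this lab.

```python
from dataclasses import dataclass, field

@dataclass
class Partition:
    name: str
    role: str                # role allowed to approve this partition
    approved_by: str = ""    # empty until an administrator approves
    data: dict = field(default_factory=dict)  # entered values, kept for audit

class ApprovalRequest:
    def __init__(self, steps):
        self.steps = steps       # list of steps; each step is a list of Partition
        self.current = 0         # index of the step currently awaiting approval
        self.status = "WAITING"
        self.approvers = set()   # administrators who already approved a partition

    def _open_partition(self, role, name):
        if self.status != "WAITING":
            raise ValueError(f"request is already {self.status}")
        for p in self.steps[self.current]:
            if p.name == name:
                if role != p.role:
                    raise PermissionError(f"{role} may not act on {name!r}")
                if p.approved_by:
                    raise ValueError(f"{name!r} is approved and read-only")
                return p
        raise ValueError(f"{name!r} is not in the current step")

    def approve(self, admin, role, name, data=None):
        p = self._open_partition(role, name)
        if admin in self.approvers:
            raise PermissionError(f"{admin} already approved another partition")
        p.approved_by, p.data = admin, dict(data or {})
        self.approvers.add(admin)
        if all(q.approved_by for q in self.steps[self.current]):
            self.current += 1    # every partition approved: advance one step
            if self.current == len(self.steps):
                self.status = "APPROVED"
        return self.status

    def reject(self, admin, role, name):
        self._open_partition(role, name)
        self.status = "REJECTED"  # one rejected partition rejects the request
        return self.status

def id_card_request():
    # Layout of the ID Card Approval profile built later in this lab.
    return ApprovalRequest([
        [Partition("Data Entry", "Training RA Administrator Role"),
         Partition("Data validation", "Training CA Administrator Role")],
        [Partition("Receipt", "Super Administrator Role")],
    ])
```

The model makes the separation-of-duties property explicit: an administrator who holds two roles still cannot approve two partitions of the same request.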

In this lab, you will create a Partitioned workflow, and obtain "sign off" for each step from various administrators. We will set up approvals for an issuer of national ID cards using the three roles we created in the previous module. This is achieved using a partitioned approval profile with two steps. In the first step, the citizen registers their personal information on a kiosk and walks over to an RA administrator responsible for checking the relevant identification document. The information is cross-checked by a CA administrator. Once the first step is approved, an order is sent out to the card manufacturer. In the second step, the citizen pays and the certificate is loaded on the card.

At the end of the lab you may optionally create the certificate with the approval request ID, or enrollment code and passcode.

Overview

To simulate this process, we are going to perform the following steps in EJBCA:

  • Create a partitioned approval profile with three partitions and two steps

  • Configure the approval profile to be used when issuing a new certificate

  • Edit some access rules to ensure the administrators can approve requests

  • Request a certificate

  • Approve the partitioned request

  • Look at the approved request

Slide Reference

Partitioned workflow allows data to be entered and captured during the approval process

Partitioned workflow process

Approval workflow steps

All workflows are placed on the queue for approval

Partitioned Approval Workflow Steps

Reminder: you can visit the Accessing Your Environment page for details on how to connect to your Admin web portal.

Create a partitioned approval profile

  1. Open a browser and access the Admin Web Portal. Ensure you are logged in as the SuperAdmin.

  2. Click on Supervision Functions >> Approval Profiles

  3. Fill in the name ID Card Approval and click Add to create a new approval profile

  4. Click Edit for the new approval profile to edit it

  5. Change Approval Profile Type to Partitioned Approval

  6. For Step 1. >> Partition Name enter Data Entry as the name of the partition

  7. Change Roles which may approve this partition to Training RA Administrator Role

  8. Add a new text field to the partition by selecting Text Field in the drop down list and type Form of identification in the Label text box

  9. Click Add Field

  10. Add a new Check Box to the partition with the label Form signed

  11. Click Add Field

  12. Click on the button called Add Partition to add a new partition

  13. Name the second partition Data validation

  14. Change Roles which may approve this partition to Training CA Administrator Role

  15. Add a new text field to the partition by selecting Text Field in the drop down list and type Comment in the Label text box

  16. Click Add Field

  17. Click on the button called Add Step to add a new step

  18. Name the partition in the second step Receipt

  19. Change Roles which may approve this partition to Super Administrator Role

  20. Add a new number field to the partition by selecting Number (Short) in the drop down list and type Amount paid in the Label text box

  21. Click Add Field

  22. Click Save to save the approval profile

Enable the approval profile

  1. Click on CA Functions >> Certificate Profiles in the left menu

  2. Click Edit for the profile ApprovalCertificateProfile

  3. In the Approval Settings section, change Add/Edit End Entity to ID Card Approval

  4. Click Save

Edit access rules

  1. Click on System Functions >> Roles and Access Rules in the left menu

  2. For Training RA Administrator Role, click on the link Access rules

  3. In the End Entity Profiles listbox, add ApprovalEndEntityProfile

  4. Click Save

  5. Click on the link in the top right corner called Back to Roles Management

  6. For Training CA Administrator Role, click on the link called Access rules

  7. In the Authorized CAs listbox, select All

  8. Click Save

Request a certificate 

Reminder: you can visit the Accessing Your Environment page for details on how to connect to your RA web portal.

  1. Open a browser and click RA Web, from the ribbon menu across the top of the page

  2. Click Enroll >> Make New Request

  3. Choose Certificate Type ApprovalEndEntityProfile

  4. In the Key-pair generation selection, select By the CA

  5. In the CN, Common name field, enter ID Card Request

  6. In the Username field, enter ID Card Request

  7. In the Enrollment code field, enter foo123

  8. In the Confirm enrollment code field, enter foo123

  9. Click on the button Confirm Request

  10. Close the browser

Approve the request

To log in as a different administrator, open a NEW PRIVATE window in Firefox, or the browser you are working with. A private window allows you to log in as a different user from the main browser window. To open a PRIVATE window in Firefox, select New Private window from the “Burger menu” in the upper right corner of Firefox. See the “Accessing your Environment” page for more details on launching a PRIVATE window and logging into RA Web.

  1. Open a browser and click RA Web, from the ribbon menu across the top of the page.
    Ensure you are logging in using the training_RAAdmin certificate.

  2. Click on Manage Requests in the menu

  3. Click on the tab To Approve

  4. Click on the Review link for the request with the name ID Card Request

  5. In the text field Form of identification, type in Passport

  6. Tick the checkbox Form signed

  7. Click Approve to approve the first partition in the first step

  8. Close the PRIVATE window

To log in as a different administrator, open a NEW PRIVATE window in Firefox, or the browser you are working with. A private window allows you to log in as a different user from the main browser window. To open a PRIVATE window in Firefox, select New Private window from the “Burger menu” in the upper right corner of Firefox. See the “Accessing your Environment” page for more details on launching a PRIVATE window and logging into RA Web.

  1. Open a browser and click RA Web, from the ribbon menu across the top of the page.
    Ensure you are logging in using the training_CAAdmin certificate.

  2. Click on Manage Requests in the menu

  3. Click on the tab To Approve

  4. Click on the Review link for the request with the name ID Card Request

  5. In the text field Comment, type OK

  6. Click Approve to approve the second partition in the first step

  7. Close the PRIVATE window

To log in as a different administrator, open a NEW PRIVATE window in Firefox, or the browser you are working with. A private window allows you to log in as a different user from the main browser window. To open a PRIVATE window in Firefox, select New Private window from the “Burger menu” in the upper right corner of Firefox. See the “Accessing your Environment” page for more details on launching a PRIVATE window and logging into RA Web.

  1. Open a browser and click RA Web, from the ribbon menu across the top of the page.
    Ensure you are logging in using the training_SuperAdmin certificate.

  2. Click on Manage Requests in the menu

  3. Click on the tab To Approve

  4. Click on the Review link for the request with the name ID Card Request

  5. In the number field Amount paid, type 25

  6. Click Approve to approve the second step

  7. Close your browser

View the approved request

To log in as a different administrator, open a NEW PRIVATE window in Firefox, or the browser you are working with. A private window allows you to log in as a different user from the main browser window. To open a PRIVATE window in Firefox, select New Private window from the “Burger menu” in the upper right corner of Firefox. See the “Accessing your Environment” page for more details on launching a PRIVATE window and logging into RA Web.

  1. Open a browser and click RA Web, from the ribbon menu across the top of the page.
    Ensure you are logging in using the SuperAdmin certificate.

  2. Click on Manage Requests in the menu

  3. Click on the tab Processed

  4. Click on the Review link for the request with the name ID Card Request. Here you can see the data which was entered during the approval process.
