Self-Service Approval Workflow

Overview

The Self-Service Approval Workflow feature routes end users' self-service requests through your IT help desk for approval. A request is applied to Active Directory only after a help desk technician approves it, so you keep control over which changes reach the directory. Approvals are handled in an integrated workflow provider, ManageEngine ADManager Plus.

Note: This feature applies only to Active Directory. Approval Workflow is not available in Microsoft Entra ID mode, and the option does not appear while the console is in that mode.

How it works

When Approval Workflow is enabled, the self-service actions you select no longer write to Active Directory directly. Instead, ADSelfService Plus creates a request and hands it to the integrated workflow provider, where a help desk technician reviews it. The change is applied to Active Directory only after the technician approves it; rejected requests are discarded. For password reset and account unlock, the user's answers to the configured AD questions are checked against their Active Directory attribute values before the request proceeds. Click Show Flow Chart on the page to see a diagram of this flow.

Configuration instructions

Step 1: Integrating ADManager Plus

  1. Download, install, and launch ManageEngine ADManager Plus.
  2. Log in to the ADSelfService Plus admin portal as an administrator.
  3. Navigate to Admin > Product Settings > Integration Settings.
  4. Select the ADManager Plus tile.
  5. Enter the Server Name / IP Address and Port number, then select the protocol (http or https) used by ADManager Plus.
  6. Click Save.

Step 2: Enabling the workflow and selecting actions

  1. Navigate to Configuration > Administrative Tools > Approval Workflow.
  2. Select Enable Approval Workflow.
  3. Under Available Actions, select the self-service actions that should require approval.
  4. Click Save.

The available actions are:

| Action | What approval covers |
| --- | --- |
| Reset Password / Unlock Account | Runs password reset and account unlock only after help desk approval. |
| Directory Self-Update | Lets users update their personal information in Active Directory only after help desk approval. |
| Mail Group Subscription | Lets users opt in to or out of mail groups only after help desk approval. |

Step 3: (Optional) Configuring AD questions for password reset and unlock

For the Reset Password / Unlock Account action, click Configure AD Questions to define the questions that verify a user's identity before a request is approved.

  1. In the dialog, review the security questions configured by default. You can add, edit, delete, enable, or disable them.
  2. To add a question, click Add Question at the bottom of the dialog.
  3. Enter the security question, then select the corresponding LDAP attribute. The value of that attribute serves as the answer to the question.
  4. Click Save.

Important: After you enable Approval Workflow, run the All Users Report in ADManager Plus at least once. This pools users' existing attribute values so help desk technicians can review and approve the answers to the AD questions.
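
Because the value of the selected LDAP attribute serves as the answer, a user whose attribute is empty has no stored answer for an AD question. The PowerShell below is an added example, not part of the product or its documentation, that lists such users before you enable the workflow; the function name Get-AdQuestionCoverage and the attributes employeeID and telephoneNumber are assumptions, and the sample users are constructed.

```powershell
# Added example: find users with no value in the attributes used as AD-question answers.
# Assumption: replace $attributes with the LDAP attributes selected in Configure AD Questions.
function Get-AdQuestionCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,

        [Parameter(Mandatory)]
        [string[]]$Attribute
    )
    process {
        # An attribute counts as unanswered when it is absent, null, or only whitespace.
        $missing = foreach ($name in $Attribute) {
            $prop = $User.PSObject.Properties[$name]
            if ($null -eq $prop -or [string]::IsNullOrWhiteSpace([string]$prop.Value)) {
                $name
            }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Missing        = @($missing)
            Verifiable     = (@($missing).Count -eq 0)
        }
    }
}

$attributes = 'employeeID', 'telephoneNumber'   # assumed question attributes

# Constructed sample users so the script runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith';  employeeID = '10432'; telephoneNumber = '555-0100' }
    [pscustomobject]@{ SamAccountName = 'bjones';  employeeID = '';      telephoneNumber = '555-0101' }
    [pscustomobject]@{ SamAccountName = 'cnguyen'; employeeID = '10477' }
)

# Show only the users who could not be verified on every configured question.
$sample | Get-AdQuestionCoverage -Attribute $attributes |
    Where-Object { -not $_.Verifiable } |
    Format-Table SamAccountName, @{ n = 'Missing'; e = { $_.Missing -join ', ' } }

# Against a live domain (RSAT ActiveDirectory module), feed real users instead:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties $attributes |
#     Get-AdQuestionCoverage -Attribute $attributes
```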

Step 4: Associating policies

Use Associate Policy to choose which ADSelfService Plus policies the approval workflow applies to. Click the add (+) control, select the policies, and click Save.

Tips

  • Run the All Users Report in ADManager Plus after enabling, and refresh it periodically, so technicians always review current attribute values.
  • Associate the workflow with specific policies to apply approval only to the users who need it.
  • Use Show Flow Chart to explain the approval path to your help desk team.