
SAP NetWeaver Identity Management: Delegate Access in Workflows via Referrals at runtime

The responsible manager or administrator of each employee can be given access to different types of workflows on behalf of that employee. Instead of using the access controls in the Identity Center, we set the access controls directly in the workflows at runtime. To do this, we define a referral attribute for persons that points to another person. You can reuse this attribute in several workflows, or define different referral attributes for different types of workflows.

The following systems / applications have been used in this blog:

  • SAP NetWeaver Identity Management 7.0 SP02 Patch 2
  • MS SQL Server 2005 Database

Knowledge / experience in the following areas is helpful:

  • Basic SAP NW Identity Management knowledge

Some blogs that cover additional topics:

The Referral Attributes for Delegating Access

First we need to define our referral attribute in the Identity Center. Below your Identity Store, navigate to “Identity store schema” → “Attributes”. Create a new attribute and name it ISV_REFERRAL. In the “Storage” tab, select “Referral attribute”, “Entry reference” and “MX_PERSON”, as shown in the screenshot below.


In the “Entry types” tab, select “Allow” for “MX_PERSON”.


If you want references to different persons for each employee, e.g. manager, key user or administrator, repeat the previous steps to create further referral attributes with different names. Note that a referral attribute cannot be a multivalue attribute; each referral attribute holds exactly one referenced person.

Example Workflows for Setting Referrals

We use different types of workflows in our scenario, either to set or to use the attributes we have created. As an example for setting referrals, we create a simple Self-Service for every user in the Identity Store. This requires that your Identity Store already contains some users who can set referrals; otherwise, create a task for creating these users, following steps similar to the ones below.

Create an ordered task group below a folder of your Identity Store. In the “Attributes” tab, choose “MX_PERSON” as entry type and select your referral attribute(s) as shown below.


In the “Access control” tab, give every user access to his own referral attribute (Self-Service).


Afterwards you can log on to the workflow UI (e.g. http://localhost/Workflow/index.php) and assign persons via your referral attribute(s).

Alternatively, you could use the filter functionality explained in the blog “Dynamic Resolution of Approver and Approvee in Workflows”. Depending on the kind of referral, it is recommended to restrict who may be selected: an employee should only be allowed to delegate the approval of requested Business Roles to certain key users, not to every colleague. Keep in mind that the referenced person becomes the approver of the employee's requests, so unless the selectable values are filtered, an employee could also point the attribute at himself and thereby approve his own requests. A manager, on the other hand, could decide in a Self-Service who is allowed to act on his behalf.

You could also set the referral attribute in the first step of an approval workflow instead of in a separate task. Just deselect “Read only” for the attribute in the task group “ISV – Referral Request” described below.

Example Workflows for Using Referrals

We will create an ordered task group and an approval task to use referrals in a two-step workflow. In the first step, employees request roles. In the second step, the person set in the requester's referral attribute is able to approve the request.

Select a new attribute such as “ISV_REQUEST_ROLE”, not read only, to hold the Business Role request. This multivalue attribute could be of type “Entry reference” to “MX_ROLE”. After approval, an action task with a To Identity Store pass could copy the chosen roles from “ISV_REQUEST_ROLE” to “MX_ROLE”. If you are interested in implementing this scenario, you can find more about it in my blog “How To Determine Business Roles Proposals in Workflows”.

First, create the ordered task group on the same level as the previous task group. In the “Attributes” tab, select some general attributes of “MX_PERSON” as read only. Also select “ISV_REFERRAL” as read only, so that the requester sees which referral user was chosen in the previous task.


In the “Access control” tab, create a Self-Service as in the task created before, so that every employee can request roles.

Afterwards, create an approval task below this task group. In the “Attributes” tab, select the same attributes as before, all of them read only. In the “Approval” tab, select “Referral” as approver and “ISV_REFERRAL” as the referral attribute.


The person referenced by this attribute of the requesting user is able to approve. If the requester has no referral set, no approver can be resolved from the attribute, so make sure it is filled (e.g. by the Self-Service above) before a request reaches the approval step. As you can see in the screenshot, we also have “ISV_MANAGER” as a further referral attribute.

What we have done in the approval task is also possible in the access control of a task group. You could create a new ordered task group for maintaining address and communication data of employees. In the “Access control” tab, fill in the same values as in the “Approval” tab before. A referenced secretary is then able to maintain address and communication data for all persons whose referral attribute points to her.
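The following Python model, added here as an illustration and not code from SAP NetWeaver Identity Management, summarises the runtime semantics configured above in one place: the attribute constraints from the schema definition (a single-valued entry reference whose target must be an allowed entry type), the “Referral” approver resolution of the approval task, and the task-group access control that lets the referenced secretary act for everyone pointing at her. The class and function names, the MSKEYs, the ISV_SECRETARY attribute and the four sample persons are all constructed for this example; the rejection of self-references is an added rule, not a documented product feature.

```python
"""Model of referral-based delegation (added example, not SAP code).

Mimics a referral attribute such as ISV_REFERRAL: a single-valued entry
reference restricted to MX_PERSON, used at runtime to resolve who may
approve a request or edit another person's data. Names, MSKEYs and
sample persons are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MX_PERSON = "MX_PERSON"
MX_ROLE = "MX_ROLE"


@dataclass
class Entry:
    mskey: int
    entry_type: str
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class ReferralAttribute:
    """'Storage' / 'Entry types' tabs: entry reference with allowed target types."""
    name: str
    allowed_types: tuple = (MX_PERSON,)


class IdentityStore:
    def __init__(self) -> None:
        self.entries: Dict[int, Entry] = {}
        self.referrals: Dict[str, ReferralAttribute] = {}

    def add_entry(self, mskey: int, entry_type: str, **attrs) -> Entry:
        self.entries[mskey] = Entry(mskey, entry_type, dict(attrs))
        return self.entries[mskey]

    def define_referral(self, name: str, *allowed_types: str) -> None:
        self.referrals[name] = ReferralAttribute(name, allowed_types or (MX_PERSON,))

    def validate_referral(self, mskey: int, attr: str, target: object) -> Optional[str]:
        """None if the assignment is valid, otherwise the reason it is rejected."""
        if attr not in self.referrals:
            return f"{attr} is not a referral attribute"
        if not isinstance(target, int):            # multivalue is not supported
            return f"{attr} is single-valued, got {type(target).__name__}"
        if target == mskey:                        # added rule: no self-delegation
            return "an entry may not refer to itself"
        if mskey not in self.entries or target not in self.entries:
            return "unknown entry or target"
        if self.entries[target].entry_type not in self.referrals[attr].allowed_types:
            return f"entry type {self.entries[target].entry_type} not allowed for {attr}"
        return None

    def set_referral(self, mskey: int, attr: str, target: int) -> None:
        """Self-Service step: the user fills his own referral attribute."""
        reason = self.validate_referral(mskey, attr, target)
        if reason:
            raise ValueError(reason)
        self.entries[mskey].attrs[attr] = target

    def resolve_referral(self, mskey: int, attr: str) -> Optional[int]:
        """'Referral' approver: the MSKEY stored in the requester's attribute,
        or None when it is not set (then no approver can be resolved)."""
        entry = self.entries.get(mskey)
        return None if entry is None else entry.attrs.get(attr)

    def can_act_for(self, actor: int, subject: int, attr: str) -> bool:
        """True if actor is referenced by subject's referral attribute, i.e. may
        approve the subject's request or edit the subject's data."""
        return self.resolve_referral(subject, attr) == actor

    def delegators_of(self, actor: int, attr: str) -> List[int]:
        """Everyone whose referral attribute points at actor (the persons a
        secretary may maintain in the address task group)."""
        return sorted(m for m, e in self.entries.items()
                      if e.entry_type == MX_PERSON and e.attrs.get(attr) == actor)


def build_sample_store() -> IdentityStore:
    """Constructed sample data: four persons, one business role."""
    store = IdentityStore()
    store.define_referral("ISV_REFERRAL")
    store.define_referral("ISV_SECRETARY")
    store.add_entry(1, MX_PERSON, MX_DISPLAYNAME="Alice (employee)")
    store.add_entry(2, MX_PERSON, MX_DISPLAYNAME="Bob (manager)")
    store.add_entry(3, MX_PERSON, MX_DISPLAYNAME="Carol (secretary)")
    store.add_entry(4, MX_PERSON, MX_DISPLAYNAME="Dave (employee)")
    store.add_entry(100, MX_ROLE, MX_DISPLAYNAME="Finance Reader")
    store.set_referral(1, "ISV_REFERRAL", 2)
    store.set_referral(1, "ISV_SECRETARY", 3)
    store.set_referral(4, "ISV_REFERRAL", 2)      # Dave has no secretary set
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("approver for Alice's request:", s.resolve_referral(1, "ISV_REFERRAL"))
    print("Carol may maintain:", s.delegators_of(3, "ISV_SECRETARY"))
    print("Dave's secretary:", s.resolve_referral(4, "ISV_SECRETARY"))
    for bad in ((1, "ISV_REFERRAL", 100), (1, "ISV_REFERRAL", 1), (1, "ISV_REFERRAL", [2, 3])):
        print("rejected", bad, "->", s.validate_referral(*bad))
```

Running the module prints Bob (MSKEY 2) as Alice's approver, Alice as the only person Carol may maintain, no secretary for Dave, and the three rejected assignments (a role as target, a self-reference, and a list of values). The `delegators_of` lookup is the inverse of approver resolution and is what the access control of the address task group effectively evaluates.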


We have created a referral attribute for delegating access in workflows. With this attribute, one person can act on behalf of another in different types of workflows. In two example workflows we have set and used this attribute: first we set it in a task group; then, in an approval workflow, employees requested business roles that had to be approved by the person referenced by the referral attribute.
