During the setup of Application Approval Workflow, which can be downloaded here, you are asked to provide a user to connect to ConfigMgr and Service Manager. These accounts are stored in Orchestrator to run different runbooks. There are a few things that the documentation doesn't cover or assumes that you already know from using Orchestrator.
If you selected an AD group during install for your Orchestrator users group, you will need to create a local group called OrchestratorUsersGroup on your Orchestrator server.
Any users that will be used on an Invoke Runbook activity's Security tab will need to be added to this group. Below is an example from the AAW runbooks.
You can find the user accounts under Variables in the Application Approval Workflow folder.
The two users defined in these two variables need to be added to the OrchestratorUsersGroup group on the local machine.
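The group setup described above can be scripted so it is repeatable and easy to audit. This is an added example, not part of the AAW documentation or the original post; the two account names are placeholders for the accounts stored in your AAW variables, and it assumes an elevated Windows PowerShell 5.1 session on the Orchestrator server.

```powershell
# Added example: run elevated on the Orchestrator server.
$GroupName = 'OrchestratorUsersGroup'   # local group name given in the post

# Placeholders (assumptions): replace with the accounts held in the two AAW variables.
$Accounts = @('CONTOSO\svc-aaw-configmgr', 'CONTOSO\svc-aaw-scsm')

# Create the local group only if it does not already exist.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'AAW runbook run-as accounts' | Out-Null
}

# Add each account only if it is missing, so the script is safe to re-run.
$current = (Get-LocalGroupMember -Group $GroupName).Name
foreach ($account in $Accounts) {
    if ($current -notcontains $account) {
        Add-LocalGroupMember -Group $GroupName -Member $account
    }
}

# Print the final membership so any unexpected account stands out in review.
Get-LocalGroupMember -Group $GroupName |
    Select-Object Name, ObjectClass, PrincipalSource
```

Keep the membership limited to the accounts the runbooks actually use, since anything in this group can be used on an Invoke Runbook Security tab.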
The most interesting thing I found was the “Poll Service Manager” runbook process.
The Invoke Runbook activity calls the Process SM for App Request runbook and starts the runbook with the Service Manager account.
Upon further investigation I found that this runbook is making a call to Configuration Manager to make the request approved.
If you look at the PowerShell script inside the approve activity, you will see that the script connects to ConfigMgr to approve the request. This runbook, as I mentioned earlier, is being run as the Service Manager Run As account in Orchestrator, so the Service Manager account will also need to have application approval permissions in ConfigMgr.