Hi Team!
We have noticed a strange occurance where an access request approval went to an unexpected identity.
We have auto-approval enabled and everyone can request access on behalf of everyone:
"autoApprovalEnabled": true,
"requestOnBehalfOfConfig": {
"allowRequestOnBehalfOfAnyoneByAnyone": true,
"allowRequestOnBehalfOfEmployeeByManager": true
}
According to the following documentation self approval works whenever the reviewer is a single identity. Only when the approver is a goverance group, it will fail (unfortunately).
We have created a role where identity 1 is the role owner and the role owner is the approver.
Identity 1 has work reassignment turned on, sending work to identity 2.
Identity 2 has work reassignment turned off and requests the role on behalf of identity 3.
We see the following on the request status of Identity 2:
Note that the request got reassigned once more to a random admin.
We see the following on the Reassignment History page of Identity 1:
This will be very confusing for Identity 1, given that they had configured work reassignment to Identity 2
We would expect the request to be approved automatically as soon as the request gets assigned to identity 2.
Note that another time this random admin was the identity who has setup work reassignment, so even though they had setup work reassignment, they ended up with this access request anyway. This seems to be a second bug to me, where assignment to random admin is not taking into account work reassignment configuration: