Approval Assignment rule auto approval

Hey,

We are currently implementing an Approval Assignment rule to add additional features to approval flows. The rule is working mostly fine, but we’re experiencing issues with one particular use case. In certain scenarios I would like to skip all approvals, meaning that no one needs to approve.

The default approverScheme is “manager,owner”, and I would like to simply remove both approvals. How should I do that in Approval Assignment rule?

I have tried to return an empty list, return null values, and mark the approval object as completed (approval.setCompleted(true)), but nothing seems to work. Has anyone implemented this behaviour?

Hi @markussippo12
Focus on setting workflow.set("approvalScheme", "none"); in your Approval Assignment rule. This is the idiomatic SailPoint way to tell the workflow not to generate any approvals.

Hey!

Thanks for the reply. Unfortunately, this is not really feasible for me. I know that the “none” option exists for approvalScheme, but I would like to keep it as “manager,owner”. The reason is that most of the time that scheme is the desired value.

However, there is an extended attribute on the entitlements, which will indicate if “no approvals” is needed. Only in this case would I like to remove all approvals from the request, but I’ve been unable to implement this using the Approval Assignment rule.

Any ideas?

Hey Markus,
I saw an example in Compass using the IdentityApprovalGenerator class, where you can go through the approval object and use getChild() to access the entitlement object. From there, you can build your if condition based on your extended attribute and update the approval using the class below. Here is the example: https://community.sailpoint.com/t5/IdentityIQ-Forum/Approval-Assignment-Rule-Skip-Both-Manager-Owner-Approvals/m-p/47090

I'm getting access denied on the link... (I'm logged in) :frowning:

But yes, that sounds like what I’m after. And basically I have the conditions ready already. Meaning that I go through the Approvals, check individual entitlements for the extended attributes, and then I modify the approvals accordingly. The only issue I have is that I don't know what to return from the Approval Assignment rule in case no approvals are needed. I’ve tried to return an empty list, a null value, I’ve tried to approve them dynamically, but so far dead ends. The rule expects newApprovals in a list, but what to return if no approvals are needed at all?

Here is the example: you need to return the approvals in case the if condition is false, otherwise the new approvals.

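```
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import sailpoint.object.ApprovalItem;
import sailpoint.object.ApprovalSet;
import sailpoint.object.Attributes;
import sailpoint.object.Custom;
import sailpoint.object.Identity;
import sailpoint.object.Workflow.Approval;
import sailpoint.tools.xml.XMLObjectFactory;
import sailpoint.workflow.IdentityApprovalGenerator;

// Rule inputs used below: context, wfcontext, identityName, approvalSet, approvals
log.debug("Enter Assignment Rule");
Identity targetUser = context.getObjectByName(Identity.class, identityName);
log.debug("Target user is : " + targetUser.getDisplayableName());

Map approvalMap = new HashMap();
List newApprovals = new ArrayList();

if (approvalSet.getItems() != null) {
  List items = approvalSet.getItems();
  log.debug("Items are : " + items);

  for (ApprovalItem item : items) {

    // Null-safe comparison: the item's application name may be unset
    if ("Database".equalsIgnoreCase(item.getApplication())) {
      log.debug("Expanded item plan : " + item.toXml());

      // Build a new approval set holding a copy of this item only
      ApprovalSet newSet = new ApprovalSet();
      newSet.add(XMLObjectFactory.getInstance().clone(item, context));
      log.debug("New approval set is : " + newSet.toXml());

      String name = "UK"; // assuming target user's location is UK
      // Retrieving Regional Manager from a Custom Object
      Custom mappingCustom = context.getObjectByName(Custom.class, "test");
      Attributes attr = mappingCustom.getAttributes();
      String regionalManager = (String) attr.get(name);

      // Map the approver name to the approval set it should receive
      approvalMap.put(regionalManager, newSet);
      log.debug("Approval map is : " + approvalMap);

      IdentityApprovalGenerator iag = new IdentityApprovalGenerator(wfcontext);
      newApprovals = iag.buildApprovalsFromMap(approvalMap, "Regional Manager");
      log.debug("New approval list : " + newApprovals);

      for (Approval approval : newApprovals) {
        log.debug("Expanded new approval : " + approval.toXml());
      }

      return newApprovals;
    } else {
      // Condition false: hand back the approvals the rule was given
      log.debug("Old approval list : " + approvals);
      for (Approval approval : approvals) {
        log.debug("Expanded old approval : " + approval.toXml());
      }
      return approvals;
    }
  }
}

// No items to inspect: keep the approvals the rule was given
return approvals;
```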

Hey,

Thanks for the replies and suggestions. Before making any major redesigns I would like to understand if “no approval” can be achieved with Approval Assignment rule alone, as we put lot of work getting it done.

The example highlights my issue. If I want no approvals whatsoever, can I return something from Approval Assignment rule that would cause no approvals generated?
I’ve tried returning newApprovals as empty list, null, with approval that has been completed, and all lead to broken access request.

Also, just information if this functionality is unachievable would be good, and we could then rethink the approach. I would just imagine that this rule must support this scenario somehow.

Hi @markussippo12 ,
If I’m not wrong, the Approval Assignment rule is only triggered when there is an approval to be assigned. So, if the rule returns an empty approval list, it shouldn’t stop the process — the request will simply continue directly to provisioning.

Instead of setting the approval.setCompleted(true) you can approve the item.

item.approve();