I’m currently working on a workflow in IdentityNow to manage access profile requests specifically for the Source “AD Tier 2”. The requirement is to implement a two-step approval process:
Manager Approval
“SOD team” Governance Group Approval
However, we have an exception to this standard approval flow. If the user making the access request (the requester) is a member of the Governance Group “Team EUS”, the Manager approval step should be skipped entirely. The request should proceed directly to the “SOD team” Governance Group for approval.
To start, because the approvals are set in the access profiles, you’ll need two access profiles that have the same entitlements. One that requires both manager and governance group approval, and another that only requires the governance group approval.
If you’re doing this with a Workflow, you can use the HTTP Request step to make an API call to get the governance group members with this endpoint:
Then, you can use a compare string operator in the workflow to see if the identity ID of the requester is in the list of identity IDs returned by the call. If the ID is listed, the workflow proceeds with a request for the access profile that only requires the governance group approval (I believe the workflow action you’ll need is the Manage Access action). If not, it proceeds with a request for the access profile that requires both manager and governance group approval.
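The decision described above, as an added Python example that is not from this thread or from SailPoint's own code: it assumes the governance group members call returns a JSON array of `{type, id, name}` objects, that the Manage Access step corresponds to the `POST /v3/access-requests` body shape, and uses placeholder access profile IDs; the sample member list is constructed.

```python
import json

# Constructed sample of what the governance group members endpoint is assumed to return
TEAM_EUS_MEMBERS_JSON = """
[
  {"type": "IDENTITY", "id": "2c9180857182305e0171f89a5f7b2e11", "name": "Alice Example"},
  {"type": "IDENTITY", "id": "2c9180857182305e0171f89a5f7b2e22", "name": "Bob Example"}
]
"""

# Placeholder access profile IDs: both carry the same entitlements, only the approval flow differs
AP_TWO_STEP = "ap-two-step-PLACEHOLDER"   # manager + "SOD team" approval
AP_SOD_ONLY = "ap-sod-only-PLACEHOLDER"   # "SOD team" approval only


def member_ids(members_json):
    """Extract identity IDs from the members response; return None if the payload is malformed."""
    try:
        members = json.loads(members_json)
        return {m["id"] for m in members if m.get("type") == "IDENTITY"}
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def choose_access_profile(requester_id, members_json):
    """Compare on identity ID, never on display name, and fail closed:
    a failed or malformed members call routes to the stricter two-step profile."""
    ids = member_ids(members_json)
    if ids is None or requester_id not in ids:
        return AP_TWO_STEP
    return AP_SOD_ONLY


def build_access_request(requestee_id, requester_id, members_json, comment):
    """Body for the Manage Access step (assumed /v3/access-requests schema) with the chosen profile."""
    return {
        "requestedFor": [requestee_id],
        "requestType": "GRANT_ACCESS",
        "requestedItems": [{
            "type": "ACCESS_PROFILE",
            "id": choose_access_profile(requester_id, members_json),
            "comment": comment,
        }],
    }
```

The requester's membership is checked at request time only, so a user removed from "Team EUS" after submitting is not re-evaluated; the two access profiles remain the enforcement point.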
Hello @vkashat, this approach would require duplicating all APs and, in some way, changing the initial user request.
I don’t know much about changing a request but I think it would reject the original request and open a new one. This will lead to showing the same request twice in the Request Center’s “My Requests”.
I would like something more like: Subscribe to the “Access Request Submitted” event trigger and then implement some workflow logic where it compares the requester with the Governance Group members and auto-approves the first step only if there’s a match.
Would something like this be possible?
You’re correct it would require duplicate APs, but there shouldn’t be duplicate requests. The request would be made after the check. Rather than using the “Access Request Submitted” trigger, you can create a form that kicks off the workflow.
Once a request is made, I don’t think it’s possible to change the approval flow. You can reassign an approval, but it wouldn’t skip the approval entirely.