We have requirement that once request is submitted, if there is policy violation, it should be automatically create a certification and assign to manager.
In order to achieve this, I used workflow trigger “Äccess Request Submitted” but while testing the workflow it showing error below
"workflow must have at least one action ‘sp:access-request-approval’ when trigger is ‘idn:access-request-trigger’ "
@vikaspawar0303 As per the error and what I understood from this, you need to configure a Access Request Approval action also in your workflow for your access Request Trigger.
The error you’re seeing is expected behavior for workflows triggered using “Access Request Submitted” (idn:access-request-trigger).
For this trigger, SailPoint expects at least one sp:access-request-approval action to be present in the workflow. This is because the trigger is tightly coupled with the access request approval flow, and the system validates that the workflow participates in that process.
Since your use case is to handle policy violations and trigger a certification, this might not be the ideal trigger to use directly for that purpose.
You could consider a couple of approaches:
Keep the sp:access-request-approval action in the workflow and add your custom logic (for certification creation) after that step
Alternatively, evaluate if there is another trigger or event (like policy violation handling or post-request processing) that better fits your requirement
Also, just to clarify — are you trying to create a certification immediately upon detecting a violation, or after the request is processed?
That might influence the best design approach here.
Just for a further bit of clarity, because this is what it sounds like to me:
In the case of an SOD violation after an access request, you want to run a certification campaign where a manager can say that its okay for that violation to exist?
Because that should not be happening. Are you looking for auto-revocation of the access instead
I believe it’s better to use an event based trigger tied to SOD policy violations, combined with the Certification Campaigns API, to automatically create and assign certifications to the manager when a violation is detected.