Description

To support better tracking between access requests and their related approvals, we have added the associated access request ID to the list-pending-approvals API endpoint response. Additionally, access request ID is now a filter option on this endpoint, making searches more efficient!

Since access request ID is now returned in the submit-request API response, this enhancement will be especially helpful to customers who have chosen to script processes based around that ID.

Who is affected?

This will be rolled out to all customers.

Important Dates

Sandbox rollout: February 4th, 2025

Production rollout: week of February 10th, 2025

Additional Resources

list-pending-approvals

Love it, thank you @jennifer_mitchell!

Just tested and it works well! Both seeing the id and the filter.

Some minor remarks/questions from my side:

1. Hoping documentation of the API will also be updated to reflect these improvements.
2. Hoping the same will be applied to the /v2024/access-request-approvals/completed endpoint. Or even better, have a general access-request-approvals endpoint that shows all access request approvals, regardless of if they are pending, cancelled, rejected or approved. In this way, if we have the approval id, we can obtain the object immediately, instead of trying out both options to figure out what the status is.
3. Given an accessRequestId, we can get approvals both through /v2024/access-request-approvals/:accessRequestId/approvers and through /v2024/access-request-approvals/pending?filters=accessRequestId eq "2c91808568c529c60168cca6f90c1313". Is there any difference in behavior of these two API’s? will they always return the same approvals, and do you recommend one option over the other?
4. If you create an access request and request a single item for a single user, you mentioned a specific edge case might occur, where still multiple accessRequestIds are returned (which is the reason the response value for accessRequestIds is an array, even though it most often contains only 1 value). But if this edge case occurs where one access request returns multiple access request ids, will one access request approval also be associated to both access requests ids? If not, what will happen instead?

Hi @angelo_mekenkamp ,

1. The API documentation will be updated soon (either as this goes into prod and possibly shortly after that).
2. Please open an idea to request this. We will not be addressing this in the immediate term. Your use case extends beyond what we were trying to address with this enhancement, but we can consider this for future work.
3. You can get overlapping (but not identical) information from these two endpoints, and they should be in sync. The /approvers endpoint is meant to support providing a list of who the approvers are for a given access request (which we use for access request admin today and plan to use for governance group approver visibility in the future - timing TBD ). This enhancement to the pending endpoint lets you pull the whole approval record (vs. just the assignees and approval IDs) by access request ID. Different intentions.
4. The edge case you are asking about here is when we find multiple duplicate requests submitted within milliseconds of each other. The ID generation is happening now at the very start of the process. A subsequent step will still be checking for duplicates, and I believe that check will cancel all but the first with the message that they are duplicates of a pending request.