How to remove the requestor from being an approver if the requestor is in the owner workgroup

chaynes2434 · March 27, 2026, 9:04pm

Hello,

I am trying to determine how best to prevent the requestor from approving his/hers own access requests if he/she is in the workgroup for a particular role. I would think the answer would be to create a new managed attribute and use that as a flag to remove the identity from the workgroup when the approvals are determined. It appears though that a workgroup is being treated as a identity for approvals so I am struggling to see how I can remove an approver from the list of approvers as the lcm workflow seems to just hand the workgroup name off for approvals rather then looping through the workgroup to determine approvals. Any help is appreciated!

robert-hails · March 27, 2026, 9:37pm

Hi @chaynes2434 - you wouldn’t want to remove the user from the workgroup given that workgroup could have other functions within IIQ, and you’d be stripping that user of certain functionality.

Instead, I would recommend using a ValidationScript within the Provisioning Approval Subprocess to validate the approver of the work item is not the target user.

I’d refer to this post for an example: https://community.sailpoint.com/t5/IdentityIQ-Forum/Identity-Can-Approve-Own-Request-if-in-Approval-Workgroup/m-p/187831#M148720

FYI, you are correct that workgroups are identity objects. This is useful when setting owners of roles/entitlements/applications so you can use workgroups instead of sole identities.

Hope this helps!

This post was answered by a Palyrian Solutions Architect. Feel free to message me directly if your problem requires a deeper dive.
palyrian.com | ‪(301) 284-8124‬

naveenkumar3 · March 29, 2026, 10:57pm

Hi Christian,

We have the same requirement, where a requestor if he/she is part of the workgroup as part of approval they should not be able to approve it. We can’t remove the approver from the workgroup, as again adding them will be task.

We have achieved it using a validation script and the provisioning and subprocess workflow, where it will validate , if the requestor is also part of the approval workgroup, they will get an error, if they tries to approve the request. Please use the below solution, it works fine, add the below validation script.

<ValidationScript>
  <Source>
    			import org.apache.commons.logging.Log;
					import org.apache.commons.logging.LogFactory;
	
					import sailpoint.tools.GeneralException;
          
					String completer = item.getCompleter();
					Identity wiRequestor = item.getRequester();	
         	log.error("completed and requester" + completer + wiRequestor );		
					try {
			
					Identity requesteeId = context.getObjectByName(Identity.class, identityName);
		    	if (null != requesteeId @and null != completer @and null != wiRequestor) {		
		        if (completer.equalsIgnoreCase(requesteeId.getDisplayName())) {
		            return " Self approval is not allowed";
		        	}
		    		}		
					} catch (Exception e) {
		    	log.error("Error Validation Script.." + e.getMessage());
					}				
				
      </Source>
      </ValidationScript>

Topic		Replies	Views
How to stop auto-approval if requested by member of owner group? IIQ Discussion and Questions identityiq , access-requests	7	135	February 2, 2026
Need to skip the workgroup member frrom approval, if he/she is a requester for the role IIQ Discussion and Questions workflows , identityiq	8	334	November 10, 2024
Data owner approval is getting triggered for empty workgroup IIQ Discussion and Questions workflows , identityiq	6	238	April 20, 2024
Changing the approvalScheme based on the Requester Identity IIQ Discussion and Questions workflows , identityiq , provisioning	10	431	October 18, 2024
Approval Assignment rule not creating request when workgroup used for approval IdentityIQ (IIQ)	0	1636	April 29, 2022

How to remove the requestor from being an approver if the requestor is in the owner workgroup

Related topics