I recently tested the latest functionality released in our SailPoint sandbox environment, “Enhancement: Approvals - Expiration, Governance Group Visibility, and More”, but I’m running into issues getting automatic expiration to behave as expected. I wanted to check if anyone else has this working correctly and better understand the intended behavior.
What I’m trying to achieve:
Automatically cancel/expire any pending access requests that are 8 days or older
Notify the requester with an email that includes clear next steps
Indicate who cancelled the request and who it was pending with
What I’ve done so far:
Called: GET /v2025/generic-approvals/config/ACCESS_REQUEST_APPROVAL
Observed behavior:
The timeout works, but the request is marked as denied, and the requester receives the following email:
“Your access has been denied.
Please contact ${rejecterName} if you have any questions.”
This doesn’t provide much context. It’s also different from the 90-day auto-expire email, which is more informative. For reference, that email looks like:
“An approval request for Everyone that was submitted on your behalf by identity has timed out after failing to reach a resolution after 90 days and is now closed.
To review your approval requests or to create a new one, please go to: https://tenant.identitynow.com/ui/d/request-center/my-requests.”
I’d prefer behavior similar to the 90-day timeout email.
Questions:
1. Does anyone know which email template is used for this timeout/expiration scenario?
2. The request appears to be denied by a governance group member, but it doesn’t show who specifically. Is this expected? (I have govGroupVisibilityEnabled set to true.)
3. Is there a better or recommended way to implement this functionality? I’m not sure if I’m approaching this correctly.
1. The Access Request Decision email template is what you’re looking for. You can customize that to fit your needs and provide more information.
2. This is expected, or at least what I’m seeing as well.
3. Overall, I think you’re handling it correctly, but could improve the messaging in the notification. I would use the email template below to customize exactly what you need. You can add some logic in there for this exact scenario and make custom wording so your end users understand exactly what happened.
Does the new functionality only support a “Denied” status? I was expecting statuses like “Expired” or “Cancelled” instead of “Denied.”
The rejectedName in the email response comes out as empty. We wouldn’t want users to see a blank rejector name.
How would I modify logic for email templates? I’d like to include more context, such as directing users to go to the Access Request Center under “My Requests” to resubmit their request and follow up with the approver after resubmission.
@trettkowski I was able to figure out the answers while doing some research. It looks like only “Denied” applies, and the rejectedName issue was due to the identity setup on my end.
For the email template, I was able to access the HTML and make the necessary changes.
The only thing I’m still unsure about is the 90-day expiry email. I couldn’t find that template, and it seems like it might not be editable. Ideally, I’d like to use the 90-day template for the auto-expiry notification.
@trettkowski The issue I’m encountering is that when I update the timeout configuration using PUT: /v2025/generic-approvals/config/ACCESS_REQUEST_APPROVAL,
the email I received is the Access Decision email template instead of the Approval Timed Out email template.
Would you be able to test this behaviour on your end?
Received the notification and confirmed it’s showing as denied even though my configuration is set to expired like you mentioned. I would probably do the following if this is game breaking for your project:
Submit a bug report since this seems like a mistake on the SP side.
Submit a support case to SailPoint and mention it’s a show-stopper for your org.
Once you’ve done all the above, reach out to your CSM to get this properly escalated and/or see if someone on the expert services side has a workaround.