ISC Escalation - Owner Access Profile

Hello everyone,

Is it possible to stop the approval escalation only at the first manager?

Let me explain better: we need to manage the approval phase in the ISC request center.
In practice, I make the request for an access profile for an identity, and the owner of the access profile must approve the request. Usually, if he does not perform the approval, ISC escalates to the manager of the owner of the access profile, and if he does not handle the approval, it is escalated to his manager, and so on.

We need this escalation to stop at the first manager. Is this possible? Do you have any advice?

Hello @vcarelli

Welcome to the Developer Community :tada:

Please refer to:

Hope this helps!

Thanks
Sid

2 Likes

You can manage it in two different ways.

Method 1
You can create a custom approval rule either in IdentityNow’s Approval Rule configuration or directly within the Access Profile if using advanced approval settings.

The rule can specify:

Primary Approver: AccessProfileOwner

Escalation (one level only): AccessProfileOwner.manager

Note: No additional escalation logic is applied beyond this point.

Method 2
Set Escalation Depth (If Configurable in UI)
Check if your ISC tenant has the approval escalation configuration exposed:

Navigate to Identity Security Cloud → Access Requests → Approval Settings.

Look for options like Max Escalation Depth or similar (some tenants expose this as part of advanced features or through a backend configuration).

If visible, set max escalation depth to 1.

1 Like

Hi Anusha Nallagrola,

I was following the second method you suggested; however, from the request center I can’t see the approval settings and therefore I can’t set the escalation depth. Did I do something wrong, or do I have to configure it from the API?

Thanks a lot,
Vito

Hi TARLAPALLY SIDHARTH,

I followed this guide and set the PUT for access requests as suggested by Margo Bain; however, the request went directly to approval, and in the history of the access profile the provisioning already appears for the identity. Clearly, this solution does not meet the requirements I meant, because what I need is to send the approval notification/mail to the owner of the access profile and then only and exclusively to the manager of the owner of the access profile. Once the approval notification has arrived to him, if he does not approve, I would like the request to remain pending until he approves.

So the escalation is one step,
One Step: Escalation to the Manager of the owner of the access profile.

When you trigger a custom workflow from a Quick link (like your “Create AD Group” form), it doesn’t use the standard access request engine, so the “Approval Settings” UI under Access Requests does not apply. You won’t see options like “Max Escalation Depth” because they are tied to LCM-based workflows or standard Access Profile requests. Custom workflows bypass the built-in approval engine’s UI configurations and require all logic to be defined directly in the workflow JSON. Instead, if you’re using the custom workflow approach (Method 2) with an approval step, you need to define escalation behavior manually in your workflow JSON:

Sample code

```json
{
  "name": "ApprovalStep",
  "type": "approval",
  "approverRef": {
    "type": "identity",
    "id": "${workflow.dynamicApprover.id}"
  },
  "reason": "Approve AD group creation",
  "timeout": "PT48H",
  "escalation": {
    "type": "identity",
    "id": "${workflow.dynamicApprover.manager.id}"
  },
  "escalationCount": 1,
  "next": "ProvisionStep"
}
```

UI escalation depth settings do not apply to custom workflows triggered from Quick links.
You must handle escalation manually within the workflow.
No additional API configuration is currently supported for this use case.

2 Likes

Are you using SailPoint IQ or SailPoint ISC?
Because quick links and LCM-based workflows are not present in SailPoint ISC.