Hi all,
What problem are you observing?
If you reject an access request, the requester and recipient will receive an email with this message. This will happen through email templates Access Request Decision and Access Request Decision For Other. They both can refer to the variable rejecterName
which, if the request was denied, will contain:
The display name of the identity who denied the request.
However, this is not always the case. If we reject the request either through
- The API to reject access requests approvals
/v3/access-request-approvals/:approvalId/reject
- Workflows action Deny Access Request
The email will show the name of the person who was at that point marked as owner of the access request approval. This is not always the person who triggers access request approval rejection as it could be caused by an admin or a workflow, so the value is wrong. This is then sending wrong information to the requester/recipient as it looks as if the request got rejected by someone else.
What is the correct behavior?
The email template should populate the variable rejecterName
with the true name of the rejecter, not of the person who was currently assigned the access request approval.
What product feature is this related to?
Identity Security Cloud - Access Request - Email Templates
What are the steps to reproduce the issue?
As identity X, request access for identity Y, and ensure that identity Z is the approver of the access request. Then use the credentials of identity A (an admin) to call the API to deny the access request, and take a look at the mails send to identity X and identity Y. It should mention identity A but will mention identity Z. In addition, you can repeat this but then reject the pending approval similarly by using the workflow action.