SailPoint ISC - 202512 - Duplicate approvals in Access Requests when Manager and Access Profile Owner resolve to the same identity (OOTB)

Hi everyone,
we’re working with Identity Security Cloud (IdentityNow) Access Requests using the out-of-the-box approval configuration on an Access Profile.

Use case / requirement
For some access profiles, the Manager of the access recipient and the Access Profile Owner happen to be the same person.
Today, when we configure a multi-step approval chain like:

  1. Reviewer 1 = Manager

  2. Reviewer 2 = Access Profile Owner

…we still see the request waiting for two approvals, even though both steps resolve to the same identity. The customer’s expectation is:

If Manager and Access Profile Owner are the same person, can the request skip the second approval and move directly to provisioning after the first approval?

What we found in the official documentation (OOTB behavior)

  1. In the “Multi-Approver Process” section, the documentation states that when multiple reviewers are configured, all required reviewers must approve before access can be granted, and the process stops on a denial. This suggests there is no built-in “merge/deduplicate” behavior when two steps resolve to the same person.
    Reference: https://documentation.sailpoint.com/saas/help/requests/config_ap_roles.html#multi-approver-process
  2. Under “Ensuring Complete Reviews” → “Preventing Self-Approval”, ISC prevents self-approval by default and can optionally enable Automatic approval only when the configured reviewer is the requester identity (and “all other configured review levels still apply”). This doesn’t address our scenario because the duplicated reviewer is not the requester.
    Reference: https://documentation.sailpoint.com/saas/help/requests/config_ap_roles.html#ensuring-complete-reviews

What we would like to achieve

An OOTB (configuration-only) way to say:

  • If Reviewer 1 and Reviewer 2 resolve to the same identity, treat it as one approval and proceed to provisioning

Questions for the community

  1. Is there any OOTB setting (Access Requests / Approval configuration / Adaptive Approvals / etc.) that can collapse duplicate reviewer steps when they resolve to the same identity?
  2. If not OOTB, is the recommended approach to switch from “Reviewer” approvals to a Workflow-based approval and implement a small piece of logic to deduplicate/skip the second step when approvers are the same? If anyone has done this, any best practices/pitfalls?

Thanks in advance for any guidance!

Kind Regards,

Paolo

Hi @psalat8887100 ,

There is no out of the box configuration that I am aware of to handle this scenario. But this sounds like a great use-case for adaptive approvals! Here is some documentation on the specific event trigger input - Access Request Dynamic Approval | SailPoint Developer Community

At the start of the workflow you would need to grab the requestor’s manager id (through the get identity action) then grab the access profile owner id (through the get access profile API endpoint). Then check if these are equal; if so, then only add a single approval. Otherwise set up a multi-step approval to both identities.

Some more documentation on how adaptive approvals work - Adaptive Approvals Overview - SailPoint Identity Services

Thanks,

Liam
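Added example, not part of the reply above and not SailPoint code: the comparison step described there, written as plain decision logic with the two edge cases a reviewer would check (an unresolved reviewer and a reviewer who is also the requester). The function name, role labels and identity ids are hypothetical, and dropping a requester-owned step while the other review levels still apply is this example's assumption; in a real workflow the ids would come from the get identity and get access profile lookups.

```python
from dataclasses import dataclass, field


class ApprovalChainError(Exception):
    """The chain cannot be built safely; the request must not proceed."""


@dataclass
class Step:
    approver_id: str
    roles: list = field(default_factory=list)  # every role this one approval covers


def build_approval_chain(requester_id, manager_id, owner_id):
    """Collapse reviewer steps that resolve to the same identity, keeping order."""
    # Role labels are hypothetical names used only by this example.
    resolved = [("MANAGER", manager_id), ("ACCESS_PROFILE_OWNER", owner_id)]
    by_approver = {}  # approver id -> Step; dicts preserve insertion order
    for role, approver_id in resolved:
        if not approver_id:
            # Fail closed: an unresolved reviewer must never shorten the chain.
            raise ApprovalChainError(f"{role} did not resolve to an identity")
        if approver_id == requester_id:
            # No self-approval: this step adds no independent review, so it is
            # not counted (assumption: the remaining levels still apply).
            continue
        step = by_approver.setdefault(approver_id, Step(approver_id))
        step.roles.append(role)  # keep both roles for the audit trail
    if not by_approver:
        raise ApprovalChainError("no approver independent of the requester")
    return list(by_approver.values())


if __name__ == "__main__":
    # Constructed ids: manager and access profile owner are the same person.
    for step in build_approval_chain("id-req-01", "id-mgr-01", "id-mgr-01"):
        print(step.approver_id, step.roles)
```

Recording both roles on the merged step keeps the audit trail explicit that one approval covered the manager and owner reviews.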

Hi @liamkokeeffe

Thanks a lot for the suggestion - Adaptive Approvals looks like the right direction for our use case and we’ll explore it.

Quick follow-up question: if we implement this with Adaptive Approvals (e.g., a serial multi-step approval where step 1 is the beneficiary’s manager and step 2 is the access profile owner), is there a way to differentiate the notifications sent to each approver?

Concretely, we’d like:

  • a “manager-style” notification for Reviewer 1 (manager of the requested-for identity), with a predefined/custom message (e.g. “Hi Manager of Beneficiary, please log into SailPoint to approve this request for your direct report”)

  • a different “application owner-style” notification for Reviewer 2 (access profile owner), e.g. “Hi Application Owner, please log into SailPoint to approve this request in your role as access profile owner.”

Is there any OOTB way to use different email templates (or different text) per reviewer step/category in Adaptive Approvals, or to pass a “label/context” into the approval so the standard Access Request Reviewer email template can render different content per approver?

Thanks again!
Paolo

Hey @psalat8887100 ,

No, I don’t believe there is a simple OOTB way to do this. One thing you could do is specify Velocity logic in the email subject that determines whether to send the ‘Access Request Approval’ email or not based off the attributes available to you in the email template - Approval Request Notification Email Template - SailPoint Identity Services

This would then disable the email template for these specific access requests, then you would add a ‘Send Email’ action in the workflow before assigning the approval(s) to mimic the approval request email template.

Here’s a reply I made to another community member about the velocity logic in email templates (you would need different logic than the request submitted likely) - Disable email notification workflow - #6 by liamkokeeffe

Thanks,

Liam