Using Adaptive Approval Trigger in Workflow to Auto-Approve a Request Based on a Condition

Hello! I am trying to create a workflow to be used as an adaptive approval for an access profile. I have read all the documentation and the workflow has the Access Request Submitted trigger as well as an Approval Policy action so that it can be used as an adaptive approval workflow.

The workflow is supposed to check the identity’s access to verify that it has an AD group provisioned. If it does, then the access request should automatically be approved. If it is not a part of the group, then it should deny the request.

image669×641 27.5 KB

At this point, I have not been able to get the workflow to complete successfully once. It always gets stuck at the step to deny or approve the access. I need assistance in identifying how to get this workflow to approve or deny the request. I read the Request Response trigger requirement for a response (approval/denial or approval policy) in a certain time, but I am unsure how to do that if it cannot make it past the deny or approve steps. The error that I get is 404 - Not Found:

image691×492 9.72 KB

I have been unable to find any example workflows of this that do not use the Access Request Submitted trigger with an external trigger. Here is what I have tried and has not worked:

1. Using the Approve Access Request and Deny Access Request Actions
   1. With approvalID as AccessRequestID from the trigger
   2. Called access-request-status API to get approvalID (suggested by SailPoint Support)
      1. returns nothing, even with status code 200
      2. {
         “body”: ,
         “headers”: {
         “Content-Type”: [
         “application/json;charset=utf-8”
         ]
         },
         “responseTime”: “0.534657 seconds”,
         “statusCode”: 200
         }
2. Calling Complete Trigger Invocation API

   1. “input”: {

      "approved": false,
      
      "comment": "Access request denied - Identity is not a member of the required Active Directory group",
      
      "approver": "System"
      

      },

   2. I can’t get a secret because this is not an async response? I have seen that there can only be one subscription to the Access Request Submitted event trigger in Admin, but it appears that someone else is using it. Can there only be one workflow with this trigger?

Any guidance on next steps to complete this in the adaptive approval workflow would be greatly appreciated.

Hi @Gimarti ,

In my case I have added auto approve and its working for me as expected. I have attached the screenshot of my workflow.

PracticeMultiStepSerialApprovalofAccessRequest20260326890×1454 60.6 KB

Thank you.

Hello @suraj_gorle , thank you very much for the example.

I see that you have an operator being the “auto-approve.” Are you just using the End Step - Sucess Operator to get that? Conversely, is the end step failure for an auto-denial? Additionally, do you know if it’s possible to automatically approve the request after the Approval Policy action? I see that you have a step that comes after the approval policy and depends on the action taken by the Manager.

One more thing, what is the base action that you are using for the “Access Denied” step after the approval?

Hi @Gimarti ,

Please find my response below:

1. Auto-Approval Configuration
   • Yes, the End Step – Success operator is being used to achieve auto-approval.
2. Auto-Denial Configuration

   • No, the End Step – Failure operator is not being used.

   • Instead, the Success step is used for handling auto-denial.

3. Auto-Approval After Approval Policy

   • Yes, it is possible to automatically approve the request after the Approval Policy action.

   • A configuration has been implemented for this (please refer to the attached screenshot).

image1155×884 76.7 KB

1. • For the “Access Denied” scenario, the base action used is sending an email notification to the requester.

Thank you.

Hello @suraj_gorle ,

How does the access request get approved with simply an End Step-Success Operator? Do you need to set anything or make any HTTP calls to get the access profile to approve, or the operator enough? If it is, then how would the workflow distinguish between the deny and approval?