Approval Flexibility

Approval Flexibility functionality offers a set of capabilities to configure Approval Rules and arrange them in multiple levels (sequential and parallel). This feature enables the use of the Out Of The Box ServiceNow Approval module, which makes configuring emails, reports, and other required ServiceNow customizations easier.

SailPoint Administrators (users with role x_sap_intidn.sapadmin) can enable this functionality and configure it by performing the following steps:

  1. Go to SailPoint Identity Security Cloud for Service Catalog > Setup.

  2. Select the Approval Flow dropdown, and then select Configurable Approvals.

There are two key components in order to configure an approval flow; Approval Rules and Approval Definitions.

Approval Rules

The Approval Rules define who should be assigned as an approver for the Access Request.

To configure Approval Rules, perform the following steps:

  1. Go to SailPoint Identity Security Cloud for Service Catalog > Approval Rules.

  1. Select New. The window to create Approval Rules will appear.

    The following table lists each field name and description:

  2. Enter a unique name in the Approval Rule Name field.

  3. Select the Approval Type dropdown to make a selection.

    The following lists each Approval Type and description:

    • ServiceNow User

      Gives the ability to select a ServiceNow User as the approver for the Access Request.

    • ServiceNow Group

      Gives the ability to select a ServiceNow Group. All ServiceNow Users who are members of this group will be assigned as approvers for the Access Request.

      Leave the All Must Sign checkbox unchecked if any one user from the group can approve the request. Select the checkbox if all users from the group should approve the request.

    • ServiceNow Role

      Gives the ability to select a ServiceNow Role. All ServiceNow Users who are members of this role will be assigned as approvers for the Access Request.

      Leave the All Must Sign checkbox unchecked if any one user in the role can approve the request. Select the checkbox if all users in the role should approve the request.

    • ServiceNow Manager

      The Manger as per ServiceNow for whom the request is being raised would be the assigned approver in this access request.

    • ServiceNow Script

      Assigns all ServiceNow Users returned from the ServiceNow GlideRecord query as approvers for the access request.

      Leave the All Must Sign checkbox unchecked if any one user can approve the request. Select the checkbox if all users should approve the request.

      The scripts receive a parameter currentRecord which is the GlideRecord of the Requested Item (RITM). Dot-walk and access every Variable associated with it. For example:

      Access Name | u_access_name

      Access Id | u_access_id

      Access Type | u_access_type

      Start Date | u_start_date

      End Date | u_end_date

      Requested For | requested_for

      Comments | u_comments

      The expected output from the script should be an array of ServiceNow users sys_ids

      Note
      The ServiceNow admin role is needed to modify the ServiceNow Script Field

      GlideRecord Examples:

    • Identity Security Cloud Workflow

      Identity Security Cloud approval is used to initiate the approvals. The Approval request is received by users in ServiceNow. This approval rule will be initiated by Identity Security Cloud workflow after the access request is sent to Identity Security Cloud.

      Redirect Identity Security Cloud Approval Notifications

      Redirect the Identity Security Cloud Approval Notifications to ServiceNow https://<servicenowinstance>/sp?id=approvals by modification of the notification template https://{tenant}.identitynow.com/ui/admin#admin:global:emailtmpls:AccessRequestReviewer

      For more information about the SailPoint Identity Security Cloud email templates, refer to Using Email Templates.

      Notifications can also be customized in ServiceNow. For example, this is the notification that is sent every time an approval is generated:

      For more information, refer to the ServiceNow documentation for Notifications.

      Note
      The "Identity Security Cloud Workflow" type for Approval Definition cannot be combined with other Approval Rules.

      Important
      Approvals should not be Approved or Rejected from Identity Security Cloud, as doing so will impact the consistency between the two systems when using "Configurable Approvals".

    • ServiceNow Workflow

      Gives the ability to configure ServiceNow Workflow that will be executed as part of the approval flow. The aim is to give administrators the full flexibility to configure additional approval logic.

      The ServiceNow Workflow should be built on the Requested Items table (sc_req_item). This way provides access to the current object and it`s variables.

      There cannot be more than one approval rule of type ServiceNow Workflow on a given order. The ServiceNow Workflow is a very flexible option to build really complex approval logic and also to add some custom activities as part of the overall flow.

      Note
      At the end of the Workflow the SailPoint MLA Current Level (x_sap_intidn_sailpoint_mla_current_level) field of the RITM must be set to ‘approved' or 'rejected’. This will trigger the parent approval process to continue it’s flow.

      For example:

      The Run Script Activity can also be used with this code snippet:

      Copy
      current.x_sap_intidn_sailpoint_mla_current_level = 'approved';
    • ServiceNow Flow

      Gives the ability to configure ServiceNow Flow that will be executed as part of the approval flow. The aim is to give administrators the full flexibility to configure additional approval logic.

      The ServiceNow Flow has access to the current object and it`s variables.

      There cannot be more than one approval rule of type ServiceNow Flow on a given order. The ServiceNow Flow is a very flexible option to build really complex approval logic and also to add some custom activities as part of the overall flow. The ServiceNow Flow should have the trigger set to Service Catalog if the customer wants to get the sys_id of the RITM from the trigger. Other options should be viable as well, though they would require scripting in the Action input field.

      Note
      At the end of the Flow, the SailPoint MLA Action must be used. This will signal the parent process whether to consider the request as approved or rejected.

      For Example:

      SailPoint MLA Action internally sets the field SailPoint MLA Current Level (x_sap_intidn_sailpoint_mla_current_level) to ‘approved’ or ‘rejected’.

      It has two input parameters:

      RITM sys_id: the sys_id of the Requested Item.

      Action: ‘approved’ or 'rejected'. Typically, the output of the Ask For Approval Action should be used.

    • Identity Security Cloud Governance Group

      Gives the ability to assign anyone or all members from the selected Identity Security Cloud Governance Group as approvers for the access request. The request to Identity Security Cloud will be made to fetch all members of the group and correlate them with the local ServiceNow users.

      Leave the All Must Sign checkbox unchecked if any one user can approve the request. Select the checkbox if all users should approve the request.

    • Identity Security Cloud Manager

      Gives the ability to assign the configured Manager in Identity Security Cloud of the Requested For User as approver for the access request. The request to Identity Security Cloud will be made to fetch the Manager and correlate it with the local ServiceNow user.

    • Identity Security Cloud Owner

      Gives the ability to assign the configured Access Object Owner in Identity Security Cloud as approver for the access request. The request to Identity Security Cloud will be made to fetch the Owner and correlate it with the local ServiceNow user.

    • Identity Security Cloud Source Owner

      Gives the ability to assign the configured Source Owner of the requested Access Object as approver for the access request. This approval type is only applicable for an access object of type Entitlement or Access Profiles. A request will be made to Identity Security Cloud to fetch the Source Owner and correlate it with the local ServiceNow user. If no valid approver is found, approval will be assigned to the default approval group. For example, SailPoint Access Governance Group.

    • Identity Security Cloud App Owner

      Gives the ability to assign the configured Application Owners of the requested Access Object as approvers for the access request. This approval type is only applicable for an access object of type Access Profiles. A request will be made to Identity Security Cloud to fetch the Application Owner and correlate it with the local ServiceNow user.

      If there are multiple applications associated with the Access Profile, all the application owners will be fetched and an approval will be generated for each valid user. Leave the All Must Sign checkbox unchecked if any one user from the valid approver’s list can approve the request. Select the checkbox if all valid users should approve the request. If no valid approver is found, approval will be assigned to the default approval group. For example, SailPoint Access Governance Group.

  4. Enter a Description.

  5. Select Submit.

Approval Definitions

The Approval Definitions are used to map SailPoint's IdentityNow Access Object (Role/ Access Profile/ Entitlement) with Approval Rules.

The implemented approval engine processes the approvals on levels in the following way:

  • The Approval Rules for the Access Request for a given Access Object are processed sequentially based on their order number. One waits for the other to complete.

    • Order 100 is the first level of approval.

    • Order 200 is the second level of approval.

    • Order 300 is the third level of approval.

  • If there are multiple Approval Definitions for the same Access Object within the same Order, the Approval Rules will apply in parallel. The engine will wait for their completion before moving on to the next Order level.

    The following diagram shows an example of how multiple approval levels can be set going up the approval chain.

To configure Approval Definitions, perform the following steps:

  1. Go to SailPoint IdentityNow for Service Catalog > Approval Definitions.

  2. Select New. The window to create Approval Definitions will then appear.

    The following table lists each field name and description:

    Note

    • A mapping record must be created for each and every access object name. An easy way to configure in bulk is to create the records offline and import them using the standard ServiceNow Import Set. For more information, refer to Import Sets.
    • Additionally, generic definitions can be assigned to each object type to avoid definition for each object. For more information, refer to Generic Approval Definition.
    • Any object definition if defined will be executed ignoring the generic definition for that object.

  3. Select the Access Object Type from the dropdown and specify an Access Object that is already configured in SailPoint IdentityNow.

  4. Use the copy/paste method to enter the Access Object Name exactly as it is in Sailpoint IdentityNow.

  5. Enter a Description.

  6. Select the Active checkbox to enable the definition. Leave it unchecked to disable the definition.

  7. Enter the Order Levels with integers in increasing order for the desired chain of approval. Suggested 100, 200, 300 and so on, which gives flexibility and readability for future changes.

  8. Select Approval Rule Details and then select an Approval Rule that was previously defined.

  9. Select Submit.

Approvals, Flexibility, Considerations, and Limitations (applicable to versions 3.1.0 and earlier)

The following validation rules apply for the Approval Rules and Definitions:

  • The Approval Rule Name should be unique.

  • There can be only one unique combination of Access Object and Approval Rule (for the given type Access Profile/ Role /Entitlement).

  • For Approval Rules of type IdentityNow Workflow, there cannot be multiple Approval Definitions with different order (for given type Access Profile/ Role /Entitlement).

  • There cannot be more than 2,000 rules per Access Object (for given type Access Profile/ Role /Entitlement).

  • There cannot be more than one Approval Rule of type ServiceNow Workflow on a given order.

  • There cannot be more than one Approval Rule of type ServiceNow Flow on a given order.

  • A signal to the parent process must be provided for Approval Rules of type ServiceNow Workflow or Flow. Set the SailPoint MLA Current Level at the end of it the field to signal the parent process whether the request should be considered approved or rejected.

  • For Approval Rules of type ServiceNow Flow, flows should be created in the Global or SailPoint IdentityNow for Service Catalog scopes. Support for any application scope will be added in a future version.

  • Configuring Auto-Approval and behavior when approver and requester/requested for are the same.

  • For IdentityNow Owner and IdentityNow Manager types of approval under configurable approval:

    • If auto-approval is enabled on the IdentityNow side and the approver and requester/requested for is the same user, then the request will be auto approved with the approval comment “Requester or Requested For is same as Approver, this request has been auto approved as per the Identity Security Cloud configuration”.

    • If auto-approval is disabled on the Identity Security Cloud side and the approver and requester/requested for is the same user, then the approval will be changed to the approver’s manager. The work note “Approver has been changed to approver's manager as per the Identity Security Cloud configuration” will be added on the request. If the approver does not have a manager, then the request will be canceled.

    • For all other approval types, the request is cancelled when the requestor and approver are the same user.

      Note
      Request cancellation when the "requester/requested for" and "approver" is the same user is not applicable for the ServiceNow Flow and Workflow rules.

    In order to improve security, the solution rejects the Access Requests if it is unable to assign the correct user as an approver.

    The following Auto-Rejection rules apply (applicable to versions 3.1.0 and earlier):

    • The ServiceNow User set in an Approval Rule is inactive or was deleted.

    • No manager is assigned to the ServiceNow User.

    • No appropriate User exists in ServiceNow in the Approval Rule of type IdentityNow Workflow.

    • The assigned approver is the same as the Requestor.

    • The assigned approver is the same as the Requested For.

    • There are Multiple Approval Definitions with the same order, however, one of them is improper (where it is impossible to identify the approver).

    • The Approval Rule of type ServiceNow Group and the All Must Sign checkbox is selected, however, some group members are inactive (if users became inactive before the approval assignment they are not selected for review).

    • Approval Rule of type ServiceNow Role and the All Must Sign checkbox is selected, however, some role members are inactive (if users became inactive before the approval assignment they are not selected for review).

    • Approval Definitions are not set for Access Object.

    • Approval Definitions set for Access Object are inactive.

    • No rule is specified in Approval Definition (assigned rule was deleted).

    Approvals, Flexibility, Considerations, and Limitations (applicable to versions 3.2.0 and later)

    The following validation rules apply for the Approval Rules and Definitions:

    • The Approval Rule Name should be unique.

    • There can be only one unique combination of Access Object and Approval Rule (for the given type Access Profile/ Role /Entitlement).

    • For Approval Rules of type Identity Security Cloud Workflow, there cannot be multiple Approval Definitions with different order (for given type Access Profile/ Role /Entitlement).

    • There cannot be more than 2,000 rules per Access Object (for given type Access Profile/ Role /Entitlement).

    • There cannot be more than one Approval Rule of type ServiceNow Workflow on a given order.

    • There cannot be more than one Approval Rule of type ServiceNow Flow on a given order.

    • A signal to the parent process must be provided for Approval Rules of type ServiceNow Workflow or Flow. Set the SailPoint MLA Current Level at the end of it the field to signal the parent process whether the request should be considered approved or rejected.

    • For Approval Rules of type ServiceNow Flow, flows should be created in the Global or SailPoint Identity Security Cloud for Service Catalog scopes. Support for any application scope will be added in a future version.

    • The default group and auto approval settings are not applicable for rule types ServiceNow Workflow, ServiceNow Flow, and Identity Security Cloud Workflow.

    • There is no auto approval and no exclusion for requester/requested for if the request is assigned to the default group.

    • Any member of the default group can mark the request as approved or rejected. At least one member must mark it.

    • For rule type ServiceNow User, ServiceNow Manager, IdentityNow Manager and IdentityNowOwner:

      • Requests are auto-approved when the approver and requester/requested for are the same.

      • If Auto Approve Enabled is set to Yes

        • The request will be auto approved if theapprover and requester/requested for are the same user.

      • If Auto Approve Enabled is set to False

        • ServiceNow User and ServiceNow Manager: The approval will be reassigned to the ServiceNow manager of the approver if the approver and requester/requested for are the same.

        • Identity Security Cloud Manager and Identity Security Cloud Owner:The approval will be re-assigned to the Identity Security Cloud manager of the approver if the approver and requester/requested for are the same.

    • The default Approval Group is SailPoint Access Governance Group. This group is designated to approve requests if no approver has been identified during execution of the approval flexibility rules. Any one group member may mark requests as approved.

      Use Cases

      • If the approver is missing for ServiceNow Manager, ServiceNow User, Identity Security Cloud Manager, Identity Security Cloud Owner, ServiceNow Group, ServiceNow Role, Identity Security Cloud Governance Group, or ServiceNow Script:

        • The approval will assign to a default of SailPoint Access Governance Group.

        • If SailPoint Access Governance Group is empty or there are no valid members in it, the requested item will be put in a Closed Incomplete state as Request Cancelled, with the approval being Rejected.

        Note

        • For ServiceNow Workflow, ServiceNow Flow, and Identity Security Cloud Workflow, approvals will not be reassigned to the SailPoint Access Governance Group even if no approver is identified.

        • If a requested item(RITM) is marked as Closed Incomplete at any time during its lifecycle, the approval field will be marked as Rejected even if all approvals are successfully completed, as per ServiceNow's OOTB behavior.

In order to improve security, the solution rejects the Access Requests if it is unable to assign the correct user as an approver.

The following Auto-Rejection rules apply (applicable to versions 3.2.0 and earlier):

  • No appropriate User exists in ServiceNow in the Approval Rule of type IdentityNow Workflow.

  • There are Multiple Approval Definitions with the same order, however, one of them is improper (where it is impossible to identify the approver).

  • Approval Definitions are not set for Access Object.

  • Approval Definitions set for Access Object are inactive.

  • No rule is specified in Approval Definition (assigned rule was deleted).

  • If the approval is reassigned to the default group, and there is no active member found in the group.

Approval History

All current and historical data about the approvers is captured in the standard ServiceNow Approval (sysapproval_approver) table.

Additional guidance for Approval Flexibility Approvals

Known Issue during Approval Flexibility (Multi Level Approval) Implementation.

Customers migrating to Approval Flexibility may face the following kinds of errors. This will be addressed in the upcoming release. ServiceNow admins may take the following action to resolve the issue.

For any further help, they may raise a SET ticket.

Issue: Exception (ConversionError): The undefined value has no properties in business rule; skipping business rule.

This error is observed in the following business rules:

  • SP_SPNT_SNOW_INT_MLA_Approval_Manager

  • SP_SPNT_SNOW_INT_MLA_Approval_Manager_IW

- OR -