Adaptive Approvals Overview
Adaptive Approvals allows admins to use Workflows to configure an Approval Policy for specific access requests or a Generic Approval Policy for task-based items. Admins use the Approval Policy and Generic Approval Policy Workflows actions to define the review process and assign reviewers.
Adaptive Approvals offers three approval types to customize your approval policy.
-
Single – Only one reviewer reviews the request.
-
Multi-Step – Multiple reviewers review this request. All reviewers must approve the request for the item to be approved. If one reviewer denies the request, the item is denied.
-
Quorum – Multiple reviewers review this request. You decide what percentage of the reviewers must approve for the item to be approved. One reviewer rejecting the request does not fail the entire request until it becomes impossible to reach the configured percentage threshold.
The approval policy can use one of the following approval schemes to perform the reviews:
-
Serial – The reviews are performed in a sequential order that you set. Each review must be completed before the request moves to the next reviewer in the sequence.
-
Parallel – All reviewers are notified of the pending review at the same time.
Adaptive Approvals allows Identities, Managers, Access Item Owners, or Governance Groups to be set as the reviewer type. Identities can be dynamically populated from prior data in the workflow.
Approval policies can be configured to send reminders to reviewers if the review has not been completed, as well as time out if the review isn’t completed in a specified amount of time. Admins can select when to time out the request and what action, between Approve and Expire, to take when the request times out.
Understanding the Adaptive Approvals Policy Types
The two types of Adaptive Approvals are Approval Policy and Generic Approval Policy.
Approval Policy
The Approval Policy action is for Access Request based approvals.
Access Request based approval policies allow you to configure approval policies for roles, access profiles, and individual entitlements.
Build a workflow using the Access Request Submitted trigger and the Approval Policy action to customize your approval policy.
After your workflow is enabled, configure the access objects to require approval when requested and select your configured workflow as the Approval Type.
When one of these configured access objects is requested, the adaptive approval policy is initiated through workflows. The requester can track the progress of their request.
Assigned reviewers then review the access requests on the Approvals page under the Access Requests tab. They can approve, deny, or reassign.
Generic Approval Policy
The Generic Approval Policy action allows you to configure approval policies for any task-based items such as disabling accounts or creating a group in Active Directory.
Build a workflow using the Generic Approval Policy action to customize your approval policy. The steps configured in the workflow after the Generic Approval Policy action will determine how the result of the Generic Approval is honored.
After your workflow is enabled and initiated, the Generic Approval Policy action creates the item for approval and sends it to any reviewers configured by the policy.
Assigned reviewers then review the requests on the Approvals page under the Other tab. They can approve, deny, or reassign.
Creating an Approval Policy
Approval Policies allow you to configure dynamic approval requirements for access requests. When a configured access object is requested, an adaptive approvals workflow is initiated, and the configured review process starts.
Building Adaptive Approval Workflows for Access Objects
Build a workflow using the Access Request Submitted trigger and the Approval Policy action to customize your approval policy. This workflow allows you to create a specific policy for handling access requests for configured access objects.
SailPoint offers pre-built Adaptive Approvals workflow templates to assist in getting started with Adaptive Approvals. These templates serve as a starting point and must be configured to meet your needs.
Access Request Submitted Trigger
The Access Request Submitted trigger initiates the workflow when an access request with the workflow attached in the Approval Type is submitted. This starts the review process with the configured approval policy.
Approval Policy Action
The Approval Policy action allows you to configure your custom approval policy. Set up the review process, add reviewers, and define what happens when the request times out. You can also choose whether to send scheduled notifications to the reviewer if they have not completed the request.
Configuring Access Objects for Adaptive Approvals
Configure an access object for adaptive approvals by requiring approval for the item when requested and selecting a workflow as the Approval Type. Select the workflow with your configured approval policy. For more information on configuring each access object type for adaptive approvals, refer to the following pages:
Submitting an Access Request
A user creates an access request for an access object configured with an approval policy from the Request Center. When this request is submitted, the workflow is triggered. The review process for the access object begins.
Tracking an Access Request
Users can track the status of their access request from the Request Center by selecting View My Requests. Select Details on the request to track. The Request Status Tracker shows details about the access request along with the request process details showing each step in the access review process.
Reviewing Access Requests
Reviewers assigned through the Approval Policy action review the access requests on the Approvals page under the Access Requests tab. From here, they can approve, deny, or reassign the request.
Once the configured criteria have been met, the item is either approved or denied.
Creating a Generic Approval Policy
Create a Generic Approval Policy to create a task-based item for approval and to define the approval policy for the item. These items can be any task-based request such as disabling accounts or creating a group in Active Directory.
Building Adaptive Approval Workflows for Generic Approval Policies
Build a workflow using the Generic Approval Policy action. This workflow can use any trigger or steps but must include the Generic Approval Policy action.
SailPoint offers pre-built Adaptive Approvals workflow templates to assist in getting started with Adaptive Approvals. These templates serve as a starting point and must be configured to meet your needs.
Generic Approval Policy action
Use the Generic Approval Policy action to configure an approval policy for a task-based item. This action creates an item for approval using the Name and Description fields within the action. Enter a name and description for the item for approval or use dynamic inputs from an earlier step in the workflow to fill these fields. The name and description from this action display on the card sent to the reviewer for approval.
Configure the review process, add one or more reviewers, and define what happens when the request times out. Select whether to force the reviewer to reauthenticate into Identity Security Cloud before acting on the approval item. You can also choose whether to send scheduled notifications to the reviewer if they have not completed the request.
When a workflow with this action runs, the Generic Approval Policy action creates the approval item and submits it for review. Assigned reviewers will see the item on the Approvals page under the Other tab.
Reviewing Other Approval Policy Requests
Reviewers assigned through the Generic Approval Policy action review the request for approval on the Approvals page under the Other tab. From here, they can approve, deny, or reassign the request. If Force Reauthentication is configured, they will be prompted to reauthenticate through the SSO when they try to approve the item.
Once the configured standards have been met, the item is either approved or denied. The rest of the steps in the workflow will determine what happens based on the results of the approval.
Documentation Feedback
Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.