Skip to content

Approvals Administration

Identity Security Cloud requires users to execute core governance processes throughout the product, such as access requests, certifications, and provisioning tasks. Instead of an access request being viewable only by the user who submitted it, admins can also view and manage everything that users see in the Request Center > My Requests UI.

Log into Identity Security Cloud as an administrator and go to Admin > Dashboard > Approval Management. Selecting from the left navigation options, you can manage Access Requests, Entitlement Descriptions, and all Other Approvals.

Access Requests

Access Request Administration is helpful when a pending access request is stuck and an administrator needs to be able to view, examine, and reassign it. You can view and manage all work across Identity Security Cloud to enable the timely flow of governance activities.

Refer to User Level Permissions for information about user levels specific to Access Request Administration.

Log into Identity Security Cloud as an administrator and go to Admin > Dashboard > Approval Management.

The Approval Management page defaults to a table view, but you may use the toggle at the right to view the same information on cards. Use the options above the table or cards to filter for All, Pending, or Concluded requests. By default, the requests are sorted by age, with the newest at the top.

Access requests includes the following information:

  • Access Name - Name of the access being requested.
  • Access Request ID - ID number related to the request.
  • Assigned to - Identity that this task is assigned to. When the next review is assigned to more than one person or a governance group, this column displays “Multiple.”
  • Access for - Identity that the access is for.
  • Requested by - Name of the requestor.
  • Days old - Elapsed time (in days) since the request was submitted.
  • Status - Status of the request, including Pending, Partial Provisioning, Failed, Error, Canceled, Denied, and Completed.
  • Actions - Includes View Details, Reassign, Remind User, and Cancel Request.

Note

If the approval was marked to require reauthentication, you will be asked to reauthenticate through your SSO provider to complete the approval.

Searching for an Access Request

Search for a specific access request by pasting or entering Access Request IDs in the search bar at the top of the page. Add comma-separated values to find multiple access requests. Queries are limited to 350 characters.

Note

This is the only Identity Security Cloud search bar where you can search with comma-separated values.

Filtering Access Requests

To find an access request on the Approval Management page using characteristics other than ID, use the Filter icon next to the search field to filter. Add as many filters together as you want.

Available Access Request filters include:

  • Requested For - Identity that the access is requested for.
  • Requested By - Identity that submitted the request.
  • Created Date - Date that the request was created.
  • Current Owner - Identity to whom the request is currently assigned.
  • Status
    • Pending - Request is executing.
    • Completed - Request has been completed.
    • Canceled - Request was terminated by the user before it was able to complete.
    • Denied - Request was rejected by the approver.
    • Provisioning Failed - The request has failed to complete, and not all items were provisioned.

Select Apply to apply the selected filters. To remove filters, select X next to any filter criteria, then select Apply.

Quick filters are available above the table to the left. They are All, Pending, and Concluded. The quick filters add on to any other filters you may apply. For example, if you select the quick filter Concluded, then select the Filter icon , the Filters overlay shows that the Concluded statuses have been added to the filter’s states.

Note

The Concluded filter lists all requests that are no longer pending. This includes requests with a status of Completed, Canceled, or Denied, as well as requests with Not All Items Provisioned or Provisioning Failed.

Entitlement Descriptions

The Entitlement Descriptions page defaults to a table view, but you may use the toggle at the right to view the same information on cards. Use the options above the table or cards to filter for All, Pending, or Concluded requests. By default, the requests are sorted by age, with the newest at the top.

Entitlements are the access rights an account has on a source. Entitlement descriptions should provide useful information about the entitlement and its access. To ensure that a GenAI entitlement description is accurate, approval by a reviewer is required before the suggested description can be applied to the entitlement.

Go to Admin > Dashboard > Approval Management and select the Entitlement Descriptions tab from the left navigation.

Each entitlement description approval request includes the following information:

  • Entitlement Name - Name of the entitlement.
  • Description - Entitlement description as generated by AI.
  • Source - Entitlement source.
  • Assigned To - Approver assigned to review the request.
  • Assigned By - User who assigned the approval.
  • Days Old - Elapsed time (in days) since the entitlement was assigned.
  • Status - Status of the request, including Pending, Failed, Error, Canceled, Denied, and Completed.
  • Actions - Includes Approve, Deny, Edit, Remind, Reassign, Cancel, and View Details.

The Details overlay shows the assigned date and reviewer name.

Other Approvals

When you select the Other tab from the left navigation, the Generic Approvals page defaults to a table view, but you may use the toggle at the right to view the same information on cards. Use the options above the table or cards to filter for All, Pending, or Completed requests. By default, the requests are sorted by age, with the newest at the top.

Available actions include Approve, Deny, Edit, Remind, Reassign, Cancel, and View Details.

Each approval request listed on the Other page includes the following information:

  • Name - Name of the request.
  • Description - Request description.
  • Requester - Workflow owner or identity assigning the request.
  • Requesting For - Workflow owner or identity receiving the access, if applicable.
  • Assigned to - Approver.
  • Days Old - Elapsed time (in days) since the entitlement was assigned.
  • Priority - Request priority, expressed as Low, Medium, or High.
  • Status - Status of the request, including Pending, Partial Provisioning, Failed, Error, Canceled, Denied, and Completed.
  • Actions - Includes Approve, Deny, Edit, Remind, Reassign, Cancel, and View Details.

Select Actions > View Details for request details, including the full description, priority, last approver, created, and expiration date.

The Details overlay also includes the Process tab, which shows how the request is progressing through the approval and provisioning process. To view a list of approvers, select the down arrow next to the approval step. When a request is assigned to a governance group, the Process tab includes a down arrow to show the first 10 members of the governance group that may complete the approval. Once the request has been approved or denied, only the person who acted on the request is shown.

Note

If the approval was configured to require reauthentication, you will be asked to reauthenticate through your SSO provider to complete the approval.

From the Actions column, you can View Details, Reassign, Remind User, or Cancel a Request for a request. Alternately, you can select an item in the Access Name column to open the Details panel. From there, an admin can:

  • Review request information and workflow progress
  • Reassign a request
  • Remind an approver with email
  • Overwrite an approver
  • Cancel a request

Searching for an Other Approval Request

Search for a specific request by name or by workflowExecutionId using the search bar at the top of the page. Add comma-separated values to find multiple requests. Queries are limited to 350 characters.

Note

This is the only Identity Security Cloud search bar where you can search with comma-separated values.

Filtering Other Approval Requests

To find an approval request using characteristics other than ID, use the Filter icon next to the search field to filter. Add as many filters together as you want.

Available Other approval request filters include:

  • Assigned to - Approver.
  • Created Date - Date the request was created.
  • Status - Status of the request, including Pending, Partial Provisioning, Failed, Error, Canceled, Denied, and Completed.
  • Priority - Request priority, expressed as Low, Medium, or High.
  • Requested For - Identity that the access is requested for.
  • Requested By - Identity that submitted the request.

Select Apply to apply the selected filters. To remove filters, select X next to any filter criteria, then select Apply.

Quick filters are available above the table to the left. They are All, Pending, and Concluded. The quick filters add on to any other filters you may apply. For example, if you select the quick filter Concluded, then select the Filter icon , the Filters overlay shows that the Concluded statuses have been added to the filter’s states.

Note

The Concluded filter lists all requests that are no longer pending. This includes requests with a status of Completed, Canceled, or Denied, as well as requests with Not All Items Provisioned or Provisioning Failed.

Managing Access Requests

On the Admin > Dashboard > Approval Management page, go to the Access Requests tab and select an Access Name to review the request details. The Grant: [Access Name] panel or the Remove: [Access Name] panel appears, depending on whether the request is to add or remove access.

On the Process tab, you can view the flow of the access request and provisioning. This includes the status of each task or the date it was completed. When more than one approval is required, you can select the down arrow to expand the approval step to view the names of approvers and the status of their review. Solid lines represent the completed progression through the request processing workflow. Solid circles represent previous or active steps and open circles represent future steps.

On the Assignees tab, view who is assigned to approve the access request for access requests that require approval. When a review is assigned to a governance group, it is actually assigned to the individual members of that group. In that case, the assignee listed is Multiple to let you know it's currently assigned to more than one person. The Assignees tab lists the individuals who are currently assigned as part of the governance group. You have the option to remind or reassign any of the current assignees on the Assignees tab.

On the Details tab, view access request details, such as description, type, created date, and status.

Reassigning an Access Request

Admins can reassign an access request to someone else.

  1. Locate the request you need to reassign.

  2. Select Reassign from one of three places:

    • In the Actions column, select Reassign.

      Note

      When a request is assigned to multiple approvers, the Reassign option in the Actions column is disabled. Instead, you can select the word Multiple in the Assigned To column or use the Assignees tab to reassign the request.

    • Select the Name, then select Reassign at the bottom of the panel.

    • Select the Name, go to the Assignees tab, then select Reassign next to the person whose review you want to reassign.

  3. Enter a user in Reassign To.

    Note

    You can’t reassign an access request review to a governance group. To reassign an item that is currently assigned to a governance group, you need to reassign it at an individual level.

  4. Enter comments.

  5. Select Reassign.

After a request is reassigned, the new approver is listed in the Assigned To column on the Access Request Administration page. You can also view a record of the changed assignment in the request’s Grant: [Access Name] page on the Process tab.

Reminding an Approver of a Request

Send email to remind someone of a request they are assigned to review.

  1. Locate the request on the Access Requests tab > Access Request Administration page or the Other tab > Generic Approvals page.

  2. Select Remind from one of two places:

    • In the Actions column, select Remind User.

      Note

      When the request is assigned to multiple approvers, the Remind option in the Actions column is disabled.

    • Select the request's Name, then select Remind User at the bottom of the panel.

  3. An email link opens with a message addressed to the assigned reviewer. You can add a subject, edit the message, and send.

Overwriting a Request Approver

Overwrite a request approval without the currently assigned approver. This only overwrites the current approval step, not all steps in the workflow.

  1. Locate the request on the Access Requests tab > Access Request Administration page or the Other tab > Generic Approvals page.
  2. Select the access name or task name.
  3. In the Grant or Remove panel, select More.
  4. Select Overwrite Current Approver.
  5. Enter comments.
  6. Select Approve Request.

View a record of the approval on the access request’s Details page.

If an admin overwrites an approval, the Process tab will show it as Reassigned to Admin and Approved by Admin [name].

Canceling a Request

You can cancel a request that’s no longer valid.

  1. Locate the request on the Access Requests tab > Access Request Administration page or the Other tab > Generic Approvals page.
  2. Select Cancel Request from one of two places:
    • In the Actions column, select Cancel Request.
    • Select the access name or task name, then select More > Cancel Request.
  3. Enter comments.
  4. Select Cancel Request.

The Status column updates to Canceled. An email is sent to the requester to confirm that the request has been canceled.

Bulk Actions

For Other approvals, you can use the checkboxes to select multiple items and cancel them all at once. Reassign, Deny, and Approve need to be done one by one.

For Access Requests, you can Approve, Cancel, or Reassign multiple access requests at once.

  1. On the Access Requests tab > Access Request Administration page or the Other tab > Generic Approvals page, select the checkboxes next to the items that you want to include.

    Note

    For efficiency, you can filter for the requests you need, then select everything in the list using the checkbox above the table.

  2. Select Cancel, Approve, or Reassign at the top right side of the table. The action will apply to all of the selected access requests.

Approval Request Audit Events

Approval requests generate audit events for the following activities:

  • APPROVAL_REQUEST_CREATED - Audit events related to request creation.
  • APPROVAL_REQUEST_APPROVED - Audit events related to approved requests.
  • APPROVAL_REQUEST_CANCELLED - Audit events related to an approval request cancellation.
  • APPROVAL_REQUEST_TIMED_OUT - Audit events related to approval requests that have timed out. This may be configured anywhere from 1-90 days.
  • APPROVAL_REQUEST_REJECTED - Audit events related to approval requests that are denied.
  • APPROVAL_REQUEST_UPDATED - Audit events related to approval events that are updated in any way.
  • APPROVAL_REQUEST_ESCALATED - Audit events related to approval requests that are escalated to a different approver following the configured procedure.
  • APPROVAL_REQUEST_ASSIGNED - Audit events related to approval requests being assigned to an approver.

To search audit events:

  1. Go to Search.

  2. Enter one of the following search queries:

    • type:approval_request_created
    • type:approval_request_approved
    • type:approval_request_cancelled
    • type:approval_request_timed_out
    • type:approval_request_rejected
    • type:approval_request_updated
    • type:approval_request_escalated
    • type:approval_request_assigned

Refer to Viewing Events.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.