Setting Global Reminders and Escalation Policies

If an approver assigned to an access request has not taken action on it, you need the ability to automatically remind them that their review is required. If too much time passes, you need to be able to escalate the issue by sending the request to another reviewer.

To update the settings for these reminders and escalations, refer to the Update Approvals Configuration API.

Notes

• The Update Approvals Configuration API can be used to configure approvals at multiple levels. If a config is set for access_request_approvals, it will override any global config settings. To apply modifications to access requests, update the config with id=access_request_approval and scope=approval_type.
• To remove the access_request_approval level to force a global config setting to be used universally for all approvals, use the Delete Approval Configuration API.
• The Update Approvals Configuration API also supports specifying a separate config on a per access item basis, which will override the global and access-request specific configs.
• The approval order of precedence is applied in the following order:
  • If a per access item config exists, it is applied.
  • If a per access item config does not exist, the access-request-approval config is applied.
  • If a per access item config and access-request-approval do not exist, the global config is applied.

When you use the API, you must define the identity that will act as the fallback approver. You may also configure whether to use escalations, send reminders, the length of time to wait between escalations, and how often to send reminders to reviewers.

Changes to the reminder or escalation configuration will only affect access requests created after the change is made. Pending requests will follow the configuration that existed at the time the request was submitted.

Note

By default, no reminders or escalations are sent.

Escalation Pattern

If reviewers fail to complete their reviews within the time frame, the request is automatically escalated to the manager of the assigned reviewer. The number of escalation levels can be configured using the Update Approvals Configuration API.

The fallback approver is the individual or governance group designated by the API to complete the request if the previous reviewers fail to meet the deadline. If an approver is not found during escalation, the request is assigned to next escalation level in the chain. If the escalation user identified is already in the approval chain, we will escalate again to the next level. If there are no further escalation levels, the request is assigned to the fallback approver. If the fallback approver has been deleted from the system, or is already in the approval chain, the request remains with the last valid approver.

Notes

• If the fallback approver is the same identity that submitted the access request, the original requester might be permitted to review their own access request.
• The request will be assigned to the specified identity, even if the identity is disabled or incomplete. In these cases, an admin can reassign the request by submitting an API call with the Forward Access Request endpoint.
• In the case of governance groups, the request will be escalated to each member's manager. If a member does not have a manager to escalate to, the approval will remain with that member while other members' assignments are escalated to their managers. If none of the members has a manager, all members' requests will be escalated to the fallback approver. Likewise, when the escalation has finished all configured manager_of levels and reaches the fallback approver stage, all members' requests will be escalated to the fallback approver.

If a reviewer reassigns a request, the timing of the escalation process does not restart. Emails will still be sent out at the designated times.

Email Templates

You can customize the emails that users see when requesting, reviewing, or reassigning access requests using the following email templates:

• Access Request Decision
• Access Request Decision for Others
• Access Request for Other
• Access Request Reassignment
• Access Request Reviewer
• Access Request Sunset Date Reminder

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.