How to execute an action when a approval workflow has been rejected.

Hi all,

I need to execute an action when a group approval workflow has been rejected. How can this be done? I noticed that the workflow gets terminate by the approval rule activity when the approval is rejected. 

Thanks, Andy

  • Unfortunately, workflows are immediately terminated as you have seen, once they are rejected. Sending out an email notification within the Approval rule itself is about all that can be performed upon a rejection. I also haven't seen any KB articles that indicate if this has been submitted as an Enhancement Request. If you would be willing to open a support case to get this added as an ER, this could get it added as an item to be considered for a future release.

  • Hi Richard, thanks for your answer. I will open a support case to get this added as an ER.

  • Hi Andy

    As Richard says, there is no method currently to continue a workflow after an approval step has been rejected.

    However, depending on your use case, you might be able to do something via a separate automation workflow.

    This workflow would have a script activity step to find all rejected (Denied) group membership operations with in some time frame. This would not be as easy as just a continuation of the original workflow, and also would be heavily dependant on what you need to do after the rejection.

    The ARS powershell module has a commandlet Get-QARSOperation, this can be used to give you a list of operations (OperationType) that have occurred (created, updated, copy, group membership changes etc), but also the status (OperationStatus) of the request (Pending, Completed, Denied, Canceled etc). However the data you might need for your use case might be discarded after the request was rejected.

    Hope this helps

    Stu

  • Another option I would propose is a custom response that mimics a rejection but does not actually terminate the workflow.  There exists the ability to customize the response buttons in any approval workflow so just come up with a label that implies rejection like "No way!" but actually allows the workflow to continue.  Using the QARSOperation cmdlet you can then cancel the operation in the background after the fact if need be.

  • Hi,

    let us know about the ER status since we also are interested into this feature.

    Meanwhile, our workaround has been to monitor Windows Event Logs and trigger a script when next event ID is triggered:

    2715 - "Request for operation rejected. Activity name: {0}Workflow name: {1}Workflow GUID: {2}Workflow instance GUID: {3}Initiator: {4}Rejected by: {5}Action reason: {6}"

    The script then verifies if the "Workflow name" matches the one where the approval rejection occurred and then I execute some commands and so on...

    This workaround might not be suitable for everyone, in our case it is: 

    Comprehensive list of EventID's posted to the Active Roles Event Viewer Log (215433)

    https://support.oneidentity.com/active-roles/kb/215433/comprehensive-list-of-eventid-s-posted-to-the-active-roles-event-viewer-log