• State Not Answered
  • Replies 3 replies
  • Subscribers 95 subscribers
  • Views 341 views
  • Users 0 members are here
Options
Related

[One Identity Manager 9.3] Is it possible to disable auto-submit for attestation decisions?

matheus candido
17 days ago

Hi everyone,

I'm working with One Identity Manager 9.3 and noticed that during an attestation campaign, as soon as an approver makes a decision (approve or deny), the action is automatically processed — meaning the item is submitted without needing to wait for the entire campaign to be completed.

I'd like to know if there's a way to disable this "auto-submit" behavior, so that decisions are only processed after the full campaign is completed, or after a manual submission step.

Has anyone needed to configure this before, or knows if it's possible to adjust it via the Designer, approval workflows, or any other configuration?

Thanks in advance!

Parents
  • 0 16 days ago

    Can you please explain in more detail how you (in your use case) define an entire campaign and why you want to postpone the processing of a decision?


  • 0 16 days ago in reply to Markus Weiss-Ehlers

    One example of a scenario we're dealing with involves access review campaigns conducted by managers. In many cases, these managers don’t complete the campaign all at once — they review access items gradually over several days.

    Ideally, at the end of the campaign, the manager should be able to review all the decisions made during that period and, if necessary, undo or adjust any of them before they are actually processed.

    I’m aware that One Identity Manager allows decisions to be undone, but since actions are processed immediately after an approval or denial (as soon as the status changes from Pending), it’s no longer possible to undo them — they're considered final at that point.

    We even considered adding a second approval step to allow time for this review, but it didn’t seem like a very efficient solution for our use case.

    That’s why we’re looking for a way to configure the process so that actions are only executed once the entire campaign is completed, or when the reviewer manually submits their decisions.

Reply
  • 0 16 days ago in reply to Markus Weiss-Ehlers

    One example of a scenario we're dealing with involves access review campaigns conducted by managers. In many cases, these managers don’t complete the campaign all at once — they review access items gradually over several days.

    Ideally, at the end of the campaign, the manager should be able to review all the decisions made during that period and, if necessary, undo or adjust any of them before they are actually processed.

    I’m aware that One Identity Manager allows decisions to be undone, but since actions are processed immediately after an approval or denial (as soon as the status changes from Pending), it’s no longer possible to undo them — they're considered final at that point.

    We even considered adding a second approval step to allow time for this review, but it didn’t seem like a very efficient solution for our use case.

    That’s why we’re looking for a way to configure the process so that actions are only executed once the entire campaign is completed, or when the reviewer manually submits their decisions.

Children
  • 0 15 days ago in reply to matheus candido

    Technically, there is no way of postponing the decisions. You can add an approval step to the approval workflow at the end that works as a collector somehow. It could be a WC (Waiting for further approval) approval step where you provide a function that defines when your campaign is ready to be finalized.

    But be aware that the WC approval step leads to recurring checks if the condition is fulfilled. Depending on the number of attestation cases, this can be demanding for the DB queue processing. 

    I wouldn't recommend doing this.