Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

SAV Role requirements for delegated approvers

glegault
Regular Contributor
Regular Contributor

Hi,

We would like to grant our end users the ability to approve requests assigned to them.

Use case: A manager having a ROLE_MANAGER SAV Role in Saviynt creates a temporary delegation to a user having only the ROLE_ENDUSER role. We were thinking the Approve all requests assigned to me setting on the SAV Role would allow the delegated user to approve requests but the user having only the ROLE_ENDUSER role does not see any approvals in the UI.

glegault_0-1726515251962.png

glegault_1-1726515263327.png

If we add the Pending Approvals feature on the End User SAV Role, the end user becomes able to approve the requests assigned to him but also for others which gives more access than what we are aiming for.

glegault_2-1726515282363.png

What would be the best recommendation for us to be able to have end users approving only requests assigned to them? We are trying so setup a baseline that all End Users could have and prevent us from adding and removing SAV Roles manually. We are confident this is feasible, and we are just missing something in our understanding.

Thank you for the help.

8 REPLIES 8

Amit_Malik
Valued Contributor II
Valued Contributor II

Approve all requests assigned to me setting at end user role should work. 

Hope the user in screen shot has been assigned something to approve.

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

rushikeshvartak
All-Star
All-Star
  • If requestor and end user is same then end user can’t approve the request. 
  • who is requestor / requestee in your case?

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Thank you for the feedback @rushikeshvartak  and @Amit_Malik.

Our test user definitely has requests pending approval. In fact when I grant the Pending Approvals feature on the End User SAV Role I can see and approve requests while using the test user having the active delegation.

glegault_0-1726573781403.png

My question was more around the permissions required for a delegated user to be able to only approve requests assigned to him thru the delegation from a manager.

When not granting the Pending Approvals feature on the End User SAV Role, the end user having the active delegation does not see anything in the UI for approvals. Example where this is the same user from the screenshot above only without the Pending Approvals feature.

glegault_1-1726573850357.png

I am trying to figure out if this is a misunderstanding / misconfiguration on our end (I suppose so) or a bug.

Thank you!

Amit_Malik
Valued Contributor II
Valued Contributor II

@glegault , delegated requests stays with orignal approver. That is how Saviynt designed right now. Though the delegated user can take action but the request stays with actual approver only.

Add pending approval feature and restrict what user can approve via approve all request assigned to me.

Also make sure there is not another sav role added to user , which gives him more access than "approve all request assigned to me"

 

 

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

glegault
Regular Contributor
Regular Contributor

Hi @Amit_Malik,

This makes sense to me.

FYI, I was testing all this in our DEV environment.

I just validated the behaviour in our PROD environment and the Approve all requests assigned to me seem to be working as expected. I am not able to reproduce what I am currently seeing in DEV. Both are 23.10.

In DEV I even tried setting the SAV Role to Cannot approve any request just for test purposes and my delegated user who only has access to this one SAV Role still can approve all requests. Really strange...

glegault_0-1726577827928.png

Any ideas of what can cause this setting to be ignored or override?

Thank you again!

glegault
Regular Contributor
Regular Contributor

Hi @rushikeshvartak and @Amit_Malik,

After further investigation and testing in our DEV environment, I believe the behaviour I had observed was caused by having used as a Parent User in the delegation a user having the ROLE_ADMIN access. I guess the approval delegation in that case allowed the delegated user to see all approval request the parent (admin) would...

I did another test using a regular manager as parent user and it is working as expected.

@Amit_Malik I will mark you suggestion as a solution. Thank you!

  • Here KPI is not updating count for delegated user because original approver is different hence its expected behavior in modern KPI.
  • did you validated same in NEO ? After 24.7 version ?

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

I only have access to 23.10 for now.