Click HERE to see how Saviynt Intelligence is transforming the industry. |
09/16/2024 12:35 PM
Hi,
We would like to grant our end users the ability to approve requests assigned to them.
Use case: A manager having a ROLE_MANAGER SAV Role in Saviynt creates a temporary delegation to a user having only the ROLE_ENDUSER role. We were thinking the Approve all requests assigned to me setting on the SAV Role would allow the delegated user to approve requests but the user having only the ROLE_ENDUSER role does not see any approvals in the UI.
If we add the Pending Approvals feature on the End User SAV Role, the end user becomes able to approve the requests assigned to him but also for others which gives more access than what we are aiming for.
What would be the best recommendation for us to be able to have end users approving only requests assigned to them? We are trying so setup a baseline that all End Users could have and prevent us from adding and removing SAV Roles manually. We are confident this is feasible, and we are just missing something in our understanding.
Thank you for the help.
Solved! Go to Solution.
09/16/2024 01:59 PM
Approve all requests assigned to me setting at end user role should work.
Hope the user in screen shot has been assigned something to approve.
09/16/2024 02:01 PM
09/17/2024 04:56 AM
Thank you for the feedback @rushikeshvartak and @Amit_Malik.
Our test user definitely has requests pending approval. In fact when I grant the Pending Approvals feature on the End User SAV Role I can see and approve requests while using the test user having the active delegation.
My question was more around the permissions required for a delegated user to be able to only approve requests assigned to him thru the delegation from a manager.
When not granting the Pending Approvals feature on the End User SAV Role, the end user having the active delegation does not see anything in the UI for approvals. Example where this is the same user from the screenshot above only without the Pending Approvals feature.
I am trying to figure out if this is a misunderstanding / misconfiguration on our end (I suppose so) or a bug.
Thank you!
09/17/2024 05:29 AM - edited 09/17/2024 05:30 AM
@glegault , delegated requests stays with orignal approver. That is how Saviynt designed right now. Though the delegated user can take action but the request stays with actual approver only.
Add pending approval feature and restrict what user can approve via approve all request assigned to me.
Also make sure there is not another sav role added to user , which gives him more access than "approve all request assigned to me"
09/17/2024 05:59 AM
Hi @Amit_Malik,
This makes sense to me.
FYI, I was testing all this in our DEV environment.
I just validated the behaviour in our PROD environment and the Approve all requests assigned to me seem to be working as expected. I am not able to reproduce what I am currently seeing in DEV. Both are 23.10.
In DEV I even tried setting the SAV Role to Cannot approve any request just for test purposes and my delegated user who only has access to this one SAV Role still can approve all requests. Really strange...
Any ideas of what can cause this setting to be ignored or override?
Thank you again!
09/17/2024 08:29 AM
Hi @rushikeshvartak and @Amit_Malik,
After further investigation and testing in our DEV environment, I believe the behaviour I had observed was caused by having used as a Parent User in the delegation a user having the ROLE_ADMIN access. I guess the approval delegation in that case allowed the delegated user to see all approval request the parent (admin) would...
I did another test using a regular manager as parent user and it is working as expected.
@Amit_Malik I will mark you suggestion as a solution. Thank you!
09/17/2024 05:31 AM
09/17/2024 05:59 AM
I only have access to 23.10 for now.