000038157 - Approval items that are rejected by email and have multiple concurrent approvers may potentially be provisioned in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Nov 19, 2019
Version 1

Article Content

Article Number: 000038157
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1

Issue

When multiple resources are concurrently assigned to an approval task, the expected behavior is that the first rejection, or any rejection, supersedes the approval task and no further approvals can be made. This is true for requests approved in the user interface or through a request form. However, if an approval task is rejected via an email approval, the approval task is incorrectly marked as Completed, which allows the other approvers to approve the request even though it has been rejected.

This occurs when the Activity Node Properties of the Approval Node defined in the request Approval Workflow have Assignment defined as All Concurrent and more than one approver is included. To find this setting in the user interface, go to Requests > Workflows > Approval tab > {workflow name}, click on the approval node, and scroll to Resources on the right-hand side.

For example, in the following workflow there are two users defined as concurrent approvers. If the first user (it can be either user) rejects the request via email, the second approver will mistakenly have a chance to approve the request.

[Image: approval workflow with two concurrent approvers]

Cause

After a request is rejected via an email approval node, the request is incorrectly changed to the Completed state instead of the Cancelled state, which allows any additional approvers to approve it.

This is a known issue in the following versions and has been reported in ACM-98948:

  • RSA Identity Governance & Lifecycle 7.1.0
  • RSA Identity Governance & Lifecycle 7.1.1

Resolution

This issue is resolved in RSA Identity Governance & Lifecycle 7.1.1 P03.

A change has been made which ensures that as soon as one approver rejects a request, regardless of how the approval was made (user interface, request form, email), the request moves to the Cancelled state and can no longer be approved.