Approval items that are rejected by email and have multiple concurrent approvers may potentially be provisioned in RSA Identity Governance & Lifecycle
4 years ago
Originally Published: 2019-11-18
Article Number
000043641
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1
 
Issue
When multiple resources are concurrently assigned to an approval task, the expected behavior is that the first rejection or any rejection supersedes the approval task and no further approvals can be made. This is true for requests approved in the user interface or through a request form. However, if an approval task is rejected via an email approval, the approval task is incorrectly marked as Completed which allows the other approvers the ability to approve the request even though it has been rejected.

This occurs when the Activity Node Properties of the Approval Node defined in the request Approval Workflow has Assignment defined as All Concurrent and more than one approver is included. In the user interface go to Requests > Workflows > Approval tab > {workflow name} > click on the approval node > scroll to Resources on the right-hand side.

For example, in the following workflow there are two users defined as concurrent approvers. If the first user rejects the request (it can be either user) via an email, the second approver will mistakenly have a chance to approve the request.

User-added image


 
Cause
After a request is rejected via an email approval node, the request is incorrectly changed to the Completed state instead of the Cancelled state which allows any additional approvers to approve it. 

This is a known issue in the following versions and has been reported in ACM-98948:

  • RSA Identity Governance & Lifecycle 7.1.0
  • RSA Identity Governance & Lifecycle 7.1.1
 
Resolution
This issue is resolved in the following RSA Identity Governance & Lifecycle versions and/or patch levels:
  • RSA Identity Governance & Lifecycle 7.1.1 P03
  • RSA Identity Governance & Lifecycle 7.2

A change has been made which ensures that as soon as one approver rejects a request regardless of how the approval was made (user interface, request form, email), the request moves to the Cancelled state and can no longer be approved. 
 

Related Articles

Trending Articles

Don't see what you're looking for?