SecurID® Governance & Lifecycle Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.
Article Number
000038157
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1
RSA Version/Condition: 7.1.0, 7.1.1
Issue
When multiple resources are concurrently assigned to an approval task, the expected behavior is that the first rejection or any rejection supersedes the approval task and no further approvals can be made. This is true for requests approved in the user interface or through a request form. However, if an approval task is rejected via an email approval, the approval task is incorrectly marked as Completed which allows the other approvers the ability to approve the request even though it has been rejected.
This occurs when the Activity Node Properties of the Approval Node defined in the request Approval Workflow has Assignment defined as All Concurrent and more than one approver is included. In the user interface go to Requests > Workflows > Approval tab > {workflow name} > click on the approval node > scroll to Resources on the right-hand side.
For example, in the following workflow there are two users defined as concurrent approvers. If the first user rejects the request (it can be either user) via an email, the second approver will mistakenly have a chance to approve the request.
This occurs when the Activity Node Properties of the Approval Node defined in the request Approval Workflow has Assignment defined as All Concurrent and more than one approver is included. In the user interface go to Requests > Workflows > Approval tab > {workflow name} > click on the approval node > scroll to Resources on the right-hand side.
For example, in the following workflow there are two users defined as concurrent approvers. If the first user rejects the request (it can be either user) via an email, the second approver will mistakenly have a chance to approve the request.
Cause
After a request is rejected via an email approval node, the request is incorrectly changed to the Completed state instead of the Cancelled state which allows any additional approvers to approve it.
This is a known issue in the following versions and has been reported in ACM-98948:
- RSA Identity Governance & Lifecycle 7.1.0
- RSA Identity Governance & Lifecycle 7.1.1
Resolution
This issue is resolved in the following RSA Identity Governance & Lifecycle versions and/or patch levels:
A change has been made which ensures that as soon as one approver rejects a request regardless of how the approval was made (user interface, request form, email), the request moves to the Cancelled state and can no longer be approved.
- RSA Identity Governance & Lifecycle 7.1.1 P03
- RSA Identity Governance & Lifecycle 7.2
A change has been made which ensures that as soon as one approver rejects a request regardless of how the approval was made (user interface, request form, email), the request moves to the Cancelled state and can no longer be approved.
In this article
