Workflow for Role Lifecycle Management in SailPoint

Date Posted:

26 Sept 2025

Category:

Security


Multi-Level Approval Workflow for Role Lifecycle Management in SailPoint

Introduction Of Workflow for Role Lifecycle Management in SailPoint

Managing roles is one of the most important parts of SailPoint IdentityIQ. Roles define access, and every change to them can have a big impact on security and compliance. For that reason, role lifecycle operations, whether creating a new role, updating an existing one, or deleting it, should always go through a controlled approval process.

A simple “submit” and approval by one person is often not enough. Multi-level approval provides stronger governance by ensuring that several key stakeholders validate the change before it goes live.

Why a Custom Workflow?

IdentityIQ has a built-in option called “Submit with Impact Analysis”. It does trigger a workflow, but it comes with two drawbacks:

  • It routes approval to the role owner.

  • It requires the user to press a different button instead of the normal “submit”, which is not very practical in daily use.

To make approval both seamless and reliable, a custom workflow is the better approach.

How the workflow works

The custom workflow is tied directly to the role create and update actions in Global Settings. This way, whenever someone presses the regular Submit button, the workflow starts automatically.

The approval chain is set up in parallel. The Role Administrator and the System Administrator receive the work item at the same time, but one person’s decision affects the whole approval: if either approver rejects the work item, the entire flow ends. The work item shows details such as the role name, owner, operation, and the previous and new values.

Closing the Audit Gap

There is one limitation to keep in mind. Changes made from the debug page don’t go through the workflow. To handle this, auditing for role objects should be enabled. With that in place, every change is recorded: who made it, when, and from where. Even if approval is skipped, there’s still a complete audit trail.
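Enabling object auditing only closes the gap if someone actually looks for role changes that never passed through the approval workflow. The script below is an added example, not part of the original post and not IdentityIQ code. It runs over a constructed, flattened audit export in which the workflow's audit steps write "RoleApproval" events (string1 = "success" or "failure", target = "Role: <name>", mirroring the Arg values in the workflow) and role-object auditing writes "create"/"update"/"delete" events (target = role name) with an assumed "interface" field recording where the change came from. Every field and action name here is an assumption, not IdentityIQ's audit schema; the check flags any role change with no successful approval for that role inside a time window, which is exactly what a debug-page edit looks like.

```python
"""Flag role changes that have no matching workflow approval (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditRecord:
    created: datetime
    action: str        # "RoleApproval" (constructed name) or create/update/delete
    source: str        # who made the change or launched the workflow
    target: str        # "Role: <name>" for workflow events, "<name>" for object events
    interface: str     # constructed: where the change came from (UI, Debug, Workflow)
    string1: str = ""  # the workflow's audit steps put "success"/"failure" here


# Constructed sample export: one approved change, one rejected-but-applied
# change, and one out-of-band edit from the debug page.
SAMPLE_LOG = [
    AuditRecord(datetime(2025, 9, 26, 9, 0), "RoleApproval", "alice", "Role: Finance Analyst", "Workflow", "success"),
    AuditRecord(datetime(2025, 9, 26, 9, 5), "update", "alice", "Finance Analyst", "UI"),
    AuditRecord(datetime(2025, 9, 26, 11, 0), "RoleApproval", "bob", "Role: Payroll Admin", "Workflow", "failure"),
    AuditRecord(datetime(2025, 9, 26, 11, 2), "update", "bob", "Payroll Admin", "UI"),
    AuditRecord(datetime(2025, 9, 26, 14, 30), "update", "spadmin", "Finance Analyst", "Debug"),
]

ROLE_CHANGE_ACTIONS = ("create", "update", "delete")


def role_name(record: AuditRecord) -> str:
    """Normalise both target spellings ("Role: X" and "X") to the bare role name."""
    prefix = "Role: "
    return record.target[len(prefix):] if record.target.startswith(prefix) else record.target


def find_unapproved_changes(records, window: timedelta = timedelta(hours=1)):
    """Return role change events that no successful approval covers.

    A change is covered when a "RoleApproval" event with string1 == "success"
    for the same role was written at most `window` before the change.
    """
    approvals = [r for r in records if r.action == "RoleApproval" and r.string1 == "success"]
    findings = []
    for change in sorted(records, key=lambda r: r.created):
        if change.action not in ROLE_CHANGE_ACTIONS:
            continue
        covered = any(
            role_name(a) == role_name(change)
            and change.created - window <= a.created <= change.created
            for a in approvals
        )
        if not covered:
            findings.append(change)
    return findings


if __name__ == "__main__":
    for f in find_unapproved_changes(SAMPLE_LOG):
        print(f"{f.created:%Y-%m-%d %H:%M} {f.action:<6} {role_name(f):<18} by {f.source} via {f.interface}")
```

The window is deliberately short: an approval from last week should not license a change made today. Tune it to how long an approved change may legitimately sit before being committed in your environment.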

Code

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Workflow PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Workflow explicitTransitions="true" libraries="Role" monitored="true" name="Role Lifecycle Approval Workflow" type="RoleModeler" workItemRenderer="workflow.xhtml">
  <Variable editable="true" name="doArchive" type="boolean">
    <Description>Set to true to enable archiving role versions.</Description>
    <Prompt>Enable Role Versioning</Prompt>
  </Variable>
  <Variable editable="true" initializer="true" name="doOverlapAnalysis" type="boolean">
    <Description>Set to true to enable role overlap analysis.</Description>
    <Prompt>Enable Overlap Analysis</Prompt>
  </Variable>
  <Variable editable="true" initializer="1" name="overlapThreshold" type="int">
    <Description>Minimum overlap percentage in any facet a role must have to be included in the result.</Description>
    <Prompt>Minimum Overlap Percentage</Prompt>
  </Variable>
  <Variable input="true" name="approvalObject">
    <Description>New version of role to approve</Description>
  </Variable>
  <Variable name="approvalType">
    <Description>Set to &quot;delete&quot; when deleting roles. Set to &quot;rollback&quot; when restoring an archive. Otherwise null.</Description>
  </Variable>
  <Variable input="true" name="approvalSource">
    <Description>Where in the UI we are requesting the approval.
      Values: modeler, directed, undirected, certification.</Description>
  </Variable>
  <Variable name="roleName">
    <Description>Role name referenced by the email templates</Description>
  </Variable>
  <Variable editable="true" initializer="false" name="noRolePropagation" type="boolean">
    <Description>Set to true to disable role change propagation.</Description>
  </Variable>

  <!-- Step 1: resolve the role's display name so the email template and the audit steps can reference it. -->
  <Step action="getDisplayableRoleName" icon="Start" name="start" resultVariable="roleName">
    <Description>
      Copy the role name to a variable for easier reference in the
      email template.  Skip to approvals if there is no impact
      analysis owner.
    </Description>
    <Transition to="Approve"/>
  </Step>

  <!-- Step 2: multi-level approval. Both child approvals are opened at once;
       an approved result goes to Audit Success, anything else to Audit Failure. -->
  <Step icon="Approval" name="Approve" posX="276" posY="222">
    <Approval name="Approve" owner="call:buildOwnerApproval">
      <Approval mode="parallelPoll" name="Child Approval" owner="Walter.Henderson"/>
      <Approval mode="parallelPoll" name="Child Approval" owner="spadmin"/>
      <WorkItemConfig escalationStyle="none">
        <NotificationEmailTemplateRef>
          <Reference class="sailpoint.object.EmailTemplate" name="Role Modeler - Approval"/>
        </NotificationEmailTemplateRef>
      </WorkItemConfig>
    </Approval>
    <Transition to="Audit Success" when="approved"/>
    <Transition to="Audit Failure" when="!approved"/>
    <Transition to="Audit Failure"/>
  </Step>

  <!-- Step 3a: record the rejection in the audit log, then stop without committing. -->
  <Step action="audit" icon="Audit" name="Audit Failure" posX="423" posY="218">
    <Arg name="string1" value="failure"/>
    <Arg name="action" value="call:getApprovalAuditAction"/>
    <Arg name="source" value="ref:launcher"/>
    <Arg name="target" value="Role: $(roleName)"/>
    <Transition to="stop"/>
  </Step>

  <!-- Step 3b: record the approval in the audit log, then commit the role change. -->
  <Step action="audit" icon="Audit" name="Audit Success" posX="334" posY="120">
    <Arg name="string1" value="success"/>
    <Arg name="action" value="call:getApprovalAuditAction"/>
    <Arg name="source" value="ref:launcher"/>
    <Arg name="target" value="Role: $(roleName)"/>
    <Transition to="Commit"/>
  </Step>

  <!-- Step 4: persist the new role version (archiving the previous one when doArchive is true). -->
  <Step action="commit" name="Commit" posX="423" posY="120">
    <Arg name="archive" value="ref:doArchive"/>
    <Transition to="stop"/>
  </Step>

  <Step icon="Stop" name="stop" posX="423" posY="12"/>
</Workflow>
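Because the governance guarantees described in "How the workflow works" live entirely in the transitions of this XML, a small structural check on the export catches the mistakes that silently weaken it, such as a second approver being removed or the approval step being wired straight to Commit. The linter below is an added example, not part of the original post and not an IdentityIQ tool. It parses the workflow with Python's standard library and checks three properties: the Approval step has at least two child approvers, every transition out of it that is not the approved path lands on an audit step, and Commit is reached only from the audit step that records success. The embedded XML is a trimmed, constructed copy of the workflow above with the DOCTYPE removed so the parser does not look for sailpoint.dtd.

```python
"""Lint an IdentityIQ workflow export for multi-level approval governance (added example)."""
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the post's workflow: variables, icons and
# positions dropped, DOCTYPE removed, transitions and approvers kept verbatim.
WORKFLOW_XML = """<Workflow explicitTransitions="true" name="Role Lifecycle Approval Workflow" type="RoleModeler">
  <Step action="getDisplayableRoleName" name="start" resultVariable="roleName">
    <Transition to="Approve"/>
  </Step>
  <Step name="Approve">
    <Approval name="Approve" owner="call:buildOwnerApproval">
      <Approval mode="parallelPoll" name="Child Approval" owner="Walter.Henderson"/>
      <Approval mode="parallelPoll" name="Child Approval" owner="spadmin"/>
    </Approval>
    <Transition to="Audit Success" when="approved"/>
    <Transition to="Audit Failure" when="!approved"/>
    <Transition to="Audit Failure"/>
  </Step>
  <Step action="audit" name="Audit Failure">
    <Arg name="string1" value="failure"/>
    <Transition to="stop"/>
  </Step>
  <Step action="audit" name="Audit Success">
    <Arg name="string1" value="success"/>
    <Transition to="Commit"/>
  </Step>
  <Step action="commit" name="Commit">
    <Transition to="stop"/>
  </Step>
  <Step name="stop"/>
</Workflow>"""


def lint_workflow(xml_text: str, min_approvers: int = 2):
    """Return a list of human-readable findings; an empty list means the workflow passes."""
    root = ET.fromstring(xml_text)
    steps = {s.get("name"): s for s in root.findall("Step")}
    findings = []

    approval_steps = [s for s in steps.values() if s.find("Approval") is not None]
    if not approval_steps:
        findings.append("workflow has no Approval step")

    for step in approval_steps:
        name = step.get("name")
        # 1. Multi-level: the nested Approval elements are the real approvers.
        approvers = step.findall("Approval/Approval")
        if len(approvers) < min_approvers:
            findings.append(f"step {name!r} has {len(approvers)} approvers, expected at least {min_approvers}")
        # 2. Every path that is not the approved one must land on an audit step.
        for t in step.findall("Transition"):
            target = steps.get(t.get("to"))
            if target is None:
                findings.append(f"step {name!r} transitions to unknown step {t.get('to')!r}")
            elif t.get("when") != "approved" and target.get("action") != "audit":
                findings.append(f"step {name!r}: rejection path to {t.get('to')!r} is not audited")

    # 3. Commit may only be entered from an audit step that recorded success.
    for name, step in steps.items():
        for t in step.findall("Transition"):
            if t.get("to") != "Commit":
                continue
            string1 = step.find("Arg[@name='string1']")
            audited_success = (
                step.get("action") == "audit"
                and string1 is not None
                and string1.get("value") == "success"
            )
            if not audited_success:
                findings.append(f"step {name!r} reaches Commit without a success audit")
    return findings


if __name__ == "__main__":
    for finding in lint_workflow(WORKFLOW_XML) or ["OK: workflow passes all checks"]:
        print(finding)
```

Run it against each exported workflow in a pre-deployment pipeline; a non-empty result is a reason to block the import. The parser only sees Step and Transition structure, so it does not validate who the approvers are or whether the libraries referenced in the real file resolve; those remain review items.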

Conclusion

  • No role changes slip through without review.

  • Approvers can see what’s changing before they sign off.

  • Audit logs keep a permanent record of all changes.

By combining multi-level approval with audit tracking, role lifecycle management in IdentityIQ becomes more secure, more transparent, and easier to align with governance policies.

Stay tuned to our blog to see more posts about SailPoint product implementation and related updates.

