IBM Verify

 View Only

 Access Approval Workflow Delegation

Rodrigo Xavier's profile image
Rodrigo Xavier posted Mon November 10, 2025 01:55 PM

Hi all,

It’s unfortunate that Verify Governance supports task delegation for access approval workflows, while Verify SaaS doesn´t. It only supports for access certification campaign.  How can this be handled if a manager goes on vacation, for example — who approves the access requests? Is it possible to change the manager via API during the execution of the approval workflow or before? Or through a custom workflow?

Regards,

Rodrigo

Ramakrishna Gorthi's profile image
Ramakrishna Gorthi posted Tue November 11, 2025 06:20 AM

Hey Rodrigo,
       There is a different way of solving the same problem. Verify SaaS supports advanced workflows, whereby you can configure a group of reviewers upfront (Upto 25). All of them can technically be on-point to do the access reviews. So, even if somebody is on leave, you can expect the others to review the same. This is definitely not delegation, but the capability alleviates the need for an explicit delegation, bringing in a better experience.

It is not necessary that you configure 25 people in a group, but you can always have a reviewer and a couple back-up reviewers packaged in a group of reviewers and use them in your flows, as a defacto.

Another capability that we have with Verify SaaS is the Timeout based Escalation. So, you can configure that a specific request is to be actioned in 7 days (Anywhere between 1- 15 days), failing which the request escalates to an Escalation Participant / Approver. This arrangement also aligns with the notion of a back-up approver, in case the approvers are not doing their duties in the specified time, irrespective of the reason (leave, efficiency, work pressures).

Let me know if that helps.

Rodrigo Xavier's profile image
Rodrigo Xavier posted Tue November 11, 2025 11:25 AM

Hi Gorthi,

I don´t know why the option of reply to you doesn´t appeared for me.  I hope you can see my message.

Well, thanks for your question.  The Time based Escalation is set using Advanced Workflow also?

Regards,

Rodrigo

Ramakrishna Gorthi's profile image
Ramakrishna Gorthi posted Wed November 19, 2025 01:57 AM

Hey Rodrigo,
        Apologies for the delay in responding back here. You are right. The Timeout based Escalation is part of Advanced Workflow.

Rodrigo Xavier's profile image
Rodrigo Xavier posted Tue November 25, 2025 01:29 PM

Hi Gorthi,

The problem now is how to create this workflow where I need to check which is the user department attribute who ask for an access to send the approval request to a group os managers of this department. Is that possible?

Regards,

Rodrigo

Ramakrishna Gorthi's profile image
Ramakrishna Gorthi posted Fri November 28, 2025 12:32 PM

Hey Rodrigo,
In the workflow, you typically get the requestorId as a default property. You can access it using ctx.requestorId. You can add a Function Task, where you can fire-up the Users API to fetch the user details. Alternatively, you can use the built-in CEL functions to fetch the user details: https://www.ibm.com/docs/en/security-verify?topic=attributes-attribute-rule-functions.

Once you have the user object, you can add a Gateway to the workflow, where you can define your branching conditions and based on the branch you can route the flow to separate groups of approvers.

Let me know if that helps.

Related Content