cu2fu (cu2fu) asked a question.
How to rework an Access Request when manager is used for approval and the manager is out
Hi team! One of our Access Requests has the approval step setup for the requester's manager to approve then moves to a second approval group. One of our manager's is out on leave and I cannot figure out how we can have the requests automatically route to another person in the meantime. The only thought I had was changing the managerID to the temp manager, but our Okta receives its directory information from our HRIS tool and our HR team would rather not update several accounts to a temp manager. Help!
@cu2fu (cu2fu) - The "Assignee" which is the "Admin" of that specific Request can change the target manually from within the UI from one user to another to perform the review (or they can just action against it themselves.
However, "going forward" you would need to have some sort of accessible logic setup in your user profiles.
So for example lets say you have 3 attributes:
You could then map from Okta to Access Requests User the "managerValue" attribute using an Okta Expression Language.
user.usePrimaryManager==true ? user.managerId : user.backupManager
This way when the primary manager is OOTO and the "boolean" is switched as part of that process of them going OOTO it would update the profile attribute for all of their reports in Access Requests so any new requests would go to the alternate target.
For this specific access request its headless, so the assignee for it is a service account - any issues on it the approval groups typically handle it and its only escalated to my team if something like this turns up.
Do you have any suggestions on logic setup for the user profile? I was thinking I can override the manager value for each person under the app (the group isnt that big), but seeing if you had something better than my semi-manual idea.
Thanks!
@cu2fu (cu2fu) - The second part of my previous post talks about basically doing an over-ride. You just need to have some automated method to flip the "Boolean" attribute from T/F to use an alternate manager when a manager goes OOTO (This portion I have no real insight on so it is hard to speak to. I don't know what is available/your internal processes etc..). It is taking advantage of Okta's built in profile mapping from Okta -> APP with Okta Expression Language.
Basically "IF" Boolean is True then the "reviewer" manager on new requests will be the primary attribute (typically managerId). Else "IF" the boolean is False then the "reviewer" manager on new requests will be the alternate manager attribute "backupManager". So as soon as the Okta user Profile is updated and that boolean switches it should cause a profile push to the Access Requests app switching the manager value.
You could even potentially create some sort of "Form" for managers to fill out when they go OOTO which includes the email of their backup while they are out. That form could be processed by lets say Okta Workflows to update a Workflow table that is processed on a daily schedule to update the "backupManager" attribute and flip the boolean when the OOTO start date begins, then flip stuff back when it ends (and remove the table entry).