Test Approval Flow

This article guides you through testing Approval Flow Policies and Steps to ensure proper routing, Four-Eyes enforcement, fallback logic, and fulfillment before deploying to production.

Prerequisites

Before testing your approval flow configuration, ensure:

  • All Approval Steps referenced in the policy have been published
  • The Approval Flow Policy has been published
  • The policy is linked to an Access Request Policy
  • At least one resource (group, role, etc.) is assigned to the Access Request Policy
  • Test users are designated as eligible to request the resource
  • The resource has a defined owner or appropriate approvers in place
  • If testing fallback approvers, ensure the fallback person/role is accessible

Test Basic Approval Routing

Submit a Test Request

  1. Log in to the IAM Shop as a user eligible to request access to a resource.
  2. Shop for an eligible item and submit your request with a justification.

Verify Approval Routing

  1. Navigate to My Tasks > My Requests.
  2. Click on the newly submitted request to view its details.
  3. Verify the following:
    • The Business Request shows the correct Approval Flow Policy name
    • The current approval step matches the first step in your policy
    • The designated approver(s) shown are correct based on your resolver rules

Verify Approver Receives Task

  1. Log in to My Tasks as the approver of the Business Request.
  2. Select To Do and filter the tasks as needed.
  3. Verify that:
    • The approval task appears in the approver's task list
    • The task displays the correct request details
    • The approver can see all items in the request (or individual items if item-level approval is enabled)

Approve the Request

  1. As the approver, review the request details and approve the task.
  2. If your policy includes multiple approval steps, verify that:
    • The request moves to the next approval step in the sequence
    • The next designated approver receives their task
    • Previous approval decisions are recorded in the request history

Verify Fulfillment

  1. After all approval steps are complete, verify that the access was granted:

    • Navigate to the resource (e.g., group membership page)
    • Confirm that the target user now has the requested access
    • Check that the access was provisioned to the appropriate systems
  2. Verify the Business Request status:

    • The request status shows as "Approved" or "Completed"
    • All approval steps show completion timestamps
    • Fulfillment workflows executed successfully

Test Edge Cases

Auto-Approve Logic

  1. Submit a request where the initiator is also an approver (e.g., a manager requesting access for their direct report).
  2. Verify that steps configured for auto-approval when "Initiator Is Approver" skip manual review.
  3. Check the request history to confirm auto-approval was logged with the correct reason.

Fallback Approvers

  1. Submit a request for a target user who has no line manager defined (if testing line manager approval).
  2. Verify that the approval task routes to the fallback approver.
  3. Alternatively, if the primary approver is the only member of a management role and they are requesting for themselves, verify fallback routing occurs when they are excluded.

Four-Eyes Enforcement

  1. Submit a request where the initiator is requesting access for themselves.
  2. Verify that if "Remove from Approvers" is configured, the initiator is excluded from the approver pool.
  3. Confirm that fallback approvers receive the task when the initiator is the only primary approver available.

Multi-Step Approval Chains

  1. Submit a request that requires all steps in the chain.
  2. Verify that each step executes in the correct sequence.
  3. Confirm that later steps do not begin until parent steps are completed.
  4. Check that approvers at each level only see tasks appropriate to their step.

Troubleshooting Common Issues

No Approvers Found

Symptoms: Business Request shows "No approvers available" or remains in pending status indefinitely.

Possible Causes:

  • Primary approver is excluded due to Four-Eyes enforcement and no fallback approver is configured
  • Resolver rule points to an empty management role or undefined relationship (e.g., missing manager)
  • The only available approver is the target person and "Remove from Approvers" is configured

Resolution:

  • Add fallback approvers to the Approval Step
  • Verify management role membership or organizational relationships
  • Review auto-approve settings to ensure appropriate behavior
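
The routing outcomes that the Auto-Approve, Fallback and Four-Eyes tests should produce, as an added example that is not product code: a simplified Python model of one Approval Step for working out the expected result of each test request before submitting it. The `Step` fields, the `initiator_rule` values, the user names, and applying the initiator exclusion to the fallback pool are assumptions made for illustration.

```python
# Simplified model of a single Approval Step, used to build a test matrix.
# Not product code: field names, rule names and precedence are assumptions.
from dataclasses import dataclass, field

@dataclass
class Step:
    primary: set                          # approvers returned by the resolver rule
    fallback: set = field(default_factory=set)
    initiator_rule: str = "none"          # "none" | "auto_approve" | "remove"

def route(step, initiator):
    """Return (outcome, approvers) for a request submitted by `initiator`."""
    if initiator in step.primary and step.initiator_rule == "auto_approve":
        return ("auto-approved", set())
    exclude = {initiator} if step.initiator_rule == "remove" else set()
    pool = step.primary - exclude
    if pool:
        return ("primary", pool)
    # Assumption: the Four-Eyes exclusion also applies to the fallback pool.
    pool = step.fallback - exclude
    if pool:
        return ("fallback", pool)
    return ("no-approvers", set())

def test_matrix():
    """Constructed cases mirroring the edge cases described on this page."""
    cases = {
        "manager requests for report, auto-approve":
            (Step({"mgr"}, {"sec"}, "auto_approve"), "mgr"),
        "target has no line manager":
            (Step(set(), {"sec"}), "alice"),
        "self-request, sole approver removed":
            (Step({"alice"}, {"sec"}, "remove"), "alice"),
        "self-request, removed, no fallback":
            (Step({"alice"}, set(), "remove"), "alice"),
        "self-request, one of two approvers":
            (Step({"alice", "bob"}, {"sec"}, "remove"), "alice"),
        "self-request, no initiator rule":
            (Step({"alice"}, {"sec"}), "alice"),
    }
    return {name: route(step, who) for name, (step, who) in cases.items()}

if __name__ == "__main__":
    for name, (outcome, approvers) in test_matrix().items():
        print(f"{name:45} -> {outcome:13} {sorted(approvers)}")
```

A `primary` outcome that still contains the initiator on a self-request, as in the last case, marks a step where Four-Eyes is not enforced and self-approval is possible.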

Approval Step Not Executing

Symptoms: Request proceeds to the wrong step or skips steps entirely.

Possible Causes:

  • Approval Step was not published before being added to the policy
  • Parent step dependencies are not configured correctly
  • Access Request Policy is not using the expected Approval Flow Policy

Resolution:

  • Verify that all Approval Steps are published
  • Check parent step configuration in the Approval Flow Policy
  • Confirm the resource's Access Request Policy references the correct Approval Flow Policy

Fulfillment Did Not Occur

Symptoms: Request is approved but access was not provisioned.

Possible Causes:

  • Fulfillment workflow is not configured on the Item Type Action
  • Background jobs responsible for fulfillment are not running
  • Fulfillment workflow encountered an error

Resolution:

  • Verify the Item Type Action has a valid fulfillment workflow assigned
  • Check background job status and logs
  • Review fulfillment workflow execution logs for errors

Verification Checklist

Use this checklist to confirm successful approval flow testing:

  • Business Request created successfully with correct approval policy
  • First approval step routes to correct approver(s)
  • Approvers receive tasks in their To Do list
  • Approval decisions are recorded in request history
  • Multi-step policies execute steps in correct sequence
  • Auto-approve logic functions as configured
  • Fallback approvers receive tasks when primary approvers unavailable
  • Four-Eyes enforcement excludes appropriate users
  • Access is provisioned after final approval
  • Request status shows as completed
  • Audit trail captures all approval decisions

Next Steps

After successful testing:

  • Document your approval flow configuration for future reference
  • Train approvers on how to review and approve requests in My Tasks
  • Monitor approval flow performance and adjust escalation policies as needed
  • Review approval flow metrics regularly to identify bottlenecks