Feature: Add the option for second-level manager as escalation/alternate approver #1446

Open
svjauffred opened this issue Jul 29, 2024 · 2 comments

svjauffred commented Jul 29, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

The alternative_approver block should be configured to allow setting manager_level along with subject_type if subject_type is "requestorManager", to allow escalating to the manager of the manager.

Using the following endpoint: https://learn.microsoft.com/en-us/graph/api/resources/accesspackageassignmentpolicy?view=graph-rest-1.0
under requestApprovalSettings.stages.escalationApprovers when manager of manager is set as escalation approver, Graph returns:

Name                           Value
----                           -----
@odata.type                    #microsoft.graph.requestorManager
managerLevel                   2

This affects:
azuread_access_package_assignment_policy

Potential Terraform Configuration

resource "azuread_access_package_assignment_policy" "dummy" {
  access_package_id = azuread_access_package.dummy.id
  display_name      = "All Users"
  description       = "All Users"
  duration_in_days  = 365
  extension_enabled = true

  requestor_settings {
    scope_type        = "AllExistingDirectorySubjects"
    requests_accepted = true
  }

  approval_settings {
    approval_required               = true
    approval_required_for_extension = false

    approval_stage {
      approval_timeout_in_days = 14

      primary_approver {
        subject_type = "requestorManager"
      }

      alternative_approver {
        subject_type  = "requestorManager"
        manager_level = 2
      }
    }
  }
}
@svjauffred svjauffred changed the title Adding the option for second-level manager as escalation/alternate approver Feature: Add the option for second-level manager as escalation/alternate approver Jul 29, 2024
@svjauffred
Author

Under the beta endpoint (which is used for some parts of the provider?), the request is under https://learn.microsoft.com/en-us/graph/api/resources/accesspackageassignmentpolicy?view=graph-rest-beta
And the Graph response:

Name                           Value
----                           -----
id                             ffffffff-bbbb-4444-9999-444444444444
@odata.type                    #microsoft.graph.singleUser
isBackup                       True
description                    Redacted
@odata.type                    #microsoft.graph.requestorManager
managerLevel                   2
isBackup                       False

kkotov commented Aug 13, 2024

A naive question from a layman passing by: why wouldn't the feature already work with minimal changes of #1453?
