Auto approve permission revoke requests by Application Owner

It looks like this should be possible, but upon attempting to configure it, it appears as though something is missing.  When setting up an approval policy in IG 4.2, there is an "Auto approve condition" setting that can be configured "For revoke requests".  Within the expression builder, I have the ability to select "Permission Application: Owners" as an attribute, but am running into two issues.

The first issue is that it does not appear that I can actually successfully match an attribute of the requester against the value.  I suspect that the value of "Permission Application: Owners" is the internalID of that user in the IG system, but that attribute on the Identity object cannot be made to appear in the list.  I tried using another value that contains the DN of the Identity, but that value is also not working. 

The second issue I am running into I am also going to open a ticket for.  If the application has more than one "Owner" defined on it, the entire request will error if I reference "Permission Application: Owners" with an error from the PostgreSQL side of the equation similar to the following:

2024-05-20 11:24:57.573 AST [2943240] ERROR: more than one row returned by a subquery used as an expression
2024-05-20 11:24:57.573 AST [2943240] STATEMENT: select distinct unique_user_id as uniqueUserId from suser su1 where (su1.unique_user_id = (select owner4.unique_user_id from application reviewedAPPLICATION2 join application_owner owners3 on owners3.application = reviewedAPPLICATION2.id join suser owner4 on (owner4.unique_user_id = owners3.owner_unique_id and owner4.effective = $1 and owner4.deleted = $2) where reviewedAPPLICATION2.id = $3) and (su1.effective = $4 and (su1.deleted is NULL or su1.deleted = $5)))

There is a corresponding error in catalina, but it is because PostgreSQL is kicking this query.  If I remove the other owners and make it only a single Identity, the SQL error goes away.

In short what I'm trying to accomplish is this - if the person requesting the revocation of a permission is one of the owners of the application for the permission, I want to autoapprove the request and move to fulfillment immediately.  The owner of the application should be allowed to execute an access removal for anyone in their application.  I suspect I may have found two bugs, but am not completely sure I'm just not "doing it wrong".

Tags: