FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
Jackie_T
Staff
Article Id 379636
Description
This article describes the issue where the revoke button is greyed out for the FortiPAM approval process.
Scope
FortiPAM v1.4.x and FortiPAM v1.5.x.
Solution
  • The FortiPAM approval process allows the approver to revoke the approval before the request is completed or sent to the next tier.
  • However, the revoke action is greyed out or not available under some circumstances.
  • This happens when only 1 approver is configured per tier of approval.
  • When the request is approved by the only approver, the request is considered completed, and no further revocation is possible.

 

For example:

[Screenshot: PAM1.PNG]

  • When the admin user approves the request for the 1st tier, the admin user is no longer able to revoke the approval. The revoke button is greyed out:

[Screenshot: PAM2.PNG]

  • When the request goes to the 2nd tier and the admin2 user approves it, the admin2 user will not have the option to revoke the approval either.
  • The concept is that once the approval request is completed for a tier, it can no longer be revoked by the approver in that tier.
  • If revoke is needed, increase the number of required approvals to at least 2 approvers.
  • When 1 approver in that tier approves the request, it is not considered completed because it requires another approver in the same tier to approve it as well. Hence, the approver can still use the revoke action to revoke the request.
  • Alternatively, to revoke access after the approval process is completed (regardless of the number of approvals configured), the approver can still terminate the user's session whenever necessary, after the user has accessed the secret, under Monitoring -> Active Sessions.