title: Escalation & SLA Tracking
category: Workflows & Automation
tags: escalation, sla, timeout, reminders, compliance
priority: Normal
Escalation & SLA Tracking
Service Level Agreement (SLA) tracking and escalation rules ensure that approval workflows complete in a timely manner. IdentityCenter monitors every pending workflow step against configurable time thresholds and automatically escalates when deadlines are missed.
Why SLA Tracking Matters
Unresolved approval requests create security and compliance risk:
- Access delays block employees from doing their work
- Stale requests may be approved after context has changed
- Compliance frameworks (SOX, HIPAA, PCI-DSS) require timely access decisions
- Audit findings often cite slow or incomplete approval processes
SLA tracking provides visibility into response times and triggers automated actions when approvers are unresponsive.
SLA Configuration
Setting SLAs Per Workflow Step
Each Approver node in a workflow can have its own SLA configuration:
| Setting | Description | Example |
|---|---|---|
| Response Time | Maximum time for the approver to act | 48 hours |
| Warning Threshold | Time before SLA breach to send a warning | 12 hours before breach |
| Breach Action | What happens when the SLA expires | Escalate to next-level manager |
| Business Hours Only | Count only working hours toward the SLA | Mon-Fri, 8 AM - 6 PM |
SLA Tiers
Configure different SLA expectations based on request priority or risk level:
| Request Priority | Response SLA | Warning At | Breach Action |
|---|---|---|---|
| Critical | 4 hours | 2 hours | Escalate to CISO |
| High | 24 hours | 8 hours | Escalate to skip-level manager |
| Normal | 48 hours | 12 hours | Send reminder, then escalate |
| Low | 5 business days | 1 day before | Send reminder |
Tip: For privileged access requests (Domain Admins, Enterprise Admins), set aggressive SLAs of 4-8 hours. Privileged access should never sit in a pending state for days.
Business Hours
When Business Hours Only is enabled, the SLA clock pauses outside of configured working hours.
| Setting | Description |
|---|---|
| Working Days | Select which days count (e.g., Monday through Friday) |
| Working Hours | Set start and end times (e.g., 8:00 AM to 6:00 PM) |
| Time Zone | The time zone for business hours calculation |
| Holidays | Optional holiday calendar to exclude from SLA calculation |
Example: A 24-hour SLA set at 4 PM on Friday with business hours enabled would expire at 4 PM on Monday (assuming no holidays).
Reminder Notifications
Reminders are sent before the SLA breaches to give the approver a chance to respond.
Reminder Schedule
Configure one or more reminders for each workflow step:
| Reminder | Timing | Recipient |
|---|---|---|
| First Reminder | At warning threshold (e.g., 12 hours before breach) | Current approver |
| Second Reminder | Closer to breach (e.g., 4 hours before) | Current approver |
| Final Warning | At SLA breach | Current approver + their manager |
Reminder Email Content
Reminder emails include:
- The request details (who is requesting what)
- The current SLA status and time remaining
- A direct link to the approval page
- The consequence if no action is taken (escalation, auto-decision)
```
Subject: [Urgent] Approval Required - SLA Breach in 4 Hours

Hello [Approver Name],

The following access request is approaching its SLA deadline:

Requester: Jane Smith (Engineering)
Resource: Azure DevOps - Admin Group
Risk Level: High
Submitted: February 18, 2026 at 2:15 PM
SLA Deadline: February 19, 2026 at 2:15 PM
Time Remaining: 4 hours

If no action is taken, this request will be escalated to [Next Approver].

[Review Now]

Thank you,
IdentityCenter
```
Escalation Rules
When an SLA breaches, escalation rules determine what happens next.
Escalation Actions
| Action | Description | When to Use |
|---|---|---|
| Escalate to Next-Level Manager | Reassign to the approver's manager | Standard escalation for most requests |
| Escalate to Admin | Reassign to a designated administrator or security team | When management chain is unavailable |
| Reassign to Backup | Reassign to a configured backup approver | When the original approver is known to be unavailable |
| Auto-Approve | Automatically approve the request | Low-risk requests where delay is more costly than risk |
| Auto-Deny | Automatically deny the request | High-risk requests where no response should default to denial |
| Notify Only | Send a notification but take no routing action | Informational awareness without changing the approval path |
Escalation Chain
Configure a multi-level escalation chain for persistent non-response:
| Level | Trigger | Action | Recipient |
|---|---|---|---|
| Level 1 | SLA breach | Send escalation notification | Approver's manager |
| Level 2 | 24 hours after Level 1 | Reassign approval | Backup approver or department head |
| Level 3 | 48 hours after Level 2 | Reassign approval | IT Security team or CISO |
| Level 4 | 72 hours after Level 3 | Auto-decide | System applies default decision |
Configuring Escalation Rules
1. Open the workflow in the Workflow Designer
2. Click the Approver node to open its properties
3. Navigate to the Escalation tab
4. Set the following:
| Field | Description |
|---|---|
| Enable Escalation | Toggle escalation on or off |
| Escalation Delay | Time after SLA breach before escalation fires |
| Escalation Action | What to do (escalate, auto-approve, auto-deny, etc.) |
| Escalation Target | Who receives the escalated request |
| Max Escalation Levels | How many times to escalate before applying the final action |
| Final Action | What happens if all escalation levels are exhausted |
Timeout Actions
A timeout action defines what happens when the SLA clock expires and no decision has been made.
Timeout Configuration
| Option | Behavior | Recommended Use |
|---|---|---|
| Wait Indefinitely | No automatic action; workflow stays pending | Not recommended for production |
| Escalate | Move to escalation chain | Recommended for most scenarios |
| Auto-Approve | Approve the request automatically | Use only for low-risk items |
| Auto-Deny | Deny the request automatically | Use for high-risk or privileged items |
| Cancel Request | Cancel the entire workflow | Use when the request is time-sensitive |
Tip: Never use Auto-Approve as a timeout action for privileged access requests. Default to Auto-Deny for high-risk requests so that unanswered requests do not silently grant elevated access.
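One way to check step settings against the timeout and SLA guidance above before a workflow goes live. This is an added example, not IdentityCenter code: the dictionary schema, the action names and the sample steps are hypothetical, and the 8-hour limit is the upper bound of the 4-8 hour range suggested for privileged access.

```python
# Added example: lint workflow step settings against this page's guidance.
# The dict schema and action names are hypothetical, not an IdentityCenter format.
AUTO_APPROVE, WAIT = "auto_approve", "wait_indefinitely"

def lint_step(step):
    """Return a list of findings for one Approver step."""
    findings = []
    # A request can end in an auto-decision via the timeout action or via the
    # escalation chain's final action, so check both.
    # Assumption: a step with no timeout action configured waits indefinitely.
    decisions = {
        "timeout_action": step.get("timeout_action", WAIT),
        "final_action": step.get("escalation", {}).get("final_action"),
    }
    for field, action in decisions.items():
        if action != AUTO_APPROVE:
            continue
        if step.get("privileged"):
            findings.append(f"{field}: auto-approve on privileged access")
        elif step.get("risk") != "low":
            findings.append(f"{field}: auto-approve on {step.get('risk')}-risk request")
    if decisions["timeout_action"] == WAIT:
        findings.append("timeout_action: request can stay pending indefinitely")
    if step.get("privileged") and step.get("response_hours", 0) > 8:
        findings.append(f"response_hours: {step['response_hours']}h exceeds 8h for privileged access")
    return findings

def lint_workflow(steps):
    """Map step name -> findings, omitting steps with none."""
    report = {step["name"]: lint_step(step) for step in steps}
    return {name: found for name, found in report.items() if found}

# Constructed sample configuration.
SAMPLE_STEPS = [
    {"name": "domain-admins", "privileged": True, "risk": "critical", "response_hours": 48,
     "timeout_action": "escalate", "escalation": {"final_action": AUTO_APPROVE}},
    {"name": "devops-admin", "privileged": False, "risk": "high", "response_hours": 24,
     "timeout_action": AUTO_APPROVE},
    {"name": "wiki-reader", "privileged": False, "risk": "low", "response_hours": 48,
     "timeout_action": AUTO_APPROVE},
    {"name": "legacy-share", "privileged": False, "risk": "normal", "response_hours": 48},
]

if __name__ == "__main__":
    for name, found in lint_workflow(SAMPLE_STEPS).items():
        for finding in found:
            print(f"{name}: {finding}")
```

The first sample step shows why the final action matters: its timeout action is Escalate, yet the request would still be auto-approved once the escalation levels are exhausted.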
SLA Reporting and Compliance Metrics
IdentityCenter tracks SLA performance across all workflows and generates reports for compliance audits.
Key Metrics
| Metric | Description | Target |
|---|---|---|
| Average Response Time | Mean time from notification to decision | < 24 hours |
| SLA Compliance Rate | Percentage of approvals completed within SLA | > 95% |
| Breach Count | Number of SLA breaches in a period | Trending downward |
| Escalation Rate | Percentage of requests that required escalation | < 10% |
| Auto-Decision Rate | Percentage resolved by auto-approve/deny | < 5% |
| Mean Time to Resolution | Average total workflow completion time | < 3 business days |
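The metrics in the table can be recomputed from raw approval records to cross-check a report. The following is an added example, not IdentityCenter code: the record fields and the sample data are hypothetical, and only the metrics with a numeric target that needs no business-day calendar are compared.

```python
# Added example: compute the Key Metrics from approval records and compare to targets.
# Record fields are hypothetical; the sample data is constructed.
from datetime import datetime, timedelta

# Targets from the Key Metrics table: (comparison, threshold).
TARGETS = {
    "avg_response_hours": ("<", 24),
    "sla_compliance_pct": (">", 95),
    "escalation_rate_pct": ("<", 10),
    "auto_decision_rate_pct": ("<", 5),
}

def sla_metrics(records):
    """Return (metrics, missed): metric values and the names that miss their target."""
    if not records:
        raise ValueError("no records in reporting period")
    n = len(records)
    hours = [(r["decided"] - r["notified"]).total_seconds() / 3600 for r in records]
    breaches = sum(h > r["sla_hours"] for h, r in zip(hours, records))

    def pct(count):
        return round(100 * count / n, 1)

    metrics = {
        "avg_response_hours": round(sum(hours) / n, 1),
        "sla_compliance_pct": pct(n - breaches),
        "breach_count": breaches,
        "escalation_rate_pct": pct(sum(r["escalated"] for r in records)),
        "auto_decision_rate_pct": pct(sum(r["decided_by"] == "auto" for r in records)),
    }
    missed = [name for name, (op, limit) in TARGETS.items()
              if not (metrics[name] < limit if op == "<" else metrics[name] > limit)]
    return metrics, missed

def sample_records():
    """Constructed data: 19 approvals answered in 6 hours, one that timed out after 72."""
    start = datetime(2026, 2, 16, 9)
    fast = [{"notified": start, "decided": start + timedelta(hours=6), "sla_hours": 48,
             "escalated": False, "decided_by": "approver"} for _ in range(19)]
    slow = {"notified": start, "decided": start + timedelta(hours=72), "sla_hours": 48,
            "escalated": True, "decided_by": "auto"}
    return fast + [slow]

if __name__ == "__main__":
    print(sla_metrics(sample_records()))
```

With the sample data, one timed-out request in twenty puts compliance at exactly 95% and auto-decisions at exactly 5%, and both miss their targets because the table states them as strict bounds.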
SLA Dashboard
The SLA dashboard provides at-a-glance visibility:
- Current SLA Status -- Requests approaching or past their SLA deadline
- Breach Trend -- Historical chart of SLA breaches over time
- Top Offenders -- Approvers with the most breaches or slowest response times
- Workflow Performance -- Per-workflow SLA compliance rates
Compliance Reports
| Report | Contents | Audience |
|---|---|---|
| SLA Summary | Overall compliance rate, breach count, average response time | Management |
| Breach Detail | Every SLA breach with request, approver, and resolution details | Audit |
| Escalation Log | All escalation events with timestamps and outcomes | Operations |
| Approver Performance | Per-approver response times and decision patterns | Management |
| Trend Analysis | SLA performance trends over weeks, months, quarters | Compliance |
Best Practices for SLA Configuration
Setting Response Times
- Align with business impact -- Critical access requests need shorter SLAs than informational reviews
- Account for time zones -- If approvers span multiple time zones, use business hours with the appropriate zone
- Be realistic -- An SLA that is routinely breached is worse than no SLA; set achievable targets first and tighten over time
- Differentiate by risk -- High-risk requests should have shorter SLAs and more aggressive escalation
Escalation Strategy
- Start with reminders -- Most approvers respond to a well-timed reminder before escalation is needed
- Escalate to the right level -- The escalation target should have authority to make the decision
- Limit auto-decisions -- Auto-approve and auto-deny should be last resorts, not routine
- Review escalation patterns -- If a specific approver frequently triggers escalation, address the root cause
Notification Effectiveness
- Include a direct action link -- Make it easy for the approver to click through and decide
- State the consequence -- "If you do not respond by [date], this request will be escalated to [person]"
- Keep emails concise -- Include only the essential details; link to the full request for more
- Use email templates -- Configure templates in Email Configuration for consistent messaging
Integration with Email Notifications
SLA reminders and escalation notifications are delivered via the configured email service. Ensure that:
- SMTP settings are configured correctly (see Email Configuration)
- Email templates exist for reminder, escalation, and auto-decision notifications (see Creating Templates)
- Approver email addresses are populated in the directory
- Email delivery logs are monitored for failures
Next Steps
- Workflow Designer -- Build workflows and configure SLA settings on each node
- Workflow Triggers -- Connect workflows to events and schedules
- Approver Resolution -- How approvers are determined
- Access Reviews Overview -- SLA tracking for access review campaigns
- Policies Overview -- Policy-driven workflows with escalation
- Email Configuration -- Set up email delivery for notifications