Issue
Symptoms
User without any roles is able to approve a Change Request if they are added to the Approvers. They wanted to know if this is a PRB (Product Defect), or if it is how the system is designed.
Release
Kingston Patch 3a
Cause
This is indeed OOB functionality, but with a caveat (further explanation below...)
Resolution
In order to test the above, a user with no roles was created in sub-production instance. Also, a test Change Request was created.
Upon impersonating the user with no roles, there was an immediate redirection to the Service Portal of our customer's instance.
From the Service Portal, the user with no roles can access (view) the test Change Request created. The impersonated no-role user can see the "Approvals" tab, but they cannot see any Approvers within it, or add/remove users in it.
If an admin user is impersonated, and the user with no roles is added as an approver, the approval is automatically set to a state of "not yet requested". Without changing this approval to a state of "requested", the no-role user was impersonated again to see if they could see the approval created on their behalf in the Service Portal. They could not see it, as it was still in a state of "Not yet requested".
Trying to access the Change Request record outside of SP did not work either, as the no-role user was redirected back to the SP, so that is good.
Once again the admin user was impersonated, and the Approval created for our no-role user was pushed from a state of "not yet requested" to "requested".
The no-role user was then re-impersonated and they were able to both see and approve the Approval for the test Change Record created. They cannot, however, approve for any other user but themselves.
Hypothetically, if they were the only approver added to a Change Request, they could approve a Change Request and move that Change Request forward.
This behavior is the same in an OOB instance for a user with no roles. They must be added to the Approvers by an admin user and intentionally have the state of their approval moved from "not yet requested" to "requested". Only then can the user with no roles go in an Approve the change.