Hello guys, I am seeking some of your great wisdom over here.

When a user is added to IDV, I want my policy to automatically request a resource for the new user, and this request has to be approved/denied before it is assigned.

What I did:
I have a null driver with something like this:
	<rule>
		<description>Add AD Resource</description>
		<!-- Fire only on add events for User objects that carry attributes x, y and z -->
		<conditions>
			<and>
				<if-class-name mode="nocase" op="equal">User</if-class-name>
				<if-operation mode="nocase" op="equal">add</if-operation>
				<if-op-attr name="x" op="available"/>
				<if-op-attr name="y" op="available"/>
				<if-op-attr name="z" op="available"/>
			</and>
		</conditions>
		<actions>
			<!-- Request the resource as uaadmin through the User Application provisioning URL -->
			<do-add-resource id="CN=uaadmin,OU=sa,OU=users,O=data" resource-id="cn=UserAccount_Active Directory Driver,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,CN=UserApplication,CN=DriverSet,O=acme" time-out="0" url="~UAProvURL~">
				<arg-password>
					<token-named-password name="ua-password"/>
				</arg-password>
				<arg-string name="EntitlementParamKey">
					<token-text xml:space="preserve">{"ID":"ad.acme.com"}</token-text>
				</arg-string>
			</do-add-resource>
		</actions>
	</rule>

In User Application/Resource catalog I set that Approval is Required.

The problem is that the resource is automatically assigned, but the approval step never occurs. So the user ends up with a resource that no one approved. I have no idea why it behaves this way. Am I missing something over here? Or is it caused by using uaadmin when requesting the resource? (I did restart all drivers, cleared the cache, tried creating another resource, even rebooted the box.)