Hello guys, I am seeking some of your great wisdom over here

When user is added do IDV, I want my policy to automatically request resource for new user and this request has to be approved/denied, before it is assigned.

What I did:
I have a null driver with something like this:
Code:
	<rule>
		<description>Add AD Resource</description>
		<conditions>
			<and>
				<if-class-name mode="nocase" op="equal">User</if-class-name>
				<if-operation mode="nocase" op="equal">add</if-operation>
				<if-op-attr name="x" op="available"/>
				<if-op-attr name="y" op="available"/>
				<if-op-attr name="z" op="available"/>
			</and>
		</conditions>
		<actions>
			<do-add-resource  id="CN=uaadmin,OU=sa,OU=users,O=data" resource-id="cn=UserAccount_Active Directory Driver,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,CN=UserApplication,CN=DriverSet,O=acme" time-out="0" url="~UAProvURL~">
				<arg-password>
					<token-named-password name="ua-password"/>
				</arg-password>
				<arg-string name="EntitlementParamKey">
					<token-text xml:space="preserve">{"ID":"ad.acme.com"}</token-text>
				</arg-string>
			</do-add-resource>
		</actions>
	</rule>
</policy>

In User Application/Resource catalog I set that Approval is Required.


The problem is that the resource is automatically assigned, but the approval step never occurs. So the user ends up with resource that noone approved. I have no idea why it behaves this way. Am I missing something over here? Or is it caused by using uaadmin when requesting the resource? (I did restart all drivers, cleared cache, tried create another resource, even reboot the box).