Limiting External Access Requests

Identity Security Cloud (ISC) users typically request access through the Identity Security Cloud UI. Access requests can also be initiated from external systems using the access request REST APIs, which allow approvals to flow from the external system into Identity Security Cloud for provisioning without requiring additional approval.

Access requests initiated within the ServiceNow Service Portal communicate with Identity Security Cloud using the access request APIs. As long as access is requested via the ServiceNow Service Portal, the defined approval process will be followed, and access requests will flow to Identity Security Cloud for provisioning. 

However, users who can also reach the Identity Security Cloud UI could request access there directly and have the request provisioned immediately, bypassing your external approval process in ServiceNow.

You can prevent users who have access to Identity Security Cloud from submitting access requests directly in two ways:

  1. Disable the Identity Security Cloud access request UI by changing the default setting for the approvalsMustBeExternal access request configuration option from false to true.

    Use the REST APIs to make the following REST call:

    PUT /beta/access-request-config

    And include the following in the body of the request:

    {
        "approvalsMustBeExternal": true
    }

    For more information on the use of this API, refer to Get Access Request Configuration in the Developer Community.

    Important
    Only users with the OrgAdmin role can raise requests when the flag approvalsMustBeExternal is set to True. This option is not suggested when using the request catalog for a wider audience.

  2. Create a workflow in Identity Security Cloud that uses the Access Request Dynamic Approver event trigger to evaluate the origin of an access request, assign an approver, and/or cancel the request if it did not originate from the ServiceNow Service Catalog connector.

    Suggested Approach:

    1. Create a Workflow in Identity Security Cloud

      1. Set up an external event trigger in SailPoint, subscribing to the trigger named Access Request Dynamic Approver.

      2. In the workflow, add an Approver Action to reflect the individual who should be assigned an approval task if a request did not originate from ServiceNow. If applicable, configure the HTTP action to cancel the request.

      Important
      Do not leave access requests through the Identity Security Cloud UI available to users if approvals are configured in ServiceNow. Otherwise, access will be unguarded and vulnerable to misuse.
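The following script is an added example for option 1 above; it is not code from the original page or from SailPoint. It reads the current access request configuration, sets approvalsMustBeExternal to true while keeping every other setting it finds, sends the result back with PUT, and verifies that the tenant reports the change. The base URL and bearer token are placeholders, and the extra key in the sample configuration is constructed to stand in for settings you do not want to lose; only approvalsMustBeExternal is taken from the page.

```python
import json
import urllib.request
from typing import Optional

# Assumed placeholders (not from the original page): your tenant's API base
# URL and an OAuth bearer token with rights to change tenant configuration.
BASE_URL = "https://TENANT.api.identitynow.com"
TOKEN = "REPLACE_WITH_BEARER_TOKEN"
CONFIG_PATH = "/beta/access-request-config"


def require_external_approvals(config: dict) -> dict:
    """Return a copy of the access request configuration with
    approvalsMustBeExternal forced to true; every other key is kept as-is
    so the PUT does not silently drop settings it does not mention."""
    updated = dict(config)
    updated["approvalsMustBeExternal"] = True
    return updated


def ui_requests_blocked(config: dict) -> bool:
    """True when a configuration object confirms the flag is in effect."""
    return config.get("approvalsMustBeExternal") is True


def _call(method: str, body: Optional[dict] = None) -> dict:
    """Send one JSON request to the access request configuration endpoint."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    request = urllib.request.Request(
        BASE_URL + CONFIG_PATH,
        data=data,
        method=method,
        headers={
            "Authorization": f"Bearer {TOKEN}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def enforce(dry_run: bool = True) -> dict:
    """GET the live configuration, set the flag, PUT it back, and verify the
    tenant reports the change. With dry_run=True only the intended body is
    returned and nothing is sent."""
    current = _call("GET")
    desired = require_external_approvals(current)
    if dry_run:
        return desired
    applied = _call("PUT", desired)
    if not ui_requests_blocked(applied):
        raise RuntimeError("tenant still reports approvalsMustBeExternal != true")
    return applied


if __name__ == "__main__":
    # Constructed sample of a GET response: only approvalsMustBeExternal is
    # named on the page; the other key stands in for settings you want to keep.
    sample = {"approvalsMustBeExternal": False, "otherSettingPlaceholder": "keep"}
    print(json.dumps(require_external_approvals(sample), indent=4))
```

Reading the configuration first and sending the whole object back is a choice made in this example so that a PUT, which replaces the resource, does not reset settings the page does not mention. Run with enforce(dry_run=False) only after checking the body that enforce() returns by default, and remember the page's caveat that once the flag is true only OrgAdmin users can raise requests in the UI.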
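For option 2, the decision the workflow has to make (did this request come through ServiceNow, and if not, who approves it or should it be cancelled) is shown below as an added example; it is not code from the original page or from SailPoint's workflow engine. The payload field names (accessRequestId, requestedBy, requestedFor, requestedItems), the idea that the ServiceNow connector submits requests under one known service identity, and all identity ids are assumptions for this example; the sample payloads are constructed.

```python
import logging
from typing import List

log = logging.getLogger("access-request-origin")

# Placeholder identity ids (assumptions, not values from the page): the service
# identity the ServiceNow connector submits requests as, and the person who
# should review anything that did not come through ServiceNow.
SERVICENOW_SERVICE_IDENTITY_ID = "PLACEHOLDER-servicenow-service-identity"
FALLBACK_APPROVER = {
    "type": "IDENTITY",
    "id": "PLACEHOLDER-fallback-approver",
    "name": "Access Request Reviewer",
}


def originated_from_servicenow(payload: dict) -> bool:
    """Assumed origin check: the request was submitted by the connector's
    service identity. Adjust if your connector identifies itself differently."""
    requested_by = payload.get("requestedBy") or {}
    return requested_by.get("id") == SERVICENOW_SERVICE_IDENTITY_ID


def requested_item_names(payload: dict) -> List[str]:
    """Names of the requested items, for the audit log line."""
    return [item.get("name", "?") for item in payload.get("requestedItems", [])]


def decide(payload: dict, cancel_unexpected: bool = False) -> dict:
    """Map a trigger payload to one of three outcomes for the workflow:
    - allow:       came through ServiceNow, whose approval already happened
    - approve_via: bypassed ServiceNow, route to FALLBACK_APPROVER instead
    - cancel:      bypassed ServiceNow and policy says cancel it
    Every bypass is logged so the attempts stay visible to reviewers."""
    request_id = payload.get("accessRequestId", "<unknown>")
    if originated_from_servicenow(payload):
        return {"action": "allow", "accessRequestId": request_id}

    requester = (payload.get("requestedBy") or {}).get("name", "<unknown>")
    log.warning(
        "access request %s by %s for %s bypassed ServiceNow",
        request_id, requester, ", ".join(requested_item_names(payload)),
    )
    if cancel_unexpected:
        return {
            "action": "cancel",
            "accessRequestId": request_id,
            "comment": "Submit access requests through the ServiceNow Service Portal.",
        }
    return {
        "action": "approve_via",
        "accessRequestId": request_id,
        "approver": FALLBACK_APPROVER,
    }


# Constructed sample payloads in the assumed shape.
FROM_SERVICENOW = {
    "accessRequestId": "req-001",
    "requestedBy": {"type": "IDENTITY", "id": SERVICENOW_SERVICE_IDENTITY_ID,
                    "name": "servicenow-connector"},
    "requestedFor": {"type": "IDENTITY", "id": "PLACEHOLDER-user", "name": "A. User"},
    "requestedItems": [{"type": "ACCESS_PROFILE", "id": "PLACEHOLDER-ap",
                        "name": "Finance Read"}],
}
FROM_UI = dict(
    FROM_SERVICENOW,
    accessRequestId="req-002",
    requestedBy={"type": "IDENTITY", "id": "PLACEHOLDER-user", "name": "A. User"},
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(decide(FROM_SERVICENOW))
    print(decide(FROM_UI))
    print(decide(FROM_UI, cancel_unexpected=True))
```

In the workflow builder the same split maps onto the two steps above: the "approve_via" outcome is what the Approver Action expresses, and the "cancel" outcome is what the optional HTTP action carries out. Whichever you choose, keep the warning log: a request that reached this branch is exactly the bypass the page is warning about, and you want a record of who attempted it.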