Request and Review Access

After your System Administrator has successfully integrated Identity Security Cloud with the ServiceNow Portal, you’ll be able to use it to generate access requests.

Note

  • Duplicate requests are blocked. A new request can't be submitted for a user if its identical to an existing request waiting to be processed. The same applies for a user with multiple accounts, respective of the source and account combination.

  • Users who are managers can submit requests to revoke access for their directly managed employees, however, they cannot revoke access for themselves.

To request access profiles and roles for users:

  1. Sign in to the ServiceNow Portal with your credentials.

  2. Select Manage Access to access the application.

    Depending on the type of authorization used for your integration, you may receive a dialog to sign into Identity Security Cloud before continuing.

    Note
    This is the default configuration. Your organization may use a different method to access the app from within your ServiceNow Service Portal.

  1. In stage 1 – User Details you can search for a specific user by entering their name in the search field. You can also use the controls below the set of cards to page through the users.

  2. To select a user, click the top section of their "card" that contains a check mark and their name, and then select Next.

    Up to 10 users can be selected. The initials of each selected user are displayed at the top of the widget. Hover over a user's initials on the widget to reveal their full name on all pages.

    User Retrieval and Synchronization:

    Users are retrieved from the users table in ServiceNow. As a prerequisite, SailPoint requires that user data be synchronized between ServiceNow and SailPoint. If a user mismatch is detected, a validation process occurs, and an error message (e.g., "User Mismatch") is displayed. This validation occurs:

    • The system allows navigation to the next screen.

    • The user that does not exist on ISC remains in the selection.

    • Upon submission, the system displays: “You cannot submit an access request for a user who does not exist.”

    Expected Behavior / Functionality:

    • Requests for users that exist on ISC are processed correctly.

    • Submissions for users that do not exist on ISC are blocked.

    • This behavior is consistent with product design and expected functionality.

  1. In stage 2 – Select Access you can use the Add Access tab to choose options to refine your search to a specific subset of roles and / or access profiles.

    • Description

    • Name

    • Owner

    • Source (searches for access profiles only, not roles)

    For each filter option you select, the corresponding operator options are displayed beside it.

    The Description and Name filters offer the following three options for the operator. Expand each one to learn more.

      • Ability to search for ANY keywords

        • the default option

        • case insensitive

        • does not support searching for special characters

          Search Term

          Expected Results

          Excluded from Results

          Ep

          Epic Admin, Epic Admin123, Epic Admin Role

          Admin, Admin123, Admin Role, Admin Role Owner

          Epic

          Epic Admin, Epic Admin123, Epic Admin Role

          Admin, Admin123, Admin Role, Admin Role Owner

          Epic Ad

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          		  

          Epic Admin

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          		  

          Epic Admin R

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          		  

          Ad

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          		  

          Admin

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

           

          Admin R

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          		  

          Admin Role

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

           

          Admin Role O

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

           

      • Ability to search for ALL keywords

        • case insensitive

        • does not support searching for special characters

          Search Term

          Expected Results

          Excluded from Results

          Ep

          Epic Admin, Epic Admin123, Epic Admin Role

          Admin, Admin123, Admin Role, Admin Role Owner

          Epic

          Epic Admin, Epic Admin123, Epic Admin Role

          Admin, Admin123, Admin Role, Admin Role Owner

          Epic Ad

          Epic Admin, Epic Admin123, Epic Admin Role

          Admin, Admin123, Admin Role, Admin Role Owner

          Epic Admin

          Epic Admin, Epic Admin123, Epic Admin Role

          Admin, Admin123, Admin Role, Admin Role Owner

          Epic Admin R

          Epic Admin Role

          Admin, Admin123, Admin Role, Admin Role Owner

          Ad

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          		  

          Admin

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

           

          Admin R

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Epic Admin, Epic Admin123

          Admin Role

          Admin Role, Admin Role Owner, Epic Admin Role

          Epic Admin, Epic Admin123, Epic Admin Role

          Admin Role O

          Admin Role Owner

           

          Admin, Admin123, Admin Role, Epic Admin, Epic Admin123, Epic Admin Role

      • Ability to search for EXACT match

        • case sensitive

        • supports searching for special characters

          Search Term

          Expected Results

          Excluded from Results

          Ep

          		  

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Epic

          		  

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Epic Ad

          		  

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Epic Admin

          Epic Admin

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin123, Epic Admin Role

          Epic Admin R

          		  

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Ad

          		  

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Admin

          Admin

          Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Admin R

           

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Admin Role

          Admin Role

          Admin, Admin123, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

          Admin Role O

           

          Admin, Admin123, Admin Role, Admin Role Owner, Epic Admin, Epic Admin123, Epic Admin Role

    The Owner and Type filters offer one option for the operator; Equals. This operator is read-only and cannot be changed.

  2. For Description and Name, select one of the three provided operators, enter the keyword to search for, and then select the magnifying glass to add the filter.

  3. For Owner and Source, select a specific value from the corresponding dropdown list and select the magnifying glass icon to add the filter.

  4. Combine these filters as needed to refine the results returned.

    Note
    Unlike access profiles, roles are not associated with a specific source. If you use the Type filter and choose Role, you cannot combine that filter with the Source filter. If you attempt to combine these filters, a message is displayed to notify you that your Source filter will be effectively ignored.

  5. When you've finished building your search query, all the search results that match your criteria are displayed.

View information about the specific entitlements:

  1. To view information about the specific entitlements that comprise an access profile, select the Details link in its card.

  2. To select an access profile or role in the search results, click the top section of the card that contains a check mark and its name, and then select Next.

  1. In stage 3 – Recommendations Review you can review recommended items in tabular form.

    • Tabbed and pagination helps the user to navigate between result sets. Tabs and their order will be the same as in the Add Access page configuration.

    • The recommendations view is only visible when a single user is selected. It is not applicable for multi-user selections.

    • It's possible for users to ignore recommended items. Refer to the Access Recommendations feature documentation of Identity Security Cloud (ISC) for details.

    ServiceNow administrators have the ability to determine whether to display or conceal the recommendation tab by following the steps outlined below.

  2. Go to SailPoint Identity Security Cloud for Service Catalog > Setup.

  3. For Show Recommendations, applicable only if required license available? leave the default value of Yes to show the recommendation tab. Change the value to No to hide the tab.

  1. In stage 4 – Review & Submit you can review the access you are requesting and add comments to help any reviewers make more informed decisions about the request.

  2. When you’ve finished reviewing the access being requested and are confident that reviewers will have all of the information they’ll need to make an informed decision on whether or not to grant the access, select Submit.

When a user has more than one account on a source, the multi-account feature prompts the requester to choose which account to provision access to, and likewise, each record of a user’s access includes account data to support access revocation from the appropriate account.

Note
Support for the Multi-Account feature has been introduced using widget architecture only and is not supported in the Manage_Access page.

  1. Admins must define one source per system and configure their logic to correlate all of a user’s accounts from that source to their identity. At the end of the request submission flow, when applicable, the access requester is then prompted to select the appropriate account from the list of the target user’s correlated accounts.

  2. Request line items, if associated with multiple accounts/assignments, will require a mandatory selection. A window will populate for the requester to make selections.

    isc_request Page Review & Submit

    isc_request_2 Page Review & Submit

  3. While requesting access, the account name must be selected.

     

  4. While reviewing access, the assignment must be selected.

Note

  • Request for multi-accounts is supported for Role and Entitlements as per ISC architecture.

The behavior of access removal (revocation) differs based on the type of connection established between ServiceNow and Identity Security Cloud (ISC).

With OAuth 2.0, the ability to request access revocation is governed by the following rules:

  • Manager-Initiated Revocation: Managers can only request access revocation for their direct reports.

  • ORG_ADMIN: Users possessing the ORG_ADMIN role in ISC can request access revocation for any user within the organization, irrespective of the reporting structure.

  • Self-Revocation Restriction: Users are not permitted to request revocation of their own access.

  • ServiceNow User with x_sap_intidn.onbehalfof Role: ServiceNow users with the x_sap_intidn.onbehalfof role can initiate access requests on behalf of other users. However, if the ServiceNow user lacks ORG_ADMIN privileges in ISC, they cannot initiate access revocation requests

When a PAT is used for the catalog integration, it is automatically granted ORG_ADMIN privileges within ISC. This results in the following behavior:

  • Initiate access revocation requests without any restrictions.

  • The user can select any user visible to them and successfully initiate an access revocation request for that user.

  1. Sign in to the ServiceNow Portal with your credentials.

  2. Select Manage Access.

  3. To review the access for a user who also exists in Identity Security Cloud, search for the user and click the top section of the card that contains a check mark and their name, and then select Next.

    Note
    You can select multiple users and create a request to add the same access to them all at once. You cannot remove access this way, as each user has a unique combination of access.

    At the top of the page, you’ll see options to Add Access, Recommendations, and Review Existing Access. Use these to request the level of access that’s appropriate for the user.

  4. Use the Add Access tab to search for roles, access profiles, and entitlements that are currently eligible to be added to the user’s access by selecting the appropriate tab component. For each filter option you select, the corresponding operation is displayed beside it.

    To filter the search results by owner or source, select a filter from the Select Filters list, and then enter the owner or source in the Keyword Search. The Add Access pagination supports up to 10,000 search results.

  5. Use the Recommendations tab to view recommended access profiles or roles.

    Note

    • The Recommendations tab only displays if you enable the IdentityAI feature in Identity Security Cloud for the selected organization

    • The generation of available recommendations per user requires additional configuration of the Identity Security Cloud organization. For more information about configuration, contact the support team.

  6. Use the Review Existing Access tab to see the access associated with the user's profile. You can select and remove any existing roles or access profiles that are revocable.

    Note
    A tab to view Entitlements may (or may not) exist. This is based on the setup in Admin settings.

    Whether you are adding or removing access, you can view information about the specific entitlements that comprise an access profile by selecting the Details link in the access profile’s card.

  7. When you are finished selecting access to be added or removed, select Next.

  8. In stage 3 – Review & Submit you can review the access you are adding or removing and add comments to help any reviewers make more informed decisions about the request.

  9. When you're finished reviewing your request to add and / or remove access to determine the appropriate access for one or more users, select Submit.

  • A single request containing all related items is generated and assigned a unique number for tracking purposes.

  • Depending on how Access Requests are configured for your site, the request will either be fulfilled automatically, or it will generate a request for manual approval.

  • Administrators can view the current status of requests that have been generated by going to Account Requests in the main ServiceNow Service Catalog menu.

Note
Suitably entitled users can also view their own requests in the ServiceNow Portal.

To view details for a specific request in the list, select its name.

""