Managing User Access
IdentityIQ can be set up to let you request and manage access for yourself or for other identities. Based on how your system is configured, users who are able to manage access for both themselves and others have a Manage User Access Quicklinks menu item and card on the home page. Users who can manage only their own access see a similar menu item and card called Manage My Access.
- Manage My Access – users request and manage access for themselves. Users selecting this option are only able to manage access for themselves, and therefore do not see the Select Users panel, but go directly to the Add or Remove Access page.
- Manage User Access – users request and manage access for one or more identities, including their own. Users selecting this option are directed to the Select Users panel to choose the users whose access they would like to manage.
If you click the Home button, exit the IdentityIQ application, or navigate away from the manage access pages before you complete all tasks, your entries are cleared and the access request is NOT submitted.
Note
When searching for a user to add or remove access, the elevated access icon displays on any user that has elevated roles or entitlements.
Requesting Access
Based on how your system is configured, you can:
Request Access for Others
This option must be configured on the Lifecycle Manager configuration page. Access it via the Quicklink Manage User Access menu item or card on the home page.
- On the Select User tab, select the checkmark icon on the card for one or more identities.
  a. To search for an identity, enter the name or first few letters of an identity in the search box and click the Search icon. To limit the number of listings, select Filters, choose specific filter criteria, and then select Apply.
  b. Select the checkmark icon to choose one or more identities. You can also select the All button to select all identities (maximum of 100).
  c. The Users Selected list just below the navigation bar shows the users you have selected; you can click on this list of users at any point in the access request process to remove users from the selection.
  d. Select the person icon on any user card to see details about that identity.
- Select Next to move on to the Manage Access page.
- On the Manage Access page, select the Add Access tab.
- Click Browse all access items to display the full list of access options available. To search, select either Search by Keywords, Find Users' Access, or Filter Population from the dropdown options.
  - Search by Keywords – enter a search term and select the search icon, or select Browse Access to see a full list of roles and entitlements. Which attributes are searchable is configured by your system administrator.
  - Find Users' Access – select a user from the dropdown options to see access granted to that identity, so you can choose items from that set of access and request those items for the identities in your selection. If you search on multiple users, the search results show the number and percentage of users that have each type of access. Note that this is a configurable option that may not be enabled in your particular installation.
  - Filter Population – filter by a number of configurable options such as Manager, Region, Department, Location, or Job Title to find users and see the access granted to them. Results are shown in groups that include a notification about what percentage of the given population the role or entitlement applies to. Select a percentage notification for details. Note that this is a configurable option that may not be enabled in your particular installation.
- Alternately, click Filters to limit the number of listings using various filtering options, including Role Source Application, Role Source Attribute, Role Classification, Entitlement Application, Entitlement Attribute, and more. After choosing your filter criteria, select Apply to see search results.
  - The Filters button turns green when filtering is applied to alert you that you are seeing a filtered subset of access. To clear filtering, select the Filters button again and select Clear.
- From the listed results, select the checkmark icon for each access item you want to add.
  - When you select a role that permits additional roles, you are alerted that additional, optional roles are available and can select any of them to add to the request.
- After IdentityIQ validates that the user does not currently have the requested access, the number of items you selected displays on the Add Access tab.
- Select Next to move on to the Set Dates, Finalize and Submit tab.
  - A pop-up message notifies you if conflicting changes have been requested.
- Review access request information and verify your choices. Based on how your system is configured, before you complete the access request you may:
  - Remove an access request entry – select the trash can icon next to the access item.
  - Add an attachment (for single user requests only) – if your configuration allows, you may add attachments by selecting the paper clip icon. See Adding Attachments to Access Requests (link).
  - Add a comment – if your configuration allows, you may add a comment to your request by selecting the comments icon to the right. Your system may be configured to require comments, in which case the Comment icon is flagged with a red asterisk. See Viewing and Posting Comments (link).
  - Change the priority – see Editing an Access Request (link).
  - Change the start / end dates – see Editing an Access Request (link).
- Select Submit. After you click Submit, forms are issued if further information is needed before your request can be completed.
  - If you are requesting access for a single identity, a pop-up displays enabling you to complete the form immediately or send it to your Home page.
  - If you are requesting access for multiple identities, the forms are sent directly to your Home page and no pop-up is displayed.
- A banner message confirms that your request was successfully submitted and shares the request ID.
Request Access for Yourself
If your system is set up to allow you to request access for yourself, a card with your identity details is the first card displayed on the Select User tab. This option must be configured in IdentityIQ.
- On the Manage My Access tab, select the Add Access tab.
- Select Browse all access items to display the full list of access options available. To search for available access, select either Search by Keywords or Recommended for You from the dropdown options.
  - Search by Keywords – enter a search term and select the search icon.
  - Recommended For You – if AI-Driven Identity Security has been configured for your organization, the Search field includes an option in the drop-down list to show access items that AI-Driven Identity Security recommends for you based on peer group analysis. Access recommendations are available only for your own access; if you are able to request access for other users such as your direct reports, you will not be offered access recommendations for those users. See Enabling Recommendations for Access Requests (link).
  - You can also select the Yes, show my access recommendations button to see AI-recommended access if AI-Driven Identity Security is configured.
- Alternately, select Filters to use various filtering options, including Role Source Application, Role Source Attribute, Role Source Value, Entitlement Application, Entitlement Attribute, Entitlement Owner, and more. After choosing your filter criteria, select Apply to see search results.
  - The Filters button turns green when filtering is applied to alert you that you are seeing a filtered subset of access. To clear filtering, select the Filters button again and select Clear.
- From the listed results, select the checkmark icon for each access item you want to add.
  - Some roles allow related roles to be added. To add the additional roles, select the role or roles and click Continue.
- Select Next to move on to the Set Dates, Finalize and Submit tab.
  - A pop-up message notifies you if a duplicate change has been requested.
- Review access request information and verify your choices. Based on how your system is configured, before submitting the access request you may:
  - Remove an access request entry – select the trash can icon next to the access item.
  - Add an attachment (for single user requests only) – if your configuration allows, you may add attachments by selecting the paper clip icon. See Adding Attachments to Access Requests (link).
  - Add a comment – if your configuration allows, you may add a comment to your request by selecting the comments icon to the right. Your system may be configured to require comments, in which case the Comment icon is flagged with a red asterisk. See Viewing and Posting Comments (link).
  - Change the priority – see Editing an Access Request (link).
  - Change the start / end dates – see Editing an Access Request (link).
- Select Submit. After you click Submit, forms are issued if further information is needed before your request can be completed. A pop-up is displayed enabling you to complete the form immediately or send it to your Home page.
- A banner message confirms that your request was successfully submitted and shares the request ID.
Request Access Containing a Permitted Role
A permitted role is generally a requested or assigned role and is not automatically granted to a user. Permitted roles are enabled by default. When permitted roles are available, they are displayed on the following tabs:
- Add Access – when you select a role that has permits, the associated permitted roles are displayed as cards after you complete the account selection setup.
- Review – permitted roles are displayed below the associated assigned role.
You can set start / end dates and comments on permitted roles.
Removing Access
The remove access feature is only available for an individual user. If your system is set up to allow you to add or remove access for yourself, a card with your identity details is the first card displayed on the Select User tab.
- On the Select User tab, click the checkmark icon on the card for an identity.
- Navigate to the Manage Access tab and select the Remove or Change Access tab. Current access is listed on the lower part of the window. You may use the search bar to search current access by keyword. Enter a term in the search box and click the search icon. Full text search is not available for Remove Access.
- Alternately, use the Filters button to apply available filters, including options for Status, Role Source Application, Role Source Attribute, Entitlement Application, Entitlement Attribute, and more. After choosing your filter criteria, select Apply to see search results.
  - The Filters button turns green when filtering is applied to alert you that you are seeing a filtered subset of access. To clear filtering, select the Filters button again and select Clear.
- From the search results, select the X icon next to any role to remove access.
  - When removing access, only the roles and entitlements the user currently has assigned are available for removal.
- The number of items you selected to be deleted is displayed in a circle on the Remove or Change Access tab.
- Once you have selected all access you want to remove, select Next to move on to Set Dates, Finalize and Submit.
- Review access request information and verify your choices. Based on how your system is configured, before submitting the request you can:
  - Remove an access request entry – select the trash can icon next to the access item.
  - Add an attachment – if your configuration allows, you may add attachments by selecting the paper clip icon. See Adding Attachments to Access Requests (link).
  - Add a comment – if your configuration allows, you may add a comment to your request by selecting the comment icon to the right. Your system may be configured to require comments, in which case the comment icon is flagged with a red asterisk. See Viewing and Posting Comments (link).
  - View Details – select the Details button. See Viewing Details (link).
- Select Submit.
- A banner message confirms that your request was successfully submitted and shares the request ID.
Viewing Details
You can view the following information about a user:
View User Details
Based on how your system is configured, you can view items such as User Name, Last Name, First Name, email, Location Owner, Region, and more.
- Navigate to the Manage User Access page.
- On the Select User tab, click the user icon on any user card.
To view user details from the Review tab, click the user name next to the user icon to return to the Select User tab and then click the user icon on the user card.
View Role Details
For any role, you can view information such as the application associated with the role, the Attribute, the Name of the role and how the role was assigned.
- Navigate to the Manage User Access page.
- On the Manage Access tab, click Details for any role listing.
Viewing and Posting Comments
Note
Assignment notes can only be added to assigned roles. You cannot add assignment notes to permitted roles.
You can view or post comments and assignment notes to an access request using the comments button (talk bubble icon). The number next to the icon indicates the number of comments and notes for the access request. If comments are required for this item, the comment icon is flagged with a red asterisk. Comments can be made at the overall request level and at the individual request item level; when comments are required, a comment at the request level satisfies the requirement for comments at the individual request item level.
Note
Requiring comments is off by default. To configure comments as required, see Miscellaneous (Link) in the System Configuration Guide.
When you add a comment or assignment note to an access request line item, the note icon turns green.
Based on how your system is configured, you can:
View or Post Access Request Line Item Comments
Before you complete an access request, you can view or post a comment to line items for entitlements and roles.
Note
If an Assignment note is not permitted for the item, the title of the dialog is Comment.
- On the Set Dates, Finalize and Submit tab, select the comments icon for the request item.
- In the Comments and Notes dialog, select the Comments tab.
- To post a new comment, type your comments in the text box and click Save.
Post an Assignment Note to Access Request Line Items
Before you complete an access request, you can post an assignment note to line items for roles.
Note
If an assignment note is not permitted for the item, the Assignment Notes tab is not displayed.
- On the Set Dates, Finalize and Submit tab, select the comments icon for the request item.
- In the Comments and Notes dialog, select the Assignment Notes tab.
- Type your note in the text box and click Save.
Adding Attachments to Access Requests
You can add attachments to access request items using the attachments (paper clip) icon. Based on how your system is configured, you may have the option to add attachments, or you may be required to add an attachment for specific items. See Configuring File Attachments for Access Requests (Link).
Attachments are only available for single user access requests. If attachments are enabled, you will see the attachment icon on all request items, but it will only be active on requests that support attachments.
To add an attachment to an access request:
- On the Set Dates, Finalize and Submit tab, select the attachments icon (paper clip) for the request item.
- In the attachments overlay, add attachments by dragging and dropping or uploading files.
  Once you've added an attachment, you have the option to add a description, download the attachment, or delete the attachment. You can also add more attachments to the request.
- Select OK after all files are loaded.
If you try to add an attachment for a file type that is not supported, or that exceeds the maximum file size that was configured for attachments, you will see an error.
Supported File Types: Your IdentityIQ system administrator can configure what types of file attachments are supported; for example, PDF documents, text files, JPG images, etc.
Caution
IdentityIQ does not perform file content validation or verification on attachments. It is your responsibility to ensure that only files that do not violate security policies within your environment are included as attachments.
File Size Limits: There may be an attachment size limit set during the configuration of IdentityIQ. If you run into issues, contact your system administrator. For information on how file attachment options are configured, see Enabling File Attachments (Link).
Required Attachments: IdentityIQ can be configured to make attachments required for access requests. If attachments are required, this is indicated on the icon and you will receive a warning if you try to submit the request without an attachment.
Attachments for Specific Roles: Attachments are added to individual access request items, and can also be added for specific roles that may be included with the access request item.
Single-Identity Requests Only: Note that attachments can NOT be added to requests that encompass multiple identities; they can be added for single-identity requests only.
Note
Adding any attachment will fulfill the required attachment rules. IdentityIQ does not validate to ensure the correct item was attached. If attachments are required for an item and you include that item in a request for multiple users, a message is displayed instructing you to amend the request as required.
Attachments Overlay
The information displayed on the attachment overlay is controlled using AttachmentConfig rules. Every time a user accesses the Set Dates, Finalize and Submit tab of an access request, every AttachmentConfig rule is reviewed and the attachment overlay is constructed based on that input, possibly with the names of required or suggested attachments displayed in a list.
Required attachment names are displayed with a red asterisk. All required attachments should be included in the access request, but any attachment will satisfy the requirement rules. IdentityIQ does not validate the attached files.
Drag and drop or upload the attachments to add them to the Attached to This Item list.
The Attached to This Item list contains any files already attached to this request item. From this list you can:
- Add or edit comments – click the pencil icon to add or edit comments
- Download and view – download and view the attachment
- Remove – remove the attachment from the request and delete it from the database
Viewing Attachments when Approving Requests
When an Access Request item includes file attachments, the reviewer sees a green attachment icon indicating the presence and number of attachments. The reviewer can click the icon to download and view the attachment. IdentityIQ does not have any built-in viewers; in order to open and view an attachment, the user must have the appropriate application installed (for example, Adobe Acrobat or similar, to open and view a PDF attachment).
Editing an Access Request
Before you submit an Access Request, the following editing options may be available from the Set Dates, Finalize and Submit tab:
- Changing Access Request Priority
- Changing Access Start and End Dates
Changing Access Request Priority
If your system is set up to allow priorities for access requests, you can change the priority for an access request. The default setting is Normal Priority. When you create an access request, you can change the priority to High Priority or Low Priority.
Before you complete an access request, change the priority for an access request by completing these steps:
- On the Set Dates, Finalize and Submit tab, select the button with the flag icon.
- Select High Priority, Normal Priority, or Low Priority.
Note
For this feature to be available to users, the Administrator must select the option to Enable requesters to set request priorities under gear > Lifecycle Manager > Configure tab. See Configure Tab.
Changing Access Start and End Dates
Start and end dates support the temporary assignment of roles and entitlements by letting you set a start and end date for access. Access is deprovisioned when the end date arrives. For information on using start and end dates for entitlements, see Using Start and End Dates for User Access (Link). For information on using start and end dates for roles, see Using Start and End Dates in Roles (Link).
Before completing an access request, you can set a beginning and ending date for a line item in an access request or for the full request in bulk. If all the dates in the access request are the same, the global calendar icon is green. If the dates for one or more line items in the access request are different, the global calendar icon is gray.
For line items, set start / end dates by completing these steps:
- On the Set Dates, Finalize and Submit tab, select the calendar icon for the line item in the access request.
- In the Set Start / End Dates dialog, select the crossmark icon to remove the existing date, as required. Type a new date in the field in the mm/dd/yyyy format or select the calendar to choose a date.
- Select Save. The set date displays on the line item card.
For full requests, set global start / end dates by completing these steps:
- On the Set Dates, Finalize and Submit tab, select the calendar icon for the access request.
- In the Set Start / End Dates dialog, select the crossmark icon to remove the existing date, as required. Type a new date in the field in the mm/dd/yyyy format or select the calendar to choose a date.
- Select Save. The set date displays on all line item cards.
Note
If you specify a global start / end date on an entire access request and then change the global setting, the new global setting overrides any individual line item date settings you may have made.
Note
For this feature to be available to users, the administrator must enable the option to allow start / end dates on role assignment.
Setting Start and End Date Format
You can set a different date format for start date and end date that displays on the Access Request and Access Approval page for roles and entitlements.
Examples of the date format type that you can set are:
- medium – equivalent to ‘MMM d, y h:mm:ss a’ for en_US locale (e.g. Apr 24, 2024 12:00:00 AM)
- short – equivalent to ‘M/d/yy h:mm a’ for en_US locale (e.g. 4/18/24 12:00 AM)
- fullDate – equivalent to ‘EEEE, MMMM d, y’ for en_US locale (e.g. Thursday, May 2, 2024)
- longDate – equivalent to ‘MMMM d, y’ for en_US locale (e.g. April 17, 2024)
- mediumDate – equivalent to ‘MMM d, y’ for en_US locale (e.g. Apr 30, 2024)
- shortDate – equivalent to ‘M/d/yy’ for en_US locale (e.g. 5/10/24)
Follow these steps to set the date format in the Debug pages:
- Log in as an IdentityIQ administrator.
- Navigate to the Debug pages through the Debug URL: https://<hostname>/identityiq/debug (for example, http://localhost:8080/identityiq/debug).
- From the Configuration Objects dropdown list, select UI Configuration.
- Change the date format, where <format> is one of the date format types listed above:
  - Locate uiAccessItemsColumnsRole and set dateStyle = "<format>" for the ColumnConfig entries having headerKey = "my_approvals_start_date" and headerKey = "my_approvals_end_date". This setting changes the start and end date format for roles on the access request page.
  - Locate uiAccessItemsColumnsEntitlement and set dateStyle = "<format>" for the ColumnConfig entries having headerKey = "my_approvals_start_date" and headerKey = "my_approvals_end_date". This setting changes the start and end date format for entitlements on the access request page.
  - Locate uiApprovalItemsColumnsRole and set dateStyle = "<format>" for the ColumnConfig entries having headerKey = "my_approvals_start_date" and headerKey = "my_approvals_end_date". This setting changes the start and end date format for roles on the access approval page.
  - Locate uiApprovalItemsColumnsEntitlement and set dateStyle = "<format>" for the ColumnConfig entries having headerKey = "my_approvals_start_date" and headerKey = "my_approvals_end_date". This setting changes the start and end date format for entitlements on the access approval page.
- Save your change to the UI Configuration object.
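As an added helper (not SailPoint code) for the UI Configuration edit described above, the script below applies the dateStyle change to the start/end date ColumnConfig entries of all four column sets in a UIConfig XML export, refuses format names that are not in the list above, and reports the resulting styles so the edit can be checked before it is saved back in the Debug page. The entry/value/List/ColumnConfig nesting and the sample XML are assumptions constructed for this example.

```python
"""Set dateStyle on the start/end date ColumnConfig entries of an IdentityIQ
UIConfig export. Added example, not SailPoint code; the entry/value/List/
ColumnConfig nesting used here is an assumption about the UIConfig XML."""
import xml.etree.ElementTree as ET

# The four UIConfig entries the procedure edits and the two headerKeys it names.
TARGET_ENTRIES = (
    "uiAccessItemsColumnsRole",
    "uiAccessItemsColumnsEntitlement",
    "uiApprovalItemsColumnsRole",
    "uiApprovalItemsColumnsEntitlement",
)
TARGET_HEADER_KEYS = ("my_approvals_start_date", "my_approvals_end_date")
# Date format types listed in this section.
ALLOWED_STYLES = ("medium", "short", "fullDate", "longDate", "mediumDate", "shortDate")

# Constructed sample: two target entries plus an unrelated entry that must stay untouched.
SAMPLE_UICONFIG = """<UIConfig name="UIConfig">
  <Attributes>
    <Map>
      <entry key="uiAccessItemsColumnsRole">
        <value>
          <List>
            <ColumnConfig headerKey="my_approvals_name"/>
            <ColumnConfig headerKey="my_approvals_start_date" dateStyle="medium"/>
            <ColumnConfig headerKey="my_approvals_end_date"/>
          </List>
        </value>
      </entry>
      <entry key="uiApprovalItemsColumnsEntitlement">
        <value>
          <List>
            <ColumnConfig headerKey="my_approvals_start_date"/>
            <ColumnConfig headerKey="my_approvals_end_date"/>
          </List>
        </value>
      </entry>
      <entry key="uiSomeOtherColumns">
        <value>
          <List>
            <ColumnConfig headerKey="my_approvals_start_date"/>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</UIConfig>
"""


def set_date_style(xml_text, style):
    """Return (updated XML, number of ColumnConfig elements changed).
    Refuses unknown styles so a typo cannot be written into UIConfig."""
    if style not in ALLOWED_STYLES:
        raise ValueError(f"unknown dateStyle {style!r}; expected one of {ALLOWED_STYLES}")
    root = ET.fromstring(xml_text)
    changed = 0
    for entry in root.iter("entry"):
        if entry.get("key") not in TARGET_ENTRIES:
            continue  # leave every other column set alone
        for col in entry.iter("ColumnConfig"):
            if col.get("headerKey") in TARGET_HEADER_KEYS:
                col.set("dateStyle", style)
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def date_styles(xml_text):
    """Map (entry key, headerKey) -> dateStyle (or None) for every start/end
    date column, so the change can be verified before pasting it back."""
    root = ET.fromstring(xml_text)
    found = {}
    for entry in root.iter("entry"):
        for col in entry.iter("ColumnConfig"):
            if col.get("headerKey") in TARGET_HEADER_KEYS:
                found[(entry.get("key"), col.get("headerKey"))] = col.get("dateStyle")
    return found


if __name__ == "__main__":
    updated, n = set_date_style(SAMPLE_UICONFIG, "shortDate")
    print(f"changed {n} columns")
    for key, style in sorted(date_styles(updated).items()):
        print(key, style)
```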
Request Violations
Note
This section applies only to single-identity access requests. If a request for multiple users contains violations, the request goes through and notifications are sent.
When you submit an access request that results in a policy violation and IdentityIQ is configured for interactive violation handling, a warning message appears at the top of the page with a list of the violations. Click a violation to view details about it, including compensating controls and correction advice if they were provided.
Access Request Violations Options
For access requests that generate policy violations, IdentityIQ can be configured to:
Reject and Cancel Requests with Policy Violations
If you submit an access request that results in a policy violation and IdentityIQ is configured to reject any requests with policy violations, the request fails and is canceled. You can navigate to the Manage User Access page and create a new request.
Reject Requests with Policy Violations – Interactive
If you submit an access request that results in a policy violation and IdentityIQ is configured to reject any requests with policy violations, the request fails. If you are notified that the request failed because of a policy violation and you are still on the Manage User Access page, you can:
- Change the access request
- Cancel the access request
Allow Requests with Policy Violations – Non-Interactive
If you submit an access request that results in a policy violation and IdentityIQ is configured to allow any requests with policy violations, the request goes through and you are not notified.
Allow Requests with Policy Violations – Interactive
Note
When you continue with an access request with a violation, IdentityIQ can be configured to allow the violation with no user interaction or require users to add a comment or end date.
If you submit an access request that results in a policy violation and IdentityIQ is configured to allow requests with policy violations and notify the requester, the request continues. When you are notified of the violation, you can:
- Change the access request
- Cancel the access request
- Continue with the access request