Skip to content

Managing Requests for Roles and Access Profiles

You can allow users to request access to roles and access profiles by configuring them for access requests. This access appears in the Request Center and each request can be reviewed by a pre-configured set of identities to ensure the access only goes to users who need it.

To allow requests for a role or access profile through the Request Center, you must:

  1. Set up the access item for requests.
  2. Configure the approval process.
  3. Specify when comments are required.

Items in a request can be individually provisioned or canceled without affecting other items in the request.

Configuring Roles for Requests

If a role can’t be easily auto-assigned, or if it is needed by someone who doesn’t meet the assignment criteria, you can allow users to request the role. When the request is approved, the entitlements in the role’s access profiles are provisioned to the user’s source accounts.

To configure a role for access requests:

  1. Go to Admin > Access Model > Roles.

  2. Select Actions > Edit for the role you want users to be able to request.

  3. Select Access Requests.

  4. Select Requests Enabled.

  5. To require approval for access requests, select the Approval Required toggle under Reviewing Access Requests.

  6. Choose a reviewer option in the Select Reviewers list and select + to add it.

    • Governance Group - A governance group. When you choose this option, another field appears for selecting which governance group.
    • Manager - The manager of the identity the access is being requested for.
    • Role Owner - The owner of the role.
  7. Repeat this selection if you need multiple approvers.

  8. Use the arrows to arrange the reviewers into the order they should be asked for approval.

    To remove a reviewer from the list, select the X icon by that reviewer row.

  9. Under Require Comments, specify when comments must be provided.

    • Select When the user requests access to require the user to provide a comment or business justification when they submit the request.
    • Select When a reviewer denies the request to require the request reviewers to provide a comment or reason when they reject a request.
  10. Select Save.

Note

If you have separation of duties policies configured for your site, reviewers will be automatically notified if granting the role request will put the recipient in violation of an SoD policy. Requesters will also notice the violation notice when they review their submitted requests.

Configuring Role Removal Requests

Managers can request access removal of previously requested roles from their direct reports. You can optionally require approvals for the removal process. This configuration does not apply to certification-based access revocations.

Note

Only roles obtained through access requests can be removed through revoke requests, so the roles must be marked as Requestable.

To configure an approval process for role removal requests:

  1. Go to Admin > Access Model > Roles.

  2. Select Actions > Edit on the role you want to configure.

  3. Select Access Requests.

    To require managers' access removal requests to be approved, select the Removal Requires Approval toggle. By default, no approvals are required.

  4. Select one of the reviewer options in the Select Reviewers list and select + to add it.

    • Governance Group - A governance group. When you choose this option, another field appears for selecting which governance group.
    • Manager – The manager of the identity the access is being requested for.
    • Role Owner - The owner of the role.
  5. Repeat this selection if you need multiple approvers.

  6. Use the arrows to rearrange the approvers into the order they should be asked for approval.

    To remove a reviewer from the list, select the X icon by that reviewer row.

  7. Select Save.

    Comments in Access Removals

    • Removal requests always require comments when submitted.
    • The Require Comments configuration for when a reviewer denies an access request also applies when a removal request is denied.

Configuring Access Profiles for Requests

Users can request access to an access profile in the Request Center. Requesting access to an access profile allows users to submit one request for multiple related entitlements on a single source. When the request is approved, the access profile’s entitlements are provisioned to the user’s source account.

To configure an access profile for requests:

  1. Go to Admin > Access Model > Access Profiles.

  2. Select Edit on the access profile you want users to be able to request.

  3. Select Access Requests.

  4. Select the Allow Access Requests toggle to allow users to request it in the Request Center.

  5. You can optionally require approval for access requests. Under Reviewing Access Requests, select the Require Approval checkbox.

  6. Choose a reviewer option from the Select Reviewers dropdown list to select + to add it.

    • Access Profile Owner - The owner of the access profile.
    • Governance Group - A governance group. When you choose this option, another field appears for selecting which governance group.
    • App Owner - The owner of the application that the access profile is assigned to.
    • Source Owner - The owner of the source of the entitlements in the access profile.
    • Manager - The manager of the identity the access is being requested for.

    Repeat this selection if you need multiple approvers.

  7. Use the arrows to rearrange the reviewers into the order they should be asked for approval.

    To remove a reviewer from the list, select the X icon in that reviewer row.

    Note

    This approval process only applies to requests for the access profile itself. Requests for roles which include the access profile use the role’s approval processes instead. Access profiles granted through auto-assigned roles or lifecycle states do not include approval at all.

  8. Under Require Comments, specify when comments must be provided.

    • Select When the user requests access to require the user to provide a comment or business justification when they submit the request.
    • Select When a reviewer denies the request to require the request reviewers to provide a comment or reason when they reject a request.
  9. Select Save.

Users can now request the access profile from the Request Center.

Notes

  • If you associate the access profile with an application, users can request the access profile from both the Access Items and Applications sections of the Request Center.
  • If a user cannot see access profiles in an application, they may be prevented from viewing those access profiles due to segmentation.

Configuring Access Profile Removal Requests

Managers can request access removal of certain access profiles from their direct reports. You can optionally require approvals for the removal process. This configuration does not apply to certification-based access revocations.

Note

Only access profiles that are not part of a user’s assigned roles or lifecycle state can be removed through revoke requests.

To configure an approval process for access profile removal requests:

  1. Go to Admin > Access Model > Access Profiles.

  2. Select Actions > Edit on the access profile you want to configure.

  3. Select Access Requests.

  4. To require approval of the manager’s removal request, select the Removal Requires Approval toggle under Reviewing Removal Requests. By default, no approvals are required.

  5. Choose one of the reviewer options in the Select Reviewers list and select + to add it.

    • Access Profile Owner - The owner of the access profile.
    • App Owner - The owner of the app that the access profile is assigned to.
    • Governance Group - A governance group. When you choose this option, another dropdown list appears for selecting which governance group.
    • Manager - The manager of the identity the access is being requested for.
    • Source Owner - The owner of the source of the entitlements that are in the access profile.
  6. Repeat this selection if you need multiple approvers.

  7. Use the arrows to rearrange the approvers into the order they should be asked for approval.

    To remove a reviewer from the list, select the X icon by that reviewer row.

  8. Select Save.

    Comments in Access Removals

    • Removal requests always require comments when submitted.
    • The Require Comments configuration for when a reviewer denies an access request also applies when a removal request is denied.

Multi-Approver Process

When a review process involves multiple reviewers, the process follows these rules:

  • Approval requests are sent to reviewers in the order you configured.
  • If you select a governance group as a reviewer, anyone from that group can review and approve or deny the request on behalf of the group.
  • All required reviewers must approve the request before access can be granted. If a reviewer denies a request, the review stops and the access is not provisioned.

Ensuring Complete Reviews

IdentityNow has a number of processes in place to ensure access requests in your site are reviewed by the right users.

Preventing Self-Approval

By default, IdentityNow does not permit self-approval of access requests. Whether a request is made for self or for others, if the requester or the access recipient is listed as a reviewer for a requested item, IdentityNow automatically reassigns their review responsibilities to someone else.

  • For approvals assigned to them as an individual, the approval request is reassigned to their manager.
  • For governance group approvals, they are omitted from the review.
  • If either is the only member of that governance group, the request is reassigned to their manager. If the governance group contains both users as its only members, the request is reassigned to both their managers.
  • If they don't have a manager, the request is reassigned to an IdentityNow administrator.

Automatic Approval

You can optionally enable automatic approval when the configured reviewer is the requester identity. This setting requires an API call with the Update Access Request Configuration endpoint.

  • Automatic approval only applies when the configured reviewer is an identity.
  • If the configured reviewer is a governance group, even if the requester is the only member, automatic approval does not apply.
  • All other configured review levels still apply.

Auto-approval events are detected and audited at the start of a review sequence. Audit logs show auto-approval events even if a request denial by another reviewer ends the review process before the auto-approval would occur.

Requests Missing a Reviewer

If one of the reviewers in an access item's review process is missing, IdentityNow automatically reassigns that item's review responsibility to another user.

In most cases, that responsibility is assigned to one of your IdentityNow administrators. However, if the review process requires manager approval and the access recipient doesn't have one listed, reassignment depends on the type of access requested:

  • If the requested item is an access profile, the review is reassigned to both the app owner and the source owner. If the source or app owner isn't found, the review responsibility is reassigned to an IdentityNow administrator.
  • If the requested item is a role, the review is reassigned to the role owner.
  • If it's an entitlement, the review is reassigned to the source owner.

Tracking Access Requests

You can track access requests by going to Search > Reports > Access Request Activity.

You can also enter the search query type:"ACCESS_REQUEST" to retrieve this data.

Request Retries

Access request provisioning which fails with a retryable error will be automatically retried once per hour, up to 3 times.