Managing Requests for Roles and Access Profiles
You can allow users to request access to roles and access profiles by configuring them for access requests. This access appears in the Request Center and each request can be reviewed by a pre-configured set of identities to ensure the access only goes to users who need it.
To allow requests for a role or access profile through the Request Center, you must:
- Set up the access item for requests.
- Configure the approval process.
- Specify when comments are required.
Items in a request can be individually provisioned or canceled without affecting other items in the request.
Configuring Roles for Requests
If a role can’t be easily auto-assigned, or if it is needed by someone who doesn’t meet the assignment criteria, you can allow users to request the role. When the request is approved, the entitlements in the role’s access profiles are provisioned to the user’s source accounts.
To configure a role for access requests:
- Go to Admin > Access Model > Roles.
- Select Actions > Edit for the role you want users to be able to request.
- Select Access Requests.
- Select Requests Enabled.
- To require approval for access requests, select the Approval Required toggle under Reviewing Access Requests.
- Choose a reviewer option in the Select Reviewers list and select + to add it.
  - Governance Group - A governance group. When you choose this option, another field appears for selecting which governance group.
  - Manager - The manager of the identity the access is being requested for.
  - Role Owner - The owner of the role.
- Repeat this selection if you need multiple approvers.
- Use the arrows to arrange the reviewers into the order they should be asked for approval. To remove a reviewer from the list, select the X icon by that reviewer row.
- Under Require Comments, specify when comments must be provided.
  - Select When the user requests access to require the user to provide a comment or business justification when they submit the request.
  - Select When a reviewer denies the request to require the request reviewers to provide a comment or reason when they reject a request.
- Select Save.
Note
If you have separation of duties policies configured for your site, reviewers are automatically notified if granting the role request would put the recipient in violation of an SoD policy. Requesters also see the violation notice when they review their submitted requests.
Configuring Role Removal Requests
Managers can request access removal of previously requested roles from their direct reports. You can optionally require approvals for the removal process. This configuration does not apply to certification-based access revocations.
Note
Only roles obtained through access requests can be removed through revoke requests, so the roles must be marked as Requestable.
To configure an approval process for role removal requests:
- Go to Admin > Access Model > Roles.
- Select Actions > Edit on the role you want to configure.
- Select Access Requests.
- To require managers' access removal requests to be approved, select the Removal Requires Approval toggle. By default, no approvals are required.
- Select one of the reviewer options in the Select Reviewers list and select + to add it.
  - Governance Group - A governance group. When you choose this option, another field appears for selecting which governance group.
  - Manager - The manager of the identity the access is being requested for.
  - Role Owner - The owner of the role.
- Repeat this selection if you need multiple approvers.
- Use the arrows to rearrange the approvers into the order they should be asked for approval. To remove a reviewer from the list, select the X icon by that reviewer row.
- Select Save.
Comments in Access Removals
- Removal requests always require comments when submitted.
- The Require Comments configuration for when a reviewer denies an access request also applies when a removal request is denied.
Configuring Access Profiles for Requests
Users can request access to an access profile in the Request Center. Requesting access to an access profile allows users to submit one request for multiple related entitlements on a single source. When the request is approved, the access profile’s entitlements are provisioned to the user’s source account.
To configure an access profile for requests:
- Go to Admin > Access Model > Access Profiles.
- Select Edit on the access profile you want users to be able to request.
- Select Access Requests.
- Select the Allow Access Requests toggle to allow users to request it in the Request Center.
- You can optionally require approval for access requests. Under Reviewing Access Requests, select the Require Approval checkbox.
- Choose a reviewer option from the Select Reviewers dropdown list and select + to add it.
  - Access Profile Owner - The owner of the access profile.
  - Governance Group - A governance group. When you choose this option, another field appears for selecting which governance group.
  - App Owner - The owner of the application that the access profile is assigned to.
  - Source Owner - The owner of the source of the entitlements in the access profile.
  - Manager - The manager of the identity the access is being requested for.
- Repeat this selection if you need multiple approvers.
- Use the arrows to rearrange the reviewers into the order they should be asked for approval. To remove a reviewer from the list, select the X icon in that reviewer row.
Note
This approval process only applies to requests for the access profile itself. Requests for roles which include the access profile use the role’s approval processes instead. Access profiles granted through auto-assigned roles or lifecycle states do not include approval at all.
- Under Require Comments, specify when comments must be provided.
  - Select When the user requests access to require the user to provide a comment or business justification when they submit the request.
  - Select When a reviewer denies the request to require the request reviewers to provide a comment or reason when they reject a request.
- Select Save.
Users can now request the access profile from the Request Center.
Notes
- If you associate the access profile with an access application, users can request the access profile from both the Access Items and Applications sections of the Request Center.
- If a user cannot see access profiles in an access application, they may be prevented from viewing those access profiles due to segmentation.
Configuring Access Profile Removal Requests
Managers can request access removal of certain access profiles from their direct reports. You can optionally require approvals for the removal process. This configuration does not apply to certification-based access revocations.
Note
Only access profiles that are not part of a user’s assigned roles or lifecycle state can be removed through revoke requests.
To configure an approval process for access profile removal requests:
- Go to Admin > Access Model > Access Profiles.
- Select Actions > Edit on the access profile you want to configure.
- Select Access Requests.
- To require approval of the manager's removal request, select the Removal Requires Approval toggle under Reviewing Removal Requests. By default, no approvals are required.
- Choose one of the reviewer options in the Select Reviewers list and select + to add it.
  - Access Profile Owner - The owner of the access profile.
  - App Owner - The owner of the app that the access profile is assigned to.
  - Governance Group - A governance group. When you choose this option, another dropdown list appears for selecting which governance group.
  - Manager - The manager of the identity the access is being requested for.
  - Source Owner - The owner of the source of the entitlements that are in the access profile.
- Repeat this selection if you need multiple approvers.
- Use the arrows to rearrange the approvers into the order they should be asked for approval. To remove a reviewer from the list, select the X icon by that reviewer row.
- Select Save.
Comments in Access Removals
- Removal requests always require comments when submitted.
- The Require Comments configuration for when a reviewer denies an access request also applies when a removal request is denied.
Multi-Approver Process
When a review process involves multiple reviewers, the process follows these rules:
- Approval requests are sent to reviewers in the order you configured.
- If you select a governance group as a reviewer, anyone from that group can review and approve or deny the request on behalf of the group.
- All required reviewers must approve the request before access can be granted. If a reviewer denies a request, the review stops and the access is not provisioned.
Ensuring Complete Reviews
Identity Security Cloud has a number of processes in place to ensure access requests in your site are reviewed by the right users.
Preventing Self-Approval
By default, Identity Security Cloud does not permit self-approval of access requests. Whether a request is made for self or for others, if the requester or the access recipient is listed as a reviewer for a requested item, their review responsibilities are automatically reassigned to someone else.
- For approvals assigned to them as an individual, the approval request is reassigned to their manager.
- For governance group approvals, they are omitted from the review.
- If either is the only member of that governance group, the request is reassigned to their manager. If the governance group contains both users as its only members, the request is reassigned to both their managers.
- If they don't have a manager, the request is reassigned to an administrator.
Automatic Approval
You can optionally enable automatic approval when the configured reviewer is the requester identity. This setting requires an API call with the Update Access Request Configuration endpoint.
- Automatic approval only applies when the configured reviewer is an identity.
- If the configured reviewer is a governance group, even if the requester is the only member, automatic approval does not apply.
- All other configured review levels still apply.
Auto-approval events are detected and audited at the start of a review sequence. Audit logs show auto-approval events even if a request denial by another reviewer ends the review process before the auto-approval would occur.
Requests Missing a Reviewer
If one of the reviewers in an access item's review process is missing, Identity Security Cloud automatically reassigns that item's review responsibility to another user. When this happens, replacement reviewers are added at the end of the approval chain.
In most cases, that responsibility is assigned to one of your Identity Security Cloud administrators. However, if the review process requires manager approval and the access recipient doesn't have one listed, reassignment depends on the type of access requested:
- If the requested item is an access profile that is tied to an access application, the review is reassigned to both the access application owner and the source owner. If the access profile is not associated with an access application, the review is reassigned only to the source owner.
- If the requested item is a role, the review is reassigned to the role owner.
- If it's an entitlement, the review is reassigned to the source owner.
- If any owner who would regularly be assigned as a replacement reviewer is not found, the review responsibility is reassigned to an administrator.
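The Multi-Approver Process, Preventing Self-Approval and Requests Missing a Reviewer rules above describe how a configured reviewer chain becomes the chain that actually runs. The model below is an added example, not SailPoint code: it encodes those rules so you can check what chain a given configuration produces before relying on it. Identity names, the `Item` fields and the `"administrator"` placeholder are constructed for the example.

```python
"""Constructed model of the reviewer-resolution rules on this page (not SailPoint code):
self-approval prevention and missing-reviewer replacement applied to a configured chain."""
from __future__ import annotations
from dataclasses import dataclass

ADMIN = "administrator"  # placeholder for "an administrator"

@dataclass
class Item:
    kind: str                       # "role", "access_profile" or "entitlement"
    owner: str | None = None        # role owner (roles only)
    source_owner: str | None = None
    app: str | None = None          # access application the profile is tied to, if any
    app_owner: str | None = None

def manager_replacements(item: Item) -> list[str]:
    """Reviewers used when manager approval is required but the recipient has no manager."""
    if item.kind == "role":
        owners = [item.owner]
    elif item.kind == "access_profile":
        owners = [item.app_owner, item.source_owner] if item.app else [item.source_owner]
    else:                                   # entitlement
        owners = [item.source_owner]
    return owners if all(owners) else [ADMIN]   # any owner not found -> administrator

def resolve_reviewers(configured, requester, recipient, identities, item):
    """configured: ordered list of ("manager", None) | ("identity", name) | ("group", [names]).
    identities maps an identity to its manager (None = no manager); a name absent from the
    map is a missing reviewer. Returns the effective ordered chain of reviewers."""
    excluded = {requester, recipient}       # neither may review their own request
    chain, tail = [], []                    # replacements for missing reviewers go at the end

    def escalate(person):                   # self-approval: reassign to manager, else admin
        return identities.get(person) or ADMIN

    for kind, value in configured:
        if kind == "manager":
            value = identities.get(recipient)
            if value is None:               # recipient has no manager listed
                tail.extend(manager_replacements(item))
                continue
            kind = "identity"
        if kind == "identity":
            if value not in identities:     # configured owner/identity not found
                tail.append(ADMIN)
            else:
                chain.append(escalate(value) if value in excluded else value)
        else:                               # governance group: excluded members are omitted
            members = [m for m in value if m not in excluded]
            if members:
                chain.append(("group", tuple(members)))
            else:                           # only requester/recipient were members
                chain.extend(escalate(m) for m in dict.fromkeys(value))
    return chain + tail
```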
Tracking Access Requests
You can track access requests by going to Search > Reports > Access Request Activity.
You can also enter the search query type:"ACCESS_REQUEST" to retrieve this data.
Request Retries
Access request provisioning which fails with a retryable error will be automatically retried once per hour, up to 3 times.