Skip to content

Configuring Access Requests for Entitlements

After you've created sources and uploaded entitlements, you can configure access requests for entitlements.

Important

Be sure the name and description of any requestable entitlements are user-friendly and easy to understand. Detailed descriptions will improve the accuracy, quality, and speed of requests and review decisions.

Enabling Entitlement Requests

  1. Go to Admin > Global > System Settings.

  2. Select System Features from the left pane.

  3. Under Access Request, select the Enable Entitlement Requests checkbox.

    Selecting this checkbox enables the feature for your site, but you'll still be able to choose which entitlements are and aren't requestable.

  4. If you don't want entitlement requests to require review, select the No Approval Required checkbox.

  5. Otherwise, to require reviews for each entitlement request, select the dropdown menu under Required Approvers.

    You can choose from the following options:

    • Entitlement Owner - The entitlement owner will review entitlement requests.
    • Governance Group - Members of a governance group will review entitlement requests. Only one member of the group you select must review a request for it to move to the next step.
    • Manager - The manager of the requester will review entitlement requests.
    • Source Owner - The owner of the source the entitlement comes from will be required to review requests.
  6. If you want to require comments at any point in the review process, select one or more of the options under Require Comments:

    • When User Requests - The user requesting access will be required to submit a comment alongside their request.
    • When Approver Denies - When a reviewer denies a request for access, they'll be required to leave a comment explaining their decision.

  7. Select Save.

After this, you must configure individual entitlements to be requestable.

Marking Entitlements as Requestable

  1. Go to Admin > Connections > Sources.

  2. Choose the source of the entitlements you want to update.

  3. Select the Entitlements tab.

  4. Select the checkbox beside the entitlements you want to mark as requestable.

  5. In the Actions menu, select Mark Requestable.

Managing Access Request Configurations

You can configure access requests for individual entitlements. The approval process defined for individual entitlements supersedes the approval process defined for the source and globally in your tenant.

Note

Before you can make entitlements requestable, you must enable access requests for entitlements in your org.

  1. Go to Admin > Access Model > Entitlements.
  2. Select Actions > Edit for the entitlement you want to update.
  3. Select Access Requests from the left panel.
  4. Select the Allow Access Requests toggle if the entitlement is not already marked as requestable.
  5. (Optional) To require approvals for requests, select the Require Approval checkbox. Choose an identity or governance group from the dropdown list and select the + icon to add them as a reviewer.
  6. (Optional) Choose whether to require comments when a user requests this entitlement or when a reviewer denies the request.
  7. (Optional) To require approvals for removal requests, select the Require Approval for Removal checkbox. Choose an identity or governance group from the dropdown list and select the + icon to add them as a reviewer.
  8. Select Save to save your changes.

Revoking Requested Entitlements

Once an entitlement has been assigned to an identity using access requests, it will be provisioned to the identity's source account. If the entitlement is directly removed from the account on the source, it will be reprovisioned to the account at the next aggregation.

If the account is deleted on the source, such as Active Directory, it is recreated along with the requested entitlement upon the next refresh.

To remove an entitlement from an identity after it's assigned through access requests, you can:

  • Revoke it in a certification campaign.
  • Revoke it by submitting an API call with the Submit Access Request endpoint. You can only submit revoke requests for one entitlement at a time.
  • Delete the entitlement itself on the source.