Configuring Access Requests for Entitlements

After you've created sources and uploaded entitlements, you can configure access requests for entitlements.

Important

Be sure the name and description of requestable entitlements are user-friendly and easy to understand. Detailed descriptions will improve the accuracy, quality, and speed of requests and review decisions.

Enabling Entitlement Requests Globally

Enable entitlement requests and configure how you want them to function globally in your tenant. After enabling entitlement requests globally, you can choose to override the approval and comments configuration for individual entitlements.

If entitlement requests are not enabled, entitlement removal requests are automatically disabled globally, too. If you want to allow revocation but not entitlement requests, enable entitlement requests globally but do not enable any entitlements to be requestable. Optionally, you can also set up a global and/or entitlement-level approval configuration for revocation.

  1. Go to Admin > Global > System Settings.

  2. Select Feature Settings from the left pane.

  3. Under Feature Settings, select Access Request, and select Enable Entitlement Requests to enable it.

    Selecting this checkbox enables the feature for your site, but you'll still be able to choose which entitlements are and aren't requestable.

  4. Go to the Entitlement Requests subsection.

  5. If you want entitlement requests to require review, select the Require Approval checkbox.
  6. If you are requiring approval, select the dropdown menu under Select Reviewers.

    You can choose from the following options:

    • Entitlement Owner - The entitlement owner will review entitlement requests.
    • Governance Group - Members of a governance group will review entitlement requests. Only one member of the group you select must review a request for it to move to the next step.
    • Manager - The manager of the requester will review entitlement requests.
    • Source Owner - The owner of the source the entitlement comes from will be required to review requests.

    Select Add Reviewer.

  7. If you need multiple approvers, repeat the previous step to add other reviewers.

    • Select the icon to rearrange the reviewers into the order they should be asked for approval. To remove a reviewer from the list, select the X icon in that reviewer’s row.
  8. If you want to require comments at any point in the submission or review process, select one or more of the options under Require Comments:

    • Require comments when User requests - The user requesting access will be required to submit a comment alongside their request.
    • Require comments when Approver denies - When a reviewer denies a request for access, they'll be required to leave a comment explaining their decision.

  9. Go to the Entitlement Removal Requests subsection.

  10. If you want entitlement revocation requests to require review, select Approval Required.
  11. If you are requiring approval, select the dropdown menu under Select Reviewers. You can choose from the following options:

    • Entitlement Owner - The entitlement owner will review entitlement removal requests.
    • Manager - The manager of the requester will review entitlement removal requests.
    • Source Owner - The owner of the source the entitlement comes from will be required to review removal requests.
  12. Select Save.

After saving, you must configure individual entitlements to be requestable.

Marking Entitlements as Requestable

Make source entitlements available for users to request in the Request Center.

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to update.
  3. In the Entitlement Management section, select Entitlements.
  4. Select the checkbox beside the entitlements you want to mark as requestable.
  5. Select the Actions dropdown list and choose Mark as Requestable.

    List of entitlements. The checkboxes next to 2 entitlements are selected. The Actions dropdown list is displayed, with the Mark as Requestable option highlighted.

Alternatively, you can make source entitlements available for users to request from the Entitlements page.

  1. Go to Admin > Access Model > Entitlements.
  2. Locate the entitlement that you want to update.
  3. Select Actions > Mark as Requestable.

Configuring Individual Entitlement Access Requests

You can configure access requests and access revocation requests for individual entitlements. The approval process defined for individual entitlements supersedes the approval process defined for the source and globally in your tenant.

Note

Before you can make entitlements requestable, you must enable access requests for entitlements in your org.

To configure an entitlement for access requests:

  1. Go to Admin > Access > Entitlements.
  2. Select Actions > Edit for the entitlement you want to update.
  3. Select Access Requests from the left panel.
  4. Select the Allow Access Requests toggle if the entitlement is not already marked as requestable.
  5. (Optional) To require approvals for requests, select the Require Approval option under Reviewing Access Requests.

    Note

    If you don't choose Require Approval, the global approval configuration still applies.

    • Select either Reviewer, if you want to add an individual or governance group to review, or Workflow, if you want an approval workflow to process the approval.
    • If you selected Reviewer, choose an identity or governance group from the dropdown list and select + to add them as a reviewer.

      • Governance Group - A governance group. When you choose this option, another field appears for selecting which governance group should approve.
      • Manager - The manager of the identity that the access is being requested for.
      • Entitlement Owner - The owner of the entitlement.
      • Source Owner - The owner of the source of the entitlement.
    • If you selected Reviewer and need multiple approvers, repeat the previous step to add additional reviewers.

      • Use the arrows to rearrange the reviewers into the order they should be asked for approval. To remove a reviewer from the list, select the X in that reviewer's row.
    • If you selected Workflow, use the dropdown to select from a list of workflows that are compatible with this type of approval. Only enabled workflows using the Access Request Submitted trigger are listed.

      Note

      When selecting the Workflow option, make sure that you understand the functionality of that workflow or consult with your Org Admin to define a Workflow that functions as you intend.

  6. (Optional) Under Require Comments, specify when comments must be provided.

    • Select When the user requests access to require the user to provide a comment or business justification when they submit a request.
    • Select When a reviewer denies the request to require the request reviewers to provide a comment or reason when they reject a request.

    Note

    If comments are required by your global configuration, they will still be required even if this is left blank.

  7. (Optional) To require approvals for revocation requests, select the Require Approval for Removal checkbox. Choose an approver, such as a manager, owner, or governance group from the dropdown list and select the + icon to add them.

    • If you require approvals for revocation requests and need multiple approvers, repeat this step to add additional reviewers.

      • Use the arrows to rearrange the reviewers into the order they should be asked for approval. To remove a reviewer from the list, select the X icon in that reviewer's row.

    Note

    If you don't choose Require Approval for Removal, the global revocation configuration still applies.

  8. Select Save to save your changes.

Users can now request the entitlement from the Request Center. If the identity needing access has multiple accounts on a source, the requester will select which account should receive that access.

Notes

  • You can use the API to configure requirements for entitlement approval and comments per source as well. If set, this configuration behaves like a global configuration for all entitlements connected to that source. It can be overridden with changes or additions at the entitlement level.
  • For sensitive or regulated access items you can enable reauthenticated approvals to require reviewers to reauthenticate when they approve a request.
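
The precedence described in this section (entitlement-level approval over source-level over global, with broader comment requirements still applying) can be modelled to audit which requestable entitlements end up with no reviewer at all. This is an added example, not SailPoint code or an API schema: the class, field, and function names are hypothetical, the sample data is constructed, and the fall-through from an unset source-level configuration to the global one is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class ApprovalConfig:  # hypothetical model, not a SailPoint API schema
    require_approval: bool = False
    reviewers: list = field(default_factory=list)  # ordered approval chain
    comment_on_request: bool = False
    comment_on_deny: bool = False

def effective_policy(global_cfg, source_cfg=None, entitlement_cfg=None):
    """Resolve who must approve a request for one entitlement."""
    reviewers = []
    # The most specific level that requires approval supplies the chain;
    # a level left unset falls through to the next broader one (assumption
    # for the source level, stated on the page for the entitlement level).
    for cfg in (entitlement_cfg, source_cfg, global_cfg):
        if cfg is not None and cfg.require_approval:
            reviewers = list(cfg.reviewers)
            break
    levels = [c for c in (global_cfg, source_cfg, entitlement_cfg) if c is not None]
    return {
        "reviewers": reviewers,
        # A comment rule set at a broader level still applies when blank here.
        "comment_on_request": any(c.comment_on_request for c in levels),
        "comment_on_deny": any(c.comment_on_deny for c in levels),
    }

def unreviewed_requestable(entitlements, global_cfg, source_cfgs):
    """Names of requestable entitlements that nobody has to approve."""
    return [
        e["name"] for e in entitlements
        if e["requestable"] and not effective_policy(
            global_cfg, source_cfgs.get(e["source"]), e.get("config"))["reviewers"]
    ]

# Constructed sample tenant: approval is off globally, on for one source.
GLOBAL = ApprovalConfig(comment_on_deny=True)
SOURCES = {"Active Directory": ApprovalConfig(True, ["Source Owner"])}
ENTITLEMENTS = [
    {"name": "Domain Admins", "source": "Active Directory", "requestable": True,
     "config": ApprovalConfig(True, ["Manager", "Entitlement Owner"])},
    {"name": "VPN Users", "source": "Active Directory", "requestable": True},
    {"name": "Payroll Admin", "source": "HR App", "requestable": True},
    {"name": "Legacy Group", "source": "HR App", "requestable": False},
]

if __name__ == "__main__":
    print(unreviewed_requestable(ENTITLEMENTS, GLOBAL, SOURCES))
```

In the sample, only the requestable entitlement on the source without its own configuration is reported, because approval is not required globally.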

Revoking Requested Entitlements

Once an entitlement has been assigned to an identity using access requests, it will be provisioned to the identity's source account. If the entitlement is directly removed from the account on the source, it will be reprovisioned to the account at the next aggregation.

If the account is deleted on the source, such as Active Directory, it is recreated along with the requested entitlement upon the next refresh.

To remove an entitlement from an identity after it's assigned through access requests, you can:

  • Submit a revocation request.
  • Revoke it in a certification campaign.
  • Revoke it by submitting an API call with the Submit Access Request endpoint. You can only submit revoke requests for one entitlement at a time.
  • Delete the entitlement itself on the source.
