Configuring Access Requests for Entitlements
To get started with Access Requests, you'll first need to complete your IdentityNow setup.
When you have completed your setup, including creating sources and uploading entitlements, you can begin configuring access requests for entitlements.
Be sure the name and description of any requestable entitlements are user-friendly and easy to understand. Detailed descriptions will improve the accuracy, quality, and speed of requests and review decisions.
To enable entitlement requests for your site:
In the Admin interface, go to Global > System Settings.
Select System Features from the left pane.
Under Access Request, select the Enable Entitlement Requests checkbox.
Selecting this checkbox enables the feature for your site, but you'll still be able to choose which entitlements are and aren't requestable.
If you don't want entitlement requests to require review, select the No Approval Required checkbox.
Otherwise, to require reviews for each entitlement request, select the dropdown menu under Required Approvers.
You can choose from the following options:
- Governance Group - Members of a governance group will review entitlement requests. Only one member of the group you select must review a request for it to move to the next step.
- Manager - The manager of the requester will review entitlement requests.
- Source Owner - The owner of the source the entitlement comes from will be required to review requests.
If you want to require comments at any point in the review process, select one or more of the options under Require Comments:
After this, you must configure individual entitlements to be requestable.
To configure individual entitlements to be requestable:
From the Admin interface, go to Connections > Sources.
Choose the source of the entitlements you want to update.
Select the Entitlements tab.
Select the checkbox beside the entitlements you want to mark as requestable.
- In the Actions menu, select Mark Requestable.
The entitlements you've selected are made requestable and will appear in users' Request Centers.
If you configured an approval process for entitlements, that process is applied to all requestable entitlements in your site.
Once an entitlement has been assigned to an identity using access requests, it will be provisioned to the identity's source account. If the entitlement is directly removed from the account on the source, it will be re-provisioned to the account at the next aggregation.
To remove an entitlement from an identity after it's assigned through access requests, take one of the following actions:
- Revoke it in a certification campaign.
- Delete the entitlement itself on the source.
- Delete the source account the entitlement is assigned to. This will remove the access from the account, but will also delete the account itself and remove all access associated with it.