Skip to content

Configuring Access Requests for Entitlements

After you've created sources and uploaded entitlements, you can configure access requests for entitlements.

Important

Be sure the name and description of requestable entitlements are user-friendly and easy to understand. Detailed descriptions will improve the accuracy, quality, and speed of requests and review decisions.

Enabling Entitlement Requests Globally

Enable entitlement requests and configure how you want them to function globally in your tenant. After enabling entitlement requests globally, you can choose to override the approval and comments configuration for individual entitlements.

  1. Go to Admin > Global > System Settings.

  2. Select System Features from the left pane.

  3. Under Access Request, select the Enable Entitlement Requests checkbox.

    Selecting this checkbox enables the feature for your site, but you'll still be able to choose which entitlements are and aren't requestable.

  4. If you don't want entitlement requests to require review, select the No Approval Required checkbox.

  5. Otherwise, to require reviews for each entitlement request, select the dropdown menu under Required Approvers.

    You can choose from the following options:

    • Entitlement Owner - The entitlement owner will review entitlement requests.
    • Governance Group - Members of a governance group will review entitlement requests. Only one member of the group you select must review a request for it to move to the next step.
    • Manager - The manager of the requester will review entitlement requests.
    • Source Owner - The owner of the source the entitlement comes from will be required to review requests.

  6. If you want to require comments at any point in the review process, select one or more of the options under Require Comments:

    • When User Requests - The user requesting access will be required to submit a comment alongside their request.
    • When Approver Denies - When a reviewer denies a request for access, they'll be required to leave a comment explaining their decision.

  7. Select Save.

You must now configure which individual entitlements are requestable.

Marking Entitlements as Requestable

Make source entitlements available for users to request in the Request Center.

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to update.
  3. In the Entitlement Management section, select Entitlements.
  4. Select the checkbox beside the entitlements you want to mark as requestable.

  5. Select the Actions dropdown list and choose Mark as Requestable.

    List of entitlements. The checkboxes next to 2 entitlements are selected. The Actions dropdown list is displayed, with the Mark as Requestable option highlighted.

Alternatively, you can make source entitlements available for users to request from the Entitlements page.

  1. Go to Admin > Access Model > Entitlements.
  2. Locate the entitlement that you want to update.
  3. Select Actions > Mark as Requestable.

Configuring Individual Entitlement Access Requests

You can configure access requests for individual entitlements. The approval process defined for individual entitlements supersedes the approval process defined for the source and globally in your tenant.

Note

Before you can make entitlements requestable, you must enable access requests for entitlements in your org.

  1. Go to Admin > Access Model > Entitlements.
  2. Select Actions > Edit for the entitlement you want to update.
  3. Select Access Requests from the left panel.
  4. Select the Allow Access Requests toggle if the entitlement is not already marked as requestable.

  5. (Optional) To require approvals for requests, select the Require Approval checkbox. Choose an identity or governance group from the dropdown list and select the + icon to add them as a reviewer.

    Note

    If you don't choose Require Approval, the global approval configuration still applies.

  6. (Optional) Choose whether to require comments when a user requests this entitlement or when a reviewer denies the request.

    Note

    If comments are required by your global configuration, they will still be required even if this is left blank.

  7. Select Save to save your changes.

Users can now request the entitlement from the Request Center. If the identity needing access has multiple accounts on a source, the requester will select which account should receive that access.

Note

You can use the API to configure requirements for entitlement approval and comments per source as well. If set, this configuration behaves like a global configuration for all entitlements connected to that source. It can be overridden with changes or additions at the entitlement level.

Revoking Requested Entitlements

Once an entitlement has been assigned to an identity using access requests, it will be provisioned to the identity's source account. If the entitlement is directly removed from the account on the source, it will be reprovisioned to the account at the next aggregation.

If the account is deleted on the source, such as Active Directory, it is recreated along with the requested entitlement upon the next refresh.

To remove an entitlement from an identity after it's assigned through access requests, you can:

  • Revoke it in a certification campaign.
  • Revoke it by submitting an API call with the Submit Access Request endpoint. You can only submit revoke requests for one entitlement at a time.
  • Delete the entitlement itself on the source.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.