
Configuring Access Requests for Entitlements

After you've created sources and uploaded entitlements, you can configure access requests for entitlements.

Important

Be sure the name and description of requestable entitlements are user-friendly and easy to understand. Detailed descriptions will improve the accuracy, quality, and speed of requests and review decisions.

Enabling Entitlement Requests Globally

Enable entitlement requests and configure how you want them to function globally in your tenant. After enabling entitlement requests globally, you can choose to override the approval and comments configuration for individual entitlements.

If entitlement requests are not enabled, entitlement removal requests are automatically disabled globally, too. If you want to allow revocation but not entitlement requests, enable entitlement requests globally but do not enable any entitlements to be requestable. Optionally, you can also set up a global and/or entitlement-level approval configuration for revocation.

  1. Go to Admin > Global > System Settings.

  2. Select System Features from the left pane.

  3. Under Access Request, select the Enable Entitlement Requests checkbox.

    Selecting this checkbox enables the feature for your site, but you'll still be able to choose which entitlements are and aren't requestable.

  4. Go to the Enable Entitlement Requests subsection.

  5. If you don't want entitlement requests to require review, select the No Approval Required checkbox.
  6. If you are requiring approval, select the dropdown menu under Required Approvers.

    You can choose from the following options:

    • Entitlement Owner - The entitlement owner will review entitlement requests.
    • Governance Group - Members of a governance group will review entitlement requests. Only one member of the group you select must review a request for it to move to the next step.
    • Manager - The manager of the requester will review entitlement requests.
    • Source Owner - The owner of the source the entitlement comes from will be required to review requests.
  7. If you want to require comments at any point in the submission or review process, select one or more of the options under Require Comments:

    • When User Requests - The user requesting access will be required to submit a comment alongside their request.
    • When Approver Denies - When a reviewer denies a request for access, they'll be required to leave a comment explaining their decision.

  8. Go to the Entitlement Removal Requests subsection.

  9. If you don't want entitlement revocation requests to require review, select No Approval Required.
  10. If you are requiring approval, select the dropdown menu under Required Approvers. You can choose from the following options:

    • Entitlement Owner - The entitlement owner will review entitlement removal requests.
    • Manager - The manager of the requester will review entitlement removal requests.
    • Source Owner - The owner of the source the entitlement comes from will be required to review removal requests.
  11. Select Save.

After saving these settings, you must configure individual entitlements to be requestable.

Marking Entitlements as Requestable

Make source entitlements available for users to request in the Request Center.

  1. Go to Admin > Connections > Sources.
  2. Select or edit the source you want to update.
  3. In the Entitlement Management section, select Entitlements.
  4. Select the checkbox beside the entitlements you want to mark as requestable.
  5. Select the Actions dropdown list and choose Mark as Requestable.


Alternatively, you can make source entitlements available for users to request from the Entitlements page.

  1. Go to Admin > Access Model > Entitlements.
  2. Locate the entitlement that you want to update.
  3. Select Actions > Mark as Requestable.

Configuring Individual Entitlement Access Requests

You can configure access requests and access revocation requests for individual entitlements. The approval process defined for individual entitlements supersedes the approval process defined for the source and globally in your tenant.

Note

Before you can make entitlements requestable, you must enable access requests for entitlements in your org.

  1. Go to Admin > Access Model > Entitlements.
  2. Select Actions > Edit for the entitlement you want to update.
  3. Select Access Requests from the left panel.
  4. Select the Allow Access Requests toggle if the entitlement is not already marked as requestable.
  5. (Optional) To require approvals for requests, select the Require Approval checkbox. Choose an identity or governance group from the dropdown list and select the + icon to add them as a reviewer.

    Note

    If you don't choose Require Approval, the global approval configuration still applies.

  6. (Optional) Choose whether to require comments when a user requests this entitlement or when a reviewer denies the request.

    Note

    If comments are required by your global configuration, they will still be required even if this is left blank.

  7. (Optional) To require approvals for revocation requests, select the Require Approval for Removal checkbox. Choose an approver, such as a manager, owner, or governance group from the dropdown list and select the + icon to add them.

    Note

    If you don't choose Require Approval for Removal, the global revocation configuration still applies.

  8. Select Save to save your changes.

Users can now request the entitlement from the Request Center. If the identity needing access has multiple accounts on a source, the requester will select which account should receive that access.

Note

You can use the API to configure requirements for entitlement approval and comments per source as well. If set, this configuration behaves like a global configuration for all entitlements connected to that source. It can be overridden with changes or additions at the entitlement level.
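The global, per-source, and per-entitlement settings described above combine into one effective configuration per entitlement. The following is an added example, not SailPoint code, that models that precedence and lists requestable entitlements that would be granted without any reviewer. The `Policy` class, the function names, the approver labels, and the sample tenant are all constructed for illustration, and the model assumes that a source-level configuration, when set, replaces the global one as the baseline for that source.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One configuration level: global, per source, or per entitlement (hypothetical model)."""
    approvers: tuple = ()              # empty = no approval required at this level
    removal_approvers: tuple = ()
    comments: frozenset = frozenset()  # constructed labels: "requester", "on_deny"

def effective(global_enabled, glob, source, ent, requestable):
    """Resolve what applies to one entitlement; source/ent are None when not configured."""
    # Assumption: a source-level config, when set, stands in for the global one.
    base = source if source is not None else glob
    ent = ent or Policy()
    return {
        # Requests need the global switch AND the entitlement marked requestable.
        "can_request": global_enabled and requestable,
        # Removal requests depend only on the global switch.
        "can_revoke": global_enabled,
        # Entitlement-level approvers supersede; otherwise the baseline still applies.
        "approvers": ent.approvers or base.approvers,
        "removal_approvers": ent.removal_approvers or base.removal_approvers,
        # Comment requirements are additive: baseline ones stay required.
        "comments": base.comments | ent.comments,
    }

def unreviewed(global_enabled, glob, sources, entitlements):
    """Names of requestable entitlements whose requests would need no approver."""
    flagged = []
    for name, (src, pol, requestable) in entitlements.items():
        eff = effective(global_enabled, glob, sources.get(src), pol, requestable)
        if eff["can_request"] and not eff["approvers"]:
            flagged.append(name)
    return sorted(flagged)

# Constructed sample tenant (not real data); approver names are placeholder labels.
GLOBAL = Policy(approvers=("MANAGER",), comments=frozenset({"on_deny"}))
SOURCES = {"hr-db": Policy()}  # source-level config explicitly set to "no approval"
ENTITLEMENTS = {
    "ad:Domain Admins": ("ad", Policy(approvers=("GOVERNANCE_GROUP",)), True),
    "ad:VPN Users": ("ad", None, True),
    "hr-db:payroll_read": ("hr-db", None, True),
    "hr-db:payroll_write": ("hr-db", None, False),
}

if __name__ == "__main__":
    print(unreviewed(True, GLOBAL, SOURCES, ENTITLEMENTS))
```

In the sample tenant, the source-level "no approval" setting on `hr-db` removes the global manager review for every requestable entitlement on that source that has no entitlement-level approver.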

Revoking Requested Entitlements

Once an entitlement has been assigned to an identity using access requests, it will be provisioned to the identity's source account. If the entitlement is directly removed from the account on the source, it will be reprovisioned to the account at the next aggregation.

If the account is deleted on the source, such as Active Directory, it is recreated along with the requested entitlement upon the next refresh.

To remove an entitlement from an identity after it's assigned through access requests, you can:

  • Submit a revocation request.
  • Revoke it in a certification campaign.
  • Revoke it by submitting an API call with the Submit Access Request endpoint. You can only submit revoke requests for one entitlement at a time.
  • Delete the entitlement itself on the source.
