
Managing Access Requests for Apps

When a user doesn't have what they need when they start in a position, they can request access to the apps they need and quickly receive the access, so they don't have to wait on a help desk ticket to get started on their work. Depending on your company's needs, you can configure how app access requests are handled and resolved.

Configuring Access Requests

If you want to require approval for an app before users can access it, you can assign an access profile that requires approval to that app. For all users who have that access profile or its entitlements, the app automatically appears on the My Access and/or My Team access tiles on their home page.

To configure an access request for an app:

  1. From the Admin interface, select Access > Access Profiles.

  2. Select the access profile you want to assign to the app.

  3. Under Access Request Approval Process, deselect the checkbox beside No Approval Required.

  4. Under Required Approvers, select an approver or governance group.

  5. Select Add. This user or group is added to the list of required approvers.

  6. Choose any additional approvers or governance groups that you want to review the access before it's granted to a user.

    Each new user or group will be added to the bottom of the list.

    Sometimes, the users requesting access will also be part of the approval process for that access. In this case, you can configure their approval step to be either auto-approved or reassigned to the requester's manager using the appropriate API.

    Note

    • You can add up to 100 access profiles per application. If you reach the limit, you'll need to remove access profiles from the application before adding more. You can reach out to your SailPoint CSM to extend this limit. However, exceeding the limit could negatively impact performance and is therefore not recommended.
    • Access requests assigned to a governance group to review cannot be auto-approved. If the requester is part of a governance group that is responsible for approving the request, the decision will be assigned to the other members.
    • If you have the Separation of Duties (SoD) service for your site, requesters and reviewers will be automatically notified if granting an access request will put the recipient in violation of an SoD policy. If an access profile doesn't have any reviewers configured, no one is preemptively notified of the violation. The violation will still appear in violation reports.

    An audit event is created for an auto-approval when the approvals are calculated after the request has been submitted.

    For example, if there are three approvals in the approval chain and the second approver is the requester, the auto-approval audit event of the second approval will be logged before the first approver's decision. So even if the first approver denies the request, the second approval will still be shown as auto-approved in audit events.

  7. If necessary, rearrange the approvers to reflect the order you want them to approve the access in. The list reflects the order that approvers review the request. You can select as many reviewers from this list as you need. If you select a governance group, anyone from that group may review and approve or deny the request.

    Note

    To remove a reviewer from the list, select the X icon by their title.

  8. If you want to require the user to provide a comment or a reason for requesting the access, select the When User Requests checkbox under Require Comments. If you select this box, the user will be required to enter a reason for requesting the access before they can submit their request for this access profile.

  9. If you want to require the reviewers you selected in steps 5 and 6 to provide comments when they reject a request, select the When Approver Denies box. If you select this box, the reviewer of an access request will be required to enter a reason for denying access before their denial can be completed.

  10. Select Save to apply and save your changes. If the access profile you're editing is assigned to an identity via roles or a lifecycle state, the approval process does not apply.

  11. Go to Applications.

  12. Select the application you want to edit and configure it so that only specific users from the source have the app.

  13. Under Select Source, choose a source. The source you choose must be enabled for provisioning.

  14. Select Save to apply and save your changes.

  15. Go to the app's Configuration tab.

  16. In Request Center Options, select the Visible in the Request Center checkbox.

  17. Select the Allow Access Requests checkbox and enable the app for users.

  18. Select Save to apply and save your changes.

The app appears in the Request Center of all users who already have the access profile you selected above.

If a user requests an app, each reviewer is sent the Access Request Reviewer email when the previous reviewer approves the request. If any one reviewer denies the request, the requester is not granted access and the approval process stops.

If someone requests access to an app and they're also a reviewer, the following workflow is used instead:

  1. The request is delegated to the requester's manager.
  2. If the requester is part of a governance group that's listed as a reviewer for the request, they aren't included in the review.
  3. If they're the only member of that governance group, the request is delegated to their manager.
  4. If the requester doesn't have a manager, the request is delegated to an IdentityNow administrator.
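
The reviewer rules above, together with the auto-approval audit ordering described in step 6 of Configuring Access Requests, as an added Python model (not SailPoint code and not an IdentityNow API). The identities, groups, the `idn-admin` placeholder and all function names are constructed for illustration.

```python
# Added illustration: a model of the reviewer rules described on this page.
# All identities, groups and the ADMIN placeholder are constructed sample data.
MANAGERS = {"alice": "carol", "bob": "carol", "carol": None, "dave": "bob"}
GROUPS = {"app-owners": ["alice", "bob"], "solo-group": ["dave"]}
ADMIN = "idn-admin"  # stands in for "an IdentityNow administrator"


def resolve_step(step, requester, self_review="manager"):
    """Return who decides one step, or "AUTO" for an auto-approved step."""
    fallback = MANAGERS.get(requester) or ADMIN
    if step in GROUPS:
        # Group steps are never auto-approved; the requester is left out.
        others = [m for m in GROUPS[step] if m != requester]
        return others or [fallback]
    if step != requester:
        return [step]
    return "AUTO" if self_review == "auto" else [fallback]


def run_request(chain, requester, decisions, self_review="manager"):
    """Return (granted, audit). `decisions` maps reviewer -> approve/deny."""
    plan = [(s, resolve_step(s, requester, self_review)) for s in chain]
    # Auto-approvals are logged when the chain is calculated, i.e. before
    # any human decision, so they appear first in the audit trail.
    audit = [(s, "AUTO_APPROVED") for s, who in plan if who == "AUTO"]
    for step, who in plan:
        if who == "AUTO":
            continue
        verdict = next((decisions[r] for r in who if r in decisions), "pending")
        audit.append((step, verdict))
        if verdict != "approve":
            return False, audit  # a denial (or no decision yet) stops the chain
    return True, audit


def self_approval_steps(chain, requester):
    """Steps where the requester would end up deciding their own request."""
    return [s for s in chain if requester in resolve_step(s, requester)]


if __name__ == "__main__":
    # Three-step chain, second approver is the requester, first approver denies.
    print(run_request(["carol", "alice", "bob"], "alice", {"carol": "deny"}, "auto"))
```

When reviewing audit events, treat an auto-approved step as evidence of how the chain was calculated, not as evidence that access was granted; the model returns `granted=False` alongside the auto-approval entry in that case.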

Configuring App Requests for Others

To configure app requests for others:

  1. Go to Admin > Global > System Settings.

  2. In the System Features menu, under Access Requests, select the box for Enable Request On Behalf Of.

  3. Use the radio buttons to select Managers Only or Everyone, depending on who you want to have the ability to make access requests for others.

Tracking Access Requests for Administrators

As an administrator, you'll use audit data to track your access requests. This data is available in Search in a default report. You can also use the search query type: "ACCESS_REQUEST" to retrieve this data.

Setting Up Approval Workflow for Revoking Requested Access

Managers often want to be able to revoke employees' access without having to rely on admins. You can configure IdentityNow to allow managers to revoke their employees' requested app access or a role as part of an approval workflow.

To enable a manager to revoke requested access or a role as part of an approval workflow:

  1. From the Admin interface, go to Access > Access Profiles or Roles.

  2. Select the access profile or role for which you want to update the approval requirements.

  3. Scroll down to Revoke Access Approval Process and clear the checkbox beside No Approval Required.

  4. Under Required Approvers, select Manager or the manager's group, or the desired user or governance group, as an approver.

  5. Select Add. This user or group is added to the list of required approvers. If you need to enable another approver, choose any additional approvers or governance groups that you want to review the revoke request before the access is removed.

  6. Click Save to apply and save your changes.