
Managing Requests for Access Profiles

To get started with Access Requests, you'll first need to complete your IdentityNow setup.

When IdentityNow is set up, you can configure your access profiles so that users can request access to them, or managers can request that access is removed from their direct reports.

Prerequisite: One or more access profiles have been created in your site.

Configuring Access Requests for Access Profiles

You can configure access profiles so that users can request them in the form of apps. If a request for an access profile is approved, the entitlements in the access profile are provisioned to the user's source account.

The app is automatically made available to all identities with that access profile or its entitlements.

To configure an access profile for requests:

  1. From the Admin interface, go to Access > Access Profiles.

  2. Select the access profile you want users to be able to request.

    If an identity has more than one account on a source, you might need to configure this access profile to determine which account receives it when an identity requests it.

  3. Under Access Request Approval Process, clear the checkbox beside No Approval Required.

  4. If you want requests for this access profile to go through a review process, under Required Approvers, select all of the reviewers who need to review requests for this access profile.

    You can add any of the following users or groups to the list of required reviewers:

    • Access Profile Owner - The owner of the access profile.
    • App Owner - The owner of the app the access profile is assigned to.
    • Governance Group - A governance group. When you choose this option, another drop-down list will appear where you can select which governance group should be responsible for reviewing these requests.
    • Manager - The manager of the identity the access is being requested for.
    • Source Owner - The owner of the source of the entitlements that are in the access profile.
  5. Select Add.

    This user or group is added to the list of required reviewers.

    If you select a governance group, anyone from that group may review and approve or deny the request.

    Note

    If someone requests access to an app and they're also a reviewer, the following features help keep your access secure:

    • The request is delegated to the requester's manager.
    • If the requester is part of a governance group that's listed as a reviewer for the request, they aren't included in the review.
    • If they're the only member of that governance group, the request is delegated to their manager.
    • If the requester doesn't have a manager, the request is delegated to an IdentityNow administrator.
    • An audit event is created for any configured auto-approval as soon as the request has been submitted. For example, if there are 3 approvals in the approval chain and the second approver is also the requester, the auto-approval audit event of the second approval will be logged before the first approver's decision. So even if the first approver denies the request, the second approval will still be shown as auto-approved in audit events.

    To remove a reviewer from the list, select the X icon by their title.

  6. Choose any additional approvers or governance groups that you want to review the access before it's granted to a user.

    Each new user or group will be added to the bottom of the list. You can select as many reviewers from this list as you need.

  7. If necessary, rearrange the approvers to reflect the order you want them to approve the access in.

    The list reflects the order that approvers review the request.

  8. If you want to require the user to provide a comment or a reason for requesting the access, select the When User Requests checkbox under Require Comments.

    If you select this box, the user will be required to enter a reason for requesting the access before they can submit their request for this access profile.

  9. If you want to require the reviewers you selected in steps 5 and 6 to provide comments when they reject a request, select the When Approver Denies box.

    If you select this box, the reviewer of an access request will be required to enter a reason for denying access before their denial can be completed.

  10. Select Save.

    Note

    If the access profile you're editing is assigned to an identity via roles or a lifecycle state, the approval process won't apply before the access profile is granted.

The access profile can then be assigned to an app so that it can be requested.

Configuring Access Profile Removal Requests

You can configure your site to allow managers to request that access is removed from their direct reports. Access profiles that were assigned to a user via a role can't be removed using revoke access requests.

This functionality is not dependent on whether you've selected the checkbox in Enable Request on Behalf Of.

To configure an approval process for requests to revoke access profiles:

  1. From the Admin interface, go to Access > Access Profiles.

  2. Select the access profile you want to enable revoke requests for.

  3. In the Revoke Access Approval Process section, clear the checkbox beside No Approval Required.

  4. If you want requests to remove this access to go through a review process, under Required Approvers, select all of the reviewers who need to review requests to revoke this access profile.

    You can add any of the following users or groups to the list of required reviewers:

    • Access Profile Owner - The owner of the access profile.
    • App Owner - The owner of the app the access profile is assigned to.
    • Governance Group - A governance group. When you choose this option, another drop-down list will appear where you can select which governance group should be responsible for reviewing these requests.
    • Manager - The manager of the identity the access is being requested for.
    • Source Owner - The owner of the source of the entitlements that are in the access profile.
  5. Select Add.

    The user or group is added to the list of reviewers.

    In situations where the requester is also one of the reviewers, the same reassignment process will occur for revoke requests as for access requests.

  6. Choose any additional approvers or governance groups that you want to review the request to remove access.

    Each new user or group will be added to the bottom of the list. You can select as many reviewers from this list as you need.

  7. If necessary, rearrange the approvers to reflect the order you want them to approve the access in.

    The list reflects the order that approvers review the request.

  8. If you want to require the user to provide a comment or a reason for requesting that the access be removed, select the When User Requests checkbox under Require Comments.

    If you select this box, the user will be required to enter a reason for requesting the removal before they can submit their request.

  9. If you want to require the reviewers you selected in steps 5 and 6 to provide comments when they reject a request, select the When Approver Denies box.

    If you select this box, the reviewer of a removal request will be required to enter a reason for denying the request before the denial can be submitted.

  10. Select Save.

Managers will be able to request that this access profile be removed from their direct reports.

Configuring Access Profile Requests for Others

  1. Go to Admin > Global > System Settings.

  2. In the System Features menu, under Access Requests, select the box for Enable Request On Behalf Of.

  3. Use the radio buttons to select Managers Only or Everyone, depending on who you want to have the ability to make access requests for others.

Assigning an Access Profile to an App

Access profiles are requestable through apps, which also allows you to group them based on the app the access is associated with. For example, if you need users to be able to request access to various parts of Amazon Web Services, you can assign all access profiles related to that access to an AWS app.

  1. Go to Applications.

  2. Select the application you want to edit.

    The Configuration tab is displayed.

  3. Under Account Source, select the radio button beside Specific Users from Source.

  4. Under Select Source, choose a source. The source you choose must be enabled for provisioning.

  5. In Request Center Options, select the Visible in the Request Center checkbox.

  6. Select the Allow Access Requests checkbox.

  7. Select Save.

  8. Select the Access tab.

  9. Under Add Existing Access Profile, choose the access profile you configured in Configuring Access Requests for Access Profiles.

    You can add up to 100 access profiles per application. If you reach the limit, you'll need to remove access profiles from the application before adding more. You can reach out to your SailPoint CSM to extend this limit, but this can negatively impact performance and is not recommended.

  10. Select Save.

  11. In the Configuration tab, enable the app for users and select Save.

    The app is made available to all users who already have the access profile you selected in step 11. This app can be seen in the Request Center and can be requested by users.

    If a user requests an app, each reviewer is sent the Access Request Reviewer email when the previous reviewer approves the request. If any one reviewer denies the request, the requester is not granted access and the approval process stops.

    If you have the Separation of Duties service for your site, requesters and reviewers will be automatically notified if granting an access request will put the recipient in violation of an SoD policy. If an access profile doesn't have any reviewers configured, no one is preemptively notified of the violation. It will still appear in violation reports.

Tracking Access Requests for Administrators

As an administrator, you'll use audit data to track your access requests. This data is available in Search in a default report. You can also use the search query type:"ACCESS_REQUEST" to retrieve this data.