
Configuring Roles

You can allow users to request access via roles. A role usually represents a responsibility, department, or location within the organization. When a user doesn't have what they need when they start in a position, they can request a role and quickly receive the access once it's approved, so they don't have to wait on a helpdesk ticket to complete their work.

Make a Role Requestable

If you want users to be able to request a set of access in the form of a role, you can configure that role for access requests. The role will appear in the Request Center for users, and you can configure an approval process to make sure that only the right users get this access. All access within the role is granted to the user when their request is approved, making it ideal for new users who are requesting access they'll need to start in a new position.

Best Practice

Ensure that you have an approval process in place before configuring a role that can be requested. Auditors typically recommend two approvals.


  • A source connected to IdentityNow with entitlements loaded.
  • A Create Profile has been configured for the source.
  • Provisioning and Access Request are set up for your org.

1. Go to the Admin interface.

2. Go to Access > Roles.

3. Create a new role, or select existing roles to edit them.

4. Select the checkbox for Enable Role if it is not already selected.

5. Select the checkbox for Requestable.

6. Enter any other necessary information for your role, such as Role Name, Role Owner, and Description.

7. In Access Request Approval Process, under Required Approvers, select a reviewer or governance group.

8. Select Add. The user or group is added to the list of required reviewers.

9. Choose any additional reviewers or governance groups that you want to review the access before it's granted to a user. Each new user or group is added to the bottom of the list.

10. If necessary, rearrange the reviewers using the arrow icons to reflect the order in which you want them to review the request (the default order is when reviewers see the request). If you select a governance group, any one person from that group can approve or deny the request. To remove a reviewer from the list, select the X icon by their title.

11. If you want to require the user to provide a comment or a reason for requesting the access, check the When User Requests checkbox under Require Comments.

12. If you want to require the reviewers you selected in steps 7-9 to provide comments when they reject a request, check the When Approver Denies checkbox.

If you check this box, the reviewer of an access request will be required to enter a reason for requesting or denying access before their request or denial can be completed.

13. Select Save. The role will now appear in the Request Center and can be requested by users.
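
The following audit sketch is an added example, not part of the original documentation or the product's own code. It checks an exported list of roles against the settings from the procedure above (required approvers, the two-approval best practice, and the Require Comments checkboxes); the JSON field names and the sample roles are assumptions constructed for illustration, so map them to whatever your role export actually contains.

```python
import json

# Constructed sample export. Field names are assumptions, not a documented schema.
SAMPLE_ROLES = json.loads("""
[
  {"name": "Finance Analyst", "enabled": true, "requestable": true,
   "accessRequestConfig": {"commentsRequired": true, "denialCommentsRequired": true,
     "approvalSchemes": [{"approverType": "MANAGER"}, {"approverType": "GOVERNANCE_GROUP"}]}},
  {"name": "Warehouse Staff", "enabled": true, "requestable": true,
   "accessRequestConfig": {"commentsRequired": false, "denialCommentsRequired": false,
     "approvalSchemes": [{"approverType": "OWNER"}]}},
  {"name": "Contractor Base", "enabled": true, "requestable": true},
  {"name": "HR Core", "enabled": true, "requestable": false},
  {"name": "Legacy VPN", "enabled": false, "requestable": true}
]
""")

MIN_APPROVERS = 2  # from the Best Practice note: auditors typically recommend two


def audit_role(role, min_approvers=MIN_APPROVERS):
    """Return a list of findings for one role record (empty list = no findings)."""
    # Assumption: only roles that are both enabled and requestable are in scope.
    if not (role.get("enabled") and role.get("requestable")):
        return []
    cfg = role.get("accessRequestConfig") or {}
    approvers = cfg.get("approvalSchemes") or []
    findings = []
    if not approvers:
        findings.append("no approval process")
    elif len(approvers) < min_approvers:
        findings.append(f"only {len(approvers)} required approver(s)")
    if not cfg.get("commentsRequired"):
        findings.append("requester comment not required")
    if not cfg.get("denialCommentsRequired"):
        findings.append("denial comment not required")
    return findings


def audit_roles(roles):
    """Map role name -> findings, keeping only roles with at least one finding."""
    report = {r["name"]: audit_role(r) for r in roles}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit_roles(SAMPLE_ROLES).items():
        print(f"{name}: {'; '.join(findings)}")
```

Treating the comment settings as findings is a policy choice of this example; drop those two checks if your organization does not require comments.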


If you have the Separation of Duties service for your site, requesters and reviewers will be automatically notified if granting a role request will put the recipient in violation of an SoD policy.

Revoking a Requested Role

Sometimes, a user may no longer need access to a role they requested, or they may have requested a role that they shouldn't have. Whatever the reason, you can easily see which roles were granted by request and revoke requested role access from individual Identities from your Admin menu.

1. From the Admin interface, go to Access > Roles.

2. Select the role you want to view.

3. Select the Identities tab.

You will see the list of identities that have access to the role. In the Assignment Type column, each role is marked Granted by Membership Criteria or Granted by Request.

4. Select any role marked Requested.

5. In the Actions drop-down, select Revoke to revoke role access from the selected identities.

You are then taken back to the Identities tab. The list no longer contains the person whose access you revoked.


Once Revoke is selected, the person is always removed from the list, even if there is a manual task required to complete revocation.

Revoking a role immediately removes access so the person can no longer perform the functions of the role. They are not notified that their access was revoked.