Managing Requests for Roles
You can allow users to request access via roles. A role usually represents a responsibility, department, or location within the organization. When a user doesn't have what they need when they start in a position, they can request a role and quickly receive the access, so they don't have to wait on a help desk ticket to complete their work.
Making Roles Requestable
If you want users to be able to make a single request for different types of access, you can configure that role for access requests. The role will appear in the Request Center for users and you can configure an approval process to make sure that only the right users get this access. All access within the role is granted to the user when their request is approved, making it ideal for new users who are requesting access they'll need to start a new position.
Ensure that you have an approval process in place before configuring a role that can be requested. Auditors typically recommend two approvals.
- A source is connected to IdentityNow with entitlements loaded.
- A Create Profile has been configured for the source.
- Provisioning and Access Request services are in place for your org.
- Foundation data is in place.
To make a role requestable:
Go to the Admin interface.
Go to Access > Roles.
Create a new role, or select existing roles to edit them.
Select the checkbox for Enable Role if it is not already selected.
Select the checkbox for Requestable.
Enter any other necessary information for your role, such as Role Name, Role Owner, and Description.
In Access Request Approval Process, under Required Approvers, select a reviewer or governance group.
Select Add. The user or group is added to the list of required reviewers.
Choose any additional reviewers or governance groups that you want to review the access before it's granted to a user. Each new user or group is added to the bottom of the list.
If necessary, rearrange the reviewers using the arrow icons to reflect the order you want them to review the request in the default order is when reviewers see the request. If you select a governance group, any one person from that group can approve or deny the request. To remove a reviewer from the list, select the X icon by their title.
If you want to require the user to provide a comment or a reason for requesting the access, check the When User Requests checkbox under Require Comments. If you want to require the reviewers you selected in steps 7 - 9 to provide comments when they reject a request, check the When Approver Denies checkbox. If you check this box, the reviewer of an access request will be required to enter a reason for requesting or denying access before their request or denial can be completed.
Select Save. The role will now appear in the Request Center and can be requested by users.
If you have the Separation of Duties service for your site, requesters and reviewers will be automatically notified if granting a role request will put the recipient in violation of an SoD policy.
Revoking Requested Roles
Sometimes, a user may no longer need access to a role they requested or they may have requested a role that they shouldn't have. Whatever the reason, you can easily see which roles were granted by request and revoke requested role access from individual Identities from your Admin menu.
To revoke a requested role:
From the Admin interface, go to Access > Roles.
Select the role you want to view.
Select the Identities tab. You will see the list of identities that have access to the role. In the Assignment Type column, each role is marked Granted by Membership Criteria or Granted by Request.
Select any role marked Requested.
From the Actions drop-down menu, select Revoke to revoke role access from the selected identities.
You are then taken back to the Identities tab. The list no longer contains the person whose access you revoked.
Once Revoke is selected, the user is always removed from the list, even if there is a manual task required to complete revocation.
Revoking a role immediately removes access so the user can no longer perform the functions of the role. They are not notified that their access was revoked.
Setting Up Approval Workflow for Revoking Requested Role Access
Managers often want to be able to revoke employees' roles without having to rely on admins. You can now configure IdentityNow to allow managers to revoke these roles as part of an approval workflow. To enable a manager to revoke a requested role as part of an approval workflow and for information on enabling managers to revoke requested app access as part of an approval workflow, read Setting Up Approval Workflow for Revoking Requested Access. Both processes require the same steps.