Working with access requests
Note
SailPoint enables the updated Request Center on an opt-in basis. To view documentation for the legacy Request Center, refer to Working with Access Requests.
You can use access requests to gain access to apps or business roles. With an approval process that kicks off automatically, you can quickly access the systems and apps you need to perform your job. You can even request access for new teammates or employees.
You can request access to the following:
- Roles - A bundle of access based on your position in your company. For example, if you are an accountant, you can request access to the Accountant role.
- Entitlements - Access rights, such as group memberships or access permissions, granted to a user. For example, you can request to be added to a specific distribution list or Active Directory group in your organization to receive the access permissions granted to that group.
- Access Profiles - Depending on your org's configuration, you may be able to submit access requests for access profiles. An access profile is a bundle of access entitlements that represent a specific set of access. For example, if you are an engineer and need access to Jira, you may select the Engineering access profile to gain the required entitlements.
-
Applications - A set of access related to a specific application within your company. When you request access for an app, you’ll be asked to select an access profile.
Note
If the access profiles list is empty, you may not be configured to use access profiles on that app.
Requesting access
Note
The following steps may differ depending on your org’s configuration.
-
Select Request Center from the navigation menu.
-
Select who you are requesting access for. Depending on your configured permissions, you may select from the following options:
-
Request for Myself - Make an access request for yourself.
-
Request for Your Team - Make an access request on the behalf of your direct reports.
-
Request for Others - Make an access request on behalf of someone in your org. Choose the identities that need this access from the Select Identities dropdown list and select Request Access to continue.
Note
You can request access to an entitlement for up to 10 users at a time.
After you’ve added all identities, select Request Access to continue.
-
-
On the Request Access Page, search for an access item or application.
Select Details on a card to view more information about the access.
If your organization has the Recommendations service, select Recommended from the left panel to view your recommended access items. The Recommended option only displays if you’re requesting access for yourself and there are active recommendations. You can request or ignore a recommendation.
-
Use the Select button to request access for the app or access item.
Note
You can request access for multiple access objects at once. Entitlements are limited to 25 at a time, but there is no limit for roles or access profiles.
If you request access to an application, select the appropriate access profile.
Note
For a single request, you can request access to multiple access profiles or multiple roles and entitlements. If you need to request access to multiple access profiles and multiple roles and entitlements, you’ll need to submit separate access requests.
If the request requires a comment, add a comment about the request to help reviewers determine if this access is needed. Select Submit to continue.
-
(Optional) Set an expiration date for the access. If the identity needs this access longer, you can edit this date on the My Team page or My Access page.
Expiration dates and deprovisioning
For requests submitted through the user interface, IdentityNow automatically starts the deprovisioning process on the expiration date at 12:00 AM, in the time zone defined in the requester’s browser settings.
- Expiration dates can include a time component when they are submitted through IdentityNow’s API with the Submit an Access Request endpoint. The time is included as part of the
removeDate
attribute.
If IdentityNow is directly connected to the source system, the access is automatically deprovisioned.
- The expiration date is not sent to the source system as an account attribute.
If IdentityNow is not connected to the source system, a manual task to remove this access is created and assigned to the source owner.
- Expiration dates can include a time component when they are submitted through IdentityNow’s API with the Submit an Access Request endpoint. The time is included as part of the
-
Select Submit Request to submit your request.
The system validates the access request and will send the requester an email identifying which requests were successfully and unsuccessfully submitted. For example, if you request access for an access item you've already been assigned, that specific request will not proceed forward. If requests for other items in that access request were successfully submitted, those requests will move forward.
If your request does not require approval, you may receive access immediately. This may take longer if the access must be manually provisioned.
If your request requires approval, the request is sent to a reviewer or multiple reviewers. Each reviewer must approve your request before you are granted access. Your administrator may configure your org to reassign your request to another reviewer if the assigned reviewer does not review it by a set time.
Items in a request are individually provisioned as they are approved and can be canceled without affecting other items in the request.
You will receive an email when your request is approved or denied. If your request is denied, you can contact the reviewer who denied the request for more information.
To view the requests you've made, as well as the statuses and comments on those requests, select My Requests from the left panel of the Request Center. To cancel a pending request, select Cancel for that request.