27.2 Configuring Access Request

Setting up Identity Governance for Access Request requires configuring several items:

  • Business roles

  • Technical roles

  • Request policies

  • Request approval policies

  • Request policies assigned to resources and roles

If you are using business roles in your organization, you can configure Access Request to show users recommended access. If you want to show recommended access to users and do not have any business roles, create business roles first. For more information, see Section 25.0, Creating and Managing Business Roles.

If you are using technical roles in your organization, you can provide groups of permissions, or Access Profiles, that users can request in a single step. To provide Access Profiles in Access Request, create technical roles to group the permissions. For more information, see Managing Technical Roles.

Request policies define what access can be shown and requested in the Access Request interface. Request approval policies define the approvals needed when users request access. For more information, see the following sections:

27.2.1 Creating Request Policies

To allow users to request access, you must create request policies. Request policies define what access can be shown and requested in the Access Request interface. Users with the Access Request Administrator and Global Administrator authorization can create request policies.

  1. In Identity Governance, select Policy > Access Request.

  2. On the Request Policies tab, select + to create a new policy.

  3. Name the policy.

  4. Select the types of users that All Users are allowed to make requests for. For example, if you want all users to be able to request access for themselves and their direct reports, select Self and Direct Reports.

    NOTE: Granting the ability to request for All Users automatically includes the ability to request for Self, Direct Reports, and Downline Reports. Granting the ability to request for Downline Reports automatically includes the ability to request for Direct Reports as well.

  5. For more granular control of specific users and groups, use the Allowed Users and Allowed Groups sections. For example, if you want specific users or groups to be able to request access for all users, specify that here.

    NOTE: If All Users are granted the ability to request for a certain type of user, you do not need to grant that same ability to specific users or groups. For example, if All Users are granted the ability to request for Self, you do not need to grant the request for Self ability to specific users or groups.

  6. For exclusions, use the Disallowed Users and Disallowed Group sections.

  7. Use Allowed Business Roles to add business roles as requestors for self, downline reports, direct reports, or all users.

  8. Save the policy.

  9. Add applications, permissions, and technical roles that you want these users to be able to request on the appropriate tabs.
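
The following added example is not part of the product or its documentation. It models the scope rules from steps 4 through 6 so that a reviewer can compute who may request for whom and spot grants that the second NOTE calls unnecessary. The policy dictionary layout, the function names, and the sample users and groups are hypothetical, and the example assumes that a Disallowed Users or Disallowed Groups entry excludes the requester entirely.

```python
# Added illustration: a model of the scope rules in steps 4-6, not Identity Governance code.
# Scope names come from the page; the dict layout and function names are hypothetical.
IMPLIES = {
    "All Users": {"All Users", "Downline Reports", "Direct Reports", "Self"},
    "Downline Reports": {"Downline Reports", "Direct Reports"},
    "Direct Reports": {"Direct Reports"},
    "Self": {"Self"},
}

def expand(scopes):
    """Return the granted scopes plus every scope they automatically include."""
    out = set()
    for scope in scopes:
        out |= IMPLIES[scope]
    return out

def effective_scopes(policy, user, groups=()):
    """Scopes `user` may request for under `policy`.
    Assumption: a Disallowed Users/Groups entry excludes the user entirely."""
    if user in policy.get("disallowed_users", ()):
        return set()
    if set(groups) & set(policy.get("disallowed_groups", ())):
        return set()
    granted = set(policy.get("all_users", ()))
    granted |= set(policy.get("allowed_users", {}).get(user, ()))
    for group in groups:
        granted |= set(policy.get("allowed_groups", {}).get(group, ()))
    return expand(granted)

def redundant_grants(policy):
    """Specific user/group grants already covered by the All Users setting."""
    base = expand(policy.get("all_users", ()))
    found = []
    for kind in ("allowed_users", "allowed_groups"):
        for name, scopes in policy.get(kind, {}).items():
            found += [(kind, name, s) for s in sorted(scopes) if s in base]
    return found

# Constructed sample policy for the example.
SAMPLE = {
    "all_users": ["Self", "Direct Reports"],
    "allowed_users": {"helpdesk1": ["All Users"], "jdoe": ["Self"]},
    "allowed_groups": {"Managers": ["Downline Reports"]},
    "disallowed_users": ["contractor7"],
    "disallowed_groups": ["Terminated"],
}
```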

27.2.2 Creating Request Approval Policies

To set appropriate approvals for requested access, you must create request approval policies. Identity Governance provides a default approval policy that you can edit. You can also create new request approval policies to further define your approval policies for various situations.

  1. In Identity Governance, select Policy > Access Request.

  2. On the Approval Policies tab, select + to add an Access Request approval policy.

  3. Name the policy.

  4. Add one or more approval steps, depending on how many levels of approval you require. For each approval step:

    • Specify approvers

      NOTE: You can use coverage maps to specify approvers. For information about coverage maps, see Using Coverage Maps.

    • View notification emails, and optionally set reminder email frequency and add recipients

    • Set escalation period and specify escalation approvers

    • Set expiration period and assign default action at the end of the expiration period

  5. Save the policy.

27.2.3 Assigning Resources to Request and Approval Policies

After you have created request or approval policies, you can assign resources to them, such as applications, permissions, and technical roles.

  1. In Identity Governance, select the applications, permissions, or roles catalog.

  2. Select the applications, permissions, or roles you want to apply request policies to.

  3. In Actions, select the option you want. You can:

    • Assign access request policy

    • Remove access request policy

    • Assign approval policy

You can also assign resources to a policy or remove resources from a policy while editing the policy definition.

  1. Select the Applications, Permissions, or Roles tab.

  2. Select + under the tab to select resources of the specific type to assign to the policy.

  3. To remove resources, select the check box next to each resource you want to remove.

  4. Select Remove to remove the selected resources.

    NOTE: You cannot remove resources from the default approval policy in this way. A resource can only be removed from the default approval policy by assigning it to another approval policy. Also, removing a resource from a policy other than the default approval policy reassigns the resource to the default approval policy.