20.2 Configuring Access Request

Setting up Identity Governance for Access Request requires configuring several items:

  • (Optional) Business roles

  • (Optional) Technical roles

  • Request policies

  • (Optional) Request approval policies

  • Request policies assigned to resources and roles

As indicated above, you need not configure all the items.

Create business roles if you want to show recommended access to users and do not already have any business roles in your system. For more information, see Section 16.0, Creating and Managing Business Roles.

Create technical roles to group permissions if you want to enable users to request access to many permissions in a single step. For more information, see Section 15.0, Creating and Managing Technical Roles.

Create a request approval policy if you need access requests to require approval. Otherwise, the default approval policy will be in effect. The default approval policy does not require approval.

For more information about request and request approval policies, see the following sections:

20.2.1 Creating Request Policies

To allow users to request access, you must create request policies. Request policies define what access can be shown and requested in the Access Request interface. Users with the Access Request Administrator and Global Administrator authorization can create request policies.

  1. In Identity Governance, select Policy > Access Request Policies.

  2. On the Request Policies tab, select + to create a new policy.

  3. Name the policy.

  4. Select types of requests that all users are allowed to make. For example, if you want all users to be able to request access for themselves and their direct reports, select Self and Direct Reports.

    NOTE: Granting the ability to request access for All Users automatically provides the user with the ability to request for Self, Direct Reports, and Downline Reports. Granting the ability to request for Downline Reports automatically provides the ability to request for Direct Reports as well.

  5. For more granular control of specific users and groups, use the Allowed Users and Allowed Groups sections. For example, if you want specific users or groups to be able to request access for all users, specify that here.

    NOTE: If All Users are granted the ability to request for a certain type of user, you do not need to grant that same ability to specific users or groups. For example, if All Users are granted the ability to request for Self, you do not need to grant the ability to request for Self to specific users or groups.

  6. For exclusions, use the Disallowed Users and Disallowed Groups sections.

  7. Use Allowed Business Roles to add members of business roles as requesters for self, downline reports, direct reports, or all users.

  8. Save the policy.

  9. (Optional) Select the gear icon in the Applications, Permissions, and Roles (technical roles) tabs to customize column display. For example, in the Permissions tab, you can drag and drop the Authorized By column to view whether a permission is from an Identity Manager role or application or from an Identity Governance role.

  10. On the appropriate tabs, add the applications, permissions, and technical roles that you want these users to be able to request.
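When reviewing a request policy, it helps to compute who ends up able to request for whom once the implication rules in the NOTEs above are applied. The following is an added example, not Identity Governance code: the scope names and the policy dictionary layout are constructed, and it assumes an exclusion overrides every grant.

```python
# Added illustration: models the scope rules stated in the NOTEs above.
# Scope names and the policy layout are constructed, not product identifiers.
IMPLIES = {
    "all_users": {"all_users", "self", "direct_reports", "downline_reports"},
    "downline_reports": {"downline_reports", "direct_reports"},
    "direct_reports": {"direct_reports"},
    "self": {"self"},
}

def expand(scopes):
    """Apply the implication rules to a set of granted scopes."""
    out = set()
    for s in scopes:
        out |= IMPLIES[s]
    return out

def effective_scopes(policy, user, groups=()):
    """Scopes a user ends up with under one request policy."""
    if user in policy.get("disallowed_users", ()) or \
       set(groups) & set(policy.get("disallowed_groups", ())):
        return set()  # assumption: an exclusion overrides every grant
    granted = set(policy.get("everyone", ()))
    granted |= set(policy.get("allowed_users", {}).get(user, ()))
    for g in groups:
        granted |= set(policy.get("allowed_groups", {}).get(g, ()))
    return expand(granted)

def redundant_grants(policy):
    """Specific grants already covered by what all users receive."""
    base = expand(policy.get("everyone", ()))
    found = []
    for kind in ("allowed_users", "allowed_groups"):
        for name, scopes in sorted(policy.get(kind, {}).items()):
            found += [(kind, name, s) for s in sorted(scopes) if s in base]
    return found

# Constructed sample policy.
POLICY = {
    "everyone": ["self", "direct_reports"],
    "allowed_users": {"hr_admin": ["all_users"], "jdoe": ["self"]},
    "allowed_groups": {"team_leads": ["downline_reports"]},
    "disallowed_users": ["contractor1"],
}

if __name__ == "__main__":
    for u, g in [("hr_admin", []), ("asmith", ["team_leads"]), ("contractor1", [])]:
        print(u, sorted(effective_scopes(POLICY, u, g)))
    print(redundant_grants(POLICY))
```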

20.2.2 Creating Request Approval Policies

To set appropriate approvals for requested access, you must create request approval policies. Identity Governance provides a default approval policy that you can edit. You can also create new request approval policies to further define your approval policies for various situations.

  1. In Identity Governance, select Policy > Access Request.

  2. On the Approval Policies tab, select + to add an Access Request approval policy.

  3. Name the policy.

  4. Add one or more approval steps, depending on how many levels of approval you require. For each approval step:

    • Specify approvers

      NOTE: You can use coverage maps to specify approvers. For information about coverage maps, see Using Coverage Maps.

    • View notification emails, and optionally set reminder email frequency and add recipients

    • Set escalation period and specify escalation approvers

    • Set expiration period and assign default action at the end of the expiration period

  5. Save the policy.

20.2.3 Assigning Resources to Request and Approval Policies

After you have created request or approval policies, you can assign resources to them, such as applications, permissions, and technical roles.

  1. In Identity Governance, select either the applications, permissions, or roles catalog.

  2. Select the applications, permissions, or roles you want to apply request policies to.

  3. In Actions, select the option you want. You can:

    • Assign access request policy

    • Remove access request policy

    • Assign approval policy

You can also assign resources to a policy or remove resources from a policy while editing the policy definition.

  1. Select the Applications, Permissions, or Roles tab.

  2. Select + under the tab to select resources of the specific type to assign to the policy.

  3. (Optional) Specify whether a request for technical role access should be approved at the role level or at the individual permission level.

    1. Select one or more technical roles.

    2. Select Actions > Set Role Level Approval to enable approval of all requests for permissions included in the technical role as a group.

      Or

      Select Actions > Set Permission Level Approval to enable approval of each permission included in the technical role individually.

  4. Select the resources to be removed using the check box next to the ones you want to remove.

  5. Select Remove to remove the selected resources.

    NOTE: You cannot remove resources from the default approval policy in this way. A resource can only be removed from the default approval policy by assigning it to another approval policy. Also, removing a resource from a policy other than the default approval policy will re-assign the resource to the default approval policy.
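Because a removed resource falls back to the default approval policy, and that policy requires no approval unless it has been edited, a removal can silently drop the approval step for a requestable resource. The following added example (not Identity Governance code) models the reassignment rule from the NOTE and flags requestable resources whose approval policy has no steps; the class, the policy and resource names, and the data layout are constructed.

```python
# Added illustration: constructed model of approval-policy assignment.
DEFAULT = "Default Approval Policy"   # placeholder name for the default policy

class ApprovalAssignments:
    def __init__(self, policies):
        # policies: policy name -> ordered list of approval steps
        self.policies = dict(policies)
        self.policies.setdefault(DEFAULT, [])  # default requires no approval
        self.assigned = {}                     # resource -> policy name

    def policy_of(self, resource):
        # Every resource is always covered by some approval policy.
        return self.assigned.get(resource, DEFAULT)

    def assign(self, resource, policy):
        if policy not in self.policies:
            raise KeyError(policy)
        self.assigned[resource] = policy

    def remove(self, resource, policy):
        if policy == DEFAULT:
            raise ValueError("assign the resource to another approval policy instead")
        if self.assigned.get(resource) == policy:
            del self.assigned[resource]        # falls back to the default policy

    def unapproved(self, requestable):
        """Requestable resources whose approval policy has no approval steps."""
        return sorted(r for r in requestable
                      if not self.policies[self.policy_of(r)])

def demo():
    # Constructed sample data.
    a = ApprovalAssignments({"Finance Two-Step": ["manager", "app_owner"]})
    requestable = ["SAP: Post Journal", "Wiki: Reader"]
    a.assign("SAP: Post Journal", "Finance Two-Step")
    before = a.unapproved(requestable)
    a.remove("SAP: Post Journal", "Finance Two-Step")
    after = a.unapproved(requestable)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running the same check before and after a policy cleanup shows which resources lost their approval requirement as a side effect.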

20.2.4 Setting Global Potential SoD Violation Approval Policy

The global potential SoD violation approval policy applies to all access requests that, if granted, might result in Separation of Duties (SoD) violations. It determines whether approvals are required for potential violations and, if they are required, whether self-approvals are allowed. For more information about SoD and SoD violations, see Section 17.0, Creating and Managing Separation of Duties Policies and Section 18.0, Managing Separation of Duties Violations.

To set the global potential SoD violation approval policy:

  1. Log in as a Global, Access Request, or SoD Administrator, or as the policy owner.

  2. In Identity Governance, select Policy > Access Request.

  3. On the Potential SoD Violation Approval tab, select Require approval for potential SoD violations.

  4. (Conditional) If approval is required, select Allow self approval of potential SoD violations to allow access requesters to approve their own potential violations. Note that regardless of this setting, a Global Administrator can always approve their own potential violations.