4.2 Requesting Permissions

To request roles and resources, click Access > Requests.

Before requesting permissions, review the following considerations:

  • You might be able to request access on behalf of another user. For example, if you are a team manager, you usually can act on behalf of team members. The process is the same, except you must specify that the request is for Others instead of Self.

  • Do not use punctuation when specifying a permission that you want to request. If the name of the permission you want to request includes punctuation, omit the punctuation when searching.

  • Different permissions require different information, depending on how the administrator has configured the permission form. If the permission requires detailed information, the Dashboard redirects you to a separate window when you select the permission.

  • You can request multiple permissions at the same time.

    However, if the permission form for one of the requests requires special types of information, you might not be able to include that permission in a multi-permission request. To request multiple permissions at once, the request forms for the various requests cannot require detailed information.

  • You can specify the expiry date when requesting a resource or a role.

When you request a permission, you must specify a reason for the request. You can also specify the date that you need the permission to begin or expire.

You can request permissions in the following ways:

  • Select one of the Featured Items. You cannot make this request on behalf of another person.

    NOTE: By default, the Helpdesk Ticket permission appears in the Featured Items category. You can raise a helpdesk ticket using this permission.

  • Request several permissions at once.

  • Request a permission that is not among the Featured Items.

  • Perform the request on behalf of someone else.

To request only Identity Manager permissions:

  1. (Conditional) To choose a permission from the Featured Items category, select the permission.

  2. (Conditional) To choose a non-featured request or to request several permissions, complete the following steps:

    1. Select New Request.

    2. (Conditional) To request access on behalf of other individuals, select Others, then specify the individual(s).

      NOTE: As a team manager, if you request permissions on behalf of other team members, you cannot individually select requesters from a group that is included in the team's recipients list. The Users tab in the Recipients field displays the logged-in team manager and other user recipients in the team.

    3. For Permissions, type the name or description matching the permission.

      NOTE: To raise a helpdesk ticket, search for Helpdesk Ticket in the Permissions list.

    4. In the displayed list, select the permission(s) that you want.

  3. Specify a reason for the request.

  4. (Conditional) If you are requesting a role permission, specify the Effective Date and Expiration Date for the permission.

  5. (Conditional) If you are requesting a resource permission, specify the Expiration Date for the permission.

    NOTE: You can specify the Expiration Date only for resources that have the expiration option enabled. Administrators can enable expiration for resources.

  6. (Conditional) If required, specify additional information related to the request:

    Secondary forms

    Some permissions might have secondary forms that you must complete as part of the request. For example, when requesting a laptop computer, you might need to specify the default operating system or graphics requirements.

    Justification for conflicting roles

    Your organization might have two or more roles that could create security problems when assigned to the same individual. If these types of roles exist, administrators create a separation of duties (SoD) rule to constrain users from gaining access. When a user requests one of these roles while already having a conflicting role or requests two or more conflicting roles, the identity applications respond according to the SoD policies.

    Conflicting roles when a user is the recipient: If you request or assign one or more conflicting roles to a user recipient, the application displays an SoD warning. To override the SoD constraint, you must provide the reason for making an exception in the Justification field.

    Conflicting roles when groups and/or containers are the recipients: If you request or assign one or more conflicting roles to group and/or container recipients, the application displays a warning with a list of failed roles and SoD conflicts. A modal window is also displayed that provides the following information:

    • Recipients: Select the group or container from the list to view its affected users that are violating the SoD.

    • Select SoD to view details: Select the SoD from the list to view the conflicting roles and the affected users. Selection is allowed when the request is violating more than one SoD.

    • Conflicting Role 1 and Conflicting Role 2: Displays the roles violating the selected SoD.

    • Affected Users: Displays a list of affected user(s) based on the selected recipients and SoD.

    • Remove: Click to remove the selected recipient from the modal window.

    • Reset: Click to reset the original list of conflicts displayed in the modal window.

    • Done: Click to confirm the removal of the selected recipient from the modal window.

  7. Select Request.
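
A minimal model of the SoD check described in step 6, added here as an illustration. It is not Identity Manager code, and the rule names, roles, users and groups are constructed sample data. It shows why a group recipient produces a list of affected users per SoD, while a user recipient produces a single conflict.

```python
# Constructed sample data (assumptions, not taken from the product).
# Each SoD rule names two roles that one person must not hold together.
SOD_RULES = {
    "SoD-Payments": frozenset({"Create Vendor", "Approve Payment"}),
    "SoD-Admin": frozenset({"Audit Reviewer", "System Admin"}),
}
# Roles each user already holds, and which users belong to each group.
CURRENT_ROLES = {
    "alice": {"Create Vendor"},
    "bob": {"Audit Reviewer"},
    "carol": set(),
}
GROUPS = {"finance-team": ["alice", "carol"], "ops-team": ["bob"]}


def expand_recipients(recipients):
    """Map each recipient (a user or a group) to the users it covers."""
    return {r: GROUPS.get(r, [r]) for r in recipients}


def sod_conflicts(recipients, requested_roles):
    """Return {sod_name: {recipient: [affected users]}} for one request.

    A user is affected when existing plus requested roles contain both
    roles of a rule and the request contributes at least one of them.
    This covers both cases in the text: requesting a role that conflicts
    with one already held, and requesting two conflicting roles at once.
    """
    requested = set(requested_roles)
    report = {}
    for recipient, users in expand_recipients(recipients).items():
        for user in users:
            combined = CURRENT_ROLES.get(user, set()) | requested
            for name, pair in SOD_RULES.items():
                if pair <= combined and pair & requested:
                    report.setdefault(name, {}).setdefault(recipient, []).append(user)
    return report


if __name__ == "__main__":
    # Group request: only some members of each group violate an SoD.
    result = sod_conflicts(["finance-team", "ops-team"],
                           ["Approve Payment", "System Admin"])
    for sod, by_recipient in result.items():
        role_1, role_2 = sorted(SOD_RULES[sod])
        print(sod, "|", role_1, "vs", role_2, "|", by_recipient)
```
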

To request Identity Governance Permissions:

This procedure applies only when both of the following conditions are met: the Show IG Catalog in request page option is enabled on the Configuration > Identity Governance page, and you request the permission for Self.

  • IDM Catalogs: Lists all the available Identity Manager roles, resources, and workflows.

  • IG Applications: Lists all the applications collected in Identity Governance. You can then select the permissions associated with the selected application.

  • IG Technical Roles: Lists all the technical roles in Identity Governance. Select the IG roles that you want to request and specify a reason for requesting the role.

For more information, click on the Dashboard.