Setting up Identity Governance for Access Request requires configuring several items:
(Optional) Business roles
(Optional) Technical roles
(Optional) Application and permissions request forms
(Optional) Application and permissions request approval forms
Request policies
(Optional) Request approval policies
Request policies assigned to resources and roles
As indicated above, you need not configure all the items. Create business roles if you want to show recommended access to users and do not already have any business roles in your system. For more information, see Section 17.0, Creating and Managing Business Roles. Create technical roles to group permissions if you want to enable users to request access to many permissions in a single step. For more information, see Section 16.0, Creating and Managing Technical Roles. Create a request approval policy if you need access requests to require approval. Otherwise, the default approval policy, which does not require approval, is in effect. Create and edit request and approval forms if you want to provide custom options to users. For more information about request forms and request approval policies, see the following sections:
To allow users to request access, you must create request policies. Request policies define what access can be shown and requested in the Access Request interface. Users with the Customer, Global, or Access Request Administrator authorization can create request policies.
In Identity Governance, select Policy > Access Request Policies.
On the Request Policies tab, select + to create a new policy.
Name the policy.
Select types of requests that all users are allowed to make. For example, if you want all users to be able to request access for themselves and their direct reports, select Self and Direct Reports.
NOTE: Granting the ability to request access for All Users automatically provides the user with the ability to request for Self, Direct Reports, and Downline Reports. Granting the ability to request for Downline Reports automatically provides the ability to request for Direct Reports as well.
For more granular control of specific users and groups, use the Allowed Users and Allowed Groups sections. For example, if you want specific users or groups to be able to request access for all users, specify that here.
NOTE: If All Users are granted the ability to request for a certain type of user, you do not need to grant that same ability to specific users or groups. For example, if All Users are granted the ability to request for Self, you do not need to grant the ability to request for Self to specific users or groups.
For exclusions, use the Disallowed Users and Disallowed Group sections.
Use Allowed Business Roles to add members of business roles as requesters for self, downline reports, direct reports, or all users.
Save the policy.
(Optional) Select the gear icon on the Applications, Permissions, and Roles (technical roles) tabs to customize the column display. For example, on the Permissions tab you can drag and drop the Authorized By column to see whether a permission comes from an Identity Manager role or application or from an Identity Governance role.
Add applications, permissions, and technical roles on the respective tabs.
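The scope rules in the notes above (All Users implies Self, Direct Reports, and Downline Reports; Downline Reports implies Direct Reports) are easy to get wrong when reviewing who a policy actually lets request for whom. The following is an added example, not Identity Governance product code: it models a request policy's requester settings and checks a requester against a target. The directory data is constructed, and the rule that a Disallowed entry overrides every Allowed entry is an assumption for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Scope implication rules stated in the procedure: granting the key scope
# also grants every scope in its set.
IMPLIED = {
    "All Users": {"All Users", "Downline Reports", "Direct Reports", "Self"},
    "Downline Reports": {"Downline Reports", "Direct Reports"},
    "Direct Reports": {"Direct Reports"},
    "Self": {"Self"},
}

@dataclass
class User:                      # constructed directory record
    name: str
    manager: Optional[str] = None
    groups: set = field(default_factory=set)
    business_roles: set = field(default_factory=set)

@dataclass
class RequestPolicy:             # mirrors the policy sections in the steps above
    all_users: set = field(default_factory=set)          # scopes every user gets
    allowed_users: dict = field(default_factory=dict)    # user -> scopes
    allowed_groups: dict = field(default_factory=dict)   # group -> scopes
    allowed_business_roles: dict = field(default_factory=dict)  # role -> scopes
    disallowed_users: set = field(default_factory=set)
    disallowed_groups: set = field(default_factory=set)

def effective_scopes(policy, user):
    """Scopes the user holds after implication. Assumption: a Disallowed
    match excludes the user from the policy entirely."""
    if user.name in policy.disallowed_users or user.groups & policy.disallowed_groups:
        return set()
    granted = set(policy.all_users) | policy.allowed_users.get(user.name, set())
    for g in user.groups:
        granted |= policy.allowed_groups.get(g, set())
    for r in user.business_roles:
        granted |= policy.allowed_business_roles.get(r, set())
    return set().union(*(IMPLIED[s] for s in granted))

def relationship(requester, target, directory):
    """Classify the target relative to the requester via the manager chain."""
    if requester.name == target.name:
        return "Self"
    hop, mgr = 0, target.manager
    while mgr is not None:
        hop += 1
        if mgr == requester.name:
            return "Direct Reports" if hop == 1 else "Downline Reports"
        mgr = directory[mgr].manager
    return "All Users"   # unrelated target: only the All Users scope covers it

def can_request(policy, requester, target, directory):
    return relationship(requester, target, directory) in effective_scopes(policy, requester)
```

Running this against a small constructed org shows, for instance, that a manager granted only Self and Direct Reports cannot request for a report's report, while a helpdesk group granted All Users can request for anyone.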
To set appropriate approvals for requested access, you must create request approval policies. Identity Governance provides a default approval policy that you can edit. You can also create new request approval policies to further define your approval policies for various situations.
In Identity Governance, select Policy > Access Request.
On the Approval Policies tab, select + to add an Access Request approval policy.
Name the policy.
Add one or more approval steps, depending on how many levels of approval you require. For each approval step:
Specify approvers
NOTE: You can use coverage maps to specify approvers. For information about coverage maps, see Using Coverage Maps.
View notification emails, and optionally set reminder email frequency and add recipients
Set escalation period and specify escalation approvers
Set expiration period and assign default action at the end of the expiration period
Save the policy.
After you have created request or approval policies, you can assign resources to them, such as applications, permissions, and technical roles.
In Identity Governance, select either the applications, permissions, or roles catalog.
Select the applications, permissions, or roles you want to apply request policies to.
In Actions, select the option you want. You can:
Assign access request policy
Remove access request policy
Assign approval policy
You can also import assignments, assign resources to a policy, or remove resources from a policy while editing the policy definition.
(Conditional) If you have an assignments file that you chose to export when exporting an access request policy, click Import Assignments on the policy details page to import the assignments.
NOTE: If the number of assignments exceeds the preconfigured threshold, you cannot import them from the assignments file and must instead import the policy from the policies list page.
Alternatively, assign resources manually:
Select the Applications, Permissions, or Roles tab.
Select + under the tab to select resources of the specific type to assign to the policy.
(Optional) Specify if a request for a technical role access should be approved at the role level or at the individual permission level.
Select one or more technical roles.
Select Actions > Set Role Level Approval to enable approval of all requests for permissions included in the technical role as a group.
Or
Select Actions > Set Permission Level Approval to enable approval of each permission included in the technical role individually.
Select the resources to be removed using the check box next to the ones you want to remove.
Select Remove to remove the selected resources.
NOTE: You cannot remove resources from the default approval policy in this way. A resource can only be removed from the default approval policy by assigning it to another approval policy. Also, removing a resource from a policy other than the default approval policy will re-assign the resource to the default approval policy.
The global potential SoD violation approval policy applies to all access requests that, if granted, might result in Separation of Duties (SoD) violations. It determines whether approval is required for potential violations and, if so, whether self-approval is allowed. For more information about SoD and SoD violations, see Section 18.0, Creating and Managing Separation of Duties Policies and Section 19.0, Managing Separation of Duties Violations.
To set global potential SoD violation approval policy:
Log in as a Customer, Global, Access Request, or SoD Administrator, or as a policy owner.
In Identity Governance, select Policy > Access Request.
On the Potential SoD Violation Approval tab, select Require approval for potential SoD violations.
(Conditional) If approval is required, select Allow self approval of potential SoD violations to allow the access requester to approve their own potential violations. Regardless of this setting, a Customer or Global Administrator can always approve their own potential violations.