22.2 Requesting Access

Identity Governance request policies determine who can request access and what items they can request. Permissions and technical roles already assigned to you will not be available for request and can be viewed on your Current Access page. If the request policy authorizes you to request an application, the application will be available to request even if you have the application account or permission.

When authorized to request by a request policy, you can request an application, application permission, or technical role access for yourself or a user for whom you are authorized to request access. Technical roles enable you to request multiple permissions in a single step. When requesting access, you can search or browse for request items, or select recommended items.

To request applications, permissions, or technical role assignments:

  1. Select the request method.

    To

    Do this

    Search request items by name, categories, applications, request status, request item type, or advanced filters

    • Select Request > Search.

      NOTE:After you click Search, Identity Governance displays all request items, but you can decide whether to display all request items or not. As a Global Administrator you can reset the value of the global property com.netiq.iac.ui.cx.search.preventAutoQuery to true so that Identity Governance prevents loading of all requestable items.

    • (Optional) Sort items by clicking on column names.

    • (Optional) Group items by application or category.

    • Type partial or complete request item name in search bar, and select additional criteria as needed to narrow your results.

      NOTE:For typeahead search, there is a global property that controls the time within which Identity Governance queries the database and displays the search result. The default value for the property is 500 milliseconds. As a Global Administrator you can reset the value of the global property com.netiq.iac.ui.cx.search.typeaheadDelayfor Identity Governance to query and display.

      For example, to search all permissions for a specific category, select a category from categories drop-down list, click More filters, then select permissions as the item type. To select request items in more than one category, click Category, then use typeahead search to find and select categories.

    Browse request items in table or tile view and search request items by name or description

    • Select Request > Browse.

    • (Optional) Select Your Name > My Settings > Enable tile view to view the Application and Technical Roles as tiles and use the same settings to switch back to the default table view.

    • Click on respective tabs to view applications and technical roles.

    • Click an application name to view and search permissions.

    Select recommended request items

    Select Request > Recommended.

    NOTE:You might see recommended items to request only if Identity Governance administrators have created and assigned business roles in your environment. Assigned technical roles will not be included in the recommended list.

    When you review permissions available to request, items might have the following icons signifying the state of the item.

    Shopping cart

    Item was requested and is in the shopping cart, but the request has not yet been submitted.

    Lock

    Requested item needs approval.

    Clock

    Item was requested and is awaiting fulfillment or approval.

    Check mark

    User already owns the item.

  2. Select a item you want to request and add a reason.

  3. (Conditional) If Identity Governance warns you of SoD violations, either change your request to resolve the violation or submit the request with the violations for an SoD administrator, SoD policy owner, or SoD or Access Request policy to approve or resolve the violation.

  4. (Conditional) If requesting dynamic resources, a specific type of permissions or permissions with custom forms, provide additional inputs. For example, if the dynamic resource is a phone, you might have to select a phone model.

  5. Click Add to request.

  6. Repeat above steps as needed to add more items to your cart.

    NOTE:When you request access to a technical role, Identity Governance will generate requests for the missing permissions of the technical role and also assign the technical role to the user. The badges that display the technical roles will display a check mark icon if the technical role is already assigned and a warning icon if the technical role is assigned to the user, but the user is missing one or more permissions of the technical role.

  7. (Conditional) If you have rights to request on behalf of others:

    1. Select the current user to change for whom you are making the request.

    2. Select items and click Add to request. Repeat this to add more items.

    3. (Optional) Select a different user to review and request items for that user.

  8. After you have requested items for all users, select the cart to review your choices.

    NOTE:Selecting X next to a request in the shopping cart immediately removes the request from the cart.

  9. Click Submit to submit your requests.

If one or more requested items in the cart create a combination of permissions for the user that are considered toxic (strictly forbidden), Identity Governance prevents you from submitting the cart until you remove one or more items from the request to resolve the toxic combination. Click the red caution symbol next to the permissions identified as toxic to learn more about the toxic SoD policy violated, and to help determine which permission(s) to remove from the request. For more information, see Understanding Separation of Duties.