24.2 Requesting Access

Identity Governance request policies determine who can request access and what items they can request. Permissions, technical roles, and business roles already assigned to you will not be available for request and can be viewed on your Current Access page. If the request policy authorizes you to request an application, the application will be available to request even if you have the application account or permission.

Identity Governance supports time-based requests. Requesters can specify an effective date and an expiration date for each request. You can view the effective and expiration dates on the Requests page that displays list of all pending and completed requests. When expiration date is specified, Identity Governance will generate additional expire requests that will be effective on the expiration date. Users can change the expiration date or remove expiration request as needed when viewing list of requests that have been submitted.

When authorized to request by a request policy, you can request an application, application permission, technical role, and business role access for yourself or a user for whom you are authorized to request access. Technical roles enable you to request multiple permissions in a single step. When requesting access, you can search or browse for request items, or select recommended items.

To request applications, permissions, or technical role assignments or business role membership:

  1. Select the request method.

    To

    Do this

    Search request items by name, categories, applications, request status, request item type, or advanced filters

    • Select Request > Search.

      NOTE:After you click Search, Identity Governance displays all request items, but you can decide whether to display all request items or not. As a Global Administrator you can reset the value of the global property com.netiq.iac.ui.cx.search.preventAutoQuery to true so that Identity Governance prevents loading of all requestable items.

    • (Optional) Sort items by clicking on column names.

    • (Optional) Group items by application or category.

    • Type partial or complete request item name in search bar, and select additional criteria as needed to narrow your results.

      NOTE:For typeahead search, there is a global property that controls the time within which Identity Governance queries the database and displays the search result. The default value for the property is 500 milliseconds. As a Global Administrator you can reset the value of the global property com.netiq.iac.ui.cx.search.typeaheadDelay

      For example, to search all permissions for a specific category, select a category from categories drop-down list, click More filters, then select permissions as the item type. To select request items in more than one category, click Category, then use typeahead search to find and select categories.

    Browse request items in table or tile view and search request items by name or description

    • Select Request > Browse.

    • (Optional) Select Your Name > My Settings > Enable tile view to view the Application, Technical Roles, and Business Roles as tiles and use the same settings to switch back to the default table view.

    • Click on respective tabs to view applications, technical roles, and business roles.

    • Click an application name to view and search permissions.

    Select recommended request items

    Select Request > Recommended.

    NOTE:You might see recommended items to request only if Identity Governance administrators have created and assigned business roles in your environment. Assigned technical roles and requestable businness roles will not be included in the recommended list.

    When you review permissions available to request, items might have the following icons signifying the state of the item.

    Shopping cart

    Item was requested and is in the shopping cart, but the request has not yet been submitted.

    Lock

    Requested item needs approval.

    Clock

    Item was requested and is awaiting fulfillment or approval.

    Check mark

    User already owns the item.

  2. Select a item you want to request and add a reason.

  3. (Conditional) If Identity Governance warns you of SoD violations, either change your request to resolve the violation or submit the request with the violations for an SoD administrator, SoD policy owner, or SoD or Access Request policy to approve or resolve the violation.

  4. (Conditional) If requesting dynamic resources, a specific type of permissions or permissions with custom forms, provide additional inputs. For example, if the dynamic resource is a phone, you might have to select a phone model.

  5. (Conditional) When requesting a permission for a user who has multiple accounts, select an account to which the permission should be associated.

  6. (Conditional) When requesting a technical role that includes one or more permissions belonging to one or more applications where the recipient user has multiple accounts, select an account for each application to which the permission should be associated.

  7. (Optional) Add effective and expiration dates.

    NOTE:

    • When you specify an expiration date for the access item, Identity Governance will create related pending expiration request items that will become effective on the expiration date. The expiration request is created only after all approvals have been given for the request item. If a request item is denied during the approval process, expiration request will not be created.

    • While specifying the effective and expiration dates, use the left or right arrow on the calendar date picker to select previous or next month.

  8. Click Add to request.

  9. Repeat above steps as needed to add more items to your cart.

    NOTE:When you request access to a technical role, Identity Governance will generate requests for the missing permissions of the technical role and also assign the technical role to the user. The badges that display the technical roles will display a check mark icon if the technical role is already assigned and a warning icon if the technical role is assigned to the user, but the user is missing one or more permissions of the technical role.

    A warning is displayed on the request panel when requesting access to a business role for a user specifically excluded from membership. The role can be requested, however membership will not be granted until the exclusion is removed.

  10. (Conditional) If you have rights to request on behalf of others:

    1. Select the current user to change for whom you are making the request.

    2. Select items and click Add to request. Repeat this to add more items.

    3. (Optional) Select a different user to review and request items for that user.

  11. After you have requested items for all users, select the cart to review your choices.

    NOTE:Selecting X next to a request in the shopping cart immediately removes the request from the cart.

  12. Click Submit to submit your requests.

If one or more requested items in the cart create a combination of permissions for the user that are considered toxic (strictly forbidden), Identity Governance prevents you from submitting the cart until you remove one or more items from the request to resolve the toxic combination. Click the red caution symbol next to the permissions identified as toxic to learn more about the toxic SoD policy violated, and to help determine which permission(s) to remove from the request. For more information, see Understanding Separation of Duties.