To allow users to request access, an administrator must create request policies or edit the default request policy provided by Identity Governance. Request policies define what access can be shown and requested in the Access Request interface. Users with the Customer, Global, or Access Request Administrator authorization can configure a default request policy and additional request policies based on their business needs. The default policy enables users to request all permissions, applications, or roles that are not directly assigned to an access request policy.
To configure a default access request policy:
In Identity Governance, select Policy > Access Request Policies.
Click Edit.
(Optional) Edit name and description.
Specify which type of request items are included in this policy. For example, when instead of individually assigning permissions to a policy, you want specified users to request all permissions, select the permissions check box.
Specify who can request access for whom.
To define who all users can request access for by default, click Add request for and select an option in the All Users section. For example, if you want all users to be able to request access for themselves, select Self. If you want all users to request access for other users who meet a set of criteria, select Users matching query, then define the criteria using the Expression Builder.
NOTE:Granting ability to request access for All Users automatically provides the user with the ability to request for Self, Direct Reports, and Downline Reports. Granting the ability to request for Downline Reports automatically provides the ability to request for Direct Reports as well.
(Optional) For more granular control of who can request for whom:
Select allowed users, groups, or business roles, then click + to add the users, groups, or business roles.
For the selected allowed entity, click Add request for and select an option. For example, if you added group A in the previous step, then added a request for group A, all members of group A would be able to request access for all other members of the group.
NOTE:If the request policy allowed all users to request access for all users, these settings will be ignored.
For exclusions to the All Users settings, specify disallowed users and groups.
(Optional) Create additional access request policies.
Save the policy.
To create additional access request policies:
In Identity Governance, select Policy > Access Request Policies.
On the Request Policies tab, scroll down and expand the Request Policies panel.
Click + to create a new policy.
Type name and description.
Save the policy.
Assign applications, permissions, technical roles, and business roles to the policy.
IMPORTANT:Only Business Roles that were defined as requestable and published will be available for selection.
(Optional) Select the gear icon in the Applications, Permissions, and Roles (technical roles) tabs to customize column display. For example, in Permissions tab you can drag and drop Authorized By column to view if a permission is from an Identity Manager role or application or from an Identity Governance role.