Handle app integration requests
After end users request an app through their Okta End-User Dashboard, Okta notifies the first approver in the workflow with an email containing the request details and a link. The approver can open the link to approve or deny the request. The process continues until every approver in the workflow grants permission or until one approver denies the request.
About admin roles for this task
No special role is required to approve a request other than the approver must be listed in the self service configuration workflow for the app integration, either as an individual or part of a group.
Super Admins or App Admins can intervene in the approval process and perform the approval outside of the usual approval process.
Before you begin
Admins must sign in to the Okta Admin Console.
Start this procedure
The steps required to approve a request depends on if the approver is listed as an individual approver, or is part of a group of approvers, or is an administrator for the org:
After end users request an app, the first approver receives an email containing the request and a link. Following the link gives options to approve or deny the request. Approvers can also check outstanding approvals in their queue at any time through their End-User Dashboard. Selecting the Tasks tab on your dashboard shows all requests awaiting approval.
- If you are the first approver in the workflow and approve the request, then the next approver receives the email message.
- If you are the final or only approver and approve the request, then:
- If the app integration is configured for provisioning, the end user is provisioned to the external application, assigned to the app integration and receives SSO access
- If the app integration is not configured for provisioning, the end user is assigned to the app integration and receives SSO access
- If you deny the request, then the end user is not granted access and the System Log Entries are updated.
Any comments you enter in the Approval Action section are recorded in the System Log, but this text is not included in email notifications to the requester.
If a group is specified as an approver, all group members receive identical email notifications with a link to approve the request. When one group member approves or rejects the request, the entire approval step is complete, and the task is removed from the queue for all the other group members.
Okta admins can intervene in the approval process and perform any of the following actions:
- View outstanding requests and see the current step of the approval process.
- Resend approval notifications to the current approver.
- Cancel an outstanding end-user request.
- Override the process and immediately assign the app to an end user.
To view, resend, or delete a request
- In the Admin Console, go to Applications > Applications.
- Select the app integration that the end user requested.
- On the Assignments tab, click Manage Requests in the APP REQUESTS section of the SELF SERVICE pane.
In the Manage Pending Requests window:
- Click to view the Request History.
- Click to open the confirmation dialog for sending notifications. Click Send Email to send the notification email to the current approver in the workflow and return to the Assignments tab. Click Send and Go Back to send the email and return to the Manage Pending Requests window.
- Click to open the confirmation dialog for deleting request. Click Delete to remove this approval request and return to the Assignments tab. Click Delete and Go Back to delete the request and return to the Manage Pending Requests window. An app integration can still be manually assigned by an admin, even if the request is deleted.
If an admin overrides the approval process and assigns the app integration immediately, the approval process stops, and any remaining steps of the approval workflow are deleted. The end user can access the app integration from their dashboard.
Some administrative actions can impact the approval workflow of the Self Service feature. Doing any of the following can cause issues with existing and future access requests:
- Deactivating the app integration
- Deactivating an approver
- Deleting a group specified as a group approver
- Modifying the schema of an app integration
Before making any of these changes to an app integration or an approver, resolve any pending requests and then disable the Self Service feature for the app integration. After you make changes, you can restore the approval workflow for the app integration.
The following Self Service feature events are tracked in the System Log:
- User app requests: The requester's comment is logged in the System.DebugContext.DebugData section.
- Individual approver approvals and denials: The approver type is logged as USER, and the approver's comment is logged in the System.DebugContext.DebugData section.
- Group approver approvals and denials: The approver type is logged as GROUP, and the approver's groupId, group name, and comment are all logged in the System.DebugContext.DebugData section.
- App approvals: All approvers have approved the request, and access is granted to the end user. These events are triggered by the Okta system granting or denying access, not by the actions of an approver.
- App denials: An approver denied the request, and access is denied to the end user. These items are triggered by the Okta system granting or denying access, not by the actions of an approver.
- Request deletion: The end user's request for an app integration is deleted.