Configure settings

Configure settings for all access requests for the app or resource collection. You can indicate whether users can request access on behalf of other users. You can also define whether access requests that conflict with separation of duties (SOD) rules are allowed as is, allowed with custom settings, or blocked.

The SOD conflict setting is available even if you haven't enabled Governance Engine for the app or defined entitlements and bundles. In this case, you can configure the settings but they won't have any impact on the access request.

To allow or prevent requesters from escalating tasks within their access requests, see Allow requesters to escalate tasks.

Start this task

  1. Go to the access requests settings for an app, resource collection, or admin roles.

    Access request settings for an app

    1. In the Admin Console, go to Applications > Applications.

    2. Select an app and go to the Access requests tab on the app's profile page.

    3. Click Settings.

    Access request settings for a resource collection

    1. In the Admin Console, go to Identity Governance > Resource Collections.

    2. Search for the collection and click View for that collection.

    3. Go to the Access Requests tab.

    4. Click Settings.

    Access requests settings for admin roles

    1. In the Admin Console, go to Security > Administrators > Governance.

    2. Click Access requests.

    3. Click Settings.

  2. Configure settings to allow or block requests on behalf of another user and requests with separation of duties (SOD) conflicts.

    Configure the Request on behalf of setting

    To allow a user to request access for another user, toggle the Enable request on behalf of option.

    • Only managers can request access for their reports: This option only allows managers to request access on behalf of their team.

    • Any user can request access for any other user: This option allows all users in the org to request access to the resource on behalf of other users irrespective of their roles and hierarchical relationships in the org.

      These options don't prevent a user from requesting access for themselves.

    Define what happens when a separation of duties (SOD) conflict occurs.

    This option isn't available for access requests for admin roles.

    By default, a requester can't submit an access request for entitlement bundles that conflict with their existing entitlement assignments. To change this, click Edit and select one of the following options:

    • Allow requests: Requesters see a warning but they can request access. Their access is processed using the settings defined in the applicable access request condition.

    • Allow requests with custom settings: Requesters see a warning but they can request access. However, their request is managed by the approval sequence and access duration that you specify on this page.

      1. Select an approval sequence.

      2. Specify the access duration.

      For access requests that cause SOD conflicts, the approval sequence and access duration you specify here override similar settings defined in any other conditions for this app.

    • Block requests: Requesters can see the access level but can't request it. This is the default setting.

      Okta evaluates separation of duties rules based on the requester's existing entitlement assignments when they submit the request. This means that if a requester creates multiple requests in a short period or has multiple requests open simultaneously, separation of duties conflict warnings won't appear and won't prevent them from requesting access to conflicting entitlements.

      Before granting access, check all open requests from the requester for any potentially conflicting entitlement requests against your separation of duties rules. Additionally, run access certification campaigns that review separation of duties conflicts regularly to revoke conflicting entitlement assignments.

  3. Click Save. The Access request settings updated event is logged in the System Log.
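
The pre-approval check described in step 2, as an added example (not Okta code and not an Okta API): it evaluates SOD rules against the requester's assigned entitlements together with all of their open requests, so a conflict that exists only between two pending requests is flagged. The rule shape, request IDs, and entitlement names are constructed assumptions.

```python
# Constructed sample data. The rule shape (two entitlement lists per rule) and all
# names below are assumptions for illustration, not Okta's API or data model.
SOD_RULES = [
    {"name": "pay-vs-approve", "list_a": {"create_payment"}, "list_b": {"approve_payment"}},
    {"name": "dev-vs-deploy", "list_a": {"commit_code"}, "list_b": {"deploy_prod"}},
]
SAMPLE_ASSIGNED = {"commit_code"}
SAMPLE_OPEN_REQUESTS = {
    "REQ-1": {"create_payment"},   # no conflict with current assignments
    "REQ-2": {"approve_payment"},  # no conflict with current assignments either
    "REQ-3": {"deploy_prod"},      # conflicts with the assigned commit_code
}


def find_sod_conflicts(assigned, open_requests, rules):
    """Check SOD rules against assigned entitlements plus every open request.

    assigned: set of entitlements the requester already holds.
    open_requests: dict of request id -> set of requested entitlements.
    Returns one record per conflicting pair that involves a pending request.
    """
    # Record where each entitlement comes from: "assigned" or a request id.
    sources = {}
    for ent in assigned:
        sources.setdefault(ent, set()).add("assigned")
    for req_id, ents in open_requests.items():
        for ent in ents:
            sources.setdefault(ent, set()).add(req_id)

    conflicts = []
    for rule in rules:
        for a in sorted(sources.keys() & rule["list_a"]):
            for b in sorted(sources.keys() & rule["list_b"]):
                involved = sources[a] | sources[b]
                # Pairs that are both already assigned are left to certification
                # campaigns; this check is about what approval would add.
                if involved == {"assigned"}:
                    continue
                conflicts.append({"rule": rule["name"], "entitlements": (a, b),
                                  "sources": sorted(involved)})
    return conflicts


if __name__ == "__main__":
    for c in find_sod_conflicts(SAMPLE_ASSIGNED, SAMPLE_OPEN_REQUESTS, SOD_RULES):
        print(c["rule"], c["entitlements"], "from", c["sources"])
```

In the sample, REQ-1 and REQ-2 each pass a check against current assignments alone; the conflict appears only when the open requests are evaluated together.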

Related topics

Create requests