Configure settings

Configure settings for all access requests for the app or resource collection. You can indicate whether users can request access on behalf of other users. You can also define if access requests that cause conflict between separation of duties (SOD) rules are allowed as is, allowed with custom settings, or blocked.

The SOD conflict setting is available even if you haven't enabled Governance Engine for the app or defined entitlements and bundles. In this case, you can configure the settings but they won't have any impact on the access request.

Start this task

  1. Go to the access requests settings for an app, resource collection, or admin roles.

    Access request settings for an app

    1. In the Admin Console, go to ApplicationsApplications.

    2. Select an app and go to the Access requests tab on the app's profile page.

    3. Click Settings.

    Access request settings for a resource collection

    1. In the Admin Console, go to Identity GovernanceResource Collections.

    2. Search for the collection and click View for that collection.

    3. Go to the Access Requests tab.

    4. Click Settings.

    Access requests settings for admin roles

    1. In the Admin Console, go to SecurityAdministratorsGovernance.

    2. Click Access requests.

    3. Click Settings.

  2. Configure settings to allow or block requests on behalf of another user and requests with separation of duty (SOD) conflicts.

    Configure the Request on behalf of setting

    To allow a user to request access for another user, toggle the Enable request on behalf of option.

    • Only managers can request access for their reports: This option only allows managers to request access on behalf of their team.

    • Any user can request access for any other user: This option allows all users in the org to request access to the resource on behalf of other users irrespective of their roles and hierarchical relationships in the org.

      These options don't prevent a user from requesting access for themselves.

    Define what happens when a separation of duties (SOD) conflict occurs.

    This option isn't available for access requests for admin roles.

    By default, a requester can't submit an access request for entitlement bundles that conflict with their existing entitlement assignments. To change this, click Edit and select one of the following options:

    • Allow requests: Requesters see a warning but they can request access. Their access is processed using the settings defined in the applicable access request condition.

    • Allow requests with custom settings: Requesters see a warning but they can request access. However, their request is managed by the approval sequence and access duration that you specify on this page.

      1. Select an approval sequence.

      2. Specify the access duration.

      For access requests that cause SOD conflicts, the approval sequence and access duration you specify here override similar settings defined in any other conditions for this app.

    • Block requests: Requesters can see the access level but can't request it. This is the default setting.

  3. Click Save. The Access request settings updated event is logged in the System Log.

Related topics

Create requests