Create an access request condition
Access Requests conditions help you streamline the process of requesting access to an app.
Before you begin
-
Sign in to the Admin Console as a super admin or as a user with both access requests admin and app admin roles.
-
Read Considerations.
-
To define access level using entitlement bundles, enable Governance Engine for the app and create entitlements and bundles.
-
To streamline access requests for admin roles, see Govern Okta admin roles and Access Requests for admin roles instead.
Start this task
-
In the Admin Console, go to .
-
Select an app and go to the Access requests tab on the app's profile page.
-
Optional. To allow a user to request access for another user, click Settings and toggle the Enable request on behalf of option. Next, indicate whether you want to grant this permission to all users or limit it to a user's manager. When you enable or disable this option, it applies to all conditions that manage access requests for the app.
-
Click + Create condition.
-
In the Requester scope section, select one of the following options to define the user who can request access:
- Everyone in the organization
- Specific groups
-
In the Access level section, select one of the following options to define the level of access to the app that users can request:
-
Only app: Select this option to provide the default access to the app to users.
-
Groups associated with the app: Select the groups that users can request. Groups that are assigned or pushed to the application can be selected. Each group appears as an option that the user can pick.
This option doesn't appear if you've enabled Governance Engine for the app.
-
Entitlements associated with the app: Select the bundles that the user can request.
This option is only available if you've enabled Governance Engine for the app. Check that you've created at least one entitlement bundle that you can use in the condition.
-
-
In the Access duration section, enable the toggle and select one of the following options:
-
Specify duration now: Indicate when the users' access expires.
-
Requester specifies the duration: Allow users to specify how long they need access. You must configure a Maximum duration to limit their options.
-
-
In the Approval Sequence section, click Select sequence.
-
Select an existing approval sequence by clicking Select for that sequence. Alternatively, you can also click New sequence to create a sequence and then select it. See Configure an approval sequence.
-
Click Create. This condition is in an inactive state by default.
-
Use the drag-and-drop handle for a condition to move it and define its priority over other conditions. Okta only considers the priority order for the condition after you enable the condition.
-
Optional. Enable a condition to use it. Check that the items you've referenced in a condition are active or available. If any of these items are deactivated or deleted, the condition becomes invalid when you enable it or when a requester submits a request.
Assign the Okta Access Requests app to approvers so they can act on a request. See Assign a single app to groups or Assign applications to users.
User experience
When you enable Governance Engine for an app, Okta removes the access expiration for any user whose access was granted by a condition. Consider updating these users' access expiration manually. See Manage user entitlements.
If a requester meets the criteria for more than one condition, the condition with the highest priority determines which approval sequence is used to approve the request. If their group memberships change and they no longer meet the conditions, they can't request the groups, entitlements, or bundles that are governed by those conditions. Their existing assignments aren't affected.
To understand the experience for requesters, request assignees, and approvers, see Create requests, Manage requests, and Manage tasks.