Get started with Access Requests

To manage access requests to resources, you must be a super admin or an access requests admin. To manage access requests to Okta admin roles, you must be a super admin.

Before you begin, determine the method you want to use to configure and manage access requests:

The setup, maintenance tasks, and limits vary for each method.

Ensure that you've allowlisted the standard Okta IPs for your orgs before accessing Access Requests. See Allow access to Okta IP addresses.

Conditions

Early Access release. See Enable self-service features.

Initial setup tasks

As a super admin or a user with both access requests admin and app admin roles, follow this sequence of tasks to configure conditions for an app:

Admin task

Description

Access request conditions Introduction to access request conditions.
Enable the Access request conditions and Resource catalog feature

When you enable the feature, all users in the org are implicitly assigned to the Okta Access Requests Resource Catalog app. All existing super admins are automatically assigned the Okta Access Requests Admin app.

If you don't have the Okta Access Requests app already, it's added automatically when you enable the feature. All existing super admins and access requests admins are automatically assigned the Okta Access Requests app.

Assign OktaAccess Requests app to users

Assign the Okta Access Requests app to users (requesters and approvers) so that they can submit, approve, or deny a request.

If you have the Okta Access Requests app already, assign it to super admins and access requests admins as well to avoid errors.

See Assign a single app to groups or Assign applications to users.

Optional. Modify your app sign-on policy

To avoid errors, modify the existing app sign-on policy for the following apps:

  • OktaAccess Requests Admin:

    Ensure that all rules match those of the OktaAdmin Console app.

  • OktaAccess Requests Resource Catalog:

    Ensure that all rules match those of the Okta Dashboard app.

Also, ensure that you don't have rules that require Prompt for re-authentication or Prompt for factor for the these apps. See Configure an app sign-on policy.

Access Requests integrations Integrate Slack or Microsoft Teams with Access Requests to perform additional actions.
Create an access request condition Define which users can request access to specific apps, how long should they have access for, and who should approve their access request. The conditions you create are in an inactive state by default and must be enabled for them to take effect.
Enable a condition Enable your new access request condition so that it's active.

Maintenance tasks

As a super admin or a user with both access requests admin and app admin roles, complete these tasks after your initial setup, as needed:

Admin task

Description

Manage conditions Enable, disable, view, edit, delete, or change the priority order of a condition.
Manage approval sequences Modify an existing approval sequence to add or remove tasks and questions. Changes to a sequence impact all access request conditions that use the sequence.

Request types

Initial setup tasks

As a super admin or access requests admin, follow this sequence of configuration tasks to start using Access Requests:

Admin task

Description

Request types Introduction to request types and its components.
Configure your Okta org for request types Configure settings and items in Okta that you'll need to use in request types.
Create an Access Requests team Create teams to determine who can configure new requests and manage existing ones.
Create a configuration list Create configuration lists to allow teams to automate end user’s access to resources. Configuration lists also control the specific options available to the end users as a request gets processed.
Access Requests integrations Integrate Jira, ServiceNow, Slack, or Microsoft Teams with Access Requests to perform additional actions, or use synced information.
Create a request type Create a request type, which is a customizable no-code structure that defines and automates how a user is granted access through a request.
Manage requests Understand the steps admins or assignees need to do to manage a request after it’s submitted. They must always be members of the Access Requests team that owns the request type for the request that’s being used.

Maintenance tasks

As a super admin, complete these tasks after your initial setup, as needed:

Admin task

Description

Generate the Past Access Requests report View who has requested access to resources and related data points, including whether access was granted and by whom.

End-user experience

Understand user tasks from an admin perspective:

User task

Description

Create requests Understand how your requesters can submit requests using methods like Access Requests web app, Slack, and Microsoft Teams. Requesters can request access to an app directly from their dashboard if you've set up conditions for the app.
Manage requests Understand the steps that request assignees need to do to manage a request that’s managed by condition or request type.
Manage tasks Understand how request approvers approve or deny a request from the Access Requests web app. The request can be managed by condition or request type.

Limits

There are several limits applicable to your organizations, conditions, request types, and requests. Refer to the following tables.

Organizations

You can have a maximum of 100,000 users in your organization.

Conditions

Limit Maximum
Conditions for each app 100
Groups used to define the requester scope in a condition 100
Unique groups used to define the requester scope for all conditions in an org 100
Entitlement bundles in access scope for a condition 100
Steps in an approval sequence 10

Questions within a question step

5

Request types

Limit Maximum
Active request types in each organization 500
Tasks in each request type 100
Fields in each request type 100
Applications used 5,000
Groups used 15,000
Configuration lists 100
Items for a configuration list 1,000

Requests

Limit Maximum
Open or Pending requests per organization 10,000
Resolved requests per organization

(This only counts requests that are accessible within the application.)

50,000
Tasks per request 100
Fields per request 100
Followers per request 100
Updates per request 500
Request list filter values 25