Get started with Access Requests
To manage access requests to resources, you must be a super admin or an access requests admin.
To manage access requests for admin roles, see Access Requests for admin roles and Get started instead.
Before you begin, determine the method you want to use to configure and manage access requests:
The setup, maintenance tasks, and limits vary for each method.
Ensure that you've allowlisted the standard Okta IPs for your orgs before accessing Access Requests. See Allow access to Okta IP addresses.
Conditions
Initial setup tasks
As a super admin or a user with both access requests admin and app admin roles, follow this sequence of tasks to configure conditions for an app:
|
Admin task |
Description |
|---|---|
| Access request conditions | Introduction to access request conditions. |
| Required app assignments | All users in the org are implicitly assigned to the Okta Access Requests Resource Catalog app.
When they use Access Requests for the first time, users are automatically assigned to the Okta Access Requests app. This app is also automatically assigned to admins when they're assigned the admin role that provides them access to Access Requests. Check that the admins were assigned the Okta Access Requests app. If the app wasn't assigned automatically or the user was unassigned, you must assign the app to the user to avoid errors. |
|
Optional. Modify your app sign-on policy |
These steps are optional. For a better user experience, modify the existing app sign-on policy for the Okta Access Requests Resource Catalog app. Ensure that all rules match those of the Okta Dashboard app. See Configure an app sign-on policy.
|
| Access Requests integrations | Integrate Slack or Microsoft Teams with Access Requests to perform additional actions. |
| Configure settings | Configure settings that apply to all access requests associated with the resource, such as Request on behalf of and conflicts among Separation of duties rules. |
| Create an access request condition | Define which users can request access to specific apps, how long should they have access for, and who should approve their access request. The conditions you create are in an inactive state by default and must be enabled for them to take effect. |
| Enable a condition | Enable your new access request condition so that it's active. |
Maintenance tasks
As a super admin or a user with both access requests admin and app admin roles, complete these tasks after your initial setup, as needed:
|
Admin task |
Description |
|---|---|
| Manage conditions | Enable, disable, view, edit, delete, or change the priority order of a condition. |
| Manage approval sequences | Modify an existing approval sequence to add or remove tasks and questions. Changes to a sequence impact all access request conditions that use the sequence. |
Request types
Initial setup tasks
As a super admin or access requests admin, follow this sequence of configuration tasks to start using Access Requests:
|
Admin task |
Description |
|---|---|
| Request types | Introduction to request types and its components. |
| Configure your Okta org for request types | Configure settings and items in Okta that you'll need to use in request types. |
| Create an Access Requests team | Create teams to determine who can configure new requests and manage existing ones. |
| Create a configuration list | Create configuration lists to allow teams to automate end user's access to resources. Configuration lists also control the specific options available to the end users as a request gets processed. |
| Access Requests integrations | Integrate Jira, ServiceNow, Slack, or Microsoft Teams with Access Requests to perform additional actions, or use synced information. |
| Create a request type | Create a request type, which is a customizable no-code structure that defines and automates how a user is granted access through a request. |
| Manage requests | Understand the steps admins or assignees need to do to manage a request after it's submitted. They must always be members of the Access Requests team that owns the request type for the request that's being used. |
Maintenance tasks
As a super admin, complete these tasks after your initial setup, as needed:
|
Admin task |
Description |
|---|---|
| Generate the Past Access Requests report or Past Access Requests (Conditions) report | View who has requested access to resources and related data points, including whether access was granted and by whom. |
End-user experience
Understand user tasks from an admin perspective:
|
User task |
Description |
|---|---|
| Create requests | Understand how your requesters can submit requests using methods like Access Requests web app, Slack, and Microsoft Teams. Requesters can request access to an app directly from their dashboard if you've set up conditions for the app. |
| Manage requests | Understand the steps that request assignees need to do to manage a request that's managed by condition or request type. |
| Manage tasks | Understand how request approvers approve or deny a request from the Access Requests web app. The request can be managed by condition or request type. |
Limits
There are several limits applicable to your orgs, conditions, request types, and requests. Refer to the following tables.
Organizations
You can have a maximum of 100,000 users in an org.
Conditions
| Limit | Maximum |
|---|---|
| Number of approval sequences for an org | 500 |
| Conditions for each app | 100 |
| Groups used to define the requester scope in a condition | 100 |
| Unique groups used to define the requester scope for all conditions in an org | 100 |
| Entitlement bundles in access level for a condition | 100 |
| Unique groups in access level for a condition | 100 |
| Number of users allowed in a group that's referenced in a condition (if the condition is for managing admin role bundles) | 200 |
| Steps in an approval sequence | 10 |
|
Questions within a question step |
5 |
Request types
| Limit | Maximum |
|---|---|
| Active request types in each organization | 500 |
| Tasks in each request type | 100 |
| Fields in each request type | 100 |
| Applications used | 5,000 |
| Groups used | 15,000 |
| Number of users in a pushed group | 25,000 |
| Configuration lists | 100 |
| Items for a configuration list | 1,000 |
Requests
| Limit | Maximum |
|---|---|
| Open or Pending requests for an organization | 10,000 |
| Resolved requests for an organization (This only counts requests that are accessible within the application.) |
50,000 |
| Tasks in a request | 100 |
| Fields in a request | 100 |
| Followers in a request | 100 |
| Updates in a request | 500 |
| Request list filter values | 25 |