Create an access request condition

Early Access release. See Enable self-service features.

Access Requests conditions help you streamline the process of requesting access to an app.

Before you begin

  • Sign in to the Admin Console as a super admin or as a user with both access requests admin and app admin roles.

  • Enable the Access request conditions and Resource catalog feature.

  • To define access level using entitlement bundles, enable Governance Engine for the app and create entitlements and bundles.

  • To use the Call Okta Workflows action, ensure that you have the following setup:

    1. Enable the Okta Workflows actions in Access Requests feature for your org.

      Early Access release. See Enable self-service features.

    2. Set up delegated workflows. See Delegated flows and Build a delegated flow. Make sure that the delegated flows you need are active in the Workflows Console.

    3. Create a custom admin role with the following configuration:

      1. The role has the Run delegated flow permission.

      2. The resource set contains at least one delegated flow that needs to be executed.

      3. This role and the resource set are assigned to the Okta Access Requests OAuth application.

    4. See Create an admin assignment using a role.

    5. Check that the Run a workflow toggle is enabled.

      1. In the Access Requests console, go to Settings > Integrations.

      2. Click Edit connection on the Okta tile.

      3. Check that the Run a workflow toggle is enabled. If not, enable it.

  • To use a requester's manager as approver, ensure that the managerId user attribute in Okta is set to the Okta username or email address of the user's manager. Otherwise, the request's assignee has to manually specify an approver for the request.

  • To use the group owner as an approver in requests, consider the following:

    • If you want to assign group owners as approvers for a request type, ensure that you have group owners configured in Okta. See Group ownership.

    • If there are multiple group owners, only one group owner needs to review and take action on the request. So if one of the group owners approves or revokes access for a request, the request is marked as completed for all owners.

    • If the number of group owners within a group is greater than 10, then requests are randomly assigned to 10 group owners.

  • To streamline access requests for admin roles, see Govern Okta admin roles and Access Requests for admin roles instead.
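The managerId prerequisite above is easy to get wrong at scale: a value that is a display name, a stale address, or missing altogether means the assignee must pick an approver by hand for every request from that user. The following added script (not Okta code, and it calls no Okta API) audits a constructed set of user records shaped like the Okta Users API response (`status`, `profile.login`, `profile.email`, `profile.managerId`) and reports every active user whose managerId does not resolve to an active user's login or email. The record shape and the sample values are assumptions made for the example; in practice you would feed it the JSON returned by `GET /api/v1/users`.

```python
"""Audit whether each user's managerId resolves to an active Okta user.

Added illustration, not Okta's own code. The USERS list below is constructed so the
check runs offline; the field names mirror the Okta Users API (status, profile.login,
profile.email, profile.managerId), which is an assumption of this example.
"""
from typing import Dict, List

# Constructed sample records (not real users).
USERS: List[dict] = [
    {"id": "u1", "status": "ACTIVE",
     "profile": {"login": "cto@example.com", "email": "cto@example.com"}},
    {"id": "u2", "status": "ACTIVE",
     "profile": {"login": "alice@example.com", "email": "alice@example.com",
                 "managerId": "CTO@example.com"}},          # case differs, still valid
    {"id": "u3", "status": "ACTIVE",
     "profile": {"login": "bob@example.com", "email": "bob@example.com",
                 "managerId": "Jane Doe"}},                  # display name, not login/email
    {"id": "u4", "status": "ACTIVE",
     "profile": {"login": "carol@example.com", "email": "carol@example.com",
                 "managerId": "former-mgr@example.com"}},    # points at a deprovisioned user
    {"id": "u5", "status": "DEPROVISIONED",
     "profile": {"login": "former-mgr@example.com", "email": "former-mgr@example.com"}},
    {"id": "u6", "status": "ACTIVE",
     "profile": {"login": "dave@example.com", "email": "dave@example.com"}},  # no managerId
]


def index_users(users: List[dict]) -> Dict[str, dict]:
    """Map each user's login and email (lower-cased) to the user record."""
    by_key: Dict[str, dict] = {}
    for user in users:
        profile = user.get("profile", {})
        for key in ("login", "email"):
            value = profile.get(key)
            if value:
                by_key[value.strip().lower()] = user
    return by_key


def audit_manager_links(users: List[dict]) -> Dict[str, str]:
    """Return {login: reason} for every active user whose manager cannot be used as approver.

    A user is flagged when managerId is missing, does not match any user's login or
    email, or matches a user who is not ACTIVE. Requests from flagged users need the
    assignee to choose an approver manually.
    """
    by_key = index_users(users)
    problems: Dict[str, str] = {}
    for user in users:
        if user.get("status") != "ACTIVE":
            continue  # only active users can submit requests
        login = user["profile"]["login"]
        manager_id = user["profile"].get("managerId")
        if not manager_id:
            problems[login] = "no managerId set"
            continue
        manager = by_key.get(manager_id.strip().lower())
        if manager is None:
            problems[login] = "managerId does not match any user's login or email"
        elif manager.get("status") != "ACTIVE":
            problems[login] = f"manager account is {manager['status']}"
    return problems


if __name__ == "__main__":
    for login, reason in sorted(audit_manager_links(USERS).items()):
        print(f"{login}: {reason}")
```

Run it before enabling conditions that rely on the manager as approver; anything it prints is a request that will stall until the assignee picks an approver. The top of the reporting chain (here `cto@example.com`) is flagged as having no managerId, which is expected and can be filtered out by policy.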

Start this task

  1. In the Admin Console, go to Applications > Applications.

  2. Select an app and go to the Access requests tab on the app’s profile page.

  3. Click + Create condition.

  4. In the Requester scope section, select one of the following options to define the user who can request access:

    • Everyone in the organization
    • Specific groups

  5. In the Access level section, select one of the following options to define the level of access to the app that users can request:

    • Only app: Select this option to provide the default access to the app to users.

    • Groups associated with the app: Select the groups that users can request. Groups that are assigned or pushed to the application can be selected. Each group appears as an option that the user can pick.

      This option doesn’t appear if you’ve enabled Governance Engine for the app.

    • Entitlements associated with the app: Select the bundles that the user can request.

      This option is only available if you’ve enabled Governance Engine for the app. Check that you’ve created at least one entitlement bundle that you can use in the condition.

  6. In the Access duration section, enable the toggle and specify when the user's access expires (if their request is approved). Requester-defined access duration isn’t supported.

  7. Click Create. This condition is in an inactive state by default.

  8. Use the drag-and-drop handle for a condition to move it and define its priority over other conditions. Okta only considers the priority order for the condition after you enable the condition.

  9. Optional. Enable a condition to use it. Check that the items you've referenced in a condition are active or available. If any of these items are deactivated or deleted, the condition becomes invalid when you enable it or when a requester submits a request.

After you create a condition, set its approval sequence. See Configure an approval sequence.

Assign the Okta Access Requests app to approvers so they can act on a request. See Assign a single app to groups or Assign applications to users.

User experience

When you enable Governance Engine for an app, Okta removes the access expiration for any user whose access was granted by a condition. Consider updating these users' access expiration manually. See Manage user entitlements.

If a requester meets the criteria for more than one condition, the condition with the highest priority determines which approval sequence is used to approve the request. If their group memberships change and they no longer meet the conditions, they can't request the groups, entitlements, or bundles that are governed by those conditions. Their existing assignments aren’t affected.
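The selection rules spread across steps 7 to 9 above and this paragraph (only enabled conditions count, a condition that references a deactivated or deleted group or bundle is invalid, the highest-priority match decides the approval sequence, and a requester who drops out of every condition's scope can no longer request) can be modelled in a few dozen lines. The code below is an added illustration, not Okta's implementation, and it calls no Okta API. Two details are assumptions made for the example because the page does not state them: a "Specific groups" scope is treated as matching when the requester belongs to at least one of its groups, and priority 1 stands for the top of the drag-and-drop order. All condition names, groups and bundles are constructed.

```python
"""Model of how a governing access request condition is chosen.

Added illustration only; this is not Okta code. Assumptions not stated on the page:
a "Specific groups" scope matches when the requester is in at least one listed group,
and a lower priority number means higher in the drag-and-drop order.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Condition:
    name: str
    priority: int                                   # 1 = top of the drag-and-drop order
    enabled: bool                                   # a new condition is inactive by default
    approval_sequence: str                          # what the winning condition decides
    scope_groups: Optional[FrozenSet[str]] = None   # None = "Everyone in the organization"
    access_level: str = "app"                       # "app", "groups" or "bundles"
    access_items: FrozenSet[str] = frozenset()      # groups or bundles the requester may pick


def is_valid(cond: Condition, active_groups: FrozenSet[str],
             active_bundles: FrozenSet[str]) -> bool:
    """A condition is invalid when anything it references is deactivated or deleted."""
    if cond.scope_groups is not None and not cond.scope_groups <= active_groups:
        return False
    if cond.access_level == "groups":
        return cond.access_items <= active_groups
    if cond.access_level == "bundles":
        return cond.access_items <= active_bundles
    return True


def in_scope(cond: Condition, requester_groups: FrozenSet[str]) -> bool:
    """Everyone-scoped conditions always match; group scopes need one shared group (assumption)."""
    return cond.scope_groups is None or bool(cond.scope_groups & requester_groups)


def governing_condition(conditions: List[Condition], requester_groups: FrozenSet[str],
                        active_groups: FrozenSet[str],
                        active_bundles: FrozenSet[str]) -> Optional[Condition]:
    """Return the enabled, valid, in-scope condition with the highest priority.

    None means the requester currently meets no condition and cannot request the
    groups or bundles those conditions govern (existing assignments are untouched).
    """
    candidates = [c for c in conditions
                  if c.enabled
                  and is_valid(c, active_groups, active_bundles)
                  and in_scope(c, requester_groups)]
    return min(candidates, key=lambda c: c.priority) if candidates else None


# Constructed sample org state (not real data).
ACTIVE_GROUPS = frozenset({"engineering", "sales", "contractors"})
ACTIVE_BUNDLES = frozenset({"repo-read", "repo-admin"})

CONDITIONS = [
    Condition("Engineering bundles", 1, True, "manager-then-app-owner",
              frozenset({"engineering"}), "bundles", frozenset({"repo-read", "repo-admin"})),
    Condition("Everyone, app only", 2, True, "app-owner"),
    Condition("Contractors (created, not yet enabled)", 3, False, "security-team",
              frozenset({"contractors"})),
    Condition("Legacy group (group was deleted)", 4, True, "helpdesk",
              frozenset({"legacy-tools"})),
]


def sequence_for(requester_groups: FrozenSet[str]) -> Optional[str]:
    """Approval sequence a requester with these groups would get, using the sample state."""
    winner = governing_condition(CONDITIONS, requester_groups, ACTIVE_GROUPS, ACTIVE_BUNDLES)
    return winner.approval_sequence if winner else None


if __name__ == "__main__":
    for groups in (frozenset({"engineering", "sales"}), frozenset({"sales"}),
                   frozenset({"contractors"}), frozenset()):
        print(sorted(groups), "->", sequence_for(groups))
```

The last two sample conditions show the two ways a condition silently drops out of consideration: one was created but never enabled (step 7 leaves it inactive), the other references a group that no longer exists and is therefore invalid (step 9). Reviewing both states after group clean-ups is a cheap way to avoid requests falling through to a lower-priority, more permissive condition.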

To understand the experience for requesters, request assignees, and approvers, see Create requests, Manage requests, and Manage tasks.

Related topics

Manage access request conditions

Configure an approval sequence