Create an access request condition for a resource collection

Early Access release. See Enable self-service features.

Access Requests conditions help you streamline the process of requesting access to a resource collection.

Before you begin

  • Sign in to the Admin Console as a super admin or as a user with both access requests admin and app admin roles.
  • Read Considerations.
  • To define access level using entitlement bundles, enable Governance Engine for the app and create entitlements and bundles.
  • To streamline access requests for admin roles, see Govern Okta admin roles and Access Requests for admin roles instead.

Start this task

  1. In the Admin Console, go to Identity Governance > Resource Collections.
  2. Search for the collection that you want to create an access condition for. Click View for that collection.
  3. Go to the Access Requests tab.
  4. Optional. To allow a user to request access on behalf of another user, complete these steps:
    1. Click Settings and click Enable request on behalf of to enable it. This setting is applicable to all conditions for this resource collection.
    2. Grant this permission to all users or limit it so that only the user's manager can request access on their behalf.
    3. Click Save.
    4. Navigate back to the Access Requests tab.
  5. Click + Create condition.
  6. Enter a name for the condition.
  7. In the Requester scope section, select one of the following options to define which users can request access:
    • Everyone in the organization
    • Specific groups
  8. The Access level is selected by default.
  9. In the Access duration section, enable the toggle and select one of the following options:
    • Specify expiration now: Indicate when the users' access expires.
    • Ask requester to specify expiration: Allow users to specify how long they need access. You must configure a Maximum duration to limit their options.
  10. In the Approval Sequence section, click Select sequence.
  11. Select an existing approval sequence by clicking Select for that sequence. Alternatively, click New sequence to create a sequence and then select it. See Configure an approval sequence.
  12. Click Create. This condition is in an inactive state by default.
  13. Use the drag-and-drop handle for a condition to move it and define its priority over other conditions. Okta only considers the priority order for the condition after you enable the condition.
  14. Optional. Enable a condition to use it. Check that the items you've referenced in a condition are active or available. If any of these items are deactivated or deleted, the condition becomes invalid when you enable it or when a requester submits a request.

Assign the Okta Access Requests app to approvers so they can act on a request. See Assign a single app to groups or Assign applications to users.

User experience

If a requester meets the criteria for more than one condition, the condition with the highest priority determines which approval sequence is used to approve the request. If their group memberships change and they no longer meet the conditions, they can't request the groups, entitlements, or bundles that are governed by those conditions. Their existing assignments aren't affected.
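The following added example (not Okta code and not an Okta API) models the priority rule above so that you can review a planned condition list for conditions that a higher-priority condition makes unreachable. The Condition class, its fields, and the group and sequence names are hypothetical; it assumes that the list is ordered from highest to lowest priority and that disabled conditions are ignored.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Condition:                       # hypothetical model of one condition
    name: str
    enabled: bool
    scope_groups: Optional[frozenset]  # None = "Everyone in the organization"
    approval_sequence: str

def effective_condition(conditions, user_groups):
    """Return the highest-priority enabled condition the requester meets."""
    for c in conditions:               # list order = priority order (assumed)
        if c.enabled and (c.scope_groups is None or c.scope_groups & user_groups):
            return c
    return None                        # requester meets no condition

def shadowed(conditions):
    """Pairs (lower, higher): 'lower' can never win because one
    higher-priority enabled condition covers every requester it covers.
    Conservative: coverage by several conditions combined is not detected."""
    active = [c for c in conditions if c.enabled]
    found = []
    for i, low in enumerate(active):
        for high in active[:i]:
            covers = high.scope_groups is None or (
                low.scope_groups is not None
                and low.scope_groups <= high.scope_groups)
            if covers:
                found.append((low.name, high.name))
                break
    return found

# Constructed sample data, highest priority first.
SAMPLE = [
    Condition("contractors", True, frozenset({"Contractors"}), "manager-only"),
    Condition("all-staff", True, None, "manager-only"),
    Condition("finance-strict", True, frozenset({"Finance"}), "manager-and-owner"),
    Condition("draft", False, None, "unset"),
]

if __name__ == "__main__":
    for low, high in shadowed(SAMPLE):
        print(f"{low} is unreachable: {high} has higher priority")
    winner = effective_condition(SAMPLE, {"Finance"})
    print("Finance requester is approved through:", winner.approval_sequence)
```

In the sample, a Finance requester is routed through the all-staff approval sequence, so the stricter finance-strict condition has to be moved above all-staff to take effect.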

To understand the experience for requesters, request assignees, and approvers, see Create requests, Manage requests, and Manage tasks.

Related topics

Manage access request conditions

Configure an approval sequence