Access Requests for admin roles

Early Access release. See Enable self-service features.

Govern Okta admin roles is generally available if you're subscribed to Okta Identity Governance. Otherwise, depending on your org's eligibility, Govern Okta admin roles might not be available. Contact your account executive or customer success manager for more information.

Use Okta Access Requests to streamline the process of requesting access to admin role bundles. It delivers a simplified and frictionless approach that automatically routes user requests to one or more approvers for action.

Access requests allow you to eliminate the following challenges that are common in more traditional workflows:

  • Poor requester experience

  • Risk of human error

  • Decreased IT productivity

  • Complex and rigid workflows

  • Audit and compliance deficiencies

  • Accumulation of privileged access

Personas

Persona            Description
Super admin        A user with a standard super admin role assignment.
Requester          Any user in the org who requests access.
Approver           Any user in the org who is assigned an approval task.
Request assignee   A super admin who is assigned to manage a request's administrative aspects like unassigned tasks or reassigning approvers.

Request setup

As a super admin, you set up access requests in four steps:

  1. Pair an admin role with a resource set to create an admin role bundle.

  2. Configure access request conditions:
    1. Define who can request access, specify the admin role bundles that they can request, and how long the access should be granted for. When the access request expires, the user's access is automatically revoked.

    2. Set up an approval sequence that governs the information a requester or approver needs to provide and define who should approve or deny the access request.

    3. An approval sequence is a series of steps (questions, approval tasks, and custom tasks) that occur in a sequential order where each step must be completed before the next one is initiated. For a requester to get access, all tasks must be completed successfully with all approvers granting approval.

  3. Enable the condition.

  4. Optional. On the Settings page, indicate whether users can request admin access on behalf of other users. You can grant this permission to all users or limit it to managers only. This is applicable for all conditions that manage access requests for admin role bundles.

After you enable a condition, eligible requesters can simply request admin access from their dashboard. They can select from the available admin role bundles, enter the required information, and submit the request. Once they submit a request, the approval sequence is triggered and approvers are assigned and notified that they have a task that needs an action from them. After the approvers complete their tasks, users are granted or denied access automatically based on the approver's decision.

In a situation where a task in the request gets unassigned, the request assignee (super admin) for that request can manage the request from the Okta Access Requests web app.
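The request lifecycle described above can be modeled as a small state machine. This is an added illustration, not Okta code or an Okta API: the names Request, decide, can_cancel, and status are hypothetical, and representing each step as a set of approvers who must all approve is a modeling assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PENDING, APPROVED, DENIED = "pending", "approved", "denied"

@dataclass
class Request:                          # hypothetical model, not an Okta object
    bundle: str
    duration: timedelta                 # how long access is granted for
    steps: list                         # ordered list of {approver: decision}
    granted_at: Optional[datetime] = None

def active_step(req):
    """Index of the first step that is not fully approved, or None."""
    for i, step in enumerate(req.steps):
        if any(d != APPROVED for d in step.values()):
            return i
    return None

def decide(req, approver, decision, now):
    """Record a decision; only approvers on the current step may act."""
    i = active_step(req)
    if i is None or DENIED in req.steps[i].values():
        raise ValueError("request is already closed")
    if req.steps[i].get(approver) != PENDING:
        raise PermissionError(f"{approver} has no open task on step {i + 1}")
    req.steps[i][approver] = decision
    if decision == APPROVED and active_step(req) is None:
        req.granted_at = now            # every task approved: access starts

def can_cancel(req):
    """The requester may cancel only while no approver has acted."""
    return all(d == PENDING for step in req.steps for d in step.values())

def status(req, now):
    if any(DENIED in step.values() for step in req.steps):
        return "denied"
    if req.granted_at is None:
        return "pending"
    return "active" if now < req.granted_at + req.duration else "revoked"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)     # constructed sample data
    req = Request("EXAMPLE_BUNDLE", timedelta(hours=8),
                  [{"manager": PENDING}, {"security": PENDING}])
    decide(req, "manager", APPROVED, t0)
    decide(req, "security", APPROVED, t0)
    print(status(req, t0), status(req, t0 + timedelta(hours=8)))
```

A model like this is useful for writing down the expected outcome of each test request before you enable a condition in a production org.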

Considerations

  • Administrator roles come with a lot of privileges. To limit access to admin roles, it's a good idea to restrict the number of users and groups who can request them.

    • Groups: Limit requesting access to admin roles to groups that have 100 members or fewer.

    • Users: Limit the number of users (potential requesters or approvers) assigned to Okta Access Requests to 100,000.

  • If you're already subscribed to Identity Governance, note that access requests for admin role bundles are more constrained than access requests for other resources, such as apps and groups. Here's how admin role bundle access requests differ:

    • Super admins must use access request conditions and sequences to govern admin role bundle access requests. Request types in the Okta Access Requests console don't support admin role bundle access requests.

    • Admin role bundle access requests are set to private by default and can't be changed.

    • Requests can't be viewed or edited using the Access Requests public API.

    • Requester experience:

      • Questions for the requester and requester's responses can't be updated after the requester has responded.

      • A requester can still cancel their request if approvers or other task assignees haven't taken any action on it.

      • File uploads aren't allowed in admin role bundle access requests.

    • Request assignee experience:

      • Only a request assignee with the super admin role can reassign tasks and questions to a different user.

      • Only super admins can manage admin role bundle access requests. Access request admins can't view or manage admin role bundle access requests unless they are the requester, approver, or task assignee.

      • Request attributes like Team and Request Type aren't visible on the Request details view.

    • Approver experience:

      Approvers and task assignees get notifications for an admin role bundle request in the Access Requests web app, email, Slack, or Microsoft Teams. However, approving admin role bundle access requests can be done only from the Access Requests web app. Approving these requests using email, Slack, or Microsoft Teams isn't supported.

Next step

Create an admin role bundle