Configure Self Service approval workflow

After the Self Service feature is enabled, configuring the approval workflow gives business application owners the ability to grant access and assign entitlements to end users. This action shifts the work of handling end user app requests from your IT group to business application owners.

About admin roles for this task

The administrator running this task must have at least one of the following roles:

  • Super admin for the Okta org
  • App admin for the Okta org

Read-only admins can see the approval workflow for individual app integrations, but can't make any changes.

Before you begin

The Super Admin must enable the Self Service feature globally. See Enable Self Service request feature.

The admin must sign in to the Okta Admin Console.

Start this task

To configure an app integration so that end users can add it using the Self Service feature:

  1. In the Admin Console, go to Applications > Applications. Find the app integration in your list of configured app integrations. Alternatively, you can use the Search bar to find the app integration if you have numerous configured app integrations.
  2. Click the app integration from your results to open the settings page.
  3. Click the Assignments tab.
  4. Click Edit in the SELF SERVICE section that appears on the right side. The panel also shows the current Self Service status for the app integration.

    Note

    If you haven't enabled the Self Service feature globally on your org, when you click Edit, Okta displays a message that Self Service can't be configured for this app integration. Click Go to self service settings to enable the feature.

  5. Choose whether end users can request this app integration for their End-User Dashboard.

    The screenshot shows the choices for allowing users to request an app integration.

  6. If you choose to allow end users to request the app, you also need to configure the following:

    • Note for requester: Use this field to describe the app integration or give instructions to the end user making the request. The maximum length is 500 characters.
    • Approval: Either Not Required or Required.

    The screenshot shows the options for the approval requirement.

    Note

    If you decide to change an app integration's approval status from Required to Not Required, any outstanding approval requests are deleted. For admins, a Deleted message appears in the Okta System Logs. Okta doesn't notify end users of the request deletion.

  7. If you decide to require an approval workflow, then configure the following options:

    • Send app requests to: Specify the users or groups that should receive the approval requests.

      To specify an individual user, enter their name in the selection field. A list of matches appears from which you can select the correct user.

      To specify a group, change the drop-down list to Groups and enter the group name. Groups designated as approvers can't contain more than 100 members.

      You can specify multiple individuals or groups to create an approval chain. An approval chain can't exceed ten levels, and you can't enter the same individual or group more than once.

      The Entitlements drop-down list specifies what rights the approver has to view or modify attributes in the requester's account. There are three choices:

      • Hidden: The approver can't view the account attributes.
      • Read: The approver can view but can't modify the account attributes.
      • Write: The approver can edit the account attributes.

      The screenshot shows the approver options for the access request workflow.

      Tip

      A best practice is to set up the approval chain to satisfy any provisioning requirements for the app integration.

      • If the app integration supports provisioning and has required attributes that need to be specified when assigned, then at least one of the approvers needs to edit and set these user attributes.
      • If the app integration doesn't support automated provisioning, the final approval step can also serve as the provisioning step. Select an admin who can provision the user account in the external application account as the final approver. This admin can then provision the user account and approve the request, giving the end user immediate single sign-on access through the app integration.

      Note

      To change the order of the approvers, click the dotted handle to the left of the step number and drag that line to the desired spot in the order.

    • If request is approved: Specify any additional notifications for Okta to send when the request is approved. The requester is automatically notified in their dashboard when Okta adds the app integration to their dashboard. If you choose Send email to others..., you can enter any valid email address.
    • If request is denied: Specify any additional notifications for Okta to send when the request is denied. The requester doesn't automatically receive a notification if their request is denied. If you choose Send email to others..., you can enter any valid email address.

      The screenshot shows the notification options for approved and denied requests.

    • Approver must respond within: Specify the window of time that each approver has available to respond to the request. You can specify one week, 30 days, or a custom length.
      • When an approval request runs out of time, Okta cancels the request and doesn't grant the end user access to the requested app. Okta logs requests that run out of time differently than requests that get explicitly denied.
      • The configurable time window applies to each step in the approval chain. For example, if you specify one week as the approval time and there are multiple approvers, each approver is given a week to respond. If there are three approvers, then the entire chain could take three weeks to approve.
      • If request expires: Specify any additional notifications for Okta to send after the time window closes. If you choose Send email to others..., you can enter any valid email address.
      • Admins can use request windows to set up a service-level agreement (SLA) for requests, and expiration notifications can handle situations in which an approver is unavailable. Okta recommends that you notify your support organization about the request windows and approval chain for the app integration so that they can follow up with the requester and manually approve the request if needed.

      The screenshot shows the approval time window options for requests.
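
Added example (not Okta code): a pre-change review of a planned approval workflow against the limits described in steps 6 and 7, including the worst-case approval time for the whole chain. The dictionary layout, field names, and sample values are assumptions made for illustration and don't correspond to an Okta API.

```python
# Added example: this dict layout is hypothetical, not an Okta API schema.
ENTITLEMENTS = {"Hidden", "Read", "Write"}
MAX_NOTE_CHARS = 500      # "Note for requester" limit
MAX_CHAIN_LEVELS = 10     # approval chain limit
MAX_GROUP_MEMBERS = 100   # approver group size limit


def review_workflow(plan):
    """Return (findings, worst_case_days) for a planned approval workflow."""
    findings = []
    if len(plan.get("note_for_requester", "")) > MAX_NOTE_CHARS:
        findings.append("note for requester exceeds 500 characters")
    if plan["approval"] == "Not Required":
        return findings, 0
    chain = plan["chain"]
    if len(chain) > MAX_CHAIN_LEVELS:
        findings.append(f"chain has {len(chain)} levels; the limit is 10")
    seen = set()
    for level, step in enumerate(chain, start=1):
        key = (step["type"], step["name"])
        if key in seen:
            findings.append(f"level {level}: {step['name']} appears more than once")
        seen.add(key)
        if step["type"] == "group" and step.get("members", 0) > MAX_GROUP_MEMBERS:
            findings.append(f"level {level}: group {step['name']} exceeds 100 members")
        if step["entitlements"] not in ENTITLEMENTS:
            findings.append(f"level {level}: unknown entitlement {step['entitlements']!r}")
    if plan.get("has_required_attributes") and not any(
            s["entitlements"] == "Write" for s in chain):
        findings.append("required attributes but no approver has Write")
    # The response window applies per step: worst case is window * levels.
    return findings, plan["respond_within_days"] * len(chain)


# Constructed sample plan; all names are made up for illustration.
SAMPLE_PLAN = {
    "note_for_requester": "State your team and business reason.",
    "approval": "Required",
    "respond_within_days": 7,
    "has_required_attributes": True,
    "chain": [
        {"type": "user", "name": "Dana Lee", "entitlements": "Read"},
        {"type": "group", "name": "App Owners", "members": 140, "entitlements": "Read"},
        {"type": "user", "name": "Dana Lee", "entitlements": "Hidden"},
    ],
}

if __name__ == "__main__":
    issues, days = review_workflow(SAMPLE_PLAN)
    print(f"worst case {days} days;", *issues, sep="\n- ")
```

For the sample plan, the review reports an oversized approver group, a repeated approver, and a chain in which nobody can set the required attributes, with a worst-case approval time of 21 days.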

Next steps

Add app integrations as an end user

Handle app integration requests