Create an access request condition

Early Access release. See Enable self-service features.

This page explains the process of creating an Access Requests condition. Access Requests conditions help you streamline the process of requesting access to an admin role bundle.

Before you begin

  • Ensure that you’re signed in to the Admin Console as a super admin.
  • Ensure that you have the admin role bundles you need. See Create an admin role bundle.
  • Read Considerations.
  • To use a requester's manager as approver, ensure that the managerId user attribute in Okta is set to the Okta username or email address of the user's manager. Otherwise, the request's assignee has to manually specify an approver for the request.
  • To use a group or group owner as an approver in requests, take the following considerations into account:
    • If the owner of a group in Okta is another Okta group, this group must be pushed to Access Requests for it to be used as an approver.
    • If you want to assign group owners as approvers for an approval sequence, ensure that you have group owners configured in Okta. See Group ownership.
    • If there are multiple groups or group owners, only one member of the group needs to review and take action on the request. If a group member approves or revokes access for a request, the request is marked as completed for all owners.
    • If you assign more than 10 groups or group owners within a group as approvers, then requests are randomly assigned to those 10 groups or group owners for approval.

Start this task

  1. In the Admin Console, go to Security > Administrators > Governance.

  2. Click Access request.
  3. Click + Create condition.
  4. In the Requester scope section, select groups to define which users can request access to the admin role.
  5. In the Access level section, select an admin role bundle that users can request.
  6. In the Access duration section, enter when the user’s access should expire after their access request is approved.
  7. In the Approval sequences section, click Select sequence.
  8. On the Approval sequence page, you can do either of the following steps:
    • Create a sequence
    • Select an existing sequence

    To create a sequence, complete the following steps:

    1. Click + Create sequence.
    2. Click Edit on the title bar and enter a name and description for the sequence. Ideally, enter a name that’s self-explanatory and reusable because an approval sequence can be associated with multiple access request conditions.
    3. To create questions for the requester to answer, complete the following steps:
      1. Click any node after the Trigger card to add a step.
      2. Select Questions for Requester.
      3. Follow the prompts and enter information as required.
      4. Optional. Click Add question to add more questions.

      Questions for the requester always appear after the Trigger card even if you create them after a different card.

    4. To assign the request to an approver, select the Approval card and pick an approver from the Assign to dropdown menu.

      You must define two approvers for each access request condition that governs admin roles.

    5. Optional. To add another step in the sequence, click the node after a card and select a step type, such as Approval, Question, or Custom task.
    6. Click Save, and then go back to the Access Request condition page.

    To select an existing sequence, complete the following steps:

    1. Click a sequence to select it.
    2. Optional. Click Refresh to get the most recent changes made to an approval sequence.
    3. Click Select sequence.

      You can edit an approval sequence but can’t delete it.

  9. Click Create. The access request condition that you create is in an inactive state by default.
  10. Optional. Use the drag-and-drop handle for a condition to move it and define its priority over other conditions. Okta only considers the priority order for the condition after you enable the condition.
  11. Optional. Enable the condition to use it.

Check that items you've referenced in a condition, such as groups and bundles, are active or available. If any of these items are deactivated or deleted, the condition becomes invalid when you enable or disable it or when a requester submits a request.

If a requester meets the criteria for more than one condition, the condition with the highest priority determines which approval sequence is used to approve the request. If their group memberships change and they no longer meet the conditions, they can't request admin role bundles that are governed by those conditions. Their existing admin role assignments aren’t affected.
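The checks and the priority rule described above can be modelled offline before you enable a set of conditions. The following Python sketch is an added example, not Okta code and not an Okta API: the Condition fields, the "group:" approver notation, the numeric priority (1 = top of the list), and all users, groups, and bundles are constructed for illustration. Only the managerId attribute name comes from this page.

```python
from dataclasses import dataclass

@dataclass
class Condition:
    name: str
    priority: int          # assumption: 1 = top of the list = highest priority
    enabled: bool
    requester_groups: set  # Requester scope
    bundle: str            # Access level (admin role bundle)
    approvers: list        # "manager" or "group:<name>" (notation made up here)

# Constructed inventory; none of these names come from a real org.
ACTIVE_GROUPS = {"helpdesk", "sre", "sec-leads"}
ACTIVE_BUNDLES = {"helpdesk-admin", "app-admin"}
USERS = {
    "ana@example.com": {"groups": {"helpdesk", "sre"}, "managerId": "lee@example.com"},
    "lee@example.com": {"groups": {"sec-leads"}, "managerId": ""},
    "sam@example.com": {"groups": {"sre"}, "managerId": "gone@example.com"},
}
CONDITIONS = [
    Condition("helpdesk-basic", 2, True, {"helpdesk"}, "helpdesk-admin",
              ["manager", "group:sec-leads"]),
    Condition("sre-apps", 1, True, {"sre"}, "app-admin", ["manager"]),
    Condition("legacy", 3, False, {"sre"}, "old-admin", ["group:retired", "manager"]),
]

def lint(cond):
    """Problems to fix before enabling the condition."""
    problems = []
    approver_groups = {a.split(":", 1)[1] for a in cond.approvers if a.startswith("group:")}
    stale = (cond.requester_groups | approver_groups) - ACTIVE_GROUPS
    if stale:
        problems.append(f"inactive or deleted groups: {sorted(stale)}")
    if cond.bundle not in ACTIVE_BUNDLES:
        problems.append(f"inactive or deleted bundle: {cond.bundle}")
    if len(cond.approvers) < 2:
        problems.append("fewer than two approvers")
    return problems

def governing_condition(login, conditions=CONDITIONS):
    """Enabled condition with the highest priority whose scope includes the user."""
    groups = USERS[login]["groups"]
    matches = [c for c in conditions if c.enabled and c.requester_groups & groups]
    return min(matches, key=lambda c: c.priority, default=None)

def needs_manual_approver(login, cond):
    """True when 'manager' is an approver but managerId matches no known user."""
    return "manager" in cond.approvers and USERS[login]["managerId"] not in USERS

if __name__ == "__main__":
    for c in CONDITIONS:
        print(c.name, lint(c) or "ok")
    print(governing_condition("ana@example.com").name)
```

A requester who belongs to both scoped groups is governed by the higher-priority condition, so a lint finding on that condition (here, a single approver) affects every user it captures.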

Okta automatically assigns the Okta Access Requests app to requesters defined in the condition when you enable it. However, you must assign the Okta Access Requests app to approvers for them to approve or deny a request. See Assign a single app to groups or Assign applications to users.

To understand the experience for requesters and approvers, see Request admin role assignment, Manage requests, and Manage tasks.

Related topics

Manage access request conditions

Create a campaign