Configure Self Service approval workflow

After the Self Service feature is enabled, configure the approval workflow to give business application owners the ability to grant user access and assign entitlements. This action shifts the work of handling user app requests from your IT group to business application owners.

This workflow can't be used with apps that have required personal attributes.

About admin roles for this task

You must have at least one of the following roles:

  • Super admin
  • App admin

Read-only admins can see the approval workflow for individual app integrations but can't make any changes.

Before you begin

The super admin must enable the Self Service feature globally. See Enable Self Service request feature.

Start this task

To configure an app integration so that users can add it with the Self Service feature:

  1. In the Admin Console, go to Applications > Applications. Use the Search bar or scroll to find the app integration you want to configure.
  2. Click the app integration from your results.
  3. Click the Assignments tab.
  4. In the SELF SERVICE section, click Edit. The panel also shows the current Self Service status for the app integration.

    If you haven't enabled the Self Service feature globally on your org, when you click Edit, Okta displays a message that Self Service can't be configured for this app integration. Click Go to self service settings to enable the feature.

  5. In the Requests section, select Yes to allow users to request this app integration for their End-User Dashboard.

  6. Optional. Enter a note for the requester that describes the integration or give instructions to the user making the request. The maximum length is 500 characters.

  7. In the Approval section, select Required.

    If you decide to change an app integration's approval status from Required to Not Required, any outstanding approval requests are deleted. For admins, a Deleted message appears in the Okta System Logs. Okta doesn't notify end users of the request deletion.

  8. For Send app requests to, specify a user or group to approve app requests.

    1. Select Users or Groups from the dropdown list.

    2. Enter the user or group name in the field. Select the matching user or group from the list.

      Groups designated as approvers can't contain more than 100 members.

    3. Select the approver rights from the Entitlements dropdown list.

      • Hidden: The approver can't view the account attributes.
      • Read: The approver can view but can't modify the account attributes.
      • Write: The approver can edit the account attributes.
    4. Optional. Create an approval chain by adding more users or groups. To change the order of the approvers, click the dotted handle to the left of the step number and drag that line to the desired position. An approval chain can't exceed ten levels, and you can't enter the same user or group more than once.

      A best practice is to set up the approval chain to satisfy any provisioning requirements for the app integration.

      If the app integration supports provisioning and has required attributes that need to be specified when assigned, then at least one of the approvers needs to edit and set these user attributes.

      If the app integration doesn't support automated provisioning, the final approval step can also serve as the provisioning step. Select an admin who can provision the user account in the external application account as the final approver. This admin can then provision the user account and approve the request, giving the end user immediate single sign-on access through the app integration.

  9. For If request is approved, specify which email notifications Okta sends when the request is approved. The requester is automatically notified in their dashboard when Okta adds the app integration to their dashboard.

    Select any combination of the following options:

    • Send email to requester: Select this option to send an approval notification to the requester.

    • Send email to approvers: Select this option to send an approval notification to the approvers.

    • Send email to others..: Select this option to send an approval notification to the email addresses you provide.

  10. For If request is denied, specify which email notifications Okta sends when the request is denied. The requester doesn't receive a notification in their dashboard if their request is denied.

    Select any combination of the following options:

    • Send email to requester: Select this option to send an approval notification to the requester.

    • Send email to approvers: Select this option to send an approval notification to the approvers.

    • Send email to others..: Select this option to send an approval notification to the email addresses you provide.

  11. For Approver must respond within, select the window of time that each approver has available to respond to the request. Select one of the following values from the dropdown list:

    • 1 Week: Each approver has 1 week to respond to an approval request.

    • 30 Days: Each approver has 30 days to respond to an approval request.

    • Custom time period: Specify the length of time in days or weeks that each approver has to respond to an approval request.

    The configurable time window applies to each step in the approval chain. For example, if you specify one week as the approval time and there are multiple approvers, each approver is given a week to respond. If there are three approvers, then the entire chain could take three weeks to approve.

    When an approval request runs out of time, Okta cancels the request and doesn't grant the end user access to the requested app. Okta logs requests that run out of time differently than requests that get explicitly denied.

  12. For If request expires, specify which email notifications Okta sends when the request expires. Select any combination of the following options:

    • Send email to requester: Select this option to send a request expiration notification to the requester.

    • Send email to approvers: Select this option to send a request expiration notification to the approvers.

    • Send email to others..: Select this option to send a request expiration to the email addresses you provide.

    Admins can use request windows to set up a service-level agreement (SLA) for requests, and expiration notifications can handle situations in which an approver is unavailable. Okta recommends that you notify your support organization about the request windows and approval chain for the app integration so that they can follow up with the requester and manually approve the request if needed.

  13. Click Save.

Next steps

Add app integrations as an end user

Handle app integration requests