Configure Access Requests

Getting started with Okta Access Requests is a straightforward process involving several steps.

Configure provisioning

The first step is to provision accounts for Okta users within Access Requests. This process is similar for most Okta applications. Generally, admins select either specific users or groups of users who can then sign in to Access Requests with their existing Okta credentials. By default, Access Requests provisions accounts for all Okta Super admins and Access Requests admins, but any other users or groups must be explicitly authorized.

  1. Access the Okta Admin Console.
  2. Go to Applications > Applications and click the Request Access app.
  3. Go to the Assignments tab, and click Assign.
  4. From the assignment window, identify users or groups.
  5. Click Assign.
  6. Click Done.

The system provisions accounts for the requested users.

Sync resources from Okta

Access Requests automatically groups logical representations of data as configuration items. Configuration items can include resources from within Access Requests or applications and groups synced from Okta. Request Types can reference configuration items to automate access to resources. For example, users might only be able to request access to applications available to their specific Okta groups.

The system syncs resources from Okta daily, but you can force Access Requests to sync immediately from the Access Requests Console.

This process is only available after Access Requests completes the initial sync with Okta.

It can take up to an hour for the initial sync to complete.

  1. From the Access Requests Console, go to Settings > Configuration.
  2. Identify a resource.
  3. Click the ellipsis, and select Sync Now.

Push Okta groups to Access Requests

This process allows you to use your existing Okta groups and better model your organizational structure and business process within Access Requests. For example, an Access Requests team might want to assign specific approvals or tasks to members of an Okta group for review.

Users must already be provisioned to Access Requests before they can be pushed as part of an Okta group.

  1. Access the Okta Admin Console.
  2. Go to Applications > Applications and click the Okta Access Requests app.
  3. Go to the Push Groups tab, and click Push Groups.
  4. From the menu, select a search method.

    Method: Find groups by name
    Action: Allows you to select and sync a specific Okta group.

    1. From the search window, enter the name of an existing group.
      Note: Matching groups are displayed as you type.
    2. Select the matching group.
    3. Optional. Select Push group memberships immediately.
    4. Optional. Select a push action.
      Note: Use the Link Group action only if you’re pushing a group that was previously unlinked from Access Requests.
    5. Click Save.

    Okta syncs the group with Access Requests.

    Method: Find groups by rule
    Action: Allows you to create rules that sync one or more Okta groups.

    1. From the rule window, enter a name for the rule.
    2. Enter text to match to existing groups.
    3. Optional. Select Immediately push groups found by this rule.
    4. Click Save.

    Okta syncs any groups that match the criteria with Access Requests.

Configure sign-on policies

The next step is to configure a sign-on policy for Access Requests. This is an optional process but allows organizations to control access to Access Requests. Creating rules is straightforward and should be familiar to most Okta admins. You can define various If/Then style rules from drop-down menus or by using the Okta Expression Language. For details, see Okta Expression Language in Okta Identity Engine.

Create additional Access Requests admins

By default, any user with Okta Super Administrator permissions is also an Access Requests admin. When a Super Administrator is first assigned to Access Requests, their account is automatically assigned admin permissions within Access Requests.

Changes to Okta Super Administrator accounts aren’t automatically synced for users already assigned to Access Requests. You must manually reassign the application to the user after adding or removing the Super Administrator permissions within your Okta organization.

Changes to Okta Super Administrator accounts aren’t automatically synchronized for users already assigned to Access Requests. After adding or removing Super Administrator permissions, the account must sign out and sign in again before the role change syncs with Access Requests.

  1. From the Okta Admin Console, add the Super Administrator permission to a user.
    For more information, see Assign administrator permissions.
  2. Unassign the user from Access Requests.
  3. Reassign the user to Access Requests.
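
Because admin status in Access Requests is set when the app is assigned and is not updated when the Super Administrator role later changes, a periodic check for drift is useful. The following is an added example, not Okta's own code: it replays role grant/revoke events against each user's last assignment time and flags accounts that need the unassign/reassign step. The data, field names, and function names are constructed for illustration, and it assumes the reassignment model described above.

```python
from datetime import datetime

# Constructed sample data; field names are hypothetical, not an Okta export format.
# Super Administrator grant/revoke events in the Okta org.
ROLE_EVENTS = [
    {"login": "alice@example.com", "action": "grant",  "at": "2023-06-01T00:00:00"},
    {"login": "alice@example.com", "action": "revoke", "at": "2024-03-01T00:00:00"},
    {"login": "bob@example.com",   "action": "grant",  "at": "2024-02-15T00:00:00"},
    {"login": "carol@example.com", "action": "grant",  "at": "2023-06-01T00:00:00"},
    {"login": "dave@example.com",  "action": "grant",  "at": "2023-06-01T00:00:00"},
    {"login": "dave@example.com",  "action": "revoke", "at": "2024-03-01T00:00:00"},
]
# Most recent assignment of each user to the Access Requests app.
ASSIGNMENTS = {
    "alice@example.com": "2024-01-10T09:00:00",
    "bob@example.com":   "2024-01-10T09:00:00",
    "carol@example.com": "2024-01-10T09:00:00",
    "dave@example.com":  "2024-03-02T09:00:00",  # reassigned after the revoke
}
NOW = datetime(2024, 4, 1)

def held_super_admin(events, login, when):
    """Replay grant/revoke events to get the role state at time `when`."""
    held = False
    for e in sorted(events, key=lambda e: e["at"]):
        if e["login"] == login and datetime.fromisoformat(e["at"]) <= when:
            held = e["action"] == "grant"
    return held

def find_admin_drift(assignments, events, now):
    """Flag users whose role changed after their last assignment."""
    findings = []
    for login, assigned_at in sorted(assignments.items()):
        at_assignment = held_super_admin(events, login, datetime.fromisoformat(assigned_at))
        current = held_super_admin(events, login, now)
        if at_assignment and not current:
            findings.append((login, "stale_admin"))    # still admin in Access Requests
        elif current and not at_assignment:
            findings.append((login, "missing_admin"))  # not yet admin in Access Requests
    return findings

if __name__ == "__main__":
    for login, status in find_admin_drift(ASSIGNMENTS, ROLE_EVENTS, NOW):
        print(f"{status}: unassign and reassign {login}")
```

A `stale_admin` finding is the higher-risk case: the user lost Super Administrator in Okta but keeps admin permissions in Access Requests until reassigned.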

Next Steps

Create an Access Requests team