Get started with Access Requests
Before you begin, determine the method you want to use to configure and manage access requests:
The setup, maintenance tasks, and limits vary for each method.
Ensure that you've allowlisted the standard Okta IPs for your orgs before accessing Access Requests. See Allow access to Okta IP addresses.
Conditions
To manage access requests to resources from the Admin Console using conditions, you must be a super admin or have either of the following admin roles and permissions combinations:
- 
                                                            Both access requests admin and app admin roles 
- 
                                                            A combination of the access request admin role with View apps and Manage apps permissions 
To manage access requests for admin roles, see Access Requests for admin roles and Get started instead.
Initial setup tasks
Follow this sequence of tasks to configure conditions for an app:
| Admin task | Description | 
|---|---|
| Access request conditions | Introduction to access request conditions. | 
| Required app assignments | All users in the org are implicitly assigned to the Okta Identity Governance app. All users are automatically assigned to the Okta Access Requests app when they use Access Requests for the first time. The app is also automatically assigned to admins when they're assigned the admin role that provides them access to Access Requests. Check that the admins were assigned the Okta Access Requests app. If the app wasn't assigned automatically or the user was unassigned, you must assign the app to the user to avoid errors. | 
| Optional. Set up a new app sign-in policy. | These steps are optional. For a better user experience, modify the app sign-in policy for the  Okta Identity Governance app. Ensure that all rules match those of the Okta Dashboard app. See Clone an app sign-in policy | 
| Access Requests integrations | Integrate Slack or Microsoft Teams with Access Requests to perform additional actions. | 
| Configure settings | Configure settings that apply to all access requests associated with the resource, such as Request on behalf of and conflicts among Separation of duties rules. | 
| Create an access request condition | Define which users can request access to specific apps, how long should they have access for, and who should approve their access request. The conditions you create are in an inactive state by default and must be enabled for them to take effect. | 
| Enable a condition | Enable your new access request condition so that it's active. | 
Maintenance tasks
Complete these tasks after your initial setup, as needed:
| Admin task | Description | 
|---|---|
| Manage conditions | Enable, disable, view, edit, delete, or change the priority order of a condition. | 
| Assign delegate from the Admin Console | Super admins can assign another user as a delegate to complete governance tasks for them. Governance tasks include access request approvals, questions, and tasks as well as access certification campaign review items. Also, see Governance tasks for delegates. | 
| Manage approval sequences | Modify an existing approval sequence to add or remove tasks and questions. Changes to a sequence impact all access request conditions that use the sequence. | 
Request types
To manage access requests to resources from the Admin Console using request types, you must be a super admin or access requests admin.
Initial setup tasks
Follow this sequence of configuration tasks to start using Access Requests:
| Admin task | Description | 
|---|---|
| Request types | Introduction to request types and its components. Use Access request conditions first if you're new to Access Requests or want to manage access to admin roles. If an access request is managed by request types, you can't use it to assign groups that grant Okta admin roles. Okta invalidates request types that assign these groups when you create or edit the request type. Users get an error if they request a group that grants Okta admin role. See Govern Okta admin roles or Access Requests for admin roles. | 
| Configure your Okta org for request types | Configure settings and items in Okta that you'll need to use in request types. | 
| Create an Access Requests team | Create teams to determine who can configure new requests and manage existing ones. | 
| Create a configuration list | Create configuration lists to allow teams to automate end user's access to resources. Configuration lists also control the specific options available to the end users as a request gets processed. | 
| Access Requests integrations | Integrate Jira, ServiceNow, Slack, or Microsoft Teams with Access Requests to perform additional actions, or use synced information. | 
| Create a request type | Create a request type, which is a customizable no-code structure that defines and automates how a user is granted access through a request. | 
| Manage requests | Understand the steps admins or assignees need to do to manage a request after it's submitted. They must always be members of the Access Requests team that owns the request type for the request that's being used. | 
Maintenance tasks
Complete these tasks after your initial setup, as needed:
| Admin task | Description | 
|---|---|
| Assign delegate from the Admin Console | Super admins can assign another user as a delegate to complete governance tasks for them. Governance tasks include access request approvals, questions, and tasks as well as access certification campaign review items. Also, see Governance tasks for delegates. | 
| Generate the Past Access Requests report or Past Access Requests (Conditions) report | View who has requested access to resources and related data points, including whether access was granted and by whom. | 
End-user experience
Understand user tasks from an admin perspective:
| User task | Description | 
|---|---|
| Create requests | Understand how your requesters can submit requests using methods like Access Requests web app, Slack, and Microsoft Teams. Requesters can request access to an app directly from their dashboard if you've set up conditions for the app. | 
| Manage delegates | Understand how reviewers can assign a delegate or review a delegate that you, an admin, assigned for them. | 
| Manage requests | Understand the steps that request assignees need to do to manage a request that's managed by condition or request type. | 
| Manage tasks | Understand how request approvers approve or deny a request from the Access Requests web app. The request can be managed by condition or request type. | 
Limits
There are several limits applicable to your orgs, conditions, request types, and requests. Refer to the following tables.
Organizations
By default, all orgs can have a maximum of 100,000 users actively engaging with access requests. Contact your Account Executive or Customer Success Manager for questions about specific user limits for your org.
Conditions
| Limit | Maximum | 
|---|---|
| Number of approval sequences for an org | 250 | 
| Conditions for each app | 100 | 
| Groups used to define the requester scope in a condition | 100 | 
| Unique groups used to define the requester scope for all conditions in an org | 100 | 
| Entitlement bundles in access level for a condition | 100 | 
| Unique groups in access level for a condition | 100 | 
| Number of users allowed in a group that's referenced in a condition (if the condition is for managing admin role bundles) | 200 | 
| Steps in an approval sequence | 10 | 
| Questions within a question step | 5 | 
Request types
| Limit | Maximum | 
|---|---|
| Active request types in each organization | 500 | 
| Tasks in each request type | 100 | 
| Fields in each request type | 100 | 
| Number of characters in the JSON representation of each request type | 100,000 | 
| Applications used | 5,000 | 
| Groups used | 15,000 | 
| Number of users in a pushed group | 25,000 | 
| Configuration lists | 100 | 
| Items for a configuration list | 1,000 | 
Requests
| Limit | Maximum | 
|---|---|
| Open or Pending requests for an organization | 10,000 | 
| Resolved requests for an organization (This only counts requests that are accessible within the application.) | 50,000 | 
| Tasks in a request | 100 | 
| Fields in a request | 100 | 
| Followers in a request | 100 | 
| Updates in a request | 500 | 
| Request list filter values | 25 | 
