Create an access request condition

Early Access release. See Enable self-service features.

Access Requests conditions help you streamline the process of requesting access to an admin role bundle.

Before you begin

  • Sign in to the Admin Console as a super admin or as a user with both access requests admin and app admin roles.

  • Enable the Access request conditions and Resource catalog feature.

  • To define access level using entitlement bundles, enable Governance Engine for the app and create entitlements and bundles.

  • To streamline access requests for admin roles, see Govern Okta admin roles and Access Requests for admin roles instead.

  • Configure any group owners that you plan to use as approvers. If the group owner is another group, push that group to Access Requests.

  • If you plan to use a requester's manager as an approver, set the managerId user attribute as their Okta username or email address.

Start this task

  1. In the Admin Console, go to Security > Administrators > Governance.

  2. Click Access request.
  3. Click + Create condition.
  4. In the Requester scope section, select groups to define which users can request access to the admin role.
  5. In the Access level section, select an admin role bundle that users can request.
  6. In the Access duration section, enter when the user’s access should expire after their access request is approved.
  7. In the Approval sequences section, click Select sequence.
  8. To select an existing sequence, choose the one that you want and click Refresh to get its latest changes. Click Select sequence.
  9. To create a sequence, click + Create sequence.
    1. Click Edit on the title bar and enter a name and description for the sequence.
    2. To create questions for the requester to answer, click any node after the Trigger card and then select Questions for Requester. Follow the prompts and enter information as required.
    3. To assign a step to an approver, click any node after the Trigger card and then select the Approval card. Pick an approver from the Assign to dropdown menu. You must define two approvers for each access request condition that governs admin roles.
    4. To add another step in the sequence, click the node after a card and select a step type, such as Approval, Question, or Custom task.
    5. Click Save, and then go back to the Access Request condition page.
  10. Click Create. The access request condition that you create is in an inactive state by default.
  11. Optional. Use the drag-and-drop handle for a condition to move it and define its priority over other conditions. Okta only considers the priority order for the condition after you enable the condition.
  12. Optional. Enable the condition to use it.

Check that items you've referenced in a condition, such as groups and bundles, are active or available. If any of these items are deactivated or deleted, the condition becomes invalid when you enable it or when a requester submits a request.

If a requester meets the criteria for more than one condition, the condition with the highest priority determines which approval sequence is used to approve the request. If their group memberships change and they no longer meet the conditions, they can't request admin role bundles that are governed by those conditions. Their existing admin role assignments aren’t affected.
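The validity and priority rules above can be checked offline before you enable a condition. The following is an added example, not Okta code or an Okta API: the Condition fields, the sample data, and the assumptions that conditions are listed highest priority first and that a requester matches a condition by belonging to any group in its requester scope are all hypothetical.

```python
# Hypothetical offline model of access request conditions; the field names
# and data are constructed for illustration and are not an Okta API or export.
from dataclasses import dataclass

@dataclass
class Condition:
    name: str
    requester_groups: set    # Requester scope
    bundle: str              # Access level (admin role bundle)
    approvers: list          # one entry per Approval step in the sequence
    enabled: bool = False    # a new condition is inactive by default

def lint(cond, active_groups, active_bundles):
    """Return the reasons a condition would be invalid or incomplete."""
    problems = []
    missing = cond.requester_groups - active_groups
    if missing:
        problems.append(f"inactive or deleted groups: {sorted(missing)}")
    if cond.bundle not in active_bundles:
        problems.append(f"inactive or deleted bundle: {cond.bundle}")
    if len(cond.approvers) < 2:
        problems.append("fewer than two approvers defined")
    return problems

def select_condition(conditions, user_groups, bundle):
    """Return the highest-priority enabled condition that matches, or None."""
    for cond in conditions:  # assumed order: highest priority first
        if cond.enabled and cond.bundle == bundle and cond.requester_groups & user_groups:
            return cond
    return None  # no condition matches: the user can't request this bundle

# Constructed sample data.
ACTIVE_GROUPS = {"helpdesk", "it-ops"}
ACTIVE_BUNDLES = {"helpdesk-admin"}
CONDITIONS = [
    Condition("draft", {"helpdesk"}, "helpdesk-admin", ["manager"]),
    Condition("ops", {"it-ops", "contractors"}, "helpdesk-admin",
              ["manager", "group-owner"], enabled=True),
    Condition("default", {"helpdesk", "it-ops"}, "helpdesk-admin",
              ["manager", "security-team"], enabled=True),
]

if __name__ == "__main__":
    for c in CONDITIONS:
        print(c.name, lint(c, ACTIVE_GROUPS, ACTIVE_BUNDLES) or "ok")
    chosen = select_condition(CONDITIONS, {"helpdesk", "it-ops"}, "helpdesk-admin")
    print("applies:", chosen.name if chosen else None)
```

In the sample data, a requester in both groups is governed by "ops" rather than "default" because it is listed first, even though "ops" references a group that is no longer active, which is the kind of condition to repair before it reaches requesters.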

To understand the experience for requesters and approvers, see Request admin role assignment, Manage requests, and Manage tasks.

Related topics

Manage access request conditions

Create a campaign