🔐 Access Request Management

User Permission and Access Management in IGA

Self-Service · Approval Workflows · SoD Enforcement · Automated Provisioning

Overview

Access Request Management in IGA is the process by which users or administrators request, approve, provision, and manage permissions to resources, applications, roles, and data. It serves as the exception-handling mechanism for access needs beyond automated lifecycle provisioning, providing governed, auditable pathways for users to obtain the access they need to perform their jobs.

Unlike automated joiner/mover/leaver processes that provision birthright and role-based access, access request management handles on-demand, exceptional, temporary, and elevated access scenarios through structured workflows with appropriate approvals and oversight.

Core Components of Access Request Management

Nine essential components working together to manage user access

🛒 Self-Service Access Request Portal

The primary interface where users interact with the IGA system to request access.

  • Shopping cart experience for requesting multiple items
  • Search and browse comprehensive access catalog
  • Role and entitlement descriptions in business language
  • Visual indicators for approval requirements
  • Request status tracking and notifications
  • Pre-populated business justification templates
  • Cost center association for chargeback

Request-Based Assignment Types

Standard Access Requests

User-initiated requests through the self-service portal, with a single approval workflow and a standard provisioning timeline.

Examples: CRM access, reporting tools, shared drives

High-Risk Access Requests

Elevated privileges requiring multi-level approval workflow with enhanced business justification.

Examples: Admin rights, financial systems, PHI/PII access

Temporary Access Requests

Time-bound access with automatic expiration, used for projects or temporary assignments.

Examples: 90-day project access, contractor access, vacation coverage

Emergency/Break-Glass Access

Urgent access for business-critical situations with expedited approval or post-access review.

Examples: Production emergencies, patient care emergencies, financial close

Request on Behalf Of

Managers or authorized individuals requesting access for others with adjusted approval chains.

Examples: Manager for direct reports, executive assistants, help desk

Approval Workflows

Approval workflows define the routing, approval authorities, and business rules for access requests.

1️⃣ Single-Level Approval

  • Manager approval only
  • Used for low-risk, standard access
  • Quick turnaround (hours)

🔢 Multi-Level Approval

  • Sequential approvals from multiple parties
  • Manager → App Owner → Security → Data Owner
  • Each approver sees previous justifications
  • Used for high-risk or sensitive access

Parallel Approval

  • Multiple approvers notified simultaneously
  • Any one can approve (OR) or all must (AND)
  • Faster processing for multiple perspectives

🎯 Risk-Based Routing

  • Approval chain determined by risk score
  • Low risk: Manager only
  • High risk: Manager + Owner + Security + Compliance
  • Risk factors: data sensitivity, privilege level

Example Multi-Level Approval Flow:

  User requests access to Financial Reporting System
  IGA: Risk assessment → High Risk (Financial data)
  Workflow: Sequential multi-level approval
    1. Manager approval (validates business need)
    2. Application Owner approval (confirms appropriate access level)
    3. CFO approval (financial system oversight)
    4. Compliance approval (regulatory requirement check)
  All approvals received within 5-day SLA
  Automated Provisioning: Access granted within 2 hours
  Quarterly recertification scheduled automatically
  Result: Governed access with complete audit trail
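The routing and evaluation logic behind the workflows above, as an added illustration rather than code from this page or any IGA product. The risk-scoring weights, approver names and the decision that Security and Compliance review in parallel (AND) are assumptions chosen to reproduce the page's examples:

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    SEQUENTIAL = "sequential"        # approvers act one after another
    PARALLEL_ANY = "parallel_any"    # notified together, any one suffices (OR)
    PARALLEL_ALL = "parallel_all"    # notified together, all must approve (AND)

# Constructed scoring: data sensitivity plus privilege level drive the risk score.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "financial": 3, "phi_pii": 3}
PRIVILEGE = {"read": 0, "write": 1, "admin": 3}

@dataclass(frozen=True)
class Stage:
    approvers: tuple
    mode: Mode

def risk_score(sensitivity: str, privilege: str) -> int:
    return SENSITIVITY[sensitivity] + PRIVILEGE[privilege]

def route(sensitivity: str, privilege: str, financial: bool = False) -> list:
    """Derive the approval chain from the risk score (risk-based routing)."""
    score = risk_score(sensitivity, privilege)
    if score <= 1:                                   # low risk: manager only
        return [Stage(("Manager",), Mode.SEQUENTIAL)]
    chain = [Stage(("Manager",), Mode.SEQUENTIAL),
             Stage(("Application Owner",), Mode.SEQUENTIAL)]
    if score >= 3:                                   # high risk: add oversight stages
        chain.append(Stage(("Security", "Compliance"), Mode.PARALLEL_ALL))
    if financial:                                    # financial systems add CFO oversight
        chain.append(Stage(("CFO",), Mode.SEQUENTIAL))
    return chain

def evaluate(chain: list, decisions: dict) -> str:
    """decisions maps approver name -> True/False. Returns approved/denied/pending.
    Stages are walked in order, so a later stage is never consulted before the
    earlier one completes (each approver sees the previous justifications)."""
    for stage in chain:
        votes = [decisions.get(a) for a in stage.approvers]
        if stage.mode is Mode.PARALLEL_ANY:
            if any(v is True for v in votes):
                continue
            return "denied" if all(v is False for v in votes) else "pending"
        if any(v is False for v in votes):           # one rejection denies the request
            return "denied"
        if any(v is None for v in votes):            # stage still waiting on someone
            return "pending"
    return "approved"
```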

🚫 Segregation of Duties (SoD) Enforcement

SoD policies prevent users from obtaining conflicting access that could enable fraud or policy violations.

SoD Policy #1: Financial Self-Approval Prevention

Conflicting Roles: "Purchase Requestor" + "Purchase Approver"
Enforcement: Hard block (no exceptions allowed)
Rationale: Users cannot both request purchases and approve purchases

SoD Policy #2: Development and Production Segregation

Conflicting Roles: "Application Developer" + "Production Administrator"
Enforcement: Soft block with approval
Exception Process: CTO approval required with business justification
Exception Duration: Maximum 90 days with enhanced monitoring
Recertification: Monthly during exception period

Real-Time SoD Checking: Requests are evaluated against SoD rules before submission. Users are warned of conflicts before requesting, preventing incompatible role combinations at the source.
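A pre-submission SoD check implementing the two policies above, added here as an example and not taken from this page or any product. The policy data structure and the rule that only conflicts introduced by the current request are reported (pre-existing ones are left to recertification) are assumptions:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SoDPolicy:
    name: str
    roles: frozenset                        # the conflicting role pair
    enforcement: str                        # "hard" (no exceptions) or "soft" (approval)
    exception_approver: Optional[str] = None
    max_exception_days: Optional[int] = None
    exception_recert: Optional[str] = None  # recertification cadence during the exception

# Constructed policy set, modelled on the two policies described on this page.
POLICIES = (
    SoDPolicy("Financial Self-Approval Prevention",
              frozenset({"Purchase Requestor", "Purchase Approver"}), "hard"),
    SoDPolicy("Development and Production Segregation",
              frozenset({"Application Developer", "Production Administrator"}), "soft",
              exception_approver="CTO", max_exception_days=90, exception_recert="monthly"),
)

def check_request(current_roles, requested_roles, policies=POLICIES) -> dict:
    """Real-time SoD check run before a request is submitted.

    The resulting assignment (current + requested) is tested against each
    policy; only conflicts that this request would introduce are reported, so
    pre-existing conflicts are left to recertification rather than blocking
    unrelated requests.
    """
    current, requested = set(current_roles), set(requested_roles)
    resulting = current | requested
    hard = [p for p in policies if p.roles <= resulting
            and p.roles & requested and p.enforcement == "hard"]
    soft = [p for p in policies if p.roles <= resulting
            and p.roles & requested and p.enforcement == "soft"]
    if hard:                                # hard block: the request cannot proceed
        return {"decision": "block", "violations": [p.name for p in hard]}
    if soft:                                # soft block: proceed only via exception
        return {"decision": "exception",
                "violations": [p.name for p in soft],
                "approvers": sorted({p.exception_approver for p in soft}),
                "max_days": min(p.max_exception_days for p in soft),
                "recertification": sorted({p.exception_recert for p in soft})}
    return {"decision": "allow", "violations": []}
```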

Access Recertification and Reviews

Ongoing validation that approved access remains appropriate through scheduled certification campaigns.

  Access Type           Certification Frequency   Reviewer
  Standard Access       Annually                  Manager
  Privileged Access     Quarterly                 Manager + Security
  Break-Glass Accounts  Monthly                   Security + Compliance
  Financial Systems     Quarterly                 Manager + CFO
  PHI/PII Access        Quarterly                 Manager + Privacy Officer
  Service Accounts      Quarterly                 Service Owner
  Contractor Access     Before renewal            Manager + Vendor Manager

⏱️ Temporary Access

  • Defined start and end dates
  • Automatic expiration and revocation
  • Email reminders before expiration (7 days, 1 day)
  • Extension request workflow if needed
  • Manager notification of upcoming expirations

👥 Delegation

  • Managers requesting for direct reports
  • Executive assistants for executives
  • Help desk on behalf of users
  • Defined delegation relationships
  • Accountability with original requester

📊 Request Analytics

  • Total requests by type and department
  • Average approval and provisioning time
  • Approval/denial rates
  • Top requested items
  • SoD violations and exceptions
  • Compliance reporting

Integration with IGA Components

🎭 Integration with RBAC (Role-Based Access Control)

Users request roles, not individual permissions. Roles hide entitlement-level complexity from end users while enabling faster provisioning: a single role request grants all bundled entitlements automatically.

User requests "Sales Representative" role
Role includes: CRM + Sales Portal + Contract Management + Reporting
Single approval grants all bundled entitlements
Automated provisioning to all systems via connectors
Result: User productive with single request vs. 4 separate requests

🔄 Integration with Lifecycle Management (JML)

Birthright access is provisioned automatically at joiner time; additional needs go through the request process. Lifecycle changes trigger access reviews and recertification.

New Marketing Manager joins (Joiner)
Automated: Email, Office 365, Intranet, Marketing Team role
Day 5: Manager requests additional "Marketing Automation Admin" role
Approval: Marketing Director approves
Month 3: Manager transfers to Sales (Mover)
IGA: Revokes Marketing roles, initiates recertification

🔐 Integration with PAM (Privileged Access Management)

IGA handles the approval workflow; PAM handles the technical implementation. Privileged access is time-bound, with enhanced monitoring and post-access review.

Developer requests temporary production database admin access
IGA: Approval workflow (Manager + VP Eng + Security)
All approvals received
IGA notifies PAM: Grant access for 4 hours
PAM: Check out credentials, enable session recording
4 hours expire: IGA triggers auto-revocation
Post-access review: Manager reviews session recording

How Identity Co-Analyst (ICA) Supports Access Request Management

Access Request Requirements ICA Captures

ICA: "Let's discuss how users request access in your organization. Do users typically request individual applications or do you use roles?"
Stakeholder: "We have roles for most standard access, but users sometimes need access to specific applications that aren't in their role."
ICA: "I understand you use a hybrid approach. Let me gather details on both:
For role-based requests:
• Who should approve role requests - just the manager or additional approvers?
• Should high-risk roles require different approvals than standard roles?
• Are there any role combinations that should be blocked (SoD conflicts)?
For individual application requests:
• Which applications should users be able to request directly?
• Who should approve application access?
• Should some applications require security approval?
For approval timing:
• What's an acceptable timeframe for standard access approval?
• Do you need expedited workflows for urgent business needs?"

ICA-Generated Documentation (Sample Output):

ACCESS REQUEST MANAGEMENT REQUIREMENTS

1. SELF-SERVICE PORTAL CAPABILITIES
Portal Access: All active employees via web and mobile
Request Catalog: Role catalog with business-friendly descriptions
Business Justification: Required (minimum 50 characters)

2. APPROVAL WORKFLOWS
Standard Access: Manager approval only, 2-day SLA
High-Risk Access: Sequential approvals (Manager → App Owner → Security)
Financial Systems: CFO + Compliance approval required

3. SEGREGATION OF DUTIES POLICIES
SoD Policy #1: Purchase Requestor + Purchase Approver (Hard block)
SoD Policy #2: Developer + Production Admin (Soft block, CTO approval)

4. RECERTIFICATION CAMPAIGNS
Standard Access: Annual review by manager
Privileged Access: Quarterly review (Manager + Security)
Financial Access: Quarterly (Manager + CFO + Compliance)

ICA Benefits for Access Request Requirements:

  • Conversational capture of complex approval workflows
  • SoD policies defined in business language
  • Automated documentation generation (under 10 days vs. 12 weeks)
  • Platform-agnostic requirements work with any IGA tool
  • Stakeholder-friendly interface reduces intimidation

Benefits of Effective Access Request Management

🔒 Security Benefits

  • Governed access with approval oversight
  • Prevention of conflicting access (SoD)
  • Time-bound access reduces risk exposure
  • Complete audit trail for compliance
  • Emergency access properly controlled

⚙️ Operational Benefits

  • Self-service reduces help desk tickets
  • Automated provisioning speeds delivery
  • Clear approval accountability
  • Reduced manual errors
  • Better user experience

✅ Compliance Benefits

  • Documented approval chains for auditors
  • SoD policy enforcement
  • Regular access recertification
  • Audit-ready reports
  • Regulatory compliance (SOX, GDPR, HIPAA)

💰 Cost Benefits

  • Reduced IT administrative overhead
  • Faster access improves productivity
  • Fewer security incidents
  • License optimization through reviews
  • Lower audit costs

Best Practices for Access Request Management

Clear Access Catalog

Business-friendly role and application names with comprehensive descriptions, risk ratings, and approval requirements transparent to requestors.

Risk-Based Approvals

Low-risk access gets streamlined approvals, while high-risk access receives enhanced oversight with multiple approvers and privilege escalation controls.

Timely Provisioning

Define SLAs for approval and provisioning. Automate provisioning where possible with escalation for overdue approvals and notifications at each stage.

Regular Recertification

Set certification frequency by risk level. Provide reviewers with usage data, make certification easy and fast, and auto-revoke uncertified access after the deadline.
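The scheduled enforcement job that the Temporary Access section (automatic expiration, 7-day and 1-day reminders) and this recertification practice (auto-revoke uncertified access after the deadline) both rely on, added as an example and not code from this page or any IGA product. The `Assignment` record, the sample users and the convention that an assignment expires the day after its end date are assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REMINDER_DAYS = (7, 1)   # email reminders before expiration, as described on this page
SAMPLE_TODAY = date(2024, 3, 1)   # constructed run date for the sample below

@dataclass
class Assignment:
    user: str
    item: str
    end_date: Optional[date] = None        # temporary access: last valid day
    cert_deadline: Optional[date] = None   # open recertification campaign deadline
    certified: bool = False                # reviewer has certified this assignment
    active: bool = True

def daily_enforcement(assignments, today: date) -> dict:
    """One run of the scheduled job: reminders, expirations, uncertified revocations.
    Revocation needs no human action; the returned dict is what the job would hand
    to the notification and provisioning connectors (and the audit log)."""
    actions = {"remind": [], "revoke_expired": [], "revoke_uncertified": []}
    for a in assignments:
        if not a.active:
            continue
        if a.end_date is not None:
            days_left = (a.end_date - today).days
            if days_left < 0:                         # past the end date: auto-revoke
                a.active = False
                actions["revoke_expired"].append((a.user, a.item))
                continue
            if days_left in REMINDER_DAYS:            # 7-day and 1-day reminders
                actions["remind"].append((a.user, a.item, days_left))
        if (a.cert_deadline is not None and today > a.cert_deadline
                and not a.certified):                 # campaign closed, not certified
            a.active = False
            actions["revoke_uncertified"].append((a.user, a.item))
    return actions

def make_sample(today: date):
    """Constructed sample assignments relative to `today` (not real data)."""
    return [
        Assignment("alice", "Project X share", end_date=today + timedelta(days=7)),
        Assignment("bob", "Contractor VPN", end_date=today + timedelta(days=1)),
        Assignment("carol", "Old project DB", end_date=today - timedelta(days=1)),
        Assignment("dave", "Finance reporting", cert_deadline=today - timedelta(days=1)),
        Assignment("erin", "CRM", cert_deadline=today - timedelta(days=1), certified=True),
    ]
```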

Continuous Improvement

Monitor request patterns and approval times. Identify frequently requested items for potential role inclusion and streamline workflows based on metrics.

User Education

Train users on self-service portal, communicate approval processes clearly, provide guidance on business justification, and celebrate adoption success.