🔐 Access Request Management

User Permission and Access Management in IGA
And How Identity CoAnalyst Streamlines Requirements Gathering
70% Time Saved with ICA
10 Days Requirements Complete
Zero Missed Requirements
5+ Approval Workflow Types

What is Access Request Management?

Access Request Management in IGA is the process by which users or administrators request, approve, provision, and manage permissions to resources, applications, roles, and data. It serves as the exception-handling mechanism for access needs beyond automated lifecycle provisioning, providing governed, auditable pathways for users to obtain the access they need to perform their jobs.

Unlike automated joiner/mover/leaver processes that provision birthright and role-based access, access request management handles on-demand, exceptional, temporary, and elevated access scenarios through structured workflows with appropriate approvals and oversight.

Core Components of Access Request Management

Nine essential elements working together to manage user access

🛒 Self-Service Portal

  • Shopping cart experience for multiple requests
  • Search and browse access catalog
  • Role and entitlement descriptions
  • Visual approval requirement indicators
  • Request status tracking
  • Business justification templates

⚙️ Approval Workflows

  • Single-level approval (manager only)
  • Multi-level sequential approvals
  • Parallel approval routing
  • Risk-based approval determination
  • Conditional approval logic
  • SLA-based escalation

🚫 SoD Enforcement

  • Real-time SoD checking
  • Hard block for critical conflicts
  • Soft block with approval exceptions
  • Compensating controls
  • Time-limited exceptions
  • Continuous violation monitoring

Automated Provisioning

  • Connector-based provisioning
  • Real-time or near-real-time access
  • Workflow-based manual fulfillment
  • Error handling and retry logic
  • Rollback capabilities
  • Confirmation notifications

Access Certification

  • Scheduled certification campaigns
  • Risk-based review frequency
  • Manager and owner reviews
  • Usage data for informed decisions
  • Approve, revoke, modify outcomes
  • Automated remediation

⏱️ Temporary Access

  • Time-bound access with expiration
  • Project-based access grants
  • Contractor access management
  • Automatic expiration and revocation
  • Extension request workflows
  • Expiration reminder notifications

🚨 Emergency Access

  • Break-glass account procedures
  • Expedited approval workflows
  • Post-access review mandatory
  • Enhanced monitoring and recording
  • Automatic time limits (4-8 hours)
  • Incident documentation required

👥 Delegation

  • Managers request for direct reports
  • Executive assistants for executives
  • Help desk on behalf of users
  • Defined delegation relationships
  • Accountability with requester
  • Adjusted approval chains

📊 Analytics & Reporting

  • Request metrics and trends
  • Approval time tracking
  • Top requested items
  • SoD violation reports
  • Compliance reporting
  • Provisioning success rates

Request-Based Assignment Types

📝 Standard Access Requests

User-initiated requests through the self-service portal, with a single approval workflow and a standard provisioning timeline.

Examples: CRM access, reporting tools, shared drives

⚠️ High-Risk Access Requests

Elevated privileges requiring a multi-level approval workflow with enhanced business justification and immediate certification.

Examples: Admin rights, financial systems, PHI/PII access

⏰ Temporary Access Requests

Time-bound access with automatic expiration, used for projects, contractors, or temporary assignments.

Examples: 90-day project access, contractor access, vacation coverage

🚨 Emergency/Break-Glass Access

Urgent access for business-critical situations with expedited approval or post-access review and enhanced monitoring.

Examples: Production emergencies, patient care emergencies, financial close

👤 Request on Behalf Of

Managers or authorized individuals requesting access for others with adjusted approval chains.

Examples: Manager for direct reports, executive assistants, help desk

Approval Workflow Types

Single-Level Approval

Manager approval only for low-risk, standard access with quick turnaround (hours).

Multi-Level Approval

Sequential approvals from multiple parties (Manager → App Owner → Security) for high-risk access.

Parallel Approval

Multiple approvers notified simultaneously with OR/AND logic for faster processing.

Risk-Based Routing

Approval chain determined by risk score: Low (Manager), High (Manager + Owner + Security + Compliance).

Example: Multi-Level Approval Workflow

High-Risk Financial System Access Request
User requests access to Financial Reporting System
IGA: Risk assessment → High Risk (Financial data)
Workflow: Sequential multi-level approval
1. Manager approval (validates business need)
2. Application Owner approval (confirms access level)
3. CFO approval (financial system oversight)
4. Compliance approval (regulatory check)
All approvals received within 5-day SLA
Automated Provisioning: Access granted within 2 hours
Quarterly recertification scheduled automatically
Result: Governed access with complete audit trail

The Challenge: Defining Access Request Requirements

Traditional requirements gathering is complex, time-consuming, and error-prone

❌ Without Identity CoAnalyst

  • 12+ weeks of meetings to define workflows
  • Stakeholders confused by IAM terminology
  • Incomplete approval workflow documentation
  • Missing SoD policy definitions
  • Vague or contradictory requirements
  • Endless email chains for clarification
  • Implementation teams struggle with specs
  • Critical requirements discovered too late

✓ With Identity CoAnalyst

  • Under 10 days to complete requirements
  • Natural language conversation interface
  • Complete approval workflow specifications
  • Comprehensive SoD policy capture
  • Clear, implementable requirements
  • AI-guided systematic questioning
  • Ready-to-implement specifications
  • Built-in expertise ensures coverage

⚡ How Identity CoAnalyst Assists

Transforming Access Request Requirements Gathering

ICA Captures Access Request Requirements Through Conversation

🗣️ Conversational Interface

No more intimidating spreadsheets. ICA asks questions in natural language, making it easy for non-technical stakeholders to provide requirements.

🧠 Built-In Expertise

ICA knows what questions to ask about approval workflows, SoD policies, temporary access, emergency procedures, and more.

🎯 Adaptive Questioning

ICA adapts follow-up questions based on your answers, exploring relevant scenarios and ensuring nothing is missed.

📋 Automatic Documentation

Professional requirements documents generated automatically, ready for implementation teams and IGA tool configuration.

ICA Conversation Example

Natural Requirements Gathering Conversation:
ICA: "Let's discuss how users request access in your organization. Do users typically request individual applications or do you use roles?"
Stakeholder: "We have roles for most standard access, but users sometimes need access to specific applications that aren't in their role."
ICA: "I understand you use a hybrid approach. Let me gather details on both:
For role-based requests:
• Who should approve role requests - just the manager or additional approvers?
• Should high-risk roles require different approvals than standard roles?
• Are there any role combinations that should be blocked (SoD conflicts)?
For individual application requests:
• Which applications should users be able to request directly?
• Who should approve application access - the user's manager or the application owner?
• Should some applications require security approval?
For approval timing:
• What's an acceptable timeframe for standard access approval?
• Do you need expedited workflows for urgent business needs?
• How should requests be escalated if approvers don't respond?"
Stakeholder provides clear answers in natural language...
ICA: "Great! Now let's talk about emergency situations. Do you ever have scenarios where users need immediate access for business-critical situations, like production outages or patient emergencies?"
Stakeholder: "Yes, we do have emergency situations occasionally."
ICA: "For emergency or break-glass access:
• What constitutes a valid emergency that justifies immediate access?
• Should emergency access require pre-approval or can it be granted with post-access review?
• How long should emergency access last before automatic revocation?
• Who should review the emergency access usage after the incident?
• Do you need enhanced monitoring or session recording for emergency access?"

ICA-Generated Requirements Documentation

Sample Output - Ready for Implementation:

ACCESS REQUEST MANAGEMENT REQUIREMENTS

1. SELF-SERVICE PORTAL CAPABILITIES

Portal Access:
- All active employees can access self-service portal
- Portal available via web interface and mobile app
- Integration with SSO (Okta)

Request Catalog:
- Role catalog with business-friendly names and descriptions
- Application catalog organized by business function
- Search and filter capabilities
- Shopping cart for multiple requests
- Risk ratings displayed (Low, Medium, High, Critical)

Business Justification:
- Required for all requests
- Free-text field (minimum 50 characters)
- Pre-populated templates for common scenarios

2. APPROVAL WORKFLOWS

Standard Access (Low/Medium Risk):
- Trigger: User requests role with risk level = "Low" or "Medium"
- Workflow: Manager approval only
- SLA: 2 business days
- Auto-escalation: Manager's manager after 2 days
- Auto-approval: After 2 escalations (6 days total)

High-Risk Access:
- Trigger: User requests role with risk level = "High" or "Critical"
- Workflow: Sequential approvals
  1. Manager approval
  2. Application Owner approval
  3. Security approval
- SLA: 5 business days total
- Enhanced justification required
- No auto-approval (manual decision required)

Financial System Access:
- Trigger: User requests access to financial applications
- Workflow: Sequential approvals
  1. Manager approval
  2. CFO approval
  3. Compliance approval
- SLA: 3 business days
- Annual recertification required

3. SEGREGATION OF DUTIES POLICIES

Policy #1: Purchase Request and Approval Segregation
- Conflicting Roles: "Purchase Requestor" + "Purchase Approver"
- Enforcement: Hard block (no exceptions)
- Rationale: Prevent self-approval of purchases

Policy #2: Development and Production Access Segregation
- Conflicting Roles: "Application Developer" + "Production Admin"
- Enforcement: Soft block
- Exception Process: CTO approval with business justification
- Exception Duration: Maximum 90 days
- Compensating Control: Enhanced session monitoring

4. TEMPORARY ACCESS

Contractor Access:
- Maximum Duration: Aligned with contract end date
- Extension Process: Requires contract renewal documentation
- Reminders: 30 days, 7 days, 1 day before expiration
- Auto-Revocation: On contract end date at 11:59 PM

Project-Based Access:
- Maximum Duration: 12 months
- Extension Process: Project sponsor approval required
- Review Frequency: Quarterly during project lifecycle
- Auto-Revocation: 30 days after project end date

5. EMERGENCY/BREAK-GLASS ACCESS

Emergency Criteria:
- Production system outage impacting operations
- Security incident requiring immediate response
- Patient care emergency (for healthcare apps)

Emergency Process:
- Requestor: Submit with incident number
- Approval: Post-access approval within 24 hours
- Duration: 8-hour maximum
- Monitoring: 100% session recording
- Post-Review: Mandatory within 48 hours

6. DELEGATION

Authorized Delegators:
- Managers for direct reports
- Executive assistants for assigned executives
- Help desk for standard access requests

Delegation Tracking:
- Original requester remains accountable
- Approval chain adjusted for delegation
- Audit trail captures both requester and beneficiary

7. RECERTIFICATION CAMPAIGNS

Standard Access: Annual review by manager
Privileged Access: Quarterly (Manager + Security)
Financial Access: Quarterly (Manager + CFO + Compliance)
Contractor Access: Before contract renewal
Emergency Access: Monthly + after each usage
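
The approval chains and SoD policies in sections 2 and 3 of the sample output above can be expressed as a small request evaluator. This is an added example, not ICA output or any IGA product's code; the function and class names are hypothetical. It assumes the financial chain takes precedence over the risk-based chains, the exception approver is appended after the normal chain, and a request carrying an SoD exception never auto-approves on timeout.

```python
from dataclasses import dataclass, field
from typing import Optional

# Approval chains from section 2 of the sample requirements.
CHAINS = {
    "standard": ["Manager"],
    "high_risk": ["Manager", "Application Owner", "Security"],
    "financial": ["Manager", "CFO", "Compliance"],
}
# SoD policies from section 3: conflicting pair -> (enforcement, exception approver).
SOD_POLICIES = {
    frozenset({"Purchase Requestor", "Purchase Approver"}): ("hard", None),
    frozenset({"Application Developer", "Production Admin"}): ("soft", "CTO"),
}
MAX_EXCEPTION_DAYS = 90  # Policy #2 exception duration

@dataclass
class Decision:
    outcome: str                              # "blocked" or "route"
    approvers: list = field(default_factory=list)
    max_days: Optional[int] = None            # set when an SoD exception applies
    auto_approve_on_timeout: bool = False
    notes: list = field(default_factory=list)

def evaluate(current_roles, requested_role, risk, financial=False):
    """Run the SoD check first, then choose the approval chain."""
    exception_approvers, notes = [], []
    for pair, (mode, approver) in SOD_POLICIES.items():
        if requested_role in pair and (pair - {requested_role}) <= set(current_roles):
            if mode == "hard":
                return Decision("blocked", notes=["SoD hard block, no exceptions"])
            exception_approvers.append(approver)
            notes.append("compensating control: enhanced session monitoring")
    if financial:                             # assumption: financial chain takes precedence
        chain = CHAINS["financial"]
    elif risk in ("High", "Critical"):
        chain = CHAINS["high_risk"]
    elif risk in ("Low", "Medium"):
        chain = CHAINS["standard"]
    else:                                     # unrated item: refuse rather than guess a chain
        raise ValueError(f"unknown risk level: {risk!r}")
    # Timeout auto-approval exists only for the standard chain; assumption: an SoD
    # exception disables it so the exception approver cannot be skipped by silence.
    auto = chain is CHAINS["standard"] and not exception_approvers
    return Decision("route", chain + exception_approvers,
                    MAX_EXCEPTION_DAYS if exception_approvers else None, auto, notes)
```
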

Benefits of Using ICA for Access Request Requirements

⚡ Speed

  • Under 10 days vs. 12+ weeks
  • 70% time reduction
  • Faster time to implementation
  • Quick stakeholder engagement
  • Immediate documentation generation

✓ Completeness

  • Built-in expertise ensures coverage
  • No missed requirements
  • Comprehensive SoD policy capture
  • All approval workflows documented
  • Edge cases and exceptions covered

👥 User-Friendly

  • Natural language conversations
  • No intimidating spreadsheets
  • Non-technical stakeholders comfortable
  • AI adapts to responses
  • Clarifying questions in real-time

📋 Quality

  • Professional documentation
  • Consistent formatting
  • Implementation-ready specifications
  • Clear and unambiguous
  • Audit-ready trail

💰 Cost Savings

  • Reduced consultant costs
  • Lower IT administrative overhead
  • Fewer implementation delays
  • Reduced rework from gaps
  • $45,000+ saved per project

🔄 Platform-Agnostic

  • Works with any IGA tool
  • SailPoint, Saviynt, Okta compatible
  • Tool-neutral requirements
  • Easy to repurpose for migrations
  • Vendor-independent specifications

Stakeholder-Specific Benefits

👔 For Business Stakeholders

  • No IAM jargon, just business language
  • Describe workflows in your own words
  • No need to understand technical details
  • Quick 15-minute conversational surveys
  • AI interprets and translates to tech specs

💻 For IT Teams

  • Clear, implementable specifications
  • No ambiguity in requirements
  • Complete workflow definitions
  • SoD policies clearly documented
  • Ready for IGA tool configuration

📊 For Project Managers

  • 70% faster requirements phase
  • Reduced project timeline
  • Lower risk of scope creep
  • Complete documentation for planning
  • Easy stakeholder engagement

✅ For Compliance Officers

  • Audit-ready documentation
  • Complete approval trail definitions
  • SoD policies clearly specified
  • Regulatory requirements captured
  • Exception procedures documented