---
title: Manage access requests
description: Before end users can request access to resources in Advanced Identity Cloud, you must:
component: pingoneaic
page_id: pingoneaic:identity-governance:administration/access-request-configure
canonical_url: https://docs.pingidentity.com/pingoneaic/identity-governance/administration/access-request-configure.html
keywords: ["access requests", "configure access requests", "requestable resources", "access catalog", "resource owners", "scopes", "request for others"]
section_ids:
  configure-scopes-to-resources: Configure scoping rules to resources
  enable-scopes: Enable scopes
  view-scopes: View scopes
  add-scopes: Add scopes
  edit-scopes: Edit scopes
  make-resources-requestable: Define resources that can be requested
  applications-requestable: Applications
  entitlements-requestable: Entitlements
  roles-requestable: Roles
  add-owners-to-resources: Add owners to resources
  add-app-owners: Application owners
  add-entitlement-owners: Entitlement owners
  add-role-owners: Role owners
  configure-glossary-attributes: Optionally, create and configure glossary attributes
  example-glossary-with-access-requests: Example of using glossary attributes with access requests
  configure-access-requests-for-others: Configure access requests for other end users
  configure-all-users-to-see-all-other-users: "Use case 1: Configure all end users to see all other end users"
  configure-all-users-to-see-subset-of-other-users: "Use case 2: Configure all end users to see a subset of other end users"
  configure-managers-to-request-for-their-directs: "Use case 3: Configure only managers to request for their directs"
---

# Manage access requests

Before end users can request access to resources in Advanced Identity Cloud, you must:

1. [Configure scoping rules to resources.](#configure-scopes-to-resources)

2. [Define resources that can be requested in the access catalog.](#make-resources-requestable)

3. [Add an owner to each resource.](#add-owners-to-resources)

4. [Review and modify access request workflows.](workflow-configure.html)

5. Optionally, [create and configure glossary attributes.](#configure-glossary-attributes)

6. [Configure access requests for other end users.](#configure-access-requests-for-others)

## Configure scoping rules to resources

Identity Governance allows you to centrally manage end-user access to resources across your company using *scopes*. *Scoping* refers to the rules defining who can access which resource. After a resource has been granted, a delegated administrator or user is expected to control who can do what. The main goals of *scoping* are:

* Controlling resources that are available to a user.

* Controlling which end users a user can see.

* Controlling the actions a user can take either on the resource or the user.

Administrators can create and manage filtering rules to ensure users have access to only the resource required.

### Enable scopes

By default, scopes are disabled in Identity Governance. You can enable scopes globally across the Identity Governance configuration settings using the API.

Use `PUT iga/commons/config/iga_global` with a payload of `enableScoping:true`:

|   |                                                                                                                                                                                                                             |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | In this example, replace \<access-token> with an access token created with the `fr:iga:*` service account scope. Learn more in [Get an access token](../../developer-docs/authenticate-to-rest-api-with-access-token.html). |

```
curl \
--request PUT \
--header "Authorization: Bearer <access-token>" \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--data '{
  "enableScoping": true
}' \
"https://<tenant-env-fqdn>/iga/commons/config/iga_global"
```

### View scopes

* In the Advanced Identity Cloud admin console, click Governance > Scopes. The page appears with a list of scopes. If no scopes are present, the page displays a [icon: add, set=material, size=inline] New Scopes button.

  ![Identity Governance scopes.](../_images/governance-scopes.png)

  * 1 Click Governance > Scopes on the Advanced Identity Cloud end-user UI.

  * 2 Click the [icon: add, set=material, size=inline] New Scope button to add a new scope.

  * 3 Search scopes. Search by scope name, status, or description (case-insensitive).

  * 4 Name: Name of the scope. This is a required field.

  * 5 Status: Current status of the scope, either `Inactive` or `Active`. You can sort the list in ascending or descending order by clicking the up or down triangles.

  * 6 Ellipsis ([icon: more_horiz, set=material, size=inline]). Click to edit, deactivate (if active) or activate (if inactive), or delete the scope.

### Add scopes

1. In the Advanced Identity Cloud admin console, click Governance > Scopes.

2. Click the [icon: add, set=material, size=inline] New Scopes button.

3. On the New Scope Details page, enter the scope details, and then click Next:

   | Field                  | Description                                                                            |
   | ---------------------- | -------------------------------------------------------------------------------------- |
   | Name                   | Enter a name for your scope. Follow any naming convention established by your company. |
   | Description (Optional) | Enter a general description for the new scope.                                         |

4. On the New Scope Applies to page, do the following:

   1. Use the filter to define which users should have this scope. Select or enter the properties, and then click [icon: add, set=material, size=inline] to add the filter.

      | Field                                                     | Description                                                                                                                                                                                                                                                                                                                                                            |
      | --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      | Select entitlements if `Any` or `All` conditions are met. | Select either Any or All.                                                                                                                                                                                                                                                                                                                                              |
      | Select a property                                         | Values include: `_id`, `accountStatus`, `city`, `cn`, `country`, `descriptions`, `frIndexedDate[1-5]`, `frIndexedString[1-5]`, `frUnindexedDate[1-5]`, `frUnindexedString[1-5]`, `givenName`, `mail`, `password`, `passwordExpirationTime`, `passwordLastChangedTime`, `postalAddress`, `postalCode`, `profileImage`, `sn`, `stateProvince`, `telephoneNumber`, `userName`. |
      | Connector                                                 | Values include: contains, does not contain, is, is not, starts with, ends with.                                                                                                                                                                                                                                                                                        |
      | Attribute Value                                           | Enter the attribute value to compare against.                                                                                                                                                                                                                                                                                                                          |

   2. Click Next to continue.

5. On the New Scope Access page, select the applications, entitlements, or roles that users can access:

   | Field        | Description                                                                                                                                |
   | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------ |
   | Applications | Select one of the following: All Applications, or Applications matching a filter. For the latter, the page displays a filter to match the applications. |
   | Entitlements | Select one of the following: All Entitlements, or Entitlements matching a filter. For the latter, the page displays a filter to match the entitlements. |
   | Roles        | Select one of the following: All Roles, or Roles matching a filter. For the latter, the page displays a filter to match the roles.                      |

   1. Click Save. The Scopes page displays the new scope.
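
The "Applies to" step above narrows a scope to users who satisfy Any or All of a set of property conditions. The following added example (illustration only, not Identity Governance's own code) models those match modes and the six connectors from the table, then applies three scope filters to a handful of constructed user records; it also shows how a condition on an attribute a user does not have is treated (the "never matches" rule is an assumption made here, not something the page states):

```python
"""Model of a scope's "Applies to" filter: which users a scope covers.

Added illustration, not Identity Governance's own code. It implements the
Any/All match modes and the six connectors listed on the page and applies
them to a handful of constructed user records.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Connector semantics as plain string comparisons (assumption: exact,
# case-sensitive matching, as the page does not state otherwise).
CONNECTORS: dict[str, Callable[[str, str], bool]] = {
    "contains": lambda actual, expected: expected in actual,
    "does not contain": lambda actual, expected: expected not in actual,
    "is": lambda actual, expected: actual == expected,
    "is not": lambda actual, expected: actual != expected,
    "starts with": lambda actual, expected: actual.startswith(expected),
    "ends with": lambda actual, expected: actual.endswith(expected),
}


@dataclass(frozen=True)
class Condition:
    prop: str        # user property, e.g. "city" or "frIndexedString1"
    connector: str   # one of the CONNECTORS keys
    value: str       # the Attribute Value entered in the filter


@dataclass(frozen=True)
class ScopeFilter:
    match: str                        # "Any" or "All"
    conditions: tuple[Condition, ...]


def condition_matches(cond: Condition, user: dict) -> bool:
    """A condition on an attribute the user lacks never matches, even for a
    negative connector such as "is not", so a scope does not silently widen
    to users with incomplete profiles (assumption made in this example)."""
    if cond.connector not in CONNECTORS:
        raise ValueError(f"unknown connector {cond.connector!r}")
    actual = user.get(cond.prop)
    if actual is None:
        return False
    return CONNECTORS[cond.connector](str(actual), cond.value)


def filter_matches(scope_filter: ScopeFilter, user: dict) -> bool:
    if not scope_filter.conditions:
        raise ValueError("a scope filter needs at least one condition")
    results = [condition_matches(c, user) for c in scope_filter.conditions]
    if scope_filter.match == "Any":
        return any(results)
    if scope_filter.match == "All":
        return all(results)
    raise ValueError(f"match mode must be 'Any' or 'All', got {scope_filter.match!r}")


def users_in_scope(scope_filter: ScopeFilter, users: list[dict]) -> list[str]:
    """userNames of the users the scope applies to, in input order."""
    return [u["userName"] for u in users if filter_matches(scope_filter, u)]


# Constructed sample users; not real identities.
USERS = [
    {"userName": "alice", "city": "Denver", "mail": "alice@example.com", "accountStatus": "active"},
    {"userName": "bob", "city": "Boston", "mail": "bob@contractor.example", "accountStatus": "active"},
    {"userName": "carol", "city": "Denver", "mail": "carol@example.com", "accountStatus": "inactive"},
    {"userName": "dave", "mail": "dave@example.com", "accountStatus": "active"},  # no city set
]

# Scope for active Denver staff: every condition must hold.
ACTIVE_DENVER = ScopeFilter("All", (
    Condition("city", "is", "Denver"),
    Condition("accountStatus", "is", "active"),
))

# Scope for anyone in Denver or with a contractor mailbox: one condition suffices.
DENVER_OR_CONTRACTOR = ScopeFilter("Any", (
    Condition("city", "is", "Denver"),
    Condition("mail", "ends with", "@contractor.example"),
))

# "is not" against a missing attribute: dave is not matched.
NOT_DENVER = ScopeFilter("All", (Condition("city", "is not", "Denver"),))

if __name__ == "__main__":
    for name, f in [("ACTIVE_DENVER", ACTIVE_DENVER),
                    ("DENVER_OR_CONTRACTOR", DENVER_OR_CONTRACTOR),
                    ("NOT_DENVER", NOT_DENVER)]:
        print(f"{name}: {users_in_scope(f, USERS)}")
```

The `All` filter is the one to reach for when a scope must be tight (both location and account status must hold), while `Any` is additive and grows the population with every condition added; reviewing which mode a scope uses is the first check when a scope covers more users than intended.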

### Edit scopes

1. In the Advanced Identity Cloud admin console, click Governance > Scopes.

2. On the Scopes page, click the ellipsis ([icon: more_horiz, set=material, size=inline]) for a scope, and then click Edit to change any aspect of the scope.

   1. Click Save to keep your changes.

   2. Click Deactivate to disable the scope, or click Activate to enable the scope for use.

   3. Click Remove to remove a rule from the scope.

## Define resources that can be requested

By default, end users in Advanced Identity Cloud can only request access to a resource that is marked as `Requestable` in the access catalog. Resources are applications, entitlements, or roles.

You can make applications, entitlements, or roles requestable in Identity Governance.

|   |                                                                                                                                                                                                                                                                                                                                                                                                |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Authoritative applications aren't requestable and are limited to read-only access. These apps onboard new identities, modify existing identities, or remove identities when needed. When there's a requirement to both read from and write to an application like a directory service, customers can define two apps: one authoritative and the other targeted for non-authoritative purposes. |

### Applications

To make applications requestable:

1. From the Advanced Identity Cloud admin console, go to Applications.

2. Select an application. The application must be a target application.

3. On the Details tab, toggle the Requestable box.

4. For every target application you want to make requestable, repeat steps 2 - 3.

### Entitlements

To make entitlements requestable:

1. From the Advanced Identity Cloud admin console, go to Entitlements.

2. Select an entitlement.

3. On the Details tab, toggle the Requestable box.

4. For every entitlement you want to make requestable, repeat steps 2 - 3.

### Roles

To make roles requestable:

1. From the Advanced Identity Cloud admin console, go to Manage > Alpha realm - Roles.

2. Select a role.

3. On the Details tab, toggle the Requestable box.

4. For every role you want to make requestable, repeat steps 2 - 3.

## Add owners to resources

Before an end user can request access to a resource, you must associate it to an *owner*. Owners are the individuals responsible for monitoring who has access to the resource (applications, entitlements, and roles).

When an end user requests access to a resource, Identity Governance sends the request to the owners for approval.

In access requests, the owner is referred to as the *approver*. When the owner approves the access request, Identity Governance provisions the resource to the end user.

### Application owners

To assign owners to applications in Advanced Identity Cloud:

1. From the Advanced Identity Cloud admin console, go to Applications.

2. Select an application. The application must be a target application.

3. On the Details tab, click the Owners field, and add as many owners as you desire.

4. Repeat steps 2 - 3 for every target application.

### Entitlement owners

After you [load entitlements](entitlements.html#load-entitlements-onboard) into Advanced Identity Cloud, they display in the Entitlements section.

To assign owners to entitlements in Advanced Identity Cloud:

1. From the Advanced Identity Cloud admin console, go to Entitlements.

2. Select an entitlement.

3. On the Details tab, click the Entitlement Owner field, and select an owner.

4. Repeat steps 2 - 3 for every entitlement.

### Role owners

To assign owners to roles in Advanced Identity Cloud:

1. From the Advanced Identity Cloud admin console, go to Manage > Alpha realm - Roles.

2. Select a role.

3. On the Details tab, click the Role Owner field, and select an owner.

4. Repeat steps 2 - 3 for every role.

## Optionally, create and configure glossary attributes

[Governance glossary attributes](glossary.html) enable you to attach custom attributes to applications, entitlements, or roles.

When configuring resources that your end users can request access to, consider creating searchable governance glossary attributes. These attributes enable end users to filter and select a resource when requesting access.

### Example of using glossary attributes with access requests

An example of using a governance glossary attribute would be to assign a risk level to each role, indicating the level of sensitivity associated with the resources granted to end users. This risk level attribute lets end users efficiently filter and search for roles based on their desired risk level when requesting access.

1. From the Advanced Identity Cloud admin console, click Glossary.

2. Click Role > + Role Glossary Item.

3. Enter the following values:

   | Field                               | Value                                                                                                                       |
   | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
   | Name                                | `riskLevel`                                                                                                                 |
   | Display Name                        | `Risk Level`                                                                                                                |
   | Description                         | `The level of risk associated with granting this resource to a user. The higher the risk, the more sensitive the resource.` |
   | Type                                | `String`                                                                                                                    |
   | Enumerated Values                   | Enable, and create the following in the text and value fields: `Low`, `Medium`, `High`.                                      |
   | Show advanced settings > Searchable | `Enable`. This enables the end user to search and filter on the attribute when requesting access to the role.               |

4. Click Save.

5. Populate each role in Advanced Identity Cloud with either `Low`, `Medium`, or `High`.

   To do this, navigate to Manage > Alpha realm - Roles and populate newly created role attribute `Risk Level`.

## Configure access requests for other end users

Identity Governance lets end users enter access requests on behalf of other end users. Administrators can configure whether all end users can see all other end users, all end users can see only a subset of other end users, or only managers can see their direct reports.

To let end users enter access requests for other end users, administrators must give them an internal role with `view` privileges on other end users and `read` access to the `userName`, `givenName`, `sn`, and `mail` attributes of those users.

While organization owners and administrators get these privileges from the PingIDM configuration targeted to only their organization's members, other end users outside of the organization don't have access to these privileges. As a result, end users only see List is empty when clicking Other Users and aren't able to select any end users.

![The new request access modal with other end users displaying List is empty.](../_images/access-request-other-users.png)

There are three use cases available to set up other end users:

* [Use case 1: Configure all end users to see all other end users](#configure-all-users-to-see-all-other-users)

* [Use case 2: Configure all end users to see a subset of other end users](#configure-all-users-to-see-subset-of-other-users)

* [Use case 3: Configure only managers to request for their directs](#configure-managers-to-request-for-their-directs)

### Use case 1: Configure all end users to see all other end users

To configure Identity Governance so that end users can see all other end users, you can add an internal role with `view` privileges and set the `userName`, `givenName`, `sn`, and `mail` attributes to `read` access.

1. Create a new internal role:

   1. In the Advanced Identity Cloud admin console, log in to Advanced Identity Cloud as a tenant administrator.

   2. Click Identities > Manage > Internal Roles > [icon: add, set=material, size=inline] New Internal Role.

   3. In the New Internal role modal, enter the following:

      * Name. Enter a descriptive name for the internal role.

      * Description. (Optional) Enter a description for the internal role.

   4. Click Next.

2. Set the internal role permissions:

   1. In the Internal role permissions modal, select Alpha realm - Users.

   2. Click [icon: add, set=material, size=inline] Add. The permissions for View, Create, Update, and Delete are displayed.

   3. Keep View selected.

   4. For attribute permissions, click Show advanced.

   5. Click set all attributes, and select None.

   6. For the following attributes, set the permission to `Read`:

      * `userName`

      * `givenName`

      * `sn`

      * `mail`

   7. Click Next.

      > **Collapse: Details**
      >
      > ![Internal role attribute permissions modal](../_images/governance-internal-role-attribute-permissions.png)

3. Configure a filter for the role:

   1. In the Dynamic internal role Assignment modal, click A conditional filter for this role.

   2. On the filter, select the following properties:

      * Select Any. Specifies when to apply the rule if the conditions are met.

      * Select an attribute like Username.

      * Select is present. Specifies the existence of the property or not.

   3. Click Next.

      > **Collapse: Details**
      >
      > ![Dynamic internal role assignment modal](../_images/governance-dynamic-internal-role-assignment.png)

4. Set a time constraint on the internal role:

   1. In the Time Constraint modal, leave the default as-is.

   2. Click Save. The new internal role is created. All users will now have the ability to see all other end users.

      > **Collapse: Details**
      >
      > ![Internal role created - requestForAll](../_images/governance-internal-role-requestForAll.png)

      |   |                                                                                                                                                                                                                                                                                                                                                          |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | The one side effect of this procedure is that the end user's UI displays `Alpha Realm - user` on the left navigation bar, which can be useful as a company-wide address book or when you want to add attributes, such as `telephoneNumber`. ![Alpha realm-user nav menu on hosted account page](../_images/governance-end-user-alpha-realm-user-nav.png) |

### Use case 2: Configure all end users to see a subset of other end users

This case is when you want the end users to see a subset of end users that match an attribute, such as `department` or `city`.

1. Repeat the steps 1 – 2 in [Use case 1: Configure all end users to see all other end users](#configure-all-users-to-see-all-other-users).

2. Configure a filter for the role:

   1. In the Dynamic internal role Assignment modal, click A conditional filter for this role.

   2. On the filter, select the following properties:

      * Select Any. Specifies when to apply the rule if the conditions are met.

      * Select City. An attribute name.

      * Select is. Specifies the relationship between the attribute and its value.

      * Enter {{attribute}}. Curly braces indicate the end user's current value of that property. For example, `{{city}}` includes the end user's `city` of work in the decision. This filter rule enables the manager to make requests for any other end users whose `city` matches the manager's `city` property. If you want to specify end users in a different city from the manager's city, you can use, for example, `{{Denver}}` to indicate the manager can see direct reports located in `Denver`.

   3. Click [icon: add, set=material, size=inline], and then click Add Rule.

   4. Click Next.

      > **Collapse: Details**
      >
      > ![Dynamic internal role assignment modal matching the manager's city property with any users from the same city.](../_images/governance-dynamic-internal-role-assignment-2.png)

### Use case 3: Configure only managers to request for their directs

The third use case is to configure the system so that only managers can request for their direct reports. One solution is to use a multivalued attribute to hold the value of the manager ID for each user.

1. In the Advanced Identity Cloud admin console, log in to Advanced Identity Cloud as a tenant administrator.

2. Create a managed object. A *managed object* is an identity-related data object managed in the IDM admin console:

   1. Click Native Consoles > Identity Management.

   2. Go to Configure > Managed Objects.

   3. On the Managed Objects page, click Alpha\_user.

   4. Scroll down, and click the pencil icon ([icon: pencil, set=fa]) next to frIndexedMultivalued1 to edit it.

   5. On the frIndexedMultivalued1 page, enter the following values:

      | Field                  | Value                                      |
      | ---------------------- | ------------------------------------------ |
      | Readable Titles        | Enter `managerID`.                         |
      | Description            | Enter a description of the managed object. |
      | Show advanced options. | Click the link to display more options.    |
      | Viewable               | Click to disable it.                       |
      | User Editable          | Click to disable it.                       |
      | Virtual                | Click to **enable** it.                    |

   6. Click Save.

      > **Collapse: Details**
      >
      > ![The frIndexedMultivalued1 attribute configuration](../_images/governance-frindexedMultivalued1.png)

   7. Click the Query Configuration tab, enter the following, and then click Save.

      | Field                          | Value                               |
      | ------------------------------ | ----------------------------------- |
      | Referenced Relationship Fields | Enter `["manager"]`.                |
      | Referenced Object Fields       | Enter the referenced object, `_id`. |
      | Flatten Properties             | Click to enable it.                 |

      > **Collapse: Details**
      >
      > ![Query configuration for the frIndexedMultivalued1 attribute.](../_images/governance-frindexedMultivalued1-query-config.png)

3. Now, set up a manager on each end user using a relationship-derived virtual property (RDVP). RDVPs are calculated based on relationships and relationship notifications. Here you create an RDVP to query end users ("reports") who have a manager expressed in the `_id` property. Learn more in [Relationship-derived virtual properties](../../idm-objects/managed-object-virtual-properties.html#relationship-derived-virtual-properties).

   Create a new internal role called `RequestDirects`:

   1. In the Advanced Identity Cloud admin console, log in to Advanced Identity Cloud as a tenant administrator.

   2. Click Identities > Manage > Internal Roles > [icon: add, set=material, size=inline] New Internal Role.

   3. In the New Internal role modal, enter the following, and then click Next.

      * Name. Enter a descriptive name for the internal role. Enter `RequestDirects`.

      * Description. (Optional) Enter a description for the internal role.

4. Set the internal role permissions:

   1. In the Internal role permissions modal, select Alpha realm - Users.

   2. Click [icon: add, set=material, size=inline] Add. The permissions for View, Create, Update, and Delete are displayed.

   3. Keep View selected.

   4. For attribute permissions, click Show advanced.

   5. Click set all attributes, and select None.

   6. For the following attributes, set the permission to `Read`:

      * `userName`

      * `givenName`

      * `sn`

      * `mail`

   7. Click Administer only a subset of Alpha realm - Users by applying a filter.

   8. Click Advanced Editor, and enter `/frIndexedMultivalued3 eq "{{_id}}"`.

      1. Click Next.

         > **Collapse: Details**
         >
         > ![Internal role settings for request directs.](../_images/governance-internal-role-permissions-requestDirects.png)

   9. In the Dynamic Internal role Assignment modal, click Next.

   10. In the Time Constraint modal, click Save.

5. Create an RDVP and make it queryable:

   1. Click Native Consoles > Identity Management.

   2. Go to Configure > Managed Objects.

   3. On the Managed Objects page, click Alpha\_user.

   4. Click edit ([icon: pencil, set=fa]) in the frIndexedMultivalued2 row.

   5. On the frIndexedMultivalued2 page, enter the following values:

      * Readable Titles: `reportsIDs`

      * Description: Enter a description of the managed object.

   6. Click Show advanced options.

   7. Click Viewable to disable it.

   8. Click User Editable to disable it.

   9. Click Virtual to enable it. You're using `frIndexedMultivalued2` as a virtual RDVP.

      > **Collapse: Details**
      >
      > ![frIndexedMultivalued2 example.](../_images/governance-frindexedMultivalued2.png)

   10. Click Query Configuration.

   11. In the Referenced Relationship Fields field, enter `["reports"]`. This relationship property is used to calculate the RDVP.

   12. In the Referenced Object Fields field, enter `_id`. This property holds the value returned when the RDVP is calculated.

   13. Click Flatten Properties to enable it.

   14. Click Save. The Managed Object created message appears.

6. Reset the `RequestDirects` internal role:

   1. Click Manage Identities > Internal Roles > RequestDirects.

   2. In the RequestDirects modal, click Privileges.

   3. Click the ellipsis icon ([icon: more_horiz, set=material, size=inline]) next to the View privilege.

   4. In the Edit Privilege modal, click Show advanced, and then click Advanced Editor.

   5. In the Assign user based on if query evaluates to true: field, enter the condition `/frIndexedMultivalued2 pr`.

   6. Click Save. The new RDVP allows an end user's direct reports to be updated virtually whenever the RDVP is recalculated due to a change.

      > **Collapse: Details**
      >
      > ![frIndexedMultivalued2 RDVP with updated condition.](../_images/governance-frindexedMultivalued2-rdvp.png)
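
Use cases 2 and 3 both rest on two small filter mechanisms: a `{{attribute}}` placeholder that is resolved from the requesting user's own profile, and the PingIDM query-filter forms `/attr eq "value"` and `/attr pr` used in the `RequestDirects` privilege and its assignment condition. The following added example (illustration only, not PingIDM's query-filter engine) implements just those two forms, resolves placeholders, and evaluates them over constructed user records so you can see which other users a requester ends up able to select. Writing the use case 2 UI filter "City is {{city}}" as `/city eq "{{city}}"` is an assumption made here; the attribute names `frIndexedMultivalued2` and `frIndexedMultivalued3` are the ones the page's filters reference:

```python
"""Added illustration of the filters behind use cases 2 and 3 (not PingIDM's
query-filter engine). It supports only the two forms that appear on the page,
`/attr eq "value"` and `/attr pr`, with `{{attribute}}` placeholders resolved
from the requesting user, and runs them over constructed user records.
"""
from __future__ import annotations

import re

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def resolve_placeholders(template: str, requester: dict) -> str:
    """Replace {{attr}} with the requesting user's own value for attr."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in requester:
            raise KeyError(f"requesting user has no attribute {name!r}")
        return str(requester[name])
    return PLACEHOLDER.sub(substitute, template)


def evaluate_query_filter(expr: str, target: dict, requester: dict) -> bool:
    """Evaluate a query filter against one target user.

    Multivalued attributes are lists: `eq` holds when any element equals the
    value, and `pr` (present) only when the list is non-empty, so an empty
    reports list does not count as "has reports".
    """
    expr = resolve_placeholders(expr, requester)
    eq = re.fullmatch(r'/(\w+) eq "([^"]*)"', expr)
    if eq:
        actual = target.get(eq.group(1))
        if isinstance(actual, list):
            return eq.group(2) in [str(v) for v in actual]
        return actual is not None and str(actual) == eq.group(2)
    pr = re.fullmatch(r"/(\w+) pr", expr)
    if pr:
        actual = target.get(pr.group(1))
        return len(actual) > 0 if isinstance(actual, list) else actual is not None
    raise ValueError(f"unsupported query filter: {expr!r}")


def role_assigned(user: dict, assignment_filter: str) -> bool:
    """Dynamic assignment: the condition is evaluated against the user itself."""
    return evaluate_query_filter(assignment_filter, user, user)


def requestable_users(requester: dict, users: list[dict],
                      view_filter: str, assignment_filter: str | None = None) -> list[str]:
    """Other users the requester may raise access requests for."""
    if assignment_filter is not None and not role_assigned(requester, assignment_filter):
        return []  # no internal role, so no view privilege at all
    return [u["userName"] for u in users
            if u is not requester and evaluate_query_filter(view_filter, u, requester)]


# Use case 2: the UI filter "City is {{city}}" written as a query filter (assumption).
SAME_CITY = '/city eq "{{city}}"'

# Use case 3, the two filters from the page: manager IDs are held in
# frIndexedMultivalued3 and the reports RDVP in frIndexedMultivalued2.
DIRECTS_OF_REQUESTER = '/frIndexedMultivalued3 eq "{{_id}}"'
HAS_REPORTS = "/frIndexedMultivalued2 pr"

# Constructed sample users; mia manages alice and bob, carol reports to m2.
MIA = {"_id": "m1", "userName": "mia", "city": "Denver",
       "frIndexedMultivalued3": [], "frIndexedMultivalued2": ["u1", "u2"]}
ALICE = {"_id": "u1", "userName": "alice", "city": "Denver",
         "frIndexedMultivalued3": ["m1"], "frIndexedMultivalued2": []}
BOB = {"_id": "u2", "userName": "bob", "city": "Boston",
       "frIndexedMultivalued3": ["m1"], "frIndexedMultivalued2": []}
CAROL = {"_id": "u3", "userName": "carol", "city": "Denver",
         "frIndexedMultivalued3": ["m2"], "frIndexedMultivalued2": []}
USERS = [MIA, ALICE, BOB, CAROL]

if __name__ == "__main__":
    print("alice, same city:", requestable_users(ALICE, USERS, SAME_CITY))
    print("mia, directs:", requestable_users(MIA, USERS, DIRECTS_OF_REQUESTER, HAS_REPORTS))
    print("alice, directs:", requestable_users(ALICE, USERS, DIRECTS_OF_REQUESTER, HAS_REPORTS))
```

The two layers matter independently: the assignment condition (`/frIndexedMultivalued2 pr`) decides who gets the `RequestDirects` role at all, and the privilege filter (`/frIndexedMultivalued3 eq "{{_id}}"`) decides which users a role holder can see. A user with no reports never receives the role, so an empty reports list must evaluate as "not present", which is why the example treats an empty multivalued attribute that way.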
