Access Requests

Access Manager is designed for self-service access requests by an AuthUser. A user's manager, system owner, or an Access Manager administrator can also request access on the user's behalf.

An AuthUser can view a list of available approvable relationships that they can request access to.

Approval Chains

Each approvable relationship has a default ApprovalChain that has one or more ApprovalPolicy(s) that specify which users or groups need to provide approval before access is provisioned. The default ApprovalChain is designed to specify the full series of approvals needed for any user.

If a user is a member of a pre-approved group that should have access to a system, either automatically without an ApprovalTransaction or with reduced number of approvals, one or more ApprovalChain(s) can be added to an approvable relationship that have a list of ApprovalPolicy(s) specify which AuthGroup the user must be a member of to use that ApprovalChain.

When a user requests access to an approvable relationship, Access Manager will loop through the associated ApprovalChain(s) and check if the AuthUser is a member of an AuthGroup that is associated with one of the ApprovalChain(s). If no match is found, the default ApprovalChain for the approvable relationship will be used.

Approval Flows

When the ApprovalChain is determined, an ApprovalFlow is created with ApprovalFlowTransaction child records. The ApprovalFlow is the sequence of users or groups that must approve access. An ApprovalFlowTransaction is the audit log entry of who needs to approve and what date and time they approved or denied the request.

The ApprovalFlow uses template metadata from the ApprovalChain and creates ApprovalFlowTransactions using template metadata from the ApprovalPolicy(s) attached to the ApprovalChain.

User Experience Access Request Concept Art