Access Request Workflow
This is an Early Access feature. To enable it, please contact Okta Support.
The Access Request Workflow feature is a complete, multi-step approval workflow through which end users can request access to apps. Admins can designate approvers to grant users access for self-service applications.
This feature enhances Okta's provisioning solution, which typically is used by IT teams to automate account provisioning and SSO access for users on their first day of employment. Later, users need access to job-specific applications that are often beyond an IT team's purview. The Access Request Workflow feature allows business application owners — rather than IT — to grant users access to apps and assign entitlements in apps that require them.
Use Access Request Workflow to:
You can do all of this from the Okta Admin Dashboard. No programming or configuration files are required.
End User Experience
End users are shown a list of apps when they click Add Apps. Apps that do not require approval have an Add button; apps that do require approval have a Request button. Clicking Request opens a window through which users confirm their request. Users can enter an optional message to the approvers of up to 1,000 characters. Confirming the request changes the Request button to Requested. During the approval process, end users receive the messages and email notifications that you configure.
After users request an app, the first approver receives an email containing the request and a link. Following the link gives options to approve or deny the request.
In all cases, only the messages you enable in the setup are sent.
Approvers can check outstanding approvals in their queue at any time through their Okta Home Page by selecting the down arrow next to their user name and then selecting Tasks. Approvers can process any approvals from the list.
Group Approver Experience
If a group is specified as an approver, all members of the group receive email notifications and are asked to approve the request. When one member of the group approves or rejects the request, the step is complete, and the task is removed from all the other group members' queues.
After the approval is set up and an end user requests an app, Okta Admins can intervene in the approval process and perform any of the following actions:
To view, resend, or cancel a request
Note: If you override the approval process and assign the app immediately, the approval process stops. The user can access the app, and any existing workflow is deleted.
Admin Best Practices
Certain Admin actions can have an adverse effect on Access Request Workflows. Doing any of the following can cause issues with existing and subsequent access requests.
Before making any of these changes to applications or approvers, take action on any affected requests that are pending, and then disable approval for the app. After you make changes, you can enable approvals for the app again.
There are two parts to setting up an app to use this workflow. First, perform this procedure, then, configure the approval workflow.
There are two parts to setting up an app to use this workflow. First, configure the app for self service, then perform this procedure.
You can disable the various methods that end users can use to request apps.
When you disable this option (by deselecting it), these end user options are unavailable:
Workflow events are tracked in the System Log. The following items are tracked:
*Note: These items are triggered by the Okta system granting or denying access, not by actions of an approver.