There seems to be no way to finely / custom-define the scope of which users can use Access Request, and which users can Request On Behalf Of others (except via the Managers or Everyone option):
Access Request seems to be a tenant-wide feature, and if I have a Request On Behalf Of use case, I can only scope it so that either Managers or Everyone can request for others.
In the Everyone case, that would mean anyone can search for anyone’s name / existence via Access Request.
How are others getting around / avoiding this exposure scenario?
My understanding is that Segments only control the searchability / visibility of access items (roles / access profiles / entitlements). They don’t control the searchability / visibility of identities.
This statement from the doc:
“Admins can add access items to segments to make this access visible only to users included in these segments”
i.e., a Segment is a visibility relationship between identities and access items, but not between identities and identities.
We are ok with this. No one will request access for others unless it is required, and of course we will have approvals configured for access items, so no problem for us.
Yes, there should have been some customization here apart from Managers or Everyone requesting for others; you can create an idea for that.
The concern is that anyone / everyone authenticated in the tenant can look up anyone’s existence in the tenant.
This also has some minor overlap with consent / preference management. Some users / identities don’t want / need to be searchable for access request use cases.