How can we limit the use of the Request Center to only the IAM team?
In IIQ, we use WorkGroups to determine who can use Manage User Access.
In ISC, the global options only allow us to choose None, Managers, or Everyone.
Since we use ServiceNow for requesting access, we do not want end users to be able to use the ISC Request Center. However, we need our IAM team to use it.
I tried using a Segment for this: a Segment for All Users that was scoped to a single entitlement. I thought that would limit All Users to only being able to request that single entitlement. However, because none of the other entitlements, access profiles, and roles are in a Segment, the users could still request everything else. Because of the thousands of permissions in ISC, it is not scalable to add all permissions to an IAM Segment to restrict who can request them.
How can we limit the use of the Request Center to only the IAM team?
Unfortunately, there isn’t a configurable way to turn off Request Center for a selection of users. You could check with Support to see if they can do it on the backend.
Otherwise, as you stated, you would need to add all the items that are currently Requestable to an IAM Segment.
If only the IAM team is using the Request Center, I would hope that most of your Access Profiles, Entitlements and Roles are set up to not be requestable. If that is the case, it shouldn’t be hard to add the items to an IAM Segment, but you would need to make sure to add any new requestable items to the segment as you create them.
I talked to support, but they said they couldn’t help.
The issue we have with adding all the access to segments is scalability. We could, technically, but that’d be a lot of manual work. I’d be open to an automated way of adding new entitlements, APs and Roles to a pre-defined segment, but I’m not sure how to go about that.
Thanks for the update. From what I understand, using a segment is the best way to control visibility in the Request Center. By grouping all entitlements, access profiles, and roles into a segment and assigning it only where needed, we can ensure that access items are only visible to the right group. This should help us achieve the restriction we’re looking for.
Hi Gopi. Grouping all entitlements, APs, and roles would be thousands of existing permissions. Then we would need to do that for every permission that is created in the future. That would be tons of manual work. Any idea how that could be automated?