New Capability: Access Request Administration

Description

SailPoint® is thrilled to announce the launch of Access Request Administration in Identity Security Cloud!

Problem

Identity Security Cloud (ISC) allows users and approvers to manage Access Requests today, but administrative tooling has been underpowered and required API knowledge to use.

Users have had access to actions like cancelling, reassigning, and approving access requests that administrators did not have, and these administrators did not have a simple and quick path to access requests in a powerful user interface that granted them the parity they needed for managing their system.

Many customers have developed their own external tooling alongside Identity Security Cloud, highlighting the need for more seamless integration. By enhancing visibility and control over the flow of Access Requests, administrators can enjoy an even greater level of oversight and efficiency, empowering them to effectively manage their systems.

Solution

You spoke. We listened.

With the new Access Request Administration feature, administrators can view and manage all access requests across all of Identity Security Cloud and can enable in a timelier fashion the flow of governance activities. A singular user interface enables administrators to see, approve, reassign, remind, and cancel access requests as well as see a historical view of Access Requests. These administrators, as well as users they grant administrative or read only access, will have total visibility into all prior and pending Access Requests, and they will have the ability to remind, reassign, cancel, or overwrite approval for Access Requests pending both individual users as well as Governance Groups.

Who is affected?

  • IdentityNow customers licensed for Access Request functionality

  • Identity Security Cloud suites customers.

Important Dates

Access Request Administration will be available in production for all affected tenants the week of December 16, 2024.

11 Likes

It’s a good start, I really hope the plan is to add functionality to it.

  • Can’t search by any value or field, only by request ID.
  • Can’t sort by ‘access name’, ‘assigned to’, ‘access for’ or ‘requested by’
  • Workflow of access request shows MM/DD/YYYY - should also include HH:mm:ss
2 Likes

Hi @aaron_andrew,

Really glad to hear this announcement.

I find the feature very useful. The separate view for the requests submitted by logged in user (Request Center > View My Requests) and all requests (Admin > Dashboard > Access Request Administration) is a better user experience than loading all requests in one place. Is there an extract/generate report/download CSV option already in plan? If yes, that could help in reporting.

Hi Aaron,

This is very useful! Is it possible to view/manage the access requests which are submitted through REST APIs also using this feature?

Hi Amar -

That’s not in scope for this release, though it’d be doable with a query of the Access Request API. If you’re looking for some kind of export of access requests in a reportable format, I’d recommend opening an Idea in our Ideas portal to make sure the idea is tracked.

Thanks!
Aaron

1 Like

Hi Jishnu -

Yep! All access requests, regardless of how they’re submitted (UI, API, Service Desk) are tracked here. If it hits the Access Request functionality in Identity Security Cloud, it’s reported.

Thanks,
Aaron

1 Like

Already mentioned this outside of this forum, but I also want to add here that I am very happy with this functionality and it will definitely be used by our operations team.
I do expect a lot of improvement requests from the customers/partners (myself included 🙂), but I think that in this case this is a good sign of this functionality being embraced by the customers, showing that this will really be used a lot. You can also see the amount of reactions and likes on this post to see this reflection.

I very much encourage SailPoint to continue developing functionality that scores high in this list: https://ideas.sailpoint.com/ideas?sort=popular

2 Likes

Thanks for the response @aaron_andrew, https://ideas.sailpoint.com/ideas/GOV-I-4051 submitted.

Any idea of when this will hit FedRAMP tenants? I had recently written a Retool app to do this that I was about to publish - but if it’s going to be semi-soon for FedRAMP too then it’ll save me some work!

I had never heard of Retool before. Looks interesting.
@SailorKev Do you use it a lot for ISC?

Retool is a newly deployed product here and I’ve only looked into using it for two purposes so far:
(1) To publish Governance Group members
(2) For this example of seeing pending access requests, and approving/cancelling/re-assigning.

It’s kinda neat because a dummy like me can use it to link together data/actions via API calls and it makes it easy to put it into a table format and manipulate the data. In this case:
(1) An API call to get pending requests plunks the data into a visual table
(2) I made buttons (Approve, Cancel) to then send the POST API depending on which item you selected from the table
(3) Since re-assigning the access request requires the target’s SailPoint uid, I had a ‘search’ button to use the Search API which would return an identity that you would click ‘re-assign’ and it would grab the uid from there and send the POST.

I’m sure it can do plenty of advanced things, but I used it in the simple form to just get data and post data based on what you select from the first GET. This tutorial was the one I followed and is pretty straightforward and easy to understand for someone like myself: https://www.youtube.com/watch?v=t2ol9K9bSv4

2 Likes

Make sure to make use of the filter in the top right!

Oddly, we are not currently able to filter by requests in the “Error” status

Thank you @SailorKev !


You can filter by “Error” status by clicking on the “Pending” button.

Thanks for this. It’s greatly appreciated.

The status “pending” for requests does not always signify “really” pending requests.
Currently (I’m just guessing here) the view is generated from the list of events that combine into the overall flow that eventually results in access (or not).
However… Requests that for some reason get stuck in “Pending”, due to connector issues or an erroneous configuration at some point, seem to be stuck forever.
The Requests are “Pending”, when in reality the Identity actually did get their access in the target-system.
The Events that ended the flow when errors happened are never reconciled…due to their nature as events.
So the trick to using the feature is to know that some Requests may show as this sometimes misleading status of “pending”.

But thank you again for making my day easier.

/Mikael

Hello @aaron_andrew and thank you for this enhancement. Very useful.
One question : Who can access/use this feature (based on user level permission) ?
→ Only admin people ? Or also “Helpdesk” or another user ?

Thank you and have a nice day

Hi Corentin -

Two user levels have access: Org Admin (also called a Global Admin or sometimes just Admin).

There’s two sub-admin user levels specific for this feature we’ve introduced, so you’re not locked in to giving it to everyone who has helpdesk, for instance: Access Request Admin Read Only, Access Request Admin Full Management.

Definitions for both can be found at the bottom of this doc: User Level Permissions - SailPoint Identity Services

I really like this new feature.
We have tested this user level on one of our colleagues that doesn’t have any other Admin access to ISC. But then the menu bar disappears completely, so the user only gets to the welcome page and can’t press the request center or any other menu options. As soon as we remove the user level Access Request Read-Only Admin and the user logs out and back in, the menu bar is back again.

Anyone else have the same issue?

I think I was able to find the situation to recreate this. This is what that user is seeing when the top menu goes away?