
ConductorOne Docs

How to set up self-service access

Follow our step-by-step guide to setting up self-service access requests with ConductorOne.

Why set up self-service access requests?

Self-service access requests automate the access request process, with benefits for everyone involved:

  • For your organization: Enforce security policies, help achieve least privilege, and establish an audit trail

  • For your IT team: Less time spent routing access requests means increased productivity and more time to focus on strategic tasks

  • For your colleagues: Quickly get access without having to wait for IT to process a ticket or decipher an email

📋 Before you begin

Except where noted, a ConductorOne user with the Super Admin user role must complete this process. Go to Assign user roles to learn more.

Before you begin, make sure you’ve completed these setup tasks:

  1. Sign up for ConductorOne using your SSO provider, connect your user directory, and map key user attributes.

  2. Set up each of the applications your colleagues will be able to request access to.

  3. If you want to create and approve access requests in Slack, follow the instructions to Set up the ConductorOne Slack app.

Step 1: Create request policies

Policies are sets of instructions for how an access request process should proceed and the reviewers involved.

If you haven’t already done so, create request policies that follow your organization’s access control rules and best practices by following the instructions in Create policies. Make sure to choose the Request policy type when prompted.

Conditional policies. You can write conditional request policies in which a certain reviewer flow or action (like auto-approval of a request) is triggered if the requestor meets the criteria you specify. For an introduction to conditional policies and more information on using them, see Add conditional policy rules.

Step 2: Apply policies

Once you’ve created the policies, apply them to the entitlements your colleagues will request. ConductorOne applies request policies using this order of precedence:

  1. The entitlement’s configuration

  2. The application’s configuration

In other words, if an entitlement policy is set, it overrules the application policy. Keep this in mind when deciding where to apply your request policies.

Apply policies to be used for self-service access requests in this order:

  1. Apply policies to applications. If all (or most) entitlements for an application should be requested using a single policy, apply that policy to the application as a whole. Follow the instructions in Set application-level policies.

  2. Apply policies to specific entitlements. If you need to apply a request policy with a more in-depth review process to certain sensitive entitlements, follow the instructions in Set the request policy for an entitlement.

Step 3: Configure provisioning

Once approved, new access can be provisioned (added to the user’s account) in four ways:

  • Connector: The ConductorOne integration connector automatically provisions the access. Not all connectors support provisioning, and the configuration and permissions of the integration must be set up to allow provisioning where it is supported. If you choose this option but automatic provisioning via the connector isn’t available, ConductorOne will fall back to manual provisioning.

  • Manual: A designated human provisioner manually updates the user’s access in the relevant application. When access to the entitlement is granted, ConductorOne creates a provisioning task and assigns it to the provisioner.

  • Delegated: A binding between two entitlements is created, so that when one entitlement is granted, the user automatically receives access to the second entitlement as well. This in effect delegates the provisioning method to the bound entitlement.

  • Webhook: When a user is granted access to the entitlement, the webhook will automatically fire. You can use webhooks to automate provisioning workflows such as creating a Jira or ServiceDesk ticket or making an API call.

Go to Configure how an entitlement is provisioned to learn more about each provisioning type and to view instructions on how to set the provisioning strategy for each entitlement.

Step 4: Create request catalogs

ConductorOne users with either the Super Admin or Access Request Admin user role can create and edit request catalogs. Go to Assign user roles to learn more.

Make an entitlement available for users to request by adding it to one or more request catalogs. To learn more about setting up and using request catalogs, see Create request catalogs.

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Access controls.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement shown at the top of the page, click the pencil icon

    • For any other entitlement, click the actions (…) menu and select Edit access requests

  4. Use the Request catalogs dropdown to select one or more catalogs you want to add the entitlement to.

  5. Click Save.

The entitlement is now included in the request catalog. Users who have access to the request catalog will see the entitlement as an option when they browse their available access or fill out the request access form in ConductorOne or in the Slack app.

Step 5: Set your colleagues up for success

Request access for yourself

Here’s a quick video that you can share with your colleagues demonstrating how to request new access through the ConductorOne web app:

If your organization uses Slack, here’s a video on how to request and approve new access there:

If you’d rather share written instructions, find our documentation on using the Browse access page and the Request access form in the ConductorOne web app and Slack.

Request access for others

Most users can only request their own access, but there are a few exceptions:

  • Managers can request access for the members of their team

  • ConductorOne users with either the Access Request Helpdesk or Access Request Admin role can request access for anyone

These users see an option to request new access for others at the top of the Browse access page and the Request access form in the ConductorOne web UI and Slack.

Review and approve access requests

Request tasks are assigned to reviewers based on the request policy governing the requested app or resource.

Here’s our documentation on how to Review access grant requests, which you can share with your impacted colleagues.

Success!

That’s it! By following these steps, you’ve set up self-service access requests using ConductorOne and helped to ensure your colleagues can more quickly and efficiently get the access they need, when they need it.

Thanks for joining us in this how-to guide!