ConductorOne Docs

Configure access requests

Use the access requests settings on an application's access control tab to configure who can request the entitlement, who will review the request, and how the new access will be provisioned.

An application’s App directory controls page is where you can view the current access request settings for all of the application’s entitlements and make changes to how individual entitlements are requested and provisioned.

To reach the App directory controls page, navigate to an application’s page and click Configure in the App directory controls section at the top of the page.

The app access entitlement gets special treatment. A user must be granted this entitlement to get access to the application itself. Because it’s so fundamental, ConductorOne treats it a little differently than other entitlements and doesn’t list it in the Entitlements table on the App directory controls page. Instead, you’ll find controls to manage the access request and provisioning settings for app access on the Overview tab.

Set the request policy for an entitlement

ConductorOne applies request policies using this order of precedence:

  1. The entitlement’s configuration
  2. The application’s configuration

In other words, if a request policy is set on the entitlement, it overrules the policy set on the application.

If you want to make sure this entitlement uses a specific request policy, set it on the entitlement. If the entitlement can be requested using the policy set on its application, you do not need to set a policy here.

To learn more about creating custom request policies, go to Create policies.

To set a request policy for the entitlement:

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Configure in the App directory controls section at the top of the page.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement, go to the Overview tab and click the pencil icon in the App access requests section of the page
    • For any other entitlement, go to the Entitlements tab and select Edit access requests from the more actions menu
  4. Use the Policy dropdown to locate and select the request policy that this entitlement should use.

  5. Click Save.

The entitlement’s request policy is set. This policy will be used whenever users request access to the entitlement.

Enable emergency access on an entitlement

To learn more about emergency access, go to Enable emergency access requests.

By default, entitlements do not support emergency access requests. For each entitlement on which you want users to be able to request emergency access, you must switch on emergency access availability and set an emergency access request policy.

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Configure in the App directory controls section at the top of the page.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement, go to the Overview tab and click the pencil icon in the App access requests section of the page
    • For any other entitlement, go to the Entitlements tab and select Edit access requests from the more actions menu
  4. Enable Emergency access.

  5. Use the Emergency access policy dropdown to choose the request policy to be used for emergency access requests to this entitlement.

    You must set an emergency access policy in order to use emergency access requests. If you do not set a policy here and attempt to save your changes, emergency access will be automatically disabled on the entitlement.

  6. Click Save.

The entitlement is now available for emergency access requests.

Set a time limit on an entitlement

To support least privilege access, you can choose to set a time limit on entitlements so that users are granted access for only a certain duration. At the end of the time limit, the user’s access will be automatically revoked.

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Configure in the App directory controls section at the top of the page.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement, go to the Overview tab and click the pencil icon in the App access requests section of the page
    • For any other entitlement, go to the Entitlements tab and select Edit access requests from the more actions menu
  4. Enable Max grant duration.

  5. Set the maximum time limit for this access.

  6. Click Save.

The time limit is now set. When access to this entitlement is granted, it will be automatically revoked once the time limit elapses. The user granted the access will see the entitlement on the Expiring page in their App directory section, where they can ask for an extension if necessary.

Add an entitlement to an existing request catalog

Make an entitlement available for users to request by adding it to one or more request catalogs. To learn more about setting up and using request catalogs, see Create request catalogs.

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Configure in the App directory controls section at the top of the page.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement, go to the Overview tab and click the pencil icon in the App access requests section of the page
    • For any other entitlement, go to the Entitlements tab and select Edit access requests from the more actions menu
  4. Use the Request catalogs dropdown to select one or more catalogs you want to add the entitlement to.

  5. Click Save.

The entitlement is now included in the request catalog. Users who have access to the request catalog will see the entitlement as an option when they browse their available access or fill out the request access form in ConductorOne or on the Slack app.

Configure how an entitlement is provisioned

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Configure in the App directory controls section at the top of the page.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement, go to the Overview tab and click the pencil icon in the Account provisioning area of the screen
    • For any other entitlement, go to the Entitlements tab and select Edit provisioning from the more actions menu
  4. Select the provisioning method you want this entitlement to use when giving a user access to this entitlement.

    • Connector: This option uses the integration connector to automatically provision the access. Not all connectors support provisioning, and the configuration and permissions of the integration must be set up to allow provisioning where it is supported. If you choose this option but automatic provisioning via the connector isn’t available, ConductorOne will fall back to manual provisioning and assign the provisioning task to the application owner.

    • Manual: This option prompts you to select a designated human provisioner or provisioners who will manually update the user’s access. When access to the entitlement is granted, a provisioning task will be assigned to the provisioner you set here. (If multiple provisioners are set, each is assigned the same task and receives a notification, but only one needs to complete it.) You also have the option to enter instructions about how to provision this entitlement. These instructions will be included in the provisioning task.

    • Delegated: This option creates a binding between two entitlements, so that when one is granted, the user automatically receives access to the second entitlement as well. This in effect delegates the provisioning method to the bound entitlement. When using this option, use the dropdown to select the entitlement that will grant access to the entitlement you’re configuring.

      Here’s a more in-depth explanation of how this works:

      • You configure provisioning on Entitlement A, choosing Delegated and selecting Entitlement B from the dropdown.

      • ConductorOne creates an entitlement binding for you between Entitlement B and Entitlement A. To see the binding’s details, navigate to either entitlement’s details page and click Bindings.

      • Entitlement B has been configured to use its connector for provisioning. When a user requests access to Entitlement B and their request is approved, the connector automatically adds access to both Entitlement B and Entitlement A to the user’s application account.

    ConductorOne automatically creates the binding for you. Whenever you make a change to delegated provisioning, you’ll see the proposed change to the entitlement’s bindings, both when the change creates a new binding and when it removes a binding because you changed the provisioning strategy from delegated to manual or connector-based.

    • Webhook: This option prompts you to select a webhook. Before you can use this option you must configure a webhook on the Webhooks tab of the Settings page. Whenever a user is granted access to the entitlement, the webhook will automatically fire. You can use webhooks to automate provisioning workflows for approved access, such as creating a Jira or ServiceDesk ticket or making an API call.
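
The rules on this page (entitlement policy overrules the application's, emergency access needs its own policy, connector provisioning falls back to a manual task for the application owner, delegated provisioning follows the bound entitlement) can be modelled for a configuration review. This is an added example, not ConductorOne code: the data model, field names, policy names, and sample values are hypothetical and constructed, and the circular-binding check is this model's own.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model for illustration; not ConductorOne's API or export format.
@dataclass
class Entitlement:
    name: str
    policy: Optional[str] = None            # request policy set on the entitlement
    emergency: bool = False
    emergency_policy: Optional[str] = None
    max_grant_days: Optional[int] = None    # None: Max grant duration not enabled
    provisioning: str = "manual"            # connector | manual | delegated | webhook
    delegated_to: Optional[str] = None      # entitlement whose grant also grants this one

@dataclass
class App:
    owner: str
    policy: str                             # request policy set on the application
    connector_provisions: bool              # can the connector provision access?
    entitlements: dict

def effective_policy(app, ent):
    return ent.policy or app.policy         # entitlement setting overrules the app's

def effective_provisioning(app, ent, seen=frozenset()):
    if ent.provisioning == "connector" and not app.connector_provisions:
        return ("manual", app.owner)        # fallback: task goes to the application owner
    if ent.provisioning == "delegated":
        target = app.entitlements.get(ent.delegated_to)
        if target is None or ent.name in seen:
            return ("unresolved", None)     # dangling or circular binding
        return effective_provisioning(app, target, seen | {ent.name})
    return (ent.provisioning, None)

def audit(app):
    findings = []
    for e in app.entitlements.values():
        if e.emergency and e.emergency_policy is None:  # would be disabled on save
            findings.append((e.name, "emergency access lacks a policy"))
        if e.max_grant_days is None:
            findings.append((e.name, "no max grant duration"))
        method, who = effective_provisioning(app, e)
        if method == "unresolved" or who is not None:
            findings.append((e.name, f"provisioning resolves to {method}"))
    return findings

SAMPLE = App("alice", "manager-approval", False, {e.name: e for e in [  # constructed data
    Entitlement("admin", policy="security-approval", emergency=True, provisioning="connector"),
    Entitlement("viewer", max_grant_days=30, provisioning="delegated", delegated_to="admin"),
]})
```

Calling audit(SAMPLE) flags the admin entitlement three times and shows that viewer, although delegated, ends up as a manual task for the application owner because its bound entitlement's connector cannot provision.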