ConductorOne Docs

Configure access requests

Use the access requests settings on an application's access control tab to configure who can request the entitlement, who will review the request, and how the new access will be provisioned.

An application’s Access controls tab is where you can view the current access request settings for all of the application’s entitlements and make changes to how individual entitlements are requested and provisioned.

The access controls tab of an AWS application in ConductorOne.

You can see a summary of each entitlement’s settings in the All entitlements table.

The app access entitlement gets special treatment. A user must be granted this entitlement to get access to the application itself. Because it’s so fundamental, ConductorOne treats it a little differently than other entitlements and doesn’t list it in the All entitlements table on the Access controls tab. Instead, you’ll find controls to manage the access request and provisioning settings for app access at the top of the page.

Set the request policy for an entitlement

ConductorOne applies request policies using this order of precedence:

  1. The entitlement’s configuration
  2. The application’s configuration

In other words, if a request policy is set on the entitlement, it overrules the policy set on the application.

If you want to make sure this entitlement uses a specific request policy, set it on the entitlement. If the entitlement can be requested using the policy set on its application, you do not need to set a policy here.

πŸ’‘ To learn more about creating custom request policies, go to Create policies.

To set a request policy for the entitlement:

  1. In the navigation panel, open Manage and click Applications.

  2. Select an application and click Access controls.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement shown at the top of the page, click the pencil icon
    • For any other entitlement, click the actions (…) menu and select Edit access request

  4. Use the Policy dropdown to locate and select the request policy that this entitlement should use.

  5. Click Save.

The entitlement’s request policy is set. This policy will be used whenever users request access to the entitlement.

Enable emergency access on an entitlement

πŸ’‘ To learn more about emergency access, go to Enable emergency access requests.

By default, entitlements do not support emergency access requests. You must switch on emergency access availability and set an emergency access request policy for each entitlement that you want to allow users to request emergency access to.

  1. In the navigation panel, open Manage and click Applications.

  2. Select an application and click Access controls.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement shown at the top of the page, click the pencil icon
    • For any other entitlement, click the actions (…) menu and select Edit access request

  4. Enable Emergency access.

  5. Use the Emergency access policy dropdown to choose the request policy to be used for emergency access requests to this entitlement.

    Important: You must set an emergency access policy in order to use emergency access requests. If you do not set a policy here and attempt to save your changes, emergency access will be automatically disabled on the entitlement.

  1. Click Save.

The entitlement is now available for emergency access requests.

Set a time limit on an entitlement

To support least privilege access, you can choose to set a time limit on entitlements so that users are granted access for only a certain duration. At the end of the time limit, the user’s access will be automatically revoked.

  1. In the navigation panel, open Manage and click Applications.

  2. Select an application and click Access controls.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement shown at the top of the page, click the pencil icon
    • For any other entitlement, click the actions (…) menu and select Edit access request

  4. Enable Max grant duration.

  5. Set the maximum duration limit of the entitlement grant. Options range from one hour to one month.

  6. Click Save.

The time limit is now set. When access to this entitlement is granted, it will be automatically revoked once the time limit elapses. The user granted the access will see the entitlement on the Expiring page in their My access section, where they can ask for an extension if necessary.

Add an entitlement to an existing request catalog

Make an entitlement available for users to request by adding it to one or more request catalogs. To learn more about setting up and using request catalogs, see Create request catalogs.

  1. In the navigation panel, open Manage and click Applications.

  2. Select an application and click Access controls.

  3. Select an entitlement and open its access requests editing pane:

    • For the App access entitlement shown at the top of the page, click the pencil icon
    • For any other entitlement, click the actions (…) menu and select Edit access request

  4. Use the Request catalogs dropdown to select one or more catalogs you want to add the entitlement to.

  5. Click Save.

The entitlement is now included in the request catalog. Users who have access to the request catalog will see the entitlement as an option when they browse their available access or fill out the request access form in ConductorOne or on the Slack app.

Configure how an entitlement is provisioned

  1. In the navigation panel, open Manage and click Applications.

  2. Select an application and click Access controls.

  3. Select an entitlement and open its provisioning editing pane:

    • For the App access entitlement shown at the top of the page, click the pencil icon
    • For any other entitlement, click the actions (…) menu and select Edit provisioning

  4. Select the provisioning method you want this entitlement to use when giving a user access to this entitlement.

    • Connector: This option uses the integration connector to automatically provision the access. Not all connectors support provisioning, and the configuration and permissions of the integration must be set up to allow provisioning where it is supported. If you choose this option but automatic provisioning via the connector isn’t available, ConductorOne will fall back to manual provisioning and assign the provisioning task to the application owner.

    • Manual: This option prompts you to select a designated human provisioner or provisioners who will manually update the user’s access. When access to the entitlement is granted, a provisioning task will be assigned to the provisioner you set here. (If multiple provisioners are set, each will be assigned the same task, each will receive a notification, but just one needs to complete the task.) You also have the option to enter instructions about how to provision this entitlement. These instructions will be included in the provisioning task.

    • Delegated: This option creates a binding between two entitlements, so that when one is granted, the user automatically receives access to the second entitlement as well. This in effect delegates the provisioning method to the bound entitlement. When using this option, select the entitlement from the dropdown that will grant access to the entitlement you’re configuring.

      Here’s a more in-depth explanation of how this works:

      • You configure provisioning on Entitlement A, choosing Delegated and selecting Entitlement B from the dropdown.
      • ConductorOne creates an entitlement binding for you between Entitlement B and Entitlement A. To see the binding’s details, navigate to either entitlement’s details page and click Bindings.
      • Entitlement B has been configured to use its connector for provisioning. When a user requests access to Entitlement B and their request is approved, the connector automatically adds access to both Entitlement B and Entitlement A to the user’s application account.