Shine a light on shadow apps

ConductorOne Docs

Enable emergency access requests

Emergency access (also known as "break glass" access) is a system for granting expedited access approval in the event of an emergency or incident when access is urgently needed.

What’s an emergency access request?

In emergency situations, some employees might need immediate access to resources and systems that they don’t normally have access to. In order to get these employees the access they need, companies create expedited access review procedures (sometimes called “break glass” procedures in reference to the “break glass in case of fire” signs on alarms and fire safety equipment).

Use ConductorOne’s emergency access request feature to support and expedite this kind of emergency access request while adhering to your company’s emergency access procedures.

The process works like this:

  1. ConductorOne admins enable select entitlements to accept emergency access requests.

  2. Each entitlement that supports emergency access is assigned an emergency access policy.

  3. When an emergency arises, a user requests access to an entitlement through ConductorOne and selects Emergency access on the request form in the web app or Slack. You can also request emergency access through Cone, the ConductorOne CLI too.

  4. The request uses the entitlement’s assigned emergency access policy to route the request through the emergency access review process.

  5. The user is granted emergency access to the needed entitlement and can work to solve the crisis.

How are emergency access requests shown in the ConductorOne app?

When requesting access in ConductorOne, the Emergency access toggle is shown when a user has selected an entitlement with emergency access enabled.

A completed request access form in ConductorOne for 1 hour of access to an AWS admin role, showing the emergency access toggle present and enabled.

Emergency access requests are shown with a thunderbolt icon in all task lists, including on the Tasks, Requests, and Open requests pages.

Two request tasks in a task table, one showing a thunderbolt icon next to the request icon.

A badge at the top of the request task’s details page also shows that the request is for emergency access.

A task details page showing the 'Emergency access requested' badge in the header.

Can an open access request be escalated to emergency access? Yes, it can! If a request for standard non-emergency access is open, but emergency access is needed, go to the request and click Escalate to emergency access. When using Cone, escalate a task by running cone task escalate.

Enable emergency access requests

This task requires the Super Administrator role in ConductorOne.

Step 1: Create emergency access policies

When a request for emergency access is created, the request bypasses the request policy set on the entitlement or application and uses a designated emergency access policy instead. You must set an emergency access policy in order to allow emergency access on the entitlement.

You can use any existing request policy as the emergency access policy, but you might want to create dedicated emergency access policies to be used in this situation.

To create an emergency access policy, follow the directions in Create policies.

Tips for creating emergency access policies:

  1. Make sure to choose the Request policy type.
  2. Give your emergency access policy a name that indicates that this policy is used for emergency access requests.
  3. Consider creating multiple emergency access policies with a range of levels of required review before access is granted, which you can match to each entitlement based on its level of sensitivity.

Step 2: Set up emergency access on an entitlement

By default, entitlements do not support emergency access requests. You must switch on emergency access availability and set an emergency access request policy for each entitlement that you will allow users to request emergency access to.

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Entitlements.

  3. Select an entitlement. On the Details tab, in the Access requests area of the page, click Edit.

  4. Enable Emergency access.

  5. Use the Emergency access policy dropdown to choose the request policy to be used for emergency access requests to this entitlement.

    You must set an emergency access policy in order to use emergency access requests. If you do not set a policy here and attempt to save your changes, emergency access will be automatically disabled on the entitlement.

  1. Click Save.

The entitlement is now available for emergency access requests.

Repeat this process on each entitlement that you want to make available for emergency access requests.

Step 3: Educate users about emergency access requests

Now that emergency access is set up, users can make an emergency access requests for the entitlements you’ve enabled, and reviewers will be asked to review emergency access requests. We recommend sharing information about your company’s emergency access procedures with your impacted colleagues, including:

  • When it’s appropriate to request emergency access
  • The entitlements available for emergency access
  • The emergency access review process
  • Who emergency access reviewers are and how the emergency access request process differs from normal access requests
  • When and how to escalate an open non-emergency request to an emergency access request

This way, teams and reviewers will be prepared to efficiently utilize emergency access requests before a critical issue arises.