Shine a light on shadow apps

ConductorOne Docs

Configure entitlement request settings

Use the access requests settings on an entitlement's details page to configure who can request the entitlement, how long they can request it for, and how the request will be reviewed.

Set a request policy for the entitlement

ConductorOne applies request policies using this order of precedence:

  1. The entitlement’s configuration
  2. The application’s configuration

In other words, if a request policy is set on the entitlement, it overrules the policy set on the application.

If you want to make sure this entitlement uses a specific request policy, set it on the entitlement. If the entitlement can be reviewed using the policy set on its application (this is the default request policy setting), you do not need to set a policy here.

To learn more about creating custom request policies, go to Create policies.

To set a request policy for the entitlement:

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Entitlements.

  3. Select an entitlement. On the Details tab, in the Access requests area of the page, click Edit.

  4. Use the Policy dropdown to locate and select the request policy that this entitlement should use.

  5. Click Save.

The entitlement’s request policy is set. This policy will be used whenever users request access to the entitlement.

Entitlement bindings and access requests

Entitlements can be bound to each other. There are two types of bindings: Incoming (one entitlement is granted by another entitlement) and Outgoing (one entitlement grants another entitlement)

To view any bindings in effect, click the Bindings tab on the entitlement’s details page.

Go to Add a manual binding to learn more about setting up and working with entitlement bindings.

Enable emergency access on an entitlement

To learn more about emergency access, go to Enable emergency access requests.

By default, entitlements do not support emergency access requests. You must switch on emergency access availability and set an emergency access request policy for each entitlement that you will allow users to request emergency access to.

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Entitlements.

  3. Select an entitlement. On the Details tab, in the Access requests area of the page, click Edit.

  4. Enable Emergency access.

  5. Use the Emergency access policy dropdown to choose the request policy to be used for emergency access requests to this entitlement.

    You must set an emergency access policy in order to use emergency access requests. If you do not set a policy here and attempt to save your changes, emergency access will be automatically disabled on the entitlement.

  1. Click Save.

The entitlement is now available for emergency access requests.

Set a time limit on an entitlement

To support least privilege access, you can choose to set a time limit on entitlements so that users are granted access for only a certain duration. At the end of the time limit, the user’s access will be automatically revoked.

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Entitlements.

  3. Select an entitlement. On the Details tab, in the Access requests area of the page, click Edit.

  4. Enable Time limit for this grant.

  5. Set the maximum duration limit of the entitlement grant. Options range from one hour to one month.

  6. Click Save.

The time limit is now set. When access to this entitlement is granted, it will be automatically revoked once the time limit elapses. The user granted the access will see the entitlement on the Expiring page in their App directory section, where they can ask for an extension if necessary.

Add an entitlement to an existing request catalog

Make an entitlement available for users to request by adding it to one or more request catalogs. To learn more about setting up and using request catalogs, see Create request catalogs.

  1. In the navigation panel, open Apps and click Applications.

  2. Navigate to the entitlement you want to add to a catalog:

    • Click the application’s name
    • Click the Entitlements tab
    • Locate the entitlement and click its name

  3. In the Access requests section of the entitlement’s details page, click Edit.

  4. Use the Request catalogs dropdown to select one or more catalogs you want to add the entitlement to.

  5. Click Save.

The entitlement is now included in the request catalog. Users who have access to the request catalog will see the entitlement as an option when they fill out the request access form in ConductorOne or on the Slack app.