Announcing Identity Lifecycle Management

ConductorOne docs

Automate onboarding access requests

Automatically create bundle access requests for users who match an enrollment rule. Ideal for onboarding and other cases when users are joining an organization.

How does enrollment work?

A catalog is a resource in the ConductorOne app. When you assign a user the enrollment entitlement for the catalog resource (via an auto-enrollment rule or by manually adding users on the catalog’s setup page), they are enrolled in the catalog and automatically request its full bundle of access, all without either the user, their manager, or the IT team needing to create a single access request manually.

Are enrolled users immediately granted the full catalog bundle?

It depends. When a user is assigned the enrollment entitlement for the catalog, a request task is created. Based on the request policy set on the catalog, the request might be auto-approved, or it might need one or more human reviewers to sign off.

Once the user’s request for access to the enrollment entitlement is granted, ConductorOne will automatically create access request tasks for each item in the catalog. Based on the request policies on each individual entitlement, this access might be automatically approved, or it might require human intervention to review, approve, and provision.

If a bundle is made up of low-risk access, you can set the policies on the catalog itself and the entitlements within it to automatically approve these requests, essentially granting users who are added to the catalog the full bundle of access immediately.

Set up catalog auto-enrollment

  1. Follow the instructions in Create request catalogs to set up a catalog and add the relevant entitlements.

  2. On the Setup tab, in the Self-service area of the page, click Edit.

  3. Enable Allow enrollment request. This makes the catalog’s enrollment entitlement available for access requests.

  4. Click Save.

  5. Switch to the Enrollment tab. In the Access requests area of the page, click Edit.

  6. Set the policies that will be used on review and revocation tasks for this catalog’s enrollment entitlement.

    When a user matches an auto-enrollment rule or is added manually, ConductorOne creates a request task for their access to the catalog’s enrollment entitlement. The user will not be added to the list of enrolled users until this request task is complete.

    If you don’t set a request policy here, the catalog will use the default policy set on the ConductorOne app.

  7. In the Auto-enrollment rule area of the page, click Edit.

  8. Enable the rule, then select one or more entitlements from the dropdown. Users who are currently granted any of the entitlements you select will be enrolled in the catalog.

    If you don’t want to start enrolling users immediately, leave the rule disabled and save your progress. You can enable the rule whenever you’re ready.

  9. If necessary, in the Excluding box, add any users who should not be enrolled in this catalog, even if they currently have, or are later granted, the entitlements in the rule.

  10. Click Save.

Request tasks are immediately created for the users who match your auto-enrollment rule. Users added to the exclusion list automatically request the catalog’s excluded from rule entitlement. While request tasks await approval, you’ll see a count of pending enrollments above the Enrolled members area of the screen. Click pending enrollments to see the pending users and jump to the open tasks.

If you need to manually add users to the catalog who do not match the rule, click Enroll users.

As request tasks are approved, users will be added to the Enrolled users area of the page, and ConductorOne will create bundle access requests for the full contents of the catalog.

Frequently asked questions about catalog enrollment

How often does the auto-enrollment rule sync?

A new sync is kicked off each hour. Click Sync now to manually start a sync at any time.