Manage application access requests

Enabling the Workflow feature for an application allows end users to send requests for access to the application to designated users or roles for approval. Approvers can grant access to the application permanently or for a specified time window. Granting access to the application means the users receive the View, Run, and Automatically Deploy permissions.

Configure a request and approval workflow

As a member of the sysadmin role or a role with the Role Management administrative right, you can configure roles for all other users. Initially, only the members of the sysadmin role have the ability to enable a “request and approval” workflow and can configure the workflow for selected applications, specify the users or roles with authority to approve access requests, and identify the role or roles to which users will be assigned if their request is approved.

At a high level, the steps involved in configuring a workflow are these:

  • Create one or more roles that can enable a “request and approval” workflow.
  • Create one or more roles that can approve access requests for the applications that have a “request and approval” workflow.
  • Select an application and click Workflow to select the role into which requesters who are approved will be placed.
  • Select the user or role with authority to approve requests.

If the Requestor’s Manager is the only approver in the approver list and the user has no manager, the request will be approved. If this is not desirable, verify that your users have a manager (refer to Add CyberArk Cloud Directory Users for more information) or add other users or roles to the approver list.

Create roles for workflow administration

The first few steps in configuring the “request and approval” workflow are optional and involve creating one or more roles for users who are allowed to define a “request and approval” workflow for applications and the roles that can approve access requests. These steps are optional because you can choose to only allow members of the sysadmin role to be the users permitted to configure a workflow and members of the sysadmin role can assign approval authority to individual users without creating any approval roles. In most cases, however, creating roles for different sets of users provides greater flexibility and helps to reduce the number of requests left pending an approval.

If you don’t create any intermediary roles with the appropriate administrative rights to enable a workflow, only members of the sysadmin role will be able to configure any “request and approval” workflow you might want to implement.

In most cases, if you are configuring a request and approval workflow for applications, you should create at least one role for users who are allowed to add, modify, or remove applications and who have permission to change which roles are assigned to a specific applications. If you don’t create a role with the Application Management and Role Management rights, only members of the sysadmin role can configure the “request and approval” workflow for applications.

To configure roles that can enable a workflow

  1. Log in to the Identity Administration portal.
  2. Click Core Services > Roles.

  3. Click Add Role or select an existing role to display the role details.

    If you are creating a new role, you must provide at least a unique name for the role.

  4. Click Members, then click Add.
  5. Type a search string to search for and select users and groups for this role.
  6. Click Administrative Rights, then click Add.

  7. Select the appropriate rights, then click Add.

    For example, if you are creating a role with permission to enable a workflow for access to applications, select Application Management and Role Management. You can select any additional rights you want included in this role, but you must select at least one of the required administrative rights.

  8. Click Save to save the role.

Create roles for approvers

You can assign approval authority to individual users. However, in most cases, creating “approver” roles for different sets of users provides greater flexibility and helps to reduce the number of requests left pending an approval. If you don’t create any intermediary roles with the appropriate administrative rights to approve access requests, only members of the sysadmin role will be able to approve access requests. You can follow the same steps described in Create roles for workflow administration to create roles for approvers.

Keep in mind that if you are creating a role with permission to approve access requests for applications, you should include the Application Management and Role Management rights. You can select any additional rights you want included in this role.

Configure Workflow

As a member of the sysadmin role or a role with Application Management and Role Management administrative rights, you can configure a request and approval workflow for any application.

  1. In the Identity Administration portal, click the Apps tab, then select a specific application for which you want to configure a request and approval workflow.

  2. Click Workflow, then select Enable workflow for this application.

  3. Click Add (above) and select an Approver Type from the list (below).

    4. If you choose Requestor’s Manager, you will also need to choose an option for how to handle the request if the user has no manager:

  4. Click Add again to finish adding the approver type to the list.

  5. If you want to have more than one approval before access to the app is granted, repeat the previous two steps.

    Adding steps can be repeated as many times as desired to reflect the required steps in your approval process.

    When multiple approval steps are added, approval is needed from all listed approvers before access is granted. A rejection at any level results in the request being rejected. If the requester’s manager is not known, the request proceeds to the next step as though it had been approved. The next approver in the list is notified that the manager was not known, and therefore there has not yet been any approval or rejection of the request.

  6. Click Save.

    After you have configured the workflow for an application, users can request access to the application through the User Portal.

Request access to an application

Any user with an account in CyberArk Identity can request access to applications with workflow enabled. No special privileges are required to make requests.

  1. Sign in to the Identity User Portal.

  2. Go to Applications and click Add Apps.

  3. In the app catalog, find the app you want to request and click Request.

    The Request button is only available for apps that have the "request and approval" workflow enabled.

  4. Select Permanent or Windowed in the Assignment Type drop-down menu.

    Assignment type Description

    Permanent

    If the request is granted, you will have access to the app for an indefinite time period, or until it is revoked by an administrator.

    Windowed

    If the request is granted, you will have access to the app for the specified window, or until it is revoked by an administrator.

  5. (Optional) For a Windowed assignment type, select a start and end date and time.

  6. Type the business reason for your request and click Submit. An email notification is sent directly to the designated approver.

    You can now click the Requests tab in the User Portal to see the status of your request.

    When you request is approved or rejected, you receive an email notification. If your request is approved, the email includes a link to open the User Portal.

View request details

You can view the status and history of your requests in the User Portal.

If you have the appropriate administrative rights, you can also view requests in the Identity Administration portal.

The Requests tab is only available if you have made a request, or if you are a designated approver for a request.

The Requests tab includes the following information about each request:

Name

Description

Description

A brief summary of the request, including the type of access or app requested.

Status

The current status of the request, either Pending, Approved, Rejected, or Failed.

You can review the request details to see why the request failed. A request may fail for one of the following reasons:

  • If the email address for the approver or requester is invalid.

  • If the request duration has expired. For example, if a request to use the root account was approved for a duration of 60 minutes, and the requester did not login to use the account within 60 minutes.

Posted

The date and time of the most recent request activity.

Approver

  • If the request is pending, this is the user or role designated to approve the request.

  • If the request is resolved, this is the user who approved or rejected the request.

Requester

The user who submitted the request.

Latest Log Entry

The most recent information recorded for the request.

Respond to application access requests

There are no special privileges required to respond to requests. Anyone with access to CyberArk Identity can be designated as an approver.

If you are a designated approver for requests, you receive an email notification for requests. You can click the View Request link in the email to view the request details and the options to approve or reject the request.

  • Click Approve to approve the request and grant access to the application.

    If you click OK to continue with the approval, the request details are updated with the date and time the request was resolved and the approved status.

  • Click Reject to reject the request and type the reason you are rejecting the request.

    If you click OK to continue with the rejection, the request details are updated with the reason the request was rejected, the date and time the request was resolved, and the rejected status.

After you respond to the request, the Requests tab is also updated with the latest activity and email is sent to the requester as notification of your response to the request.

  1. Access the request details by clicking View Request in the email notification, the Requests tab in the User Portal, or selecting Core Services > Requests and then clicking the request in the Identity Administration portal.

    The Approve Request window appears.

  2. Click either Approve or Reject to respond to the request.

    1. Click Approve to approve the request and grant the requester the necessary permissions to the object.

      The Approve Request window appears.

    2. Select either Permanent or Windowed in the Assignment Type drop-down menu.

      • Permanent - Grants the user access to the app for an indefinite time period, or until you revoke access.
      • Windowed - Grants the user access to the app for the specified window, or until you revoke access.

    3. (Optional) Select the start and end date and time if the approval is for a windowed assignment type.

      You can select a windowed approval regardless of the assignment type requested by the user. For example, you can approve access for a windowed time period if the user requested permanent access, or you can change the time window if the user requested windowed access.

    4. Click Submit.

      The request details are updated with the date and time the request was resolved and the approved status.

    Click Reject to reject the request and type the reason you are rejecting the request. If you click Submit to continue with the rejection, the request details are updated with the reason the request was rejected, the date and time the request was resolved, and the rejected status.