PingOne Advanced Identity Cloud

Manage access request using workflows

When you configure access requests, you can implement workflows, an end-to-end sequence of Identity Governance actions that result in either approving or rejecting an access request. You can configure workflows using the Advanced Identity Cloud’s Workflow UI or REST APIs.

Workflows give complete flexibility over all access request types by allowing you to define custom workflow definitions. For example, when an end user requests access to an application, you can specify the actions Identity Governance takes for the access request to be approved or rejected.

These actions could include:

  • Requiring more than one approval for the request. You could require an end user’s manager and the application owner to approve the request before Identity Governance provisions access to the end user.

  • If the access request is rejected, send an email to the end user stating their access request has been denied.

Important aspects of workflows
  • Identity Governance provides default workflows for each access request type. Identity Governance also requires a workflow for each access request type; therefore, every access request type must have an associated workflow.

  • Each workflow has two states:

    • Draft — A staging state to validate a workflow before publishing. For a workflow to be live, you must publish it.

    • Published — The workflow is read-only and live.

  • You can create workflows using the following:

    • Workflow UI — An intuitive UI that leverages Ping Identity’s journey canvas. Easily create the workflows using nodes.

    • REST APIs

  • Workflows are saved in JSON format.

The out-of-the-box Identity Governance workflows do not currently support the approval of custom request types, like event-based requests. In this case, you can use workflows with custom scripted nodes that can handle event-based situations, such as user create or user update. For more information, refer to Examples of workflows.

Access request types

Identity Governance provides six out-of-the-box workflows for each access request type.

The following table displays the different access request types and out-of-the-box workflows:

Access request type Workflow name Description

Grant Application


Request access to an application.

Remove Application


Request to remove access to an application for an end user.

Grant Entitlement


Request access to an entitlement (additional privilege inside an application).

Remove Entitlement


Request to remove access to an entitlement from an end user.

Grant Role


Request access to an Advanced Identity Cloud provisioning role.

Remove Role


Request to remove access to a role from an end user.

Create workflows using the Workflow UI

To manage workflows, from the Advanced Identity Cloud admin UI, go to manage_accounts Workflows.

There is a default published workflow for each access request type.

The Workflow UI dashboard.
  • 1 Click New Workflow.

  • 2 Click Create Duplicate to make a copy of an out-of-the-box workflow. You cannot modify an out-of-the-box workflow but can only make a duplicate.

  • 3 Every workflow has two states; draft and published. You can only modify a workflow in the draft state. When you click add New Draft, Identity Governance creates a copy of the existing published workflow.

    • View the published workflow.

    • Import a JSON file to create or override an existing draft.

    • Duplicate the out-of-the-box workflow.

  • 4 If a workflow has an existing draft, click View Draft.

  • 5 Click ellipsis () to:

    • View the published workflow.

    • Import a JSON file to create or override an existing draft.

    • Duplicate the draft.

    • If there is an existing draft, delete the draft.

Workflow UI canvas

When you click a workflow, a blank workflow canvas appears with workflow nodes in the left pane, which you can drag-and-drop onto the canvas.

The Workflow UI canvas.
  • 1 Available Workflow UI nodes.

  • 2 Perform orientation functions:

    zoom_in — Zoom in

    zoom_out — Zoom out

    fullscreen — Toggle fullscreen

    grid_on — Auto layout nodes on the canvas

    delete — When you select on or more nodes, the delete icon displays.

  • 3 Toggle between the draft and published states of a workflow.

  • 4 Click more_horiz (ellipsis icon) to:

    • View Details — View metadata, such as the state and workflow name.

    • Import — Upload a JSON file to create or override an existing draft.

    • Export — Download a JSON file of the workflow state.

    • Delete Draft — Only present when viewing the draft state of a workflow.

  • 5 Switch between viewing the workflow through the canvas UI or through JSON.

  • 6 Save or publish the existing workflow.

  • 7 The Workflow UI canvas. Drag, drop, and connect nodes in the canvas to create your workflow.

When you click Publish in a workflow, it overrides the existing published version. Identity Governance prompts you to download Download backup. Always download a backup in case of an error.

View workflow in JSON

For technical users, Identity Governance provides the ability to view and download workflows using JSON. From the Workflow UI canvas, toggle JSON. If you want to export the workflow JSON, click ellipsis (), and then Export. You can make adjustments and re-import the JSON into Identity Governance.

If you are exporting an out-of-box workflow, Identity Governance pulls the UUID of the users or roles from the environment and uses it in the JSON file. Make sure to reset or update the approver values in the Approver node in the JSON.

The Workflow JSON UI.

Modify default workflow email templates

Identity Governance creates default email templates for access request-related features. For example, the Approval node references the default access request email templates.

You can create your own email templates and update the email templates the Approval node uses for notifications.
  1. From the Advanced Identity Cloud admin UI, go to Email > Templates.

  2. View the following email templates and modify as necessary:

    Some access request email templates use configurations set in the workflow definition for an access request type. The Notes column indicates if a template uses configurations.
    Email template name Description

    Request Assigned

    Initial email to the approver(s) of a resource when an end user submits an access request.

    Request Reassigned

    Email to the new assignee when an approver forwards a request item.

    Request Escalated

    Email to an individual assigned as the escalation point of contact.

    Request Reminder

    Email to the approver(s) as a reminder that they have a request item to act on.

    Request Expired

    Email to the approver(s) when a request item expires. The end user defines the expiry of the access request when they submit the access request.

  3. For each email template:

    1. Click the desired template.

    2. View the contents of the email.

    3. If desired, update the email subject and body. For more information on customizing email templates, refer to Email templates.

      To reference access request information in a variable in an email template, use syntax similar to the following:


      The variables you can reference depend on your tenant’s configurations; therefore, they’re specific to your company.

      To reference available attributes, from the Advanced Identity Cloud admin UI, go to Email > Template > Select template > Variables.

Create workflows using REST APIs

Identity Governance stores and saves workflow configurations in JSON format. You can manage the default workflow definitions for each access request type using REST APIs.

For an example of a JSON file, refer to Examples of workflows.

Steps to manage workflow definitions using REST API

  1. Retrieve the current default workflow configurations for access request types using /auto/orchestration/definition(GET).

    Save a copy of the default workflow for the access request type in case of an error with your updated workflow JSON file.
  2. Modify the default workflow to suit your needs.

  3. Create a new default workflow definition for an access request type in a draft state using /auto/orchestration/definition?_action=create (POST).

    Each access request type can only contain one workflow definition in the draft and publish states. One can exist in the draft state and the publish state.

  4. Validate the workflow definition before publishing using /auto/orchestration/definition?_action=validate (POST).

  5. Publish the workflow definition from its draft state using /auto/orchestration/definition?_action=publish (POST).

    You cannot delete workflow definitions in the published state.
  6. Repeat steps 1-5 for each access request type desired.

For more information, learn about workflow APIs at Workflows.

Copyright © 2010-2024 ForgeRock, all rights reserved.