Manage access request workflows
When you configure access requests, you have the ability to manage workflows, an end-to-end sequence of Identity Governance actions that result in either approving or rejecting an access request. Administrators can configure workflows using the Identity Cloud’s Workflow UI or REST APIs.
Workflows give complete flexibility over all access request types by allowing you to define custom workflow definitions. For example, when an end user requests access to an application, you can specify the actions Identity Governance takes for the access request to be approved or rejected.
These actions could include:
- Requiring more than one approval for the request. For example, you could require both an end user's manager and the application owner to approve the request before Identity Governance provisions access to the end user.
- Sending an email to the end user stating that their access request has been denied, if the request is rejected.
Identity Governance has default workflows that function as-is; however, you can customize the workflows to align with your organizational requirements.
Access request types
Identity Governance requires a workflow for each access request type.
The following table displays the different access request types:
Access request type | Name in REST APIs | Description
---|---|---
Grant Application | | Request access to an application.
Remove Application | | Request to remove access to an application from an end user.
Grant Role | | Request access to an Identity Cloud provisioning role.
Remove Role | | Request to remove access to a role from an end user.
Grant Entitlement | | Request access to an entitlement (an additional privilege inside an application).
Remove Entitlement | | Request to remove access to an entitlement from an end user.
Create workflows using the Workflow UI
To manage workflows, from the Identity Cloud admin UI, go to Workflows.
There is a default published workflow for each access request type.
1. Every workflow has two states: draft and published. You can only modify a workflow in the draft state. When you click New Draft, Identity Governance creates a copy of the existing published workflow.
2. If a workflow has an existing draft, click View Draft.
3. Click the ellipsis icon to:
   - View the published workflow.
   - Import a JSON file to create or override an existing draft.
   - Delete the draft, if one exists.
Workflow UI canvas
When you click a workflow, the workflow canvas displays.
1. Available Workflow UI nodes.
2. Orientation functions:
   - Zoom in
   - Zoom out
   - Toggle fullscreen
   - Auto layout nodes on the canvas
   - Delete (the delete icon displays when you select one or more nodes)
3. Toggle between the draft and published states of a workflow.
4. Click the ellipsis icon to:
   - View Details: view metadata such as the state and workflow name.
   - Import: upload a JSON file to create or override an existing draft.
   - Export: download a JSON file of the workflow state.
   - Delete Draft: only present when viewing the draft state of a workflow.
5. Switch between viewing the workflow through the canvas UI or through JSON.
6. Save or publish the existing workflow.
7. The Workflow UI canvas. Drag, drop, and connect nodes in the canvas to create your workflow.
When you click Publish in a workflow, it overrides the existing published version. Identity Governance prompts you to Download backup. Always download a backup in case of an error.
Modify default workflow email templates
Identity Governance creates default email templates for access request-related features. For example, the Approval node references the default access request email templates.
You can create your own email templates and update the email templates the Approval node uses for notifications.
1. From the Identity Cloud admin UI, go to Email > Templates.
2. View the following email templates and modify as necessary. Some access request email templates use configurations set in the workflow definition for an access request type; the Notes column indicates whether a template uses such configurations.
Email template name | Description
---|---
Request Assigned | Initial email to the approver(s) of a resource when an end user submits an access request.
Request Reassigned | Email to the new assignee when an approver forwards a request item.
Request Escalated | Email to an individual assigned as the escalation point of contact.
Request Reminder | Email to the approver(s) as a reminder that they have a request item to act on.
Request Expired | Email to the approver(s) when a request item expires. The end user defines the expiry of the access request when they submit the access request.
3. For each email template:
   a. Click the desired template.
   b. View the contents of the email.
   c. If desired, update the email subject and body. For more information on customizing email templates, refer to Email templates.
   To reference access request information in a variable in an email template, use syntax similar to the following:
   request.user.userName
   The variables you can reference depend on your tenant's configurations; therefore, they're specific to your organization. To see the available attributes, from the Identity Cloud admin UI, go to Email > Templates > Select template > Variables.
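A variable reference such as request.user.userName only works if that attribute actually exists in your tenant's Variables list; a typo silently leaves a broken placeholder in the email an approver receives. The following is an added example, not ForgeRock's code or the product's template engine: a local preview that resolves dotted references against a constructed sample request payload and reports every reference that does not resolve, so you can check a subject and body before saving the template. The {{ ... }} delimiters and the shape of the sample payload are assumptions made for this example.

```python
"""
Added example (not ForgeRock code): preview an email template by resolving
dotted variable references such as request.user.userName against a sample
request payload, and list references that do not resolve.

Assumptions (not on the page): the {{ ... }} placeholder delimiters and the
SAMPLE_CONTEXT payload below are constructed for this example; the real set
of attributes comes from your tenant's Email > Templates > Variables list.
"""
import re
from typing import Any, Dict, List, Tuple

# Matches {{request.user.userName}} (whitespace inside the braces allowed).
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


def resolve_path(root: Dict[str, Any], dotted: str) -> Tuple[bool, Any]:
    """Walk a dotted path ('a.b.c') through nested dicts; return (found, value)."""
    node: Any = root
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def render(template: str, context: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Substitute every placeholder; collect the references that did not resolve.

    Unresolved references are left in place so they stay visible in the preview.
    """
    missing: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        found, value = resolve_path(context, match.group(1))
        if not found:
            missing.append(match.group(1))
            return match.group(0)
        return str(value)

    return PLACEHOLDER.sub(substitute, template), missing


# Constructed sample payload standing in for an access request (assumption).
SAMPLE_CONTEXT: Dict[str, Any] = {
    "request": {
        "user": {"userName": "jdoe", "givenName": "Jane"},
        "requestType": "Grant Application",
        "application": {"name": "Payroll"},
    }
}


def check_template(subject: str, body: str,
                   context: Dict[str, Any] = SAMPLE_CONTEXT) -> Dict[str, Any]:
    """Render subject and body; return the preview plus a sorted list of
    unresolved variable references (empty when the template is clean)."""
    out_subject, missing_subject = render(subject, context)
    out_body, missing_body = render(body, context)
    return {
        "subject": out_subject,
        "body": out_body,
        "missing": sorted(set(missing_subject + missing_body)),
    }


if __name__ == "__main__":
    result = check_template(
        "Request assigned for {{request.user.userName}}",
        "{{request.user.givenName}} requested {{request.application.name}} "
        "({{request.requestType}}). Approver: {{request.approver.name}}",
    )
    print(result["subject"])
    print(result["body"])
    print("unresolved:", result["missing"])
```

Replace SAMPLE_CONTEXT with an exported request from your own tenant to preview against real attribute names; the check is case-sensitive, so request.user.username is reported as unresolved even though request.user.userName exists.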
Create workflows using REST APIs
Identity Governance stores and saves workflow configurations in JSON format. You can manage the default workflow definitions for each access request type using REST APIs.
For an example of a JSON file, refer to Examples of workflows.
Steps to manage workflow definitions using REST API
1. Retrieve the current default workflow configurations for access request types using /auto/orchestration/definition (GET). Save a copy of the default workflow for the access request type in case of an error with your updated workflow JSON file.
2. Modify the default workflow to suit your needs.
3. Create a new default workflow definition for an access request type in the draft state using /auto/orchestration/definition?_action=create (POST). Each access request type can have at most one workflow definition in the draft state and one in the published state at the same time.
4. Validate the workflow definition before publishing using /auto/orchestration/definition?_action=validate (POST).
5. Publish the workflow definition from its draft state using /auto/orchestration/definition?_action=publish (POST). You cannot delete workflow definitions in the published state.
6. Repeat steps 1-5 for each access request type desired.
For more information, learn about workflow APIs at Workflows.
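Because a published definition cannot be deleted and publishing overwrites the live workflow, the order of the steps above matters: back up first, validate, and only then publish. The following is an added example, not ForgeRock's code, that drives that sequence against the endpoints named on this page for one access request type and refuses to publish when validation reports errors. The tenant base URL, bearer-token authentication, the Accept-API-Version header, the JSON shapes of the request and response bodies, and the way validation errors are reported are all assumptions; check them against the Workflows API reference before use.

```python
"""
Added example (not ForgeRock code): back up, create a draft, validate, and
publish a workflow definition over the REST endpoints named on the page.

Assumptions (not on the page): the base URL and bearer-token auth, the
Accept-API-Version header value, that the create action echoes the draft
definition back, and that a validate response carries an "errors" list when
the definition is invalid. HTTP 4xx/5xx responses abort the sequence.
"""
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

ENDPOINT = "/auto/orchestration/definition"

# A transport takes (method, url, headers, body) and returns (status, json).
# The urllib one below is used for real calls; tests inject a fake.
Transport = Callable[[str, str, Dict[str, str], Any], Tuple[int, Any]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Any) -> Tuple[int, Any]:
    """Standard-library HTTPS transport (no third-party dependency)."""
    import urllib.error
    import urllib.request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


class WorkflowPublisher:
    def __init__(self, base_url: str, token: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/")
        self.transport = transport
        self.headers = {
            "Authorization": f"Bearer {token}",    # assumption: bearer auth
            "Content-Type": "application/json",
            "Accept-API-Version": "resource=1.0",  # assumption
        }
        self.calls: List[Tuple[str, str]] = []    # (method, url) audit trail
        self.last_backup: Optional[Any] = None

    def _call(self, method: str, action: Optional[str] = None, body: Any = None) -> Any:
        url = self.base + ENDPOINT + (f"?_action={action}" if action else "")
        self.calls.append((method, url))
        status, payload = self.transport(method, url, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} failed with HTTP {status}: {payload}")
        return payload

    def backup(self, path: Optional[str] = None) -> Any:
        """Step 1: fetch the live definitions (GET) and keep a copy before changing anything.
        The copy is kept in memory and, when a path is given, also written to disk."""
        self.last_backup = self._call("GET")
        if path is not None:
            with open(path, "w") as fh:
                json.dump(self.last_backup, fh, indent=2)
        return self.last_backup

    def publish_draft(self, definition: Dict[str, Any], backup_path: Optional[str] = None) -> Any:
        """Steps 1, 3, 4, 5: back up, create the draft, validate it, then publish.
        Raises before publishing if validation reports errors."""
        self.backup(backup_path)
        draft = self._call("POST", "create", definition)
        validation = self._call("POST", "validate", draft)
        errors = (validation or {}).get("errors") or []   # assumption on the response shape
        if errors:
            raise ValueError(f"draft not published; validation errors: {errors}")
        return self._call("POST", "publish", draft)


if __name__ == "__main__":
    # Placeholders: replace with your tenant URL, a token, and a definition
    # taken from the page's Examples of workflows.
    publisher = WorkflowPublisher("https://TENANT_BASE_URL_PLACEHOLDER", "TOKEN_PLACEHOLDER")
    with open("workflow-definition.json") as fh:
        print(publisher.publish_draft(json.load(fh), backup_path="definition-backup.json"))
```

The transport is injectable so the sequencing logic can be exercised without a tenant; the audit trail in `calls` also gives you a record of exactly which actions were invoked, which is useful when reviewing who changed an approval workflow.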