Identity Cloud

Manage access request workflows with orchestrations

When you configure access requests, you can manage the default workflows.

Workflows give you complete flexibility over all access request types by allowing you to define custom workflow definitions.

For example, when an end user requests access to an application, you can specify the actions Identity Governance takes for the access request to be approved or rejected.

These actions could include:

  • Requiring more than one approval for the request. You could require an end user’s manager and the application owner to approve the request before Identity Governance provisions access to the end user.

  • If the access request is rejected, send an email to the end user stating their access request has been denied.

Important aspects of workflows
  • Identity Governance provides default workflows for each access request type. Identity Governance also requires a workflow for each access request type; therefore, every access request type must have an associated workflow.

  • Each workflow has two states:

    • Draft — A staging state to validate a workflow before publishing. For a workflow to be live, you must publish it.

    • Published — The workflow is read-only and live.

  • You can create workflows using:

    • The Workflow UI — An intuitive UI that leverages ForgeRock’s widely known journey canvas. Easily create the workflows using nodes.

    • REST APIs

  • Workflows are saved in JSON format.

Identity Governance has default workflows that function as-is; however, you can customize the workflows to align with your organizational requirements.

Access request types

Identity Governance requires an orchestration worfklow for each access request type.

The following table displays the different access request types:

Access request type Name in REST APIs Description

Grant Application


Request access to an application.

Remove Application


Request to remove access to an application for an end user.

Grant Role


Request access to an Identity Cloud provisioning role.

Remove Role


Request to remove access to a role from an end user.

Grant Entitlement


Request access to an entitlement (additional privilege inside an application).

Remove Entitlement


Request to remove access to an entitlement from an end user.

Create workflows using the Workflow UI

To manage workflows, from the Identity Cloud admin UI, go to manage_accounts Orchestrations.

There is a default published workflow for each access request type.

governance orch dashboard
  • 1 Every workflow has two states; draft and published. You can only modify a workflow in the draft state. When you click add New Draft, Identity Governance creates a copy of the existing published workflow.

  • 2 If a workflow has an existing draft, View Draft displays.

  • 3 Click more_horiz (ellipsis icon) to:

    • View the published workflow.

    • Import a JSON file to create or override an existing draft.

    • If there is an existing draft, delete the draft.


When you click a workflow, the orchestration canvas displays.

governance orch canvas
  • 1 Available Workflow UI nodes.

  • 2 Perform orientation functions:

    zoom_in — Zoom in

    zoom_out — Zoom out

    fullscreen — Toggle fullscreen

    grid_on — Auto layout nodes on the canvas

    delete — When you select on or more nodes, the delete icon displays.

  • 3 Toggle between the draft and published states of a workflow.

  • 4 Click more_horiz (ellipsis icon) to:

    • View Details — Metadata such as the state and workflow name.

    • Import — Upload a JSON file to create or override an existing draft.

    • Export — Download a JSON file of the workflow state.

    • Delete Draft — Only present when viewing the draft state of a workflow.

  • 5 Switch between modifying the workflow through the canvas UI or through JSON.

  • 6 Save or publish the existing workflow.

  • 7 The Workflow UI canvas. Drag, drop, and connect nodes in the canvas to create your workflow.

When you click Publish in a workflow, it overrides the existing published version. Identity Governance prompts you to download Download backup. Always download a backup in case of an error.

View workflow in JSON

For technical users, Identity Governance provides the ability to view and download your orchestration workflow using JSON. From the Workflow UI canvas, toggle JSON.

governance orch json

Modify default orchestration email templates

Identity Governance creates default email templates for access request-related features. For example, the Approval node references the default access request email templates.

You can create your own email templates and update the email templates the Approval node uses for notifications.
  1. From the Identity Cloud admin UI, go to Email > Templates.

  2. View the following email templates and modify as necessary:

    Some access request email templates use configurations set in the workflow definition for an access request type. The Notes column indicates if a template uses configurations.
    Email template name Description

    Request Assigned

    Initial email to the approver(s) of a resource when an end user submits an access request.

    Request Reassigned

    Email to the new assignee when an approver forwards a request item.

    Request Escalated

    Email to an individual assigned as the escalation point of contact.

    Request Reminder

    Email to the approver(s) as a reminder that they have a request item to act on.

    Request Expired

    Email to the approver(s) when a request item expires. The end user defines the expiry of the access request when they submit the access request.

  3. For each email template:

    1. Click the desired template.

    2. View the contents of the email.

    3. If desired, update the email subject and body. For more information on customizing email templates, refer to Email templates.

      To reference access request information in a variable in an email template, use syntax similar to the following:


      The variables you can reference depend on your tenant’s configurations; therefore, they’re specific to your organization.

      To reference available attributes, from the Identity Cloud admin UI, go to Email > Template > Select template > Variables.

Create workflows using REST APIs

Identity Governance stores and saves workflow configurations in JSON format. You can manage the default workflow definitions for each access request type using REST APIs.

Steps to manage workflow definitions using REST API

  1. Retrieve the current default workflow configurations for access request types using /auto/orchestration/definition(GET).

    Save a copy of the default workflow for the access request type in case of an error with your updated workflow JSON file.
  2. Modify the default workflow to suit your needs.

  3. Create a new default workflow definition for an access request type in a draft state using /auto/orchestration/definition?_action=create (POST).

    Each access request type can only contain one workflow definition in the draft and publish states. One can exist in the draft state and the publish state.

  4. Validate the workflow definition before publishing using /auto/orchestration/definition?_action=validate (POST).

  5. Publish the workflow definition from its draft state using /auto/orchestration/definition?_action=publish (POST).

    You can’t delete workflow definitions in the published state.
  6. Repeat steps 1-5 for each access request type desired.

For more information, refer to identity orchestration APIs.

Copyright © 2010-2024 ForgeRock, all rights reserved.