Access Request

Overview

../_images/access-request-ov-0.png

Workflow

  • A user requests for an access. Access is commonly known as role or user role.
  • The request is sent to the user’s manager for approval.
  • The manager can either approve or reject the request.
  • The user can cancel the request before his/her manager takes action.
  • Administrator can also perform cancel operation on the request on behalf of user.

Request Status

There are 3 states for an Access Request life-cycle - In Progress, Completed and Cancelled.

In Progress

A request enters In Progress state upon a user submitting an access request.

Completed

When a manager approves or rejects a request, it reaches Completed state. This is the end state.

Cancelled

Note

A request can be cancelled through the Request Tracking page .

A request can only be cancelled when it is still in In Progress state. When a user or an administrator cancels a request, it reaches Cancelled state. This is the end state.

Request On Behalf

Note

Only user with Key User or HR role can request on behalf.

../_images/access-request-ro-0.png

To request on behalf, a Key User or HR navigates to Users under the main menu User Management. Select a user and click on the Request On Behalf Of button.

Request Approval

Note

Only user with Manager role can approve a request.

../_images/access-request-ra-0.png

A manager select a request and click on the View Detail button.

../_images/access-request-ra-1.png

A manager clicks on Approve button to approve the selected request. To reject a request, a manager needs to leave a comment on why the request is rejected and clicks on the Reject button.

Request Approval via Email

Important

Customization is required. Please follow the instructions below.

A manager can perform request approval via email. This feature is not enabled by default. An administrator can enable this feature in Administrator mode.

../_images/access-request-ra-2.png
  • Login to Welle Console and enter Administrator mode
  • Navigate to Settings - Governance
  • Navigate to Email Templates tab
  • Navigate to Access Request section
  • Enable Request Approval via Email
  • Click on the content for Request Approval Email Template
../_images/access-request-ra-3.png
  • The above is the default email template for Request Approval
../_images/access-request-ra-4.png
  • Instead of asking manager to login to the portal to approve/reject, replace that with the approval and rejection hyperlinks
  • Use the keyword ${finalApprovalURL} for approval hyperlink
  • Use the keyword ${finalRejectURL} for rejection hyperlink

Third-Party Approver

During Access Request, a role might require additional level of approval. Third-Party approver can be defined.

../_images/access-request-ra-5.png

Note

Only users with Manager role can be a third-party approver.

Request Tracking

Hint

An administrator can cancel any request that is still In Progress when in Administrator Mode.

../_images/access-request-rt-0.png

When a request is still in In Progress state, a user can cancel it by clicking on the Cancel button.

../_images/access-request-rt-1.png

The user is required to leave a comment on why the request has to be cancelled, likewise for an administrator.

../_images/access-request-rt-2.png

When a role requires additional level of approval, that request will consist of 2 approvers as shown.

Note

Read more about Third-Party Approver.

Role & Department

When a role is assigned to a department, only users from the same department will see this role in Access Request page. More than one department can be assigned to a role. If no department is assigned, this role will not appear for all.

../_images/access-request-rd-2.png

This feature enforces Separation of Duties (SOD). Users will not be allowed to request for roles that are not relevant to their job functions.

Note

Read more about assignment of department to role in Configuration > Provisioning > Roles.

../_images/access-request-rd-3.png

Request with Additional Information

When input is required from user during Access Request, custom user attribute can be used to stored this additional information.

For example, a staff wants to request for Wifi access.

../_images/access-request-rd-4.png

For better security, the network team requires that the staff to key in the MAC address of her laptop.

../_images/access-request-rd-5.png

This can be achieved by the following steps:

  • Enable Access Request
  • Key in meaningful text label. e.g. Please key in MAC address
  • Choose a Custom User Attribute that is not in use

Important

Each custom user attribute can only be assigned to 1 role.

The following will appear when the staff requests for Wifi access in Access Request page.

../_images/access-request-rd-6.png

Further customization is also possible.

../_images/access-request-rd-7.png

Note

Read more about Customizing Web UI.

Role Discrepancy

During nightly reconciliation process, the accounts in target system should be able to correlate with IDM users in Welle. The correlation attributes are typically employee ID or username.

../_images/access-request-rd-0.png

In addition, a reconciliation process will determine if the roles requested by users on the IDM can correlate with the accesses (access rights/roles) created on target systems.

At times, when an administrator manually assigns an access right to a user on the target system, Role Discrepancy occurs. The manager will be notified in the Request Approval page to make a decision to either approve or reject the alerted role.

../_images/access-request-rd-1.png