View requests of others

In the Identity Governance Access Request feature, is it only the Request Administrator role that can view requests and approvals of others? Is there a way to allow application owners to view requests for their applications, managers to view their downline reports, or a role for read-only access to the requests and approvals so that some teams can see the status but not have the capability to act upon them?

  • 0  

    Hi Robert,

    From what I have learnt so far, it basically boils down to
    - Global authorizations: e.g. the admin role you describe, a "static" assignment either directly to the user or via group.
    - Runtime authorizations: evaluated for the logged-in user, based on the configuration/policies the user is referenced in at application runtime.

    For users to request for others, etc., you would need to configure the request policy accordingly. The documentation is very text-heavy without any real implementation examples (not only in this case). But you could try to start here:

    Configuring access requests
    https://www.microfocus.com/documentation/identity-governance/3.7/user-guide/b1o1y3gk.html

    Runtime authorizations in general:
    https://www.microfocus.com/documentation/identity-governance/3.7/user-guide/b16d32bh.html

    Runtime authorizations in access request
    https://www.microfocus.com/documentation/identity-governance/3.7/user-guide/b1ohdlvc.html

    Try searching for the term "other" or "others" to find references to the use cases you describe.

    Best regards,
    Philipp

  • 0 in reply to   

    Thanks for the reply. I understand those two options. We do have quite a few policies set up to allow folks to make requests on behalf of others. What we are looking for is the ability to extend the ability for folks, such as service desk or the owner of the application in question, to view the status of requests and who is needed for the next step of approval without also giving them the ability to approve on behalf of anyone. The access request administrator role grants the ability to view all requests and approve any request on behalf of the approver. I'm looking for a middle ground on viewing the status of requests only, with no ability to administratively approve.

  • 0   in reply to 

    Hi Robert,

    Thanks for the clarification!

    So you are looking for a more granular delegation of administrative tasks regarding access requests. Unfortunately, apart from the "mechanics" described for global and runtime authorizations, I don't know of any way to achieve "read-only" functionality for requests/approvals of others. We would also appreciate such a feature.
    Might be good to add this as an "idea" (in case anyone actually reads / considers this stuff, but that is another topic).


    Best regards,
    Philipp

  • 0   in reply to   

    Hi Robert,
    I was thinking of two "non-interactive" features that you could try to use to make this kind of information available to a wider audience in a "read-only" way:
    - Identity Reporting has an "Access Requests" report that allows you to include approval information. And there is also a CSV-based "Detail" version available. You could schedule the reports and send them to the helpdesk, etc.
    - You could try using the Governance Insights to build a query that returns the information you need. Either users can use it via the UI or you could somehow provide the downloadable CSV in an automated way.

    [Screenshots not preserved: Report (pdf), Settings, Governance Insights]

    Best regards,
    Philipp