OIG Access Requests – Public or Private?

If you have looked at Okta Identity Governance Access Requests, you will know that a request will contain the history of the activity, such as the questions asked and answered, approval steps performed and actions taken. Did you know that a request, with all this information, can be Public or Private?

Did you know that requests can be toggled between states?

If you do nothing, all requests in Access Requests will be public. This is the default state where anyone who has access to the Access Request UI can see the request, even if they aren’t the requester, approver or a member of the Team owning the request (to see more information on Teams and how they are used, see https://iamse.blog/2022/09/10/oig-access-requests-understanding-user-grouping/). This may not be the desired outcome.

There are two ways you can set requests as private – on each request or at the Team level.

First, let’s look at setting individual requests to private. You can do this from the request summary view or from within the request. From the summary view, select the “three vertical dots” icon and select the Make private option.

To do it within a specific request, again use the “three vertical dots” icon and select the Make private option.

You will see a popup indicating the request was marked as private and a message in the main body (history) saying the same thing.

If you look at the top of the request (or on the summary page, see above) you will see the private icon.

The second approach is to set this privacy setting at the Team level. When this is done, any requests owned by that Team will be automatically made private.

To do this, go to the Team and edit it (again with the “three vertical dots” icon).

On the Team edit screen, toggle on the Request privacy option and save.

Once this is done, any attempt to view a request by someone who is not the requester, an approver for the request nor an owning Team member, will not be able to see access the request.

You should consider whether you want your requests to be private or public. In most cases you would want the information to be private. To save end-users having to flag a request as private each time they raise a request (or a Team member having to do it each time) it’s recommended that you set privacy at the Team level.

Leave a Reply