OIG Access Requests – Public or Private?

IGA, OIG, OIG Access Requests 2 Minutes

If you have looked at Okta Identity Governance Access Requests, you will know that a request will contain the history of the activity, such as the questions asked and answered, approval steps performed and actions taken. Did you know that a request, with all this information, can be Public or Private?

Did you know that requests can be toggled between states?

If you do nothing, all requests in Access Requests will be public. This is the default state where anyone who has access to the Access Request UI can see the request, even if they aren’t the requester, approver or a member of the Team owning the request (to see more information on Teams and how they are used, see https://iamse.blog/2022/09/10/oig-access-requests-understanding-user-grouping/). This may not be the desired outcome.

There are two ways you can set requests as private – on each request or at the Team level.

First, let’s look at setting individual requests to private. You can do this from the request summary view or from within the request. From the summary view, select the “three vertical dots” icon and select the Make private option.

To do it within a specific request, again use the “three vertical dots” icon and select the Make private option.

You will see a popup indicating the request was marked as private and a message in the main body (history) saying the same thing.

If you look at the top of the request (or on the summary page, see above) you will see the private icon.

The second approach is to set this privacy setting at the Team level. When this is done, any requests owned by that Team will be automatically made private.

To do this, go to the Team and edit it (again with the “three vertical dots” icon).

On the Team edit screen, toggle on the Request privacy option and save.

Once this is done, any attempt to view a request by someone who is not the requester, an approver for the request nor an owning Team member, will not be able to see access the request.

You should consider whether you want your requests to be private or public. In most cases you would want the information to be private. To save end-users having to flag a request as private each time they raise a request (or a Team member having to do it each time) it’s recommended that you set privacy at the Team level.

Published by David Edwards (IAmDavid)

I have been working in Identity Management for a quarter of a century, spending 22 years working on various IAM products at IBM and now three years at Okta. Over that time I have worked across pre- and post-sales, including stints in services, fly-in support and technical enablement. I have covered access management, single signon (desktop, web and federated), identity governance and administration (IGA), directories and directory integration, and privileged access management (PAM). I'm one of the few identity practitioners with experience with mainframes and legacy on-premise systems like SAP. And I love to write!

Published

Leave a Reply