Recently someone asked if Okta Identity Governance (OIG) Access Requests could be setup so a manager could supply additional information for the request. Their use case, the requester wants access to an application but they don’t know the role they need, so the manager would select the role at the approval stage. Short answer – Yes!
Request Types (or access request flows) normally comprise a series of questions to setup the request followed by approval and action steps to perform the change. The default is to assign the questions to the requester, but you can assign them to their manager or anyone else know to OIG Access Requests.
Let’s look at an example – an employee needs wiki access, but their manager (who is the approver) will need to select the role and put in a comment relating to that role selection.
For this I created four groups in Okta to represent roles (they would be assigned to the”wiki” app with the relevant role): Wiki-Consumer, Wiki-Reviewer, Wiki-Editor and Wiki-Admin.
I then created a sublist in OIG Access Requests for these four group roles. This sublist was used as a Dropdown question in a new Request Type and assigned to the Requester’s manager. I also added a required Text field for Manager Notes, also assigned to the Requester’s manager.
Note the icon to the right of the Questions? The single person in a circle icon is the requester, the org chart icon is requester’s manager (you can see it for the Manager Approval step also).
When a user requests access, they are prompted to answer their question (“Request Justification”) and then Submit new request.
The request is submitted and proceeds to the outstanding questions.
The manager would see that they need to answer some questions also (highlighted by the numbered circle beside the Questions tab in the right pane).
The view shows the question(s) already answered and the outstanding questions – one is the list of roles that can be selected and the other is the notes for a manager to enter.
They select/enter the answers and Update.
Once the answers are submitted, the manager then approves the request and the access is provisioned.
As always you see the answers to the questions in the transcript of the request, but in this case we see the first was answered by the requester, and the other two by their manager.
The Slack experience is slightly different for the manager with an additional section highlighting Your questions in addition to Your tasks. The message sent to Slack highlights the questions to be answered.
But as it’s running the same Request Type, the flow and questions are the same.
Thus, using a standard out-of-the-box feature in OIG Access Requests, you can setup an Access Request flow to get an approver (or someone else) to supply additional information to a flow.