Two new features have been introduced into the Access Request Conditions and Resource Catalog (aka RCAR) feature in Okta Identity Governance – Request on Behalf Of, and User-specified Access Duration. This article introduces these new features.
Request On Behalf Of
Okta Identity Governance introduced the ability to request access on behalf of another user into the older Request Types mechanism a while back. It has now been added to the newer Access Request Conditions and Resource Catalog feature.
This option is turned on at the application level – you don’t need to enable it across all apps. When you go into the Access requests tab for an app, you will see a new Settings button.

There is currently only one setting – Request on behalf of. When you enable it you are presented with two options – manager-only (i.e. a manager can request for their direct reports, based on the manager settings on user profiles) or anyone. The description is basically saying that the requester must themselves be able to request the app/group/entitlement that they are requesting for the requestee.

When a user (manager or anyone depending on the selection) selects an app and access level they can select who the access is for (including “Yourself”, the default value).

From here it will follow the standard steps in the Sequence associated with the Request Condition.
Even though the access has been requested by someone else, the request flowing through the Access Requests platform is treated as if it was raised by the requestee, not the manager. So even if the manager initiated the request, if there is a manager approval step in the flow, the same manager still needs to approve it.
The following figure shows a request that was raised by a manager (Monty) but is assigned to the requestee (Homer) as the requester. There is no indication it was requested by the manager.

Note that the settings apply to all Conditions for an app. There’s no way to apply request on behalf of for specific Conditions.
User-specified Access Duration
The second new feature is the ability for users to specify a duration for a requested access. Prior to this, the access duration was fixed within the Condition. Now there is an option to Ask requester to specify expiration.
When that option is selected, the administrator must specify a Maximum duration to limit the time the user can set.

When a user requests access, they see an additional set of fields For how long do you need access. This will control the timer duration built into the Condition.

These two additions are bringing parity from the old Request Type mechanism in Access Requests to the newer Access Request Conditions and Resource Catalog mechanism as it approaches General Availability later in the year.
For more information on the Access Request Conditions and Resource Catalog feature, see this introduction document on the Okta Identity Governance Product Hub. There is also an earlier post looking at Okta Privileged Access and the new feature, titled Managing Access in Okta Privileged Access with the new OIG Resource Catalog.

IAMSE