Skip to main content
The access request workflow can be split into three phases.

1. Request

Users can request accesses on-demand using the shortcut /request or a button on the home tab of the AccessOwl Slack app. Here’s how it works:
  1. Only if you don’t have a manager set: You’re asked to provide the name of your manager.
  2. By default access requests need to be approved by your direct manager.
  3. After approval, provisioning requests with all the necessary details are sent to the responsible application admins or to AccessOwl for automated provisioning.
Access requests can be denied/rejected by the manager or application admin. However, you will be kept up-to-date via Slack messages about the request status.

Special Request Type: No Permission Selection Required

For certain applications, you may not want users to choose their own permission level. Instead, let them describe the access they need in a freeform text field. The application admin can then review the request and assign the correct permission level.

Setup

To set up an application to not require a permission selection, open the apps roles/permission and unselect the following checkbox: Request without Permission

Example

Mandatory Objects

Some applications have mandatory objects that must be requested before other permissions can be granted. If you try to request access without including the required mandatory objects, you’ll see a validation error listing the roles/permissions you need to include.
If you already have access to the mandatory object, you can request additional permissions without including it again.

2. Approval

AccessOwl offers different options for approval policies, which are managed by your AccessOwl Org Admins. The default option is manager approval. A manager will be asked to approve your access request. They have the option to either approve or deny. You will receive a notification after the approver has made a decision.

3. Provisioning

The final step is the creation of the requested access. Depending on whether the application is managed by an internal application administrator or via an integration of AccessOwl, there are two options:
After the access has been approved, the application administrator receives a notification in Slack. They have the option to grant or reject the access. You will be informed when the application administrator has finished the task. If rejected, you will also be provided with a rejection reason.

Pending Dependency Status

When you request multiple permissions and some depend on mandatory objects, your requests may show a Pending dependency status. This means the request has been approved but is waiting for the mandatory object to be provisioned first. Once the mandatory object is granted, dependent requests will automatically proceed to provisioning.
If a mandatory object request is denied or rejected, all dependent requests waiting on it will be automatically cancelled.