Overview
Access Request Management provides a self-service interface (like an "App Store") for users to request access to applications, data, or roles. Instead of emailing a helpdesk or tapping a shoulder, users select what they need, provide business justification, and the system routes the request for approval.
The primary value is frictionless security. Users get access faster through automation, while the organization captures the "who, what, when, and why" for every permission granted. It shifts provisioning from an IT burden to a governed business process.
Architecture
Reference Pattern: Request-Approval-Provisioning
The flow moves from the catalog (User Experience) to the workflow engine (Governance) to the fulfillment layer (Execution).
Diagram
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Catalog Structure | Technical Roles, Business Roles | Business Roles | Users shouldn't request "AD Group 123"; they should request "Marketing Analytics Access". |
| Approval Chain | Manager Only, Owner Only, Multi-stage | Manager + Owner | Manager confirms "need"; Owner confirms "feasibility/license". |
| Fulfillment | Fully Automated, Manual Ticket | Automated (SCIM) | Manual fulfillment is the bottleneck. Automate the top 20% of apps first; they carry most of the request volume. |
| Duration | Permanent, Time-bound | Time-bound (Sunset) | Default to a fixed term (90 days or 1 year) rather than a permanent grant; sensitive access should force explicit renewal at expiry instead of silent extension. |
| Emergency Access | Same flow, Separate flow | Emergency Workflow | "Break glass" needs faster approval but higher logging/audit. |
Implementation
Phase 1: Service Catalog Basics
- Centralize all access requests into one portal (IGA or ITSM).
- Define top 10 most requested applications.
- Implement simple Manager Approval workflow.
- Goal: Stop "drive-by" requests via email/Slack.
Phase 2: Integration & Automation
- Connect catalog to IGA/AD for automated group membership updates.
- Implement multi-stage approvals for sensitive apps.
- Enforce mandatory justification fields.
- Goal: Reduce fulfillment time from days to minutes.
Phase 3: Intelligent Access
- Implement "Segregation of Duties" (SoD) checks during the request.
- Recommend access based on peer group ("People like you have this").
- Auto-expiry dates for project-based access.
- Goal: Prevent toxic combinations and access creep at the source.
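As an added example, not code from this page or from any IGA product, the request-approval-provisioning flow from the Architecture section and the Phase 1 to 3 controls above in Python: a catalog of business roles that map to technical entitlements, a mandatory justification field, a manager-plus-owner approval chain with a separate break-glass path, a Segregation of Duties check for toxic combinations evaluated at request time, a time-bound expiry, and the SCIM 2.0 PatchOp body the fulfillment layer would send to add the user to a group. All role names, entitlement identifiers, owner addresses, the SoD rule, the term lengths and the reference date are constructed assumptions; the PatchOp shape follows RFC 7644.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Catalog keyed by business role (what a user requests), each mapping to the
# technical entitlements that actually get provisioned. Constructed sample data.
CATALOG = {
    "Marketing Analytics Access": {
        "entitlements": {"AD:grp-mkt-analytics", "Tableau:viewer"},
        "owner": "mkt-owner@example.com",
        "sensitive": False,
    },
    "AP Vendor Payments": {
        "entitlements": {"ERP:pay_vendor"},
        "owner": "ap-owner@example.com",
        "sensitive": True,
    },
}

# Toxic combinations, evaluated over technical entitlements rather than role
# names, so a conflict is caught whichever role brought the second half in.
# Constructed sample rule.
SOD_RULES = [
    ({"ERP:create_vendor", "ERP:pay_vendor"}, "Create Vendor + Pay Vendor"),
]

# Time-bound by default: 90 days for sensitive access, one year otherwise
# (assumed terms). SAMPLE_DAY is a fixed "today" so the example is reproducible.
TERM = {True: timedelta(days=90), False: timedelta(days=365)}
SAMPLE_DAY = date(2024, 1, 1)


@dataclass
class Request:
    user: str
    manager: str
    role: str
    justification: str
    existing: set[str] = field(default_factory=set)  # entitlements already held
    emergency: bool = False


@dataclass
class Decision:
    status: str                      # "rejected" or "pending"
    reason: str = ""
    approvers: list[str] = field(default_factory=list)
    expires: date | None = None
    audit: str = "standard"          # "elevated" for break-glass requests
    sod_hits: list[str] = field(default_factory=list)


def sod_violations(existing: set[str], requested: set[str]) -> list[str]:
    """Names of SoD rules the user would trip once the request is granted."""
    combined = existing | requested
    return [name for toxic, name in SOD_RULES if toxic <= combined]


def route_request(req: Request, today: date = SAMPLE_DAY) -> Decision:
    """Validate a catalog request and build its approval chain and expiry."""
    item = CATALOG.get(req.role)
    if item is None:
        return Decision("rejected", "not in catalog")
    if not req.justification.strip():
        return Decision("rejected", "justification required")
    hits = sod_violations(req.existing, item["entitlements"])
    if hits:
        # Block at request time instead of cleaning up after provisioning.
        return Decision("rejected", "SoD violation", sod_hits=hits)
    expires = today + TERM[item["sensitive"]]
    if req.emergency:
        # Break glass: shorter chain (owner only), flagged for elevated audit.
        return Decision("pending", approvers=[item["owner"]],
                        expires=expires, audit="elevated")
    # Manager confirms the need, owner confirms feasibility/licensing.
    return Decision("pending", approvers=[req.manager, item["owner"]],
                    expires=expires)


def scim_group_patch(user_id: str) -> dict:
    """SCIM 2.0 PatchOp body (RFC 7644 section 3.5.2) that adds a user to a
    group; the fulfillment layer PATCHes it to /Groups/{groupId}."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [
            {"op": "add", "path": "members", "value": [{"value": user_id}]}
        ],
    }


if __name__ == "__main__":
    r = Request("alice", "bob", "AP Vendor Payments", "quarter-end payments",
                existing={"ERP:create_vendor"})
    print(route_request(r))          # rejected: SoD violation
    r = Request("carol", "bob", "Marketing Analytics Access", "new dashboards")
    print(route_request(r))          # pending, two approvers, expires 2024-12-31
    print(json.dumps(scim_group_patch("u-carol"), indent=2))
```

The SoD check runs before the approval chain is built, so a toxic combination never reaches a manager who may not understand the entitlements involved; the check is keyed on technical entitlements so that two different business roles carrying the same underlying permission cannot slip past a rule written against role names.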
Risks
- Catalog Bloat: Thousands of raw technical entitlements exposed to users, who get confused and request the wrong items.
- Approval Fatigue: Managers rubber-stamping requests they don't understand.
- SoD Violations: Granting a request that conflicts with existing access (e.g., requesting "Pay Vendor" when you already hold "Create Vendor", which lets one person create a fictitious vendor and pay it).
- Shadow IT: Users bypassing the catalog because it's too slow or complex.
KPIs
- Average Approval Time: Time taken for approvers to act (Target: < 24 hours).
- Auto-Approval Rate: Percentage of low-risk requests (e.g., birthright access the requester's role already entitles them to) processed without human touch.
- Fulfillment Accuracy: Percentage of requests successfully provisioned on the first try.
- User Satisfaction (CSAT): User rating of the request experience.
