How can we help?

Search

[Labs] Configuring Access Request Policies

Merav Doron
Merav Doron
  • Updated

Overview

To fully control how users request and gain access to applications, you’ll need to configure:

  • Application visibility (which apps appear in the catalog)
  • Groups (who can request access)
  • Approval flows (how requests are approved)
  • Provisioning workflow (what occurs after the approval) 

Once a request is approved, the action taken (such as granting access) is handled by a provisioning workflow.

You can choose to fully customize this setup—or keep the default configuration.

 

How provisioning works

The App Access Catalog manages the request and approval process.

After a request is approved:

  • A provisioning workflow is triggered
  • This workflow handles the actual action (e.g., granting access, assigning a license)

Provisioning workflows are configured separately and determine what happens after approval.

 

Default behavior

By default, the App Access Catalog is configured as follows:

  • Visibility: Applications included in the catalog are based on your application filters
  • Approval flow: Set to Auto approval, meaning requests are approved automatically
  • Provisioning Workflow: Set to Default Provisioning workflow(with a send email action)
  • Groups: Set to Everyone, meaning all users can request access

You can modify any of these settings based on your organization’s needs.

 

Step 1: Define which applications appear in the catalog

Before configuring access, ensure the correct applications are visible in the catalog.

  1. Navigate to App Catalog
  2. Go to Access Request Policies tab  
  3. Review the “Visible in catalog apps” filter
  4. Ensure it includes all applications you want users to see

Only applications included in this filter will appear in the catalog.

CleanShot 2026-03-29 at 15.34.48.png

 

Step 2: Configure access request policies

Access request policies define how users request access to each application.

  1. Navigate to the Access request policies tab
  2. Edit an application's policy configuration
    1. Access Profile - Write a name which represent the access type of this policy (Employees will see this name when requesting access)
    2. Description(optional) - Will appear in the App Catalog and will assist the employee to fully understand this access type
    3. Approval flow - Can be Auto approval or Specific approval
    4. Provisioning workflow - Can be Default workflow or a custom workflow
    5. Groups - Can be Everyone or selected groups
  3. Click Save

 

Step 3: Define who can request access (Groups)

Within the Access Request Policy:

  • Select existing groups
  • Or create a new group directly from this screen using Create Group button

If no changes are made, the default remains Everyone.

 

Step 4: Define how requests are approved (Approval Flow)

Within the same Access Request Policy:

  • Select an existing approval flow
  • Or create a new approval flow directly from this screen

If no changes are made, the default remains Auto approval.

 

Best practices

  • Start with the default configuration, then refine as needed
  • Use groups to limit access for sensitive applications
  • Apply approval flows where oversight is required

 

Multiple policies per app:

You can configure multiple access profiles (policies) for a single application to support different access types or user groups.

When to use multiple policies:

  • Different user groups need different access levels (e.g., employees vs. contractors)
  • The same app requires different approval workflows based on access type
  • Your organization grants access through different provisioning workflows depending on the request context

How it works:

  • Each application can have multiple access profiles
  • Each profile has its own name, description, approval flow, provisioning workflow, and eligible groups
  • Users see all applicable profiles when requesting access to that app
  • When a user requests access, they select which profile matches their need

Example: An application might have two profiles:

  • "Standard Access" — Auto-approved, for all employees
  • "Admin Access" — Requires manager approval, for selected groups only

To add multiple policies to an app:

  1. Navigate to the Access request policies tab
  2. Click "New policy" / Duplicate existing policy
  3. Select an application
  4. Configure the new profile with its own name, approval flow, provisioning workflow, and eligible groups
  5. Click Save

 

Related Articles

[Labs] App Access Catalog - Approval flow

[Labs] App Access Catalog - Groups

 

 

 

Was this article helpful?

1 out of 1 found this helpful

Have more questions? Submit a request