Prerequisite
We recommend reading the "Applications Catalog Settings" article.
Overview
As a Torii admin, you can configure what will happen when employees request access to apps in the catalog.
Torii supports the following capabilities:
- Open an email app (system default), inviting the employee to send an email with the request to an application owner
- Redirect the user to another portal (e.g., a Jira service desk where they can submit access requests)
- Run automation (recommended) - The Application Catalog admin can configure a workflow (policy) per application to be triggered when the "request access" button is clicked.
View and customize the "Request Access" process.
- From the App Catalog, go to the General Settings tab >> REQUEST ACCESS TO AN APPLICATION.
First, enable the "Request Access" button to streamline your employees' requests for the applications you publish in the catalog.
Under the Action dropdown, you will find the 3 options as described above:
Compose mail | Open link (redirect) | Run automation policy.
We recommend using the Run automation policy if you want to set rules customized per app.
- In the image below, you can see that Torii recognized two policy (workflow) types:
- 18 apps configured with a default policy - This is a default policy configured by Torii, resulting in an email notification sent to the app owner to request access to the selected app.
- 5 apps configured with a custom policy - Torii enables you to create a customized policy per application. In the example, you can see that two custom policies were made by the Torii admin (super-user).
- Click the View and edit policies button to view or customize your application policies, that is, the workflow triggered after the user clicks "Request access".
When will you build custom policies?
In some cases, Torii's default workflow (send an email to the app owner) is sufficient; in others, you might want to customize the "Send Request" behavior, for example:
- You might want to define instant provisioning for apps whose automatic onboarding is supported in Torii and send emails to owners for the rest of the apps.
- You might want to provision cheap or free apps immediately and ask for budget owner approval prior to provisioning a license for expensive apps.
- Most apps might require provisioning approval from app owners, while apps tied to cost centers might require provisioning approval from budget owners.
How to view and edit access policies
Click the View and edit policies button (step 3 above) to see all policies.
- You will be taken to the Request Access Policies tab (you can also access it directly from the page).
Under "Default request access policy," you will see the apps with default Torii workflow (email notification to app manager).
Click the name of the policy to see the workflow behind it.
Note that you can always edit the default policy actions if the out-of-the-box policy does not match your organizational processes.
- By name, you can recognize apps with a customized workflow.
- You can select if you want to enable or disable the workflow. Pay attention - the default policy cannot be disabled.
- The configured workflow is displayed once you click the policy name.
How to configure a new policy?
- Click the Add new custom policy button.
- Select the application for which you want to create custom automation and click "Add new custom policy".
- Configure the policy (workflow) for this specific app. As mentioned above, you can utilize actions such as "Request approval" and email the app or budget owner before provisioning the application. Additionally, automatic actions are available, such as immediate provisioning (e.g., creating a Jira cloud user) or ticket creation (e.g., creating a Freshservice ticket) if Torii does not support app provisioning out of the box.
- Once you configure a new policy for the app, it will move from the "configured with default policy" list to the "configured with custom policy" list.
Watch this video - 🎥 Request Access Policies
Q&A
Q: Can I edit my default policy?
A: Yes. Open the policy (workflow) and edit the actions. Once you edit the default policy, it will apply to all apps which do not have custom policies.
Q: What happens if the custom policy is invalid?
A: The default policy will take over and run once an access request is submitted.
Q: What happens if I deactivate a custom policy?
A: The default policy will take over and run once an access request is submitted.
Q: Where can I see the history of app request submissions?
A: Click the Triggered counter and open the policy log. You will see a list of submitted requests. A custom policy log will list requests for dedicated apps. The default policy log will list requests for all apps which do not have a custom policy.
Q: What happens if an access request policy encounters an error?
A: If Slack notifications are enabled in Workflows, you will receive a Slack notification regarding the access request policy error. If you don't have Slack notifications enabled in Workflows, the error will be shown in the Action log which is found by clicking on the number in the Triggered column.
Q: Is the "Compose email" button action different from Torii's default automation policy?
A: Yes. Selecting "Compose email" as a button action results in opening the email client with an email template when an employee clicks the "Request access" button in the catalog. It's up to the employee to send a request and it is not monitored in Torii.
The default automation policy sends an email automatically on the employee's behalf. The employee does not need to perform any manual action. Moreover, this automatic action is registered in Torii and can be viewed in the default policy log, which makes auditing easier.
Q: For the "Compose email" button action, how do I make "Request Access to an Application" open my email client?
A: The "Request access to an application" feature on the Application Catalog utilizes the browser capabilities to open a desktop email client (like Outlook), or a web-based email client (like Gmail), by using a "mailto-link."
Chrome browsers support mailto-links by default, but some browsers might have been configured to disallow opening mailto-links. Here's an example of a mailto-link so you can verify if your browser is configured correctly: open email client test
To ensure Chrome opens email links, follow these steps:
Step 1
Copy and paste chrome://settings/handlers to Chrome's address bar, and make sure the "Allow sites to ask to become default handlers" toggle is on.
Step 2
Go to Google Mail, click on the handlers button, and choose "Allow".
Step 3
Copy and paste chrome://settings/handlers to Chrome's address bar, and make sure you see mail.google.com listed.
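The mailto-link mechanism described in this answer, as an added example (not Torii's code): a link builder that percent-encodes the subject and body per RFC 6068, and a checker that lists a link's header fields and flags any outside subject and body. The function names, addresses and app name are constructed for illustration.

```javascript
// Added example, not Torii's implementation. All names and values are constructed.
const ALLOWED_FIELDS = new Set(["subject", "body"]);

// Build a mailto link (RFC 6068) for an access request.
function buildRequestLink(ownerEmail, appName, requester) {
  // Accept only a single plain address: no commas, spaces, '?', '&'
  // or control characters in the recipient part.
  if (!/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(ownerEmail)) {
    throw new Error("invalid owner address");
  }
  const subject = `Access request: ${appName}`;
  const body = `${requester} requests access to ${appName}.`;
  // encodeURIComponent escapes '&', '=', '?', CR and LF, so a value cannot
  // split into extra header fields when the mail client parses the link.
  return `mailto:${ownerEmail}` +
    `?subject=${encodeURIComponent(subject)}` +
    `&body=${encodeURIComponent(body)}`;
}

// Parse a mailto link and report its recipient and header fields, flagging
// any field outside the allow-list (for example cc or bcc).
function inspectMailto(link) {
  if (!link.toLowerCase().startsWith("mailto:")) throw new Error("not a mailto link");
  const rest = link.slice("mailto:".length);
  const q = rest.indexOf("?");
  const to = decodeURIComponent(q === -1 ? rest : rest.slice(0, q));
  const fields = {};
  const unexpected = [];
  if (q !== -1) {
    for (const pair of rest.slice(q + 1).split("&")) {
      if (!pair) continue;
      const eq = pair.indexOf("=");
      const name = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
      const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
      fields[name] = value;
      if (!ALLOWED_FIELDS.has(name)) unexpected.push(name);
    }
  }
  return { to, fields, unexpected };
}

// Constructed sample: an app name containing '&', encoded vs. pasted in raw.
const safe = buildRequestLink("owner@example.com", "R&D Wiki", "Dana");
const naive = "mailto:owner@example.com?subject=Access request: R&D Wiki";
console.log(inspectMailto(safe), inspectMailto(naive));
```

The raw link loses part of its subject and gains a stray field because the unencoded `&` ends the subject early; the encoded link parses back to exactly the subject and body that were put in.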
Additional Application Catalog articles
- Introduction to Application Catalog - Admin
- Applications Catalog Settings
- How to Use the Application Catalog - User Guide
- Application Catalog Communication