Configure access requests

Manage access requests by setting app-level and entitlement-specific access request configuration rules.

📋 Your access request configuration workflow

ConductorOne applies access request settings using this order of precedence:

  1. The entitlement’s configuration
  2. The application’s configuration

In other words, if you specify the configuration (such as the access profile, policy, and max grant duration) for a specific entitlement, these settings overrule the configuration set for the application as a whole.

Because of this design, here’s how to go about configuring access requests:

  • If all the entitlements in the app can use the same configuration: Configure the app, do not configure individual entitlements.

  • If most of the entitlements in the app can use the same configuration, but there are a few special cases: Configure the app, then configure the special-case entitlements.

  • If none of the entitlements in the app can use the same configuration: Do not configure the app, configure each entitlement separately.

Set app-level access request rules

The Entitlement configuration rules area of an application’s page is where you can view the current default access request rules for all of the application’s entitlements.

  1. In the navigation panel, click Applications. On the Managed apps tab, select an application.

  2. Click Edit in the Entitlement configuration rules area of the page.

  3. In the configuration rules pane, click the toggle to Enable configuration rules.

    When enabled, this setting allows you to set the default configuration for the entitlements on this app. If this is disabled, you must configure each entitlement separately.

  4. Select the resource types that you want your configuration rules to apply to. This list is customized to show the resource types that exist in your selected app.

    The entitlements of any resource types that you do not select here but want users to be able to request must be configured individually.

  5. Use the Request policy dropdown to locate and select the request policy that will apply to the entitlements of your selected resource types.

  6. Use the Access profiles dropdown to add the entitlements of your selected resource types to one or more access profiles.

  7. If a time limit should apply to grants of entitlements of your selected resource types, click the Max grant duration toggle and select the time limit.

    At the end of the time limit, the user’s access will be automatically revoked.

  8. If the entitlements of your selected resource types should be available for emergency access requests, click the Emergency access toggle and select the emergency access policy that will apply to these requests.

  9. Finally, check the box at the bottom of the screen to acknowledge that you understand that these settings will be applied to all entitlements of your selected resource types.

  10. Click Apply.

That’s it! The new settings are applied, and a summary is shown in the Default access request rules section of the page.

Configure access request settings on an individual entitlement

Use this process to set up entitlements that are not included in the app-level settings, or that should override the app-level settings and use custom access request settings.

  1. In the navigation panel, click Applications.

  2. On the Managed apps tab, select an application and click the Entitlements tab.

  3. Locate the entitlement, and select Edit access requests from the more actions menu.

  4. In the access requests pane, you’ll see any settings that are currently applied to the entitlement. Add or edit these as necessary:

    1. Use the Access profiles dropdown to add this entitlement to one or more access profiles.

    2. Use the Request policy and Revocation policy dropdowns to locate and select the policies that will be used for this entitlement.

    3. If a time limit should apply to grants of this entitlement, click the Max grant duration toggle and select the time limit. At the end of the time limit, the user’s access will be automatically revoked.

    4. If the entitlement should be available for emergency access requests, click the Emergency access toggle and select the emergency access policy that will apply to these requests.

  5. Finally, if you want to preserve these settings from being overwritten by future updates to the app-level settings, click the Lock configuration toggle.

  6. Click Save.

That’s it! The entitlement’s access request settings are updated. If you locked the configuration, the entitlement’s entry in the summary table now shows a lock icon in the Access requests column.
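As an added illustration (not ConductorOne's code or API), the following Python models how the order of precedence and the Lock configuration toggle described above combine. The dataclasses, names and sample entitlements are constructed here, and the model assumes that an app-level update replaces unlocked entitlement-specific settings, which is what the lock guards against.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestConfig:
    request_policy: str
    access_profiles: tuple[str, ...] = ()
    max_grant_duration: Optional[str] = None  # None: no time limit, access is never auto-revoked
    emergency_policy: Optional[str] = None    # None: not available for emergency access requests


@dataclass
class AppRules:
    enabled: bool                    # the "Enable configuration rules" toggle
    resource_types: frozenset[str]   # resource types the app-level rules apply to
    config: RequestConfig


@dataclass
class Entitlement:
    name: str
    resource_type: str
    config: Optional[RequestConfig] = None  # entitlement-specific settings, if any
    locked: bool = False                    # the "Lock configuration" toggle


def effective_config(ent: Entitlement, app: AppRules) -> Optional[RequestConfig]:
    """Entitlement settings win; otherwise app rules apply only when enabled and the
    entitlement's resource type is selected. None means it is not requestable yet."""
    if ent.config is not None:
        return ent.config
    if app.enabled and ent.resource_type in app.resource_types:
        return app.config
    return None


def apply_app_update(ents: list[Entitlement], app: AppRules) -> list[str]:
    """Assumed model of an app-level update: covered entitlements fall back to the new
    defaults unless locked. Returns the names whose settings the lock preserved."""
    preserved = []
    for ent in ents:
        if not (app.enabled and ent.resource_type in app.resource_types):
            continue  # not covered by the app rules; must stay configured individually
        if ent.locked:
            preserved.append(ent.name)
        else:
            ent.config = None  # unlocked custom settings are replaced by the app default
    return preserved


# Constructed sample: app rules cover roles and groups; the admin role is locked to a stricter policy.
APP = AppRules(True, frozenset({"role", "group"}),
               RequestConfig("manager-approval", ("engineering",), "30d"))
ENTS = [
    Entitlement("viewer", "role"),
    Entitlement("admin", "role", RequestConfig("security-approval", (), "8h"), locked=True),
    Entitlement("oncall", "group", RequestConfig("oncall-lead-approval", (), "12h")),
    Entitlement("billing-db", "database"),  # resource type not selected in the app rules
]
```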

Set how an entitlement is provisioned

Once access is granted, it must be provisioned. Set how each entitlement in the app will be provisioned, and ConductorOne will automatically apply the settings and update the access request task accordingly.

What happens if I don’t set provisioning for an entitlement? If you do not make any provisioning selections for an entitlement, ConductorOne will default to its Automatic setting, which means attempting to provision using the connector, and falling back to manual provisioning (assigned to the application owner) if connector provisioning fails.

  1. In the navigation panel, click Applications.

  2. On the Managed apps tab, select an application and click the Entitlements tab.

  3. Locate the entitlement, and select Edit provisioning from the more actions menu.

  4. Select the provisioning method this entitlement will use:

    • Connector: This option uses the connector to automatically provision the access. Not all connectors support provisioning, and the configuration and permissions of the connector must be set up to allow provisioning where it is supported. If you choose this option but automatic provisioning via the connector isn’t available, ConductorOne will fall back to manual provisioning and assign the provisioning task to the application owner.

    • Manual: This option prompts you to select a designated human provisioner or provisioners who will manually update the user’s access. When access to the entitlement is granted, a provisioning task will be assigned to the provisioner you set here. (If multiple provisioners are set, each will be assigned the same task, each will receive a notification, but just one needs to complete the task.) You also have the option to enter instructions about how to provision this entitlement. These instructions will be included in the provisioning task.

    • Delegated: This option creates a binding between two entitlements, so that when one is granted, the user automatically receives access to the second entitlement as well. This in effect delegates the provisioning method to the bound entitlement. When using this option, select the entitlement from the dropdown that will grant access to the entitlement you’re configuring.

      Here’s a more in-depth explanation of how this works:

      • You configure provisioning on Entitlement A, choosing Delegated and selecting Entitlement B from the dropdown.

      • ConductorOne creates an entitlement binding for you between Entitlement B and Entitlement A. To see the binding’s details, navigate to either entitlement’s details page and click Bindings.

      • Entitlement B has been configured to use its connector for provisioning. When a user requests access to Entitlement B and their request is approved, the connector automatically adds access to both Entitlement B and Entitlement A to the user’s application account.

      ConductorOne automatically creates the binding for you. You’ll see the proposed change to the entitlement’s bindings whenever you make a change to delegated provisioning, both when the change is automatically creating a new binding for you, and when a binding will be removed if you change the provisioning strategy from delegated to manual or connector-based.

    • Webhook: This option prompts you to select a webhook. Before you can use this option you must configure a webhook on the Webhooks tab of the Settings page. Whenever a user is granted access to the entitlement, the webhook will automatically fire. You can use webhooks to automate provisioning workflows for approved access, such as creating a Jira or ServiceDesk ticket or making an API call.

    • External ticketing: This option

  5. Click Save. The Entitlements table’s Provisioned by column updates to show your chosen method.

That’s it! When access to this entitlement is granted, the provisioning method you’ve selected will be used.