Automate onboarding access requests

Automatically create access profile enrollment requests for users who match an enrollment rule. Ideal for onboarding and other cases when users are joining an organization.

How does enrollment work?

An access profile is a resource in the ConductorOne app. When you assign a user the enrollment entitlement for the access profile resource (via an auto-enrollment rule or by manually adding users on the access profile’s setup page), they are enrolled in the access profile and automatically request all of its access. Neither the user, their manager, nor the IT team needs to create a single access request manually.

Are enrolled users immediately granted the full access profile?

It depends. When a user is assigned the enrollment entitlement for the access profile, a request task is created. Based on the request policy set on the access profile, the request might be auto-approved, or it might need one or more human reviewers to sign off.

Once the user’s request for access to the enrollment entitlement is granted, ConductorOne will automatically create access request tasks for each item in the access profile. Based on the request policies on each individual entitlement, this access might be automatically approved, or it might require human intervention to review, approve, and provision.

If an access profile contains low-risk access, you can set the policies on the access profile itself and the entitlements within it to automatically approve these requests, essentially granting users who are enrolled in the access profile all of its access immediately.

Set up access profile auto-enrollment

  1. Follow the instructions in Create access profiles to set up an access profile and add the relevant entitlements.

  2. On the Setup tab, in the Self-service area of the page, click Edit.

  3. Enable Allow enrollment request. This makes the access profile’s enrollment entitlement available for access requests.

  4. Click Save.

  5. Switch to the Enrollment tab. In the Access controls area of the page, click Edit.

  6. Set the policies that will be used on review and revocation tasks for this access profile’s enrollment entitlement.

    When a user matches an auto-enrollment rule or is added manually, ConductorOne creates a request task for their access to the access profile’s enrollment entitlement. The user will not be added to the list of enrolled users until this request task is complete.

    If you don’t set a request policy here, the access profile will use the default policy set on the ConductorOne app.

  7. In the Auto-enrollment rule area of the page, click Edit.

  8. Enable the rule, then select one or more entitlements from the dropdown. Users who are currently granted any of the entitlements you select will be enrolled in the access profile.

    If you don’t want to start enrolling users immediately, leave the rule disabled and save your progress. You can enable the rule whenever you’re ready.

  9. If necessary, in the Excluding box, add any users who should not be enrolled in this access profile, even if they currently have, or are later granted, the entitlements in the rule.

  10. Click Save.

Request tasks are immediately created for the users who match your auto-enrollment rule. Users added to the exclusion list automatically request the access profile’s “excluded from rule” entitlement. While request tasks await approval, you’ll see a count of pending enrollments above the Enrolled members area of the screen. Click pending enrollments to see the pending users and jump to the open tasks.

If you need to manually add users to the access profile who do not match the rule, click Enroll users.

As request tasks are approved, users will be added to the Enrolled users area of the page, and ConductorOne will create access requests for the full contents of the access profile.
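
Before enabling a rule, it helps to work out which access a matching user would receive with no human sign-off at either stage. The following is an added example, not ConductorOne code or its API: it models the two-stage flow described above (rule match, exclusions, enrollment policy with fallback to the app default, then per-entitlement policies). The class, field names, policy labels and sample data are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy labels for this model; not ConductorOne identifiers.
AUTO, MANUAL = "auto-approve", "manual-review"

@dataclass
class AccessProfile:
    name: str
    rule_enabled: bool
    rule_entitlements: set            # holding ANY of these matches the rule
    excluded_users: set               # the "Excluding" box
    enrollment_policy: Optional[str]  # None: fall back to the app's default policy
    items: dict                       # entitlement in the profile -> its request policy

def matches_rule(profile, user, current_grants):
    """True if the auto-enrollment rule would create an enrollment request."""
    if not profile.rule_enabled or user in profile.excluded_users:
        return False
    return bool(profile.rule_entitlements & set(current_grants))

def unreviewed_grants(profile, user, current_grants, app_default_policy):
    """Entitlements this user would be granted with no human review at all."""
    if not matches_rule(profile, user, current_grants):
        return []
    # Stage 1: the enrollment entitlement request. With no policy set on the
    # access profile, the default policy on the app decides.
    enrollment = profile.enrollment_policy or app_default_policy
    if enrollment != AUTO:
        return []  # a reviewer gates enrollment, so nothing is requested yet
    # Stage 2: one request per item, each under that entitlement's own policy.
    return sorted(e for e, policy in profile.items.items() if policy == AUTO)

# Constructed sample profile for illustration.
ONBOARDING = AccessProfile(
    name="New hire basics",
    rule_enabled=True,
    rule_entitlements={"directory:employees"},
    excluded_users={"carol"},
    enrollment_policy=None,  # not set, so the app default applies
    items={"chat:member": AUTO, "repo:write": MANUAL, "wiki:read": AUTO},
)

if __name__ == "__main__":
    for default in (AUTO, MANUAL):
        result = unreviewed_grants(ONBOARDING, "alice", {"directory:employees"}, default)
        print(f"app default {default}: {result}")
```

The case to notice is the unset enrollment policy: whether anything is granted without review then depends entirely on the default policy set on the app.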

Frequently asked questions about access profile enrollment

How often does the auto-enrollment rule sync?

A new sync is kicked off each hour. Click Sync now to manually start a sync at any time.