Access Requests: How to Assign, Track & Govern On-Demand Access
When users require more access than was provided to them, they submit an access request. Access requests are a staple of any professional IT environment. But how do you ensure that access requests are processed smoothly, implemented correctly and fully documented? Read our guide to learn the best practices for managing access requests.
What Are Access Requests?
An access request is the formal or informal process by which a user requests additional privileges in an IT environment – either for themselves or on behalf of another user. For example, users may request access to files, folders, apps or other digital resources. The request is then approved by the relevant stakeholder and the change is implemented either automatically or by IT staff.
Access requests are a common event in any professional setting and one of the core features in identity & access management. Responsibilities can change and employees sometimes need access that exceeds their original job function to deal with new tasks. However, if access requests are not properly managed, they can lead to uncontrolled privilege creep.
Why Are Access Requests Necessary?
During the onboarding process, new users are given all the access intended for their job. This can be done manually, but ideally organizations want to streamline provisioning through permission roles and role-based access.
But jobs change and eventually the access given on day one will not be enough to keep up with new tasks and responsibilities. Perhaps a user is assigned to a special project, has to fill in for an unavailable colleague or needs to collaborate with another department.
When users need more access than they currently have, they submit an access request. This gives organizations the flexibility they need to adjust to new situations and changing responsibilities. However, it is important to ensure that the access request process is implemented correctly to achieve the right balance between seamless and secure access.
How Do Access Requests Work?
Although the access request process may sound simple, it can actually be broken down into multiple stages, each of which requires a structured and streamlined approach.
Request: As the first step, the user submits a request for additional access. In a mature workflow, requests should be submitted through a dedicated channel, such as a ticket system or even a self-service platform. In a less sophisticated environment, requests could be sent via email or internal chats.
Approval: Before access can be granted, it must be approved by the right stakeholder – typically the person responsible for the data, app or system in question. Ideally, the request should be forwarded directly to the stakeholder, allowing them to grant or deny access without delay.
Provisioning: If the request was approved, the change in user access must now be carried out. Automated, zero-touch provisioning is the easiest way to implement the change, but is not always possible – for example if a request involves hardware or physical access tokens. In this case, completion should still be tracked and logged through a ticket system.
Logging: To ensure full visibility into user access, the outcome of each request must be logged – including who requested access, who approved access and when it was granted. Denied requests must likewise be recorded to provide a complete picture of user activity.
Auditing: Just because a request was approved does not mean the user needs access forever. To prevent access from persisting longer than intended, user privileges must be reviewed regularly. This can be best achieved by tasking the stakeholder who originally approved access to check whether it is still required. Alternatively, orgs can use temporary access with a pre-defined end date.
Where Do Access Requests Fit Into a Mature Access Control Strategy?
Access requests are a normal part of IT operations. A successful governance strategy must support end users by providing them with a secure and streamlined process for requesting access when they need to.
The primary focus in access control should be the automation of recurring workflows like the onboarding of new users. With role-based access control, organizations can make sure that every user receives the exact level of access intended for their position and that permissions are automatically updated when roles change.
However, even when baseline access for different departments, locations and job functions is assigned automatically, users will still need additional permissions to deal with short term projects and similar scenarios. This is why a successful governance strategy must support access requests and ensure they are properly managed.
Security Concerns: Preventing Privilege Creep
Privilege creep, also known as privilege sprawl or permission creep, is the process of users accumulating more and more access over time. Put simply, permission creep happens when users receive new access but old and outdated access is never removed.
Why is this an issue? Because the more access a user has, the more risk the organization faces if their account is compromised or they become an insider threat. To mitigate this risk, organizations must ensure that users only have access that they absolutely need – a best practice also known as the Principle of Least Privilege.
Access requests can be one of the biggest drivers of privilege creep. Without detailed logs and regular audits, there’s a good chance users request access once and never have it revoked. This is why it’s so important to track and review permissions granted through access requests.
Best Practices for Access Requests
Automate User Lifecycles
Access requests are an essential component of governing IT environments, but they should not be the primary way you grant access to users. The automation of user lifecycles allows you to provide every user with the right privileges for their role in the organization. Plus, it lets you automatically update access whenever user roles change.
Role-based provisioning and deprovisioning is a great way to manage baseline access, which reduces the total number of access requests users need to submit. If your staff receives the right privileges by default, that means fewer adjustments later on.
Delegate Requests to Data Owners
Access requests are often directed at IT staff since they have the power to make the desired change. But IT admins don’t know whether a person really needs access. That question can be best answered by the data owner, i.e. the person in charge of that particular resource.
Delegating requests to data owners speeds up approvals and frees up your IT team for more important tasks. Combine delegation with automated provisioning and you get approval workflows that automatically update access when a request is granted.
This approach gives stakeholders across different departments more autonomy to manage access to their own data. Combined with change tracking and auditing, this allows for quick approvals, seamless access and strong security.
Log All Requests and Changes
When it comes to access requests, you need to take a long-term perspective. It’s not enough to provide an employee with the resource they asked for: You need to maintain a complete picture of who has access to what.
This requires logging every access request and its outcome, regardless of whether the request was granted or denied. This level of meticulous reporting is impossible to achieve manually and another reason why orgs should design their approval workflows to be as hands-off as possible – with both changes and change tracking carried out automatically.
Audit User Access Regularly
Requests should only be granted for as long as a user actually needs access to the data or resource in question. Sometimes requests will have a clear end date, other times it will be less obvious how long a project is going to take.
To prevent users from retaining access longer than necessary, it is important to conduct periodic user access reviews. These are audits during which the person who approved access either confirms that it is still needed or flags it for removal.
But in order to check access, reviewers need to be reminded which requests they have granted, meaning you need to collect and compile information on previous access requests and prepare a checklist of review items. Alternatively, use a reporting and auditing solution to automate the process.
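One way to compile that review checklist from a request log, as an added example that is not from the original article or from any product: the record fields, names and the 90-day interval are assumptions, and the log entries are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample log: one record per access request, including denied ones.
# Field names are assumptions for this example, not a real product schema.
REQUEST_LOG = [
    {"requester": "alice", "resource": "finance-share", "approver": "dana",
     "decision": "approved", "decided": date(2024, 1, 10), "expires": None, "revoked": None},
    {"requester": "bob", "resource": "project-x", "approver": "dana",
     "decision": "approved", "decided": date(2024, 5, 1), "expires": date(2024, 6, 1), "revoked": None},
    {"requester": "carol", "resource": "hr-app", "approver": "erin",
     "decision": "denied", "decided": date(2024, 4, 2), "expires": None, "revoked": None},
    {"requester": "bob", "resource": "crm", "approver": "erin",
     "decision": "approved", "decided": date(2024, 6, 20), "expires": None, "revoked": None},
    {"requester": "alice", "resource": "project-x", "approver": "dana",
     "decision": "approved", "decided": date(2024, 2, 1), "expires": None, "revoked": date(2024, 3, 1)},
]

def build_review_checklist(log, today, review_interval_days=90):
    """Group still-active grants by approver and say why each needs attention."""
    checklist = defaultdict(list)
    for rec in log:
        if rec["decision"] != "approved" or rec["revoked"] is not None:
            continue  # denied or already revoked: stays in the log, nothing to review
        if rec["expires"] is not None and rec["expires"] <= today:
            reason = "expired"      # temporary access past its pre-defined end date
        elif today - rec["decided"] >= timedelta(days=review_interval_days):
            reason = "review_due"   # grant older than the review interval
        else:
            continue                # recent grant, not yet due for review
        checklist[rec["approver"]].append((rec["requester"], rec["resource"], reason))
    return dict(checklist)

if __name__ == "__main__":
    for approver, items in build_review_checklist(REQUEST_LOG, date(2024, 7, 1)).items():
        for requester, resource, reason in items:
            print(f"{approver}: {requester} -> {resource} [{reason}]")
```

Each approver only sees the grants they signed off on, and an expired temporary grant that was never revoked surfaces separately from one that is merely due for confirmation.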
tenfold: Streamline Access Requests With No-Code Governance
Are you looking for a simple and secure way to manage access requests in your organization? tenfold, our no-code solution for access governance, provides everything you need for streamlined approval workflows, automated provisioning and detailed audit logs!
User-Friendly Self-Service
Our self-service portal allows users to request additional access or password resets using a sleek, intuitive UI. Requests are automatically forwarded to the data owner you have designated for a resource, letting them grant access with just a few clicks.
Our self-service interface is both easy to use and easy to manage, providing a visual editor that lets you create custom workflows ranging from simple yes or no requests to multi-stage approvals with alternate paths and outcomes.
Automated Provisioning
When a data owner approves an access request, tenfold automatically updates user access to reflect the change. This means users can start working within minutes of a request being processed, without the need to wait for IT staff to take action.
Full Change Tracking
tenfold records every step of the access request process, from who requested which resource to who approved it and when it was implemented. This comprehensive log means you’re always in the loop about who has access and can easily pull reports for audits.
Streamlined Reviews
tenfold regularly prompts data owners to re-check access requests they have granted and automatically removes permissions that do not pass the review. Create and customize your own access review policies to match your security and compliance needs, including the ability to set different review intervals for more sensitive apps and data.
Book Your Free Demo Today!
Want to learn more about tenfold and how it can take the hassle out of access requests for your org? Schedule a personal demo with one of our experts for a detailed walkthrough of our software, its easy setup and wide range of features.