Understanding and Configuring Access Request Policies
Overview
Access Request Policies are a central part of EmpowerID’s access governance framework. They define how access requests are handled, what approval process is followed, and what restrictions or enhancements apply to the fulfillment of access. These policies are tightly integrated into the EmpowerID platform and support both routine and advanced use cases, including elevated access, just-in-time provisioning, and Privileged Access Management (PAM).
Every access request that goes through EmpowerID—whether initiated manually by a user or triggered automatically through a workflow—relies on Access Request Policies to determine key behaviors. These behaviors include:
- Which approval flow policy governs the request
- Whether the request must be time-bound
- Whether the user can choose a custom access duration
- Whether a business request must be created, or the access is auto-activated
- Whether a delay is applied before fulfillment occurs
- And, in privileged access scenarios, whether PAM-specific controls apply (like MFA, session launchers, or credential checkout)
Access Request Policies provide a layer of abstraction and control between the resource being requested and the workflow that fulfills the request. This allows organizations to standardize access request behavior across the enterprise while still tailoring policies to specific resources, roles, or risk levels.
Key Purposes of Access Request Policies
- Assign an Approval Flow Policy to a resource
- Control whether access is temporary and for how long
- Define whether access should be granted immediately upon request or require manual approval
- Support Just-In-Time access scenarios by enabling or disabling business request creation
- Serve as a foundational element in self-service IAM, governed delegation, and privileged access workflows
Context Within EmpowerID
Access Request Policies are configured independently of the resources they control but are assigned to specific requestable objects, such as:
- Groups
- Management Roles
- Applications
- Business Roles and Locations
Once assigned, these policies define how requests for those resources are evaluated, routed, and fulfilled. They are also referenced in the IAM Shop when users browse for access, ensuring that the correct request behavior and approval chain are applied consistently.
This modular approach enables organizations to reuse and apply consistent access logic while simplifying administration. Instead of building separate workflows or approval processes for each resource, you define Access Request Policies once and assign them where needed.
Creating and Managing Access Request Policies
Access Request Policies in EmpowerID are created and managed through the platform’s configuration interface. These policies are essential for defining how access requests are approved and fulfilled for individual resources, such as groups, management roles, or other requestable objects. Administrators use these policies to enforce consistent request handling rules and streamline access governance.
Where to Create Policies
Access Request Policies are created in the Access Request Policies page within the administrative UI. To create a new policy:
- Navigate to Access Request Policies.
- Click the Add (+) button in the upper-right corner.
- Complete the form to define the behavior and rules for the policy.
Policy Fields and Settings
Each Access Request Policy includes the following standard fields:
- Name: The internal name used to reference the policy.
- Display Name: The name shown in user-facing interfaces.
- Description: A short description of the policy's purpose.
In addition to these basic fields, policies contain configuration options that define request behavior:
- Approval Flow Policy: The selected approval flow policy determines who must approve requests tied to this access request policy. This is the most important setting and is required for the policy to function.
- Fulfillment Delay (Hours): This optional setting allows administrators to define a waiting period after approval before the fulfillment workflow is triggered. This can be useful for coordinating access timing.
- Create Business Request: When unchecked, this setting allows the access to be fulfilled immediately for users who are pre-approved, bypassing the business request process. When checked, access always goes through the standard approval and business request workflow.
Time Restriction Settings
For time-bound access, Access Request Policies support the following options:
- Time Restrict Access: When enabled, the policy enforces time-limited access. This means users are granted access for a specified period only.
- Default Duration (Minutes): The standard access duration granted when a request is approved (e.g., 480 minutes = 8 hours).
- Maximum Duration (Minutes): The upper limit a user can request if allowed to choose a custom duration (e.g., 2880 minutes = 48 hours).
- Allow Duration Selection: When enabled, users can choose how long they want access (up to the max duration). When disabled, users are restricted to the default duration only.
These controls are commonly used in scenarios involving elevated access, sensitive resource access, or Just-in-Time provisioning models.
Managing Existing Policies
Access Request Policies can be modified after creation to adjust approval flows, durations, or other behaviors. Changes take effect immediately for any future requests that use the updated policy. EmpowerID does not require republishing or versioning for Access Request Policies, unlike approval flow policies.
Administrators can also:
- View where policies are assigned
- Reassign policies to different resources
- Deactivate policies if they are no longer needed
Applying Policies to Resources
Once an Access Request Policy is created, it must be assigned to the requestable resource. This is done through the resource's configuration screen, where administrators can choose the appropriate policy from a list.
For example:
- A management role like “SSRS Administrator” can be linked to a policy that enforces time-restricted access and a two-step approval chain.
- A group like “Finance Data Owners” may be assigned a policy that requires only manager approval with no time restriction.
By applying different policies to different resources, organizations can tailor the access request process to match the risk level, business ownership, and operational sensitivity of each resource.
Walkthrough: Creating and Configuring an Access Request Policy
This step-by-step guide walks through the process of creating a new Access Request Policy in EmpowerID, applying configuration settings, and assigning it to a resource. This type of policy is a foundational component in controlling how users request access, how those requests are routed for approval, and how access is fulfilled—especially in time-sensitive or high-risk access scenarios.
Step 1: Navigate to the Access Request Policies Page
Start by opening the EmpowerID web interface and navigating to the Access Request Policies page.
- This is the central location for creating, editing, and managing policies that govern the access request lifecycle.
- Access Request Policies are reusable and can be assigned to multiple resources to standardize how access is requested and approved.
Click the Add (+) button in the upper-right corner to begin creating a new policy.
Step 2: Define the Basic Policy Information
Fill in the following fields:
- Name: This is the internal identifier used by the system (e.g., SSRSAdminAccessPolicy).
- Display Name: This name is shown in user-facing interfaces and should clearly describe the purpose of the policy (e.g., SSRS Admin Elevated Access).
- Description: A helpful note or label describing how or where the policy is used (e.g., “Used for granting temporary access to SSRS Administrator role with two-level approval”).
These identifiers help administrators maintain clarity when managing policies across different requestable objects.
Step 3: Assign an Approval Flow Policy
Select the appropriate Approval Flow Policy using the dropdown menu.
- This controls the approval routing logic for requests using this policy.
- For example, choosing a policy like “Line Manager then Owner” means EmpowerID will first send the request to the requester’s manager, followed by the resource owner.
This allows you to enforce separation-of-duties, apply business ownership, and maintain consistent authorization across different types of resources.
Note: This assignment is required—without it, the Access Request Policy cannot enforce approval behavior.
Step 4: Configure Time-Based Access Options (Optional)
Enable Time Restrict Access if access should be granted for a limited duration.
- This option is used frequently for elevated access scenarios or privileged roles, where it's important to automatically revoke access after a specific timeframe.
- When enabled, users are not granted permanent access, but rather a time-limited assignment.
Set:
- Default Duration (Minutes): The amount of time access will be granted by default. Common durations include 240 minutes (4 hours) or 480 minutes (8 hours).
- Maximum Duration (Minutes): The maximum length of access that can be requested. This provides an upper bound for requests.
- Allow Duration Selection:
  - Enabled: The user can select a duration up to the max.
  - Disabled: The user is always assigned the default duration and cannot change it.
This setup is ideal for Just-In-Time (JIT) provisioning or compliance-driven access where auditability and expiration are critical.
Step 5: Configure Fulfillment Behavior (Optional)
Two key options affect how and when access is fulfilled:
- Fulfillment Delay (Hours): Introduce a delay between approval and actual fulfillment (e.g., delay provisioning until a maintenance window). Leave blank for immediate execution.
- Create Business Request:
  - Enabled: The system creates a formal business request with approval tasks.
  - Disabled: Access can be granted without human approval if the user is pre-approved. This enables automated access for low-risk scenarios or for workflows requiring no manual intervention.
Use these options to balance automation with approval oversight based on the sensitivity of the resource and user population.
Step 6: Save the Policy
Click Save to complete policy creation.
- The policy now becomes available for assignment to resources.
- You can reuse it across multiple roles, groups, or applications that require similar request handling behavior.
By following these steps, administrators can implement repeatable, governed access request policies that ensure access is properly approved, tracked, and revoked. Access Request Policies provide a scalable way to enforce both basic and advanced access management strategies across EmpowerID.
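The time-restriction and fulfillment-delay settings from Steps 4 and 5 can be modeled to check a planned policy before entering it in the UI. The following is an added example, not EmpowerID code or its API: the class, field and function names are hypothetical, and it assumes that an over-limit duration request is capped at the maximum and that the access window starts at fulfillment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AccessRequestPolicy:
    # Hypothetical model: fields mirror the settings named on this page.
    name: str
    approval_flow_policy: Optional[str]
    time_restrict_access: bool = False
    default_duration_min: int = 0
    maximum_duration_min: int = 0
    allow_duration_selection: bool = False
    fulfillment_delay_hours: Optional[int] = None  # blank = immediate

def validate(p: AccessRequestPolicy) -> list:
    """Return configuration problems; an empty list means consistent."""
    problems = []
    if not p.approval_flow_policy:
        problems.append("approval flow policy is required")
    if p.time_restrict_access and p.default_duration_min <= 0:
        problems.append("default duration must be positive")
    if (p.time_restrict_access and p.allow_duration_selection
            and p.maximum_duration_min < p.default_duration_min):
        problems.append("maximum duration is below default duration")
    return problems

def resolve(p, approved_at: datetime, requested_min: Optional[int] = None):
    """Return (fulfill_at, expires_at); expires_at is None if not time-bound."""
    fulfill_at = approved_at + timedelta(hours=p.fulfillment_delay_hours or 0)
    if not p.time_restrict_access:
        return fulfill_at, None
    minutes = p.default_duration_min
    if p.allow_duration_selection and requested_min is not None:
        if requested_min <= 0:
            raise ValueError("requested duration must be positive")
        # Assumption: an over-limit request is capped, not rejected.
        minutes = min(requested_min, p.maximum_duration_min)
    # Assumption: the access window starts at fulfillment, not approval.
    return fulfill_at, fulfill_at + timedelta(minutes=minutes)

# Constructed sample using the example names and durations from this page.
SSRS = AccessRequestPolicy(
    name="SSRSAdminAccessPolicy",
    approval_flow_policy="Line Manager then Owner",
    time_restrict_access=True, default_duration_min=480,
    maximum_duration_min=2880, allow_duration_selection=True,
    fulfillment_delay_hours=2)  # delay value is constructed
```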