As a member of the System Administrator role or a role with the Role Management administrative right, you can configure roles for all other users. Initially, only the members of the System Administrator role have the ability to enable a request and approval workflow, specify the users or roles with authority to approve access requests, and specify whether the workflow and approval authority apply globally for all accounts, apply only for selected account and system combinations, or apply globally except where there are account-specific restrictions.
At a high level, the steps involved in configuring a workflow are these:
- Create one or more roles that can enable a request and approval workflow.
  Members of the System Administrator role can enable workflow globally for all accounts. Users with the Privileged Access Service Administrator or Privileged Access Service Power User administrative right can enable workflow and select an approver for specific accounts where they have the Grant and Edit permissions.
- Create one or more roles that can approve access requests for accounts.
- Create one or more roles that can request access to privileged accounts.
  Any member of a role with the Privileged Access Service Administrator or Privileged Access Service Power User right can request access to any account where workflow is enabled. The appropriate permissions are granted if the request is approved.
- Determine whether to enable the workflow globally for all accounts, individually for specific accounts, or a combination of both.
- Enable the workflow option where appropriate and select the user or role with authority to approve requests.