6 Requesting Access

Oracle Identity Manager supports requesting for entities such as roles, application instances, and entitlements. You can request for these entities by using the access catalog.

This section describes the following topics:

• Requesting New Access

• Viewing Hierarchical Attributes of Entitlements

• Adding and Removing Catalog Items to and from the Cart

• Adding and Removing Grant Duration

• Managing Request Profiles

• Tracking a Request

• Deleting a Request

• Withdrawing a Request

• Closing a Request

• Requesting Access With Policy Violations

6.1 Requesting New Access

Based on permissions, you can request access for self or for other users by using the access catalog.

This section describes how to request access by using the access catalog in the following sections:

• Requesting Access for Self

• Requesting Access for Other Users

• Requesting Access By Using a Request Profile

• Keyword Search in the Access Catalog

• Specifying Application Instances in Entitlements Search

• Refining Search Results

6.1.1 Requesting Access for Self

You can request access for self by using the access catalog.

To request access for self:

1. Login to Oracle Identity Self Service.

2. In the Self Service tab, click the Request Access box, and select Request for Self. The Add Access page of the Request Access wizard is displayed. The Add Access page enables you to search and select the items you want to request for. This page consists of the following tabs:

   • Catalog: This tab enables you to search and add access (entities) to the request cart, and then create the request for access.

   • Request Profiles: This tab enables you to search and view request profiles, and add profiles to the cart. See Managing Request Profiles for information about request profiles.

3. Click the Catalog tab, if it is not already active.

4. Search for the entities that you want to request for self. To do so:

   1. Select any one of the following options:

      • All: To specify that all entities are being searched, such as roles, application instances, and entitlements.

      • Application: To specify that only application instances are being searched.

      • Entitlement: To specify that entitlements are being searched. While searching for entitlements, you can specify the associated application instances. When you select the Entitlement option, the Application list is displayed. For information about selecting one or more application instances, see Specifying Application Instances in Entitlements Search.

      • Role: To specify that only roles are being searched.

   2. In the Search field, enter a search keyword, and click Search.

      For information about search keywords that you can specify, see Keyword Search in the Access Catalog.

      The items that match the search criteria are listed. An icon is displayed with each catalog item that denotes whether the item is a role, application instance, or entitlement, as listed in Table 6-1.

      Table 6-1 Icons Denoting Catalog Item Type

      Icon	Item Type
      	Role
      	Application Instance
      	Entitlement

5. You can refine the catalog items to list all items or any one of the application instance, entitlement, or role entities. See Refining Search Results for more information.

6. To view the details of the catalog item, click the information icon for the item. The Detailed Information page is displayed that shows the attributes for the item.

   For application instances and entitlements, you can edit the values of the attributes in the Detailed Information page. To do so, click the information icon for the application instance or entitlement, modify the values of the attributes in the Detailed Information page, and click Apply.

   For roles, the attributes displayed in the Detailed Information page are read-only and cannot be modified. These attributes can only be edited by the Catalog Administrator. If Catalog Administrator wants to update any catalog attribute for role, then it can be done only from the role details page.

   After modifying or reviewing the attribute values, close the page.

7. To add a catalog item to the request cart, click Add to Cart for that item.

   To add multiple catalog items to the request cart, select multiple items by clicking the items while pressing the Ctrl key, and then click Add Selected to Cart.

   Note:

   If you switch workspace, then cart items are lost. For example, after adding items to the cart, if you click the Manage tab and then come back to Self Service again, then the items added to the cart are lost.

   The items are added to the cart. Scroll to the top of the page. The number of items added to the cart is displayed with the cart icon.

   To remove the selected items from the cart, see Adding and Removing Catalog Items to and from the Cart.

   When requesting access, each item in the cart can have its own temporal grant dates. If you want specific dates set for the cart items, then the dates must be set manually for each cart item. If no dates are entered, then the start date will default to the current date and the end date will be left empty indicating an indefinite access. See Adding and Removing Grant Duration for information about grant duration.

   Tip:

   To add items to the cart by using request profiles, click the Request Profiles tab. For information about request profiles and using request profiles to create a request, see Managing Request Profiles and Requesting Access By Using a Request Profile.

8. Click Next. The Checkout page is displayed.

9. In the Cart Details section, expand Request Information, if it is not already expanded.

10. In the Justification field, enter a justification for the request. This is for the approver to review the justification, and then approve or reject the request.

11. Expand Cart Items, if it is not already expanded. This section lists the catalog items that you selected and have been added to the request cart. For each item, one of the following icons represents the submission readiness of the item:

    • The icon denotes that the item is ready for submission.

    • The icon denotes that the item is not ready for submission.

    You can click the information icon for each item to display the details of the item in a pop-up window.

12. (Optional) If you want to remove any item from the cart, then click the cross icon for that item.

13. Click an item to display the request details of the item in the Request Details section. This section consists of the following tabs:

    • Grant Duration: This tab is represented by the icon and is displayed for all types of entities.

    • Details: This tab is represented by the icon and is displayed only for application instances and entitlements that require additional data.

14. Click the Grant Duration icon. The Grant Duration section provides options that enable you to control the duration when the access will be provisioned. To specify grant duration:

    1. Select the Grant will be effective immediately upon request completion option if you want the role, account, or entitlement to be provisioned immediately on request approval. By default, this option is selected.

    2. If the Grant will be effective immediately upon request completion option is not selected, then specify date values for the following fields:

       • Start Date: The start date when the role, account, or entitlement will be provisioned.

       • End Date: The end date when the role, account, or entitlement will be revoked.

       For detailed information about grant duration, see Adding and Removing Grant Duration.

15. Click the Details icon. The form associated with the application instance or complex entitlement is displayed. You can modify the attributes in this form. These attributes are the form fields of the application instance or complex entitlement, and is propagated to the target account after the provision/modify operation is completed.

    The Details icon is displayed only when you select a cart item that is an application instance or a complex entitlement.

16. Click Update. The values you entered for the selected cart item are updated in the cart.

17. Click Submit to submit the request.

    If the Identity Audit feature is enabled, then based on the Identity Audit rules configured, the Cart Items sections can display a warning for policy violations. For information about the policy violations displayed in the Cart Items section and how to mitigate the same, see Requesting Access With Policy Violations.

6.1.2 Requesting Access for Other Users

Based on permissions, you can request access for other users.

To request access for others:

1. Log in to Oracle Identity Self Service.

2. In the Self Service tab, click the Request Access box, and then select Request for Others. The Select Users page of the Request Access for Others wizard is displayed.

3. Search for the users for which you want to request access. You can perform a basic search or an advanced search for users.

   • To perform a basic search for users:

     1. If Advanced search is active, then click Basic. Otherwise, proceed to step 2.

     2. From the Search list, select an attribute based on which you want to search the users.

     3. In the Search field, enter a keyword for your search.

     4. Click the Search icon. The users that match the search keyword are listed in the Users pane.

   • To perform an advanced search for users:

     1. Click Advanced. A number of attributes are displayed based on which you can search the users.

     2. For one or more attributes, select the search operator from the lists, such as Starts With, Ends With, Equals, Does Not Equal, Contains, and Does Not Contain. For any date field, the search operators are Equals, Before, After, On or before, On or after, Between.

     3. Specify values for one or more attributes. The search result will be displayed based on the values that you specify for these attributes.

     4. Optionally, you can add fields to your search criteria by clicking Add Fields and selecting fields from the list. A cross icon is displayed with the added fields. You can click the cross icon to remove the added field.

     5. Click Search. The users that match the search criteria are listed in the Users pane.

   Note:

   If you switch from basic to advanced search and fill in search criteria and then switch back to basic search again, the basic search still has the criteria from the advanced search. It is now no longer a basic search. This issue is applicable to search screens for all entities that have basic and advanced search. For a description of this issue, see Advanced Search Parameters Do Not Reset After Switching to Basic Search in the Identity Management Release Notes for 11g Release 2 (11.1.2.3).

4. In the Users pane, you can view the details of each user by clicking the information icon for that user. The User Details dialog box displays the user attributes, and the roles, accounts, and entitlements assigned to the user. Click Close to close the User Details dialog box.

5. For each user that you want to select, click Add User. The user is added to the Selected Users pane.

6. Click Next. The Add Access page of the Request Access wizard is displayed.

7. Complete the steps in the wizard, as described in Requesting Access for Self.

6.1.3 Requesting Access By Using a Request Profile

You can request access by using a request profile.

To do so:

Note:

For information about request profiles, see Managing Request Profiles.

1. In the Request Access box of the Self Service tab, click the Request Access box, and select Request for Self. The Add Access page of the Request Access wizard is displayed.

2. Click the Request Profiles tab.

3. Click the request profile name that you want to use to create the request. The Cart Details page is displayed.

4. The Target Users section displays the usernames of beneficiaries for the request. You can click information icon against each user to view the details.

5. To add beneficiaries to the request:

   1. Click the Add icon. The Advanced Search for Target Users dialog box is displayed.

   2. Search and select one or more users that you want to add.

   3. Click Add Selected to add the selected users to the Selected Users list. Alternatively, click Add All to add all the users in the Selected Users list.

   4. Click Add. The selected users or beneficiaries are added to the Users section of the Request Cart Details page.

   You can also select a user that you want to remove from the list of beneficiaries, and click the Remove icon.

6. If required, in the Justification and Effective Date section, in the respective fields, specify a justification and effective date when the request will be active.

7. In the Cart Items section, select a cart item to display the details of the item.

8. After reviewing and modifying the details for each request in the cart, click Submit. If the Submit button is not active, then click Ready to Submit for each cart item with Not Ready to Submit status.

   The request is submitted for approval, and the Request Summary page is displayed with summary information, target user or beneficiary information, and request and approval details.

6.1.4 Keyword Search in the Access Catalog

Using keyword search in the access catalog, you can search on the basis of entity name, entity display name, or user-defined tags that administrator has provided for that catalog item. Here, entity refers to role, application instance, and entitlement.

Catalog keyword search has the following characteristics:

• Appending wildcard characters, such as asterisk (*) or percentage sign (%), is not required.

• Catalog keyword search does not support * or % sign as a prefix.

• Search is performed as if with the Begins With operator.

For example, if you are searching for a role with role name as Act Admin and display name as Accounts Administration, then you can specify the search keyword as Act or Acco or Accounts or Admin . Searching with *unts will not work.Any catalog UDF that is marked as searchable is displayed automatically on the catalog search form as an attribute, by using which you can search catalog items. See "Creating a Custom Attribute" in the Administering Oracle Identity Governance for information about marking a UDF as searchable.

6.1.5 Specifying Application Instances in Entitlements Search

When you search for entitlements in the access catalog, you can specify one or more associated application instances based on which you want to search the entitlements.

To do so:

1. Navigate to the Catalog tab in the Add Access page of the Request Access wizard, as described in Requesting New Access.

2. To specify an entity type to be searched, select the Entitlement option. The Application list is displayed.

3. Select an application instance based on which you want to search the entitlement. The number of selected application instance is shown in the Selected Apps link. This number of selected application instances is updated if you again select more application instances from the list.

4. (Optional) Instead of selecting the application instances one by one, you can search and select multiple application instances. To do so:

   1. From the Application list, select Search and select multiple. The Choose Applications dialog box is displayed.

   2. In the Search box, enter a keyword to search for the application instances you want to select.

   3. Click the search icon. The application instances that match the search keyword are displayed.

   4. Click Select for each application instance that you want to select.

      Note:

      You can select a maximum of 20 application instances at a time.

   5. If you want to remove application instances from your selection, then click Deselect for each application instance that you want to remove.

   6. To select or deselect all application instances at a time, you can click the Select All and Deselect All buttons respectively.

   7. Click OK. The application instances are selected.

5. (Optional) To remove the selected application instances, click the Selected Apps link, and then click the cross icons adjacent to the application instances that you want to remove. To remove all selected application instances, click Clear All.

You can Continue with the search by specifying a search keyword, as described in Requesting New Access.

6.1.6 Refining Search Results

You can refine your search results to make it more precise.

After searching for catalog items, as described in Requesting New Access, you can refine your search results to make it more precise. To do so, in the Categories section of the Catalog tab, select one or more categories to display the catalog items of those categories. You can select or deselect the Select All checkbox to display or hide all items belonging to the categories.

Categories are a way of organizing entities in the access catalog. Each catalog item is associated with one and only one category. Default categories of a catalog item can be roles, entitlements, or application instances. You can also define new custom categories by changing or updating the category of a catalog item in its detailed information page. For example, you can refine your search result to display catalog items belonging to the entitlements category only by selecting Entitlements in the Categories section.

6.2 Viewing Hierarchical Attributes of Entitlements

If viewing additional attributes for entitlements is configured, then the request details screen displays the additional attributes.

See "Configuring Hierarchical Attributes of Entitlements" in the Administering Oracle Identity Governance for information about configuring the display of additional attributes for entitlements.

To view the additional attributes for entitlements:

1. In the Catalog page, search for the catalog items that you want to view. The catalog items that are entitlements are displayed with an arrow icon. These are the entitlements that have XML files associated with them, as described in "Configuring Hierarchical Attributes of Entitlements" in the Administering Oracle Identity Governance.

   The arrow icon is not displayed for some catalog items because these catalog items do not have XML files associated with them.

2. Click the arrow icon. The additional details with the additional information or the technical glossary is displayed in a new tab. In the additional details tab, the child of the top node is shown. To view the details of the node, click the row.
3. Click the row to view the details. If additional details are present for the child node, then it is displayed on the right side.

   Breadcrumb icons are displayed at the top of the additional details popup. The texts in the breadcrumbs are hyperlinks. You can click the hyperlinks to navigate between the nodes.

6.3 Adding and Removing Catalog Items to and from the Cart

A request cart, also known as a cart, contains a set of catalog items that the user selects from the request catalog. Users can add catalog items to the request cart to submit a request for entities such as roles, entitlements, and application instances. The request cart does not persist across user sessions.

To add catalog items to the cart:

1. Open the access catalog, and search for the catalog items that you want to add to the cart. See Requesting New Access for the procedure to search for catalog items.
2. If required, narrow down your search result by selecting or deselecting one or more categories in the Categories section. You can select or deselect the Select All checkbox to display or hide all the items belonging to the categories.
3. Click Add to Cart on the catalog item that you want to request.

   You can also select multiple items from the catalog by following the standard multi-selection process for your system, then click Add Selected to Cart.

   The number of items added to the cart is displayed with the Cart icon at the top of the page.

4. On the top of the page, click Cart. The Request Cart window is displayed with a list of all the items that are added to the cart.
5. For each item that you want to remove from the cart, click Remove for that item.

   To remove all items from the cart, click Remove All.

6. Click Close.

6.4 Adding and Removing Grant Duration

The access catalog provides the Start Date and End Date fields for specifying the grant duration of roles, accounts, and entitlements to self or other users.

This section describes the following operations related to grant duration:

• Specifying Grant Duration

• Modifying Grant Duration

• Revoking Access

6.4.1 Specifying Grant Duration

Specifying grant duration for role/account/entitlements enable you to control the duration when the access will be provisioned.

When you add access to users, the grant duration fields have the following functionality:

• If both grant duration fields, Start Date and End Date, are specified, then it means that role/account/entitlement will be provisioned on the specified start date only, and it will be revoked on the specified end date.

• If only Start Date is specified, then role/account/entitlement will be provisioned on the specified start date, and there is no end date applicable for the access.

• If only End Date is specified, then role/account/entitlement will be provisioned immediately, and role/account/entitlement will be revoked automatically on end date.

• If both the grant duration fields are not specified, then role/account/entitlement will be provisioned immediately, and role/account/entitlement to entity remains with the user indefinitely.

• If the operation requires approval, then role/account/entitlement will be provisioned only after approval is done and start date is reached (if specified).

• If the operation does not require approval, then role/account/entitlement will be provisioned only after start date is reached (if specified).

• If the grant date is set to a future date, then the access is displayed in the following manner:

  • For roles: The Assigned on date is not displayed if a future start date is set.

  • For entitlements: The access is displayed with the Future Grant status in the user's entitlements tab.

  • For accounts: The account will be in disabled state until the start date is reached.

For information about specifying grant duration, see steps 13 and 14 of Requesting Access for Self for information about specifying grant duration when requesting roles/accounts/entitlements for self. The same steps apply for specifying grant duration while requesting access for other users.

6.4.2 Modifying Grant Duration

Start date can be modified only when roles/accounts/entitlements have not yet been provisioned. End date can be modified at any time.

Grant duration can be modified from the following sections in Identity Self Service:

• The My Access page: For information about modifying the grant duration fields from the My Access page, see Modifying Role Grant Duration, Modifying Entitlement Grant Duration, and Modifying Account Grant Duration.

• The User Details page: For information about modifying the grant duration fields from the User Details page, see Modifying Role Grant Duration, Modifying Entitlement Grant Duration, and Modifying Account Grant Duration.

• The Pending Approvals page: During the approval process of a request, the approver can modify the start and end dates. For details, see Modifying Grant Duration.

6.4.3 Revoking Access

Revoking access to an existing role/account/entitlement can be done immediately or in the future.

To revoke access immediately, select the role/account/entitlement from the corresponding table, and click Remove.

To revoke access on a future date, select the role/account/entitlement, from the Action menu, select Modify Grant Duration. In the Modify Grant Duration popup, set the End Date field to the date when the access should be revoked.

6.5 Managing Request Profiles

Request profiles are request carts that are saved for future reuse by the users. You can create a request profile, modify request profile and delete request profiles.

This section discusses the following topics:

• About Request Profile

• Creating a Request Profile

• Modifying a Request Profile

• Deleting a Request Profile

Note:

Creating, modifying, or deleting a request profile can be performed only by catalog administrators or system administrators.

6.5.1 About Request Profile

When you select catalog items for requesting, the items are added to a request cart. The request cart is similar to the shopping cart in web sites that sell products to customers. You can view the selected items in the cart, or edit the request cart to add or remove items.

Request profiles are request carts that are saved for future reuse by the users. The request cart is saved by the catalog administrator or system administrator so that the user can use it to request for entities without searching through thousands of catalog items.

6.5.2 Creating a Request Profile

You can create a request profile after adding catalog items to the cart.

To create a request profile:

1. Login to Oracle Identity Self Service.
2. Click the Self Service tab if it is not already active.
3. Click the Request Access box, and select Request for Self.
4. Select one or more catalog items, and click Add to Cart. The catalog items are added to the request cart.
5. Click Next. The Checkout page is displayed with the cart details. The selected catalog items are displayed in the Cart Items section.
6. Click the down arrow beside Save As, and then select Profile. The Save As Profile dialog box is displayed with a list of the items in the cart.
7. In the Profile Name field, enter a name for the request profile. This is a mandatory field.
8. In the Description field, enter a description of the request profile.
9. Click Save. The request profile is created.

Note:

If you create a request profile with cart items that have additional information and save the request profile, then the additional information is not saved.

6.5.3 Modifying a Request Profile

You can modify an existing request profile to update the cart items.

To modify a request profile:

1. Open the access catalog, and go to the Add Access page.
2. Click the Request Profiles tab.
3. Locate the request profile that you want to modify, and click Add to Cart. Click Next to move to the Checkout page.
4. Click Save As Profile. The Save as Profile dialog box is displayed.
5. In the Save Profile Name field, enter the name for the request profile that is being modified. If you enter a new name, then a new request profile is created. If you enter the name of an existing request profile, then that request profile is updated with the latest changes.
6. In the Description field, enter a description of the request profile.
7. Click Save. Depending on whether you have entered the name of an existing request profile or new name, the request profile is created or updated, respectively.

Note:

Values that you add or specify for Start Date, End Date, or Effective Date are not saved in a request profile.

6.5.4 Deleting a Request Profile

Delete the request profiles that are not required or are not in use.

To delete a request profile:

1. Open the Add Access page of the access catalog.
2. In the Request Profiles section of the Catalog page, click the cross icon in the row corresponding to the request profile.
3. In the Confirmation dialog box that is displayed, click Yes.

   The request profile is deleted.

6.6 Tracking a Request

You can search for requests that you want to track, view the details of the request. If you are the requester, then you can modify, submit, or delete the draft request.

This section describes how to search and track requests:

• Searching Track Request

• Tracking a Draft Request

6.6.1 Searching Track Request

Use the Track Requests page to perform simple and advanced search for requests.

To track a request:

1. In Identity Self Service, click the Self Service tab if it is not already active.

2. Click the icon in the Track Requests box. The Track Requests page is displayed.

3. Search for the requests you want to track. You can perform basic and advanced search for requests.

   To perform basic search for requests:

   1. From the Search list, select an attribute name based on which you want to specify the search parameter.

   2. In the Search box, enter a value for the selected attribute.

   3. Click the Search icon.

   To perform an advanced search for requests:

   1. Click Advanced.

   2. Select any one of the following:

      • All: On selecting this option, the search is performed with the AND condition. This means that the search operation returns requests that match all the search criteria that is specified.

      • Any: On selecting this option, the search is performed with the OR condition. This means that the search operation returns requests that match the search criterion that is specified.

   3. In the searchable request attribute fields, such as Request ID, specify a value. You can include wildcard characters (*) in the attribute value.

      For some attributes, select the attribute value from the lookup or drop down. For example, to search all requests with the Request Awaiting Approval status, from the Status list, select the Equals search operator, and then select Request Awaiting Approval from the adjacent list.

   4. For each attribute value that you specify, select a search operator from the list. For example, the following search operators are available for Request ID:

      • Starts with

      • Ends with

      • Equals

      • Does not equal

      • Contains

      • Does not contain

      For other fields, for example Status, Request Type, Beneficiary, and Requester, only Equals and Does not equal operators are available.

      For fields of date type, the search operators are:

      • Equals

      • Does not equal

      • Before

      • After

      • On or before

      • On or after

   5. To add a searchable request attribute to the Track Requests page, click Add Fields, and select the attribute from the list of attributes.

      For example, if you want to track all requests by a requester, then you can add the Requester attribute as a searchable field and specify a search condition.

   6. Optionally, click Reset to reset the search conditions that you specified. Typically, you perform this step to remove the specified search conditions and specify a new search condition.

   7. Click Search. The search results is displayed in a tabular format.

4. If the request search you performed displays a large number of records, then you can filter the request search result. To do so:

   1. From the Show list, select any of the following:

      • Requests Raised By Me: This is selected by default. Returns requests created by logged-in user.

      • Requests Raised For Me: Returns requests where login user exists as beneficiary or target user.

      • For Reportee: This option is available if the logged-in user is a manager of a user.

      • For User: This option is available if the logged-in user has been granted the User Administrator or the HelpDesk admin role.

      • All: Returns all requests in the search result. This option is available if the logged-in user has been granted the System Administrator role.

   2. To sort the requests in the search result by any of the columns such as Request ID or Status, click the Sort Ascending or Sort Descending arrows in the column. The requests in the search result are sorted by the selected column.

5. In the request search result, click a request to view the details of the request. The details of the request is shown in a page with the following information:

   • Summary information: This section shows general request details, such as request ID, request status, and effective date.

   • Target Users: This section lists the beneficiaries or target users for the request.

   • Related Requests: This section lists requests that are related to the open request, if any.

   • Request Details: This tab lists the requested catalog items. You can select an item to display a summary information of the item.

   • Approval Details: This tab displays the status of request approval by each approver to whom the request has been assigned.

     Note:

     HelpDesk users and beneficiaries can view request approval details. However, they cannot add comments or attachments on the request summary page.

6.6.2 Tracking a Draft Request

A requester can save a request for modifying, submitting, or deleting it later. This is useful if the requester is awaiting additional information before submitting the request.

Only the requester can modify, submit, or delete the draft request. Users such as system administrators and beneficiaries cannot view draft requests saved by others.

To track a draft request:

1. In the Self Service tab, click the icon in the Track Requests box. The Track Requests page is displayed.
2. From the Status list, select the Equals search operator, and then select Request Draft Created from the adjacent list.
3. In the Search Results region, from the Show list, select the Requests Raised by Me filter.
4. (Optional) Use any other search criteria as described in Tracking a Request.
5. Click Search. The search results is displayed in a tabular format.

   The draft request cannot be withdrawn or closed. To delete a draft request, select a request and click Delete Request.

   To open a draft request to modify or submit it, click the link in the Request ID column. In the Edit Draft Request page, you can click Submit to submit the draft request. If the Submit button is not active, select and edit each cart item in the Cart Items region, and then click Ready to Submit. To modify and save the request data, click Update Draft Request.

Note:

The request data saved in draft mode does not include sensitive information such as passwords, even if they were entered before saving the request as draft.

6.7 Deleting a Request

Delete the requests that are not required.

To delete a request:

1. In the Self Service tab, click the icon in the Track Requests box. The Track Requests page is displayed.
2. Search and select the request that you want to delete.
3. From the Actions menu, select Delete Request. Alternatively, you can click Close Request on the toolbar.
4. Click Yes in the confirmation message box. The request is deleted and a notification is sent to the beneficiary and requester of the request.

   Note:

   • Configuration of notification can be done in the human task of a SOA composite.

   • For more information about request-related tasks, such as approving a request, reassigning a task, and rejecting a task, see Using the Unified Inbox.

6.8 Withdrawing a Request

A request can be withdrawn by the requester, and only the requests that have not started the execution phase can be withdrawn. Also, beneficiaries cannot withdraw requests.

Requests having the following stages can be withdrawn:

• Obtaining Approval

• Approved

  Note:

  • Approved requests cannot be closed unless the request has the Request Awaiting Completion status.

  • Draft requests, which are in Request Draft Created status, cannot be withdrawn.

  • If a request is closed while the request is in the Obtaining Approval stage, then all the approvals that are still pending in the approver task list are removed.

To withdraw a request:

1. In the Self Service tab, click the icon in the Track Requests box. The Track Requests page is displayed.
2. Search for the requests that you want to withdraw. The search results display a list of requests that match your search criteria with a Withdraw Request button for each request.
3. For a request that you want to withdraw, click Withdraw Request. Alternatively, you can open the details of a request by clicking the request ID, and subsequently clicking Withdraw Request on the request details page.
4. Click Yes in the confirmation message box. The request is withdrawn and a notification is sent to the beneficiary and requester of the request. If the withdrawal is successful, then request moves to the Request Withdrawn stage. Any pending approval tasks associated with the request are canceled.

6.9 Closing a Request

Administrators can prematurely close any request that has not started the execution phase. This includes all requests waiting for approvals or has completed approvals but no operation has been started.

Requests with the following state can be closed:

• Obtaining Approval

• Approved

Note:

• Approved requests cannot be closed unless the request has the Request Awaiting Completion status.

• Draft requests, which are in Request Draft Created status, cannot be closed.

• If a request is closed while the request is in the Obtaining Approval stage, then all the approvals that are still pending in the approver task list are removed.

To close a request:

1. In the Self Service tab, click the icon in the Track Requests box. The Track Request page is displayed.
2. Search for the requests that you want to close. The requests that match the search condition are displayed in a tabular format.
3. Select the request that you want to close.
4. From the Actions menu, select Close Request. Alternatively, you can click the Close Request icon on the toolbar.
5. Click Yes in the confirmation message box. The request is closed and a notification is sent to the requester and target user of this request. When a request is closed successfully, the request moves to the Request Closed stage.

   Note:

   • Configuration of notification can be done in the human task of a SOA composite.

   • For more information about request-related tasks, such as approving a request, reassigning a task, and rejecting a task, see Managing Pending Approvals.

6.10 Requesting Access With Policy Violations

You can submit request with known access violations.

The following sections describe requesting access with policy violations:

• About Requesting Access With Policy Violations

• Migrating the Policy Violations and Submitting the Requesting

6.10.1 About Requesting Access With Policy Violations

When a request for access is submitted and the Identity Audit feature is enabled, the information in the request data is scanned to detect any possible access violations.

A violation occurs if the combination of the access currently assigned to a user along with the access being requested, matches an audit policy.

For example, consider an Identity Audit policy consisting of the following rule:

role[*].Role Name EQUAL AP Expense Approver
AND
role[*].Role Name EQUAL AP Merchandise Vendor Approver

The rule specifies that a user cannot have both the AP Expense Approver and the AP Merchandise Approver roles at the same time. If this situation occurs, then it is a policy violation.

If a violation is detected, the initial request is returned to the requestor, and the page is refreshed to indicate the violations.

Each cart item that is causing the violation is indicated with the icon, and an overall warning message is displayed. Clicking the message displays an overall view of all the violations detected.

It is still possible to submit the request with the known violations by clicking the Submit with Violations button.

Figure 6-1 shows the Checkout page that is indicating policy violations.

Figure 6-1 Policy Violation

Description of "Figure 6-1 Policy Violation"

6.10.2 Migrating the Policy Violations and Submitting the Requesting

You can take corrective steps to mitigate the requests with policy violations and submit the request.

Perform the following steps to mitigate the policy violations and submit the request:

1. In the Checkout page of the access catalog, click Policy Violations. The Policy Violations dialog box is displayed with the cart items that are causing the policy violation. It displays the policy name that is violated, the cause of the violation, the attributes that cause the violation, and the severity of the violation, as shown in Figure 6-2.

   Figure 6-2 The Policy Violations Dialog Box

   
   Description of "Figure 6-2 The Policy Violations Dialog Box"
2. Close the Policy Violations dialog box.
3. Click the cross icon with the cart items to remove the items causing the policy violation. In the example in this section, removing any one of the AP Expense Approver or AP Merchandise Vendor Approver roles will remove the policy violation.

   The policy violation icons and the policy violation warning are no longer displayed, and the Submit with Violations button changes to Submit.

4. Click Submit to submit the request.

   Alternatively, to submit the request with policy violations, click Submit with Violations.