Self-Service: Request access rights


This use case is part of the access right management (ARM) process. This article describes in detail how end-users can request access rights from Matrix42 Self-Service. It also explains how the use case is configured and gives examples of how the customer can expand it.

When the use case is delivered, it contains three (3) possibilities to request access rights:

1. Request access rights to myself (available to all end-users)

2. Request access rights to my subordinate (available to managers)

3. Request access rights to external users (available to managers)

Please note that the IGA package (Starter, Growth, Enterprise) affects the use case and related functionalities such as user lifecycle management, toxic combinations, etc.


Use case in a nutshell:

1. Manager or user requests access rights from Matrix42 Self-Service

2. Approver(s) approves request(s) in the Matrix42 Self-Service

3. Access right(s) are automatically added to the user, or a manual request is sent for adding the access right(s) manually

4. Manager and user can see their own request history from Matrix42 Self-Service

5. IGA Admin can manage access right information, request catalog and visibility for the access rights which are published into Matrix42 Self-Service from IGA solution.

6. All auditing details are available for reporting (by using ready-made reports and dashboards, or IGA admins can easily create their own reports)





Use case description


This use case can also relate to other processes and use cases, which have been marked as follows:

* User lifecycle management
** Governance
*** Automation & provisioning
**** Expanded access right management



Description

Overview

This use case describes how a user can request additional entitlements or business roles and what the outcomes of that request are.

A user or a manager can request additional entitlements or business roles for him/herself (request access rights).

A manager can request additional entitlements or business roles for a subordinate or for an external subordinate (request access rights for my subordinates or request access rights for external users).

Operators

IGA solution
Self-Service 
Manager
User
IGA admin

Prerequisites

Access rights need to be published to Self-Service. Manager - subordinate relations need to exist in the IGA solution.

Result

The request is appropriately approved and sent to the provisioning process. All audit details are saved and can be reported. User and manager can follow up the request status in Self-Service.

Operating chain

  1. User opens “Request access rights for myself”, or manager opens “Request access rights for my subordinate” or “Request access rights to external users”, from Matrix42 Self-Service.

  2. Manager chooses subordinate(s) (internal or external, depending on which service the manager has opened)

    • User can only request access rights for him- / herself

  3. User / manager chooses, based on pre-defined categories, which access rights are needed (several access rights can be added to the shopping cart):

    • Access Right Category 1 (Customer can define values)

    • Access Right Category 2 (Customer can define values)

    • Application (list of related applications)

    • Access Right (list of application related entitlements)

    • Business roles (list of entitlement related business roles)

  4. User / manager can add a start and end date (if required) for how long the access right is valid for the user

    • If the entitlement has access right validation defined, it will overwrite the validation dates added to the request

  5. User / manager adds mandatory justification and selects submit.

  6. Manager advocates

    • If manager declines request, audit information is saved, user is notified, and process ends. 

    • If manager is requesting additional access rights for subordinate, no separate advocate is needed. 

  7. Approver approves in Self-Service

    • If an approver has been added to the requested entitlement, the request needs second-level approval

    • If approver declines request, audit information is saved, user is notified, and process ends.

  8. IGA solution checks if any ***Toxic Combination rule applies and informs the user or manager of the rule to be applied.

  9. IGA solution receives the access right request and starts provisioning process

    • Request can be manually provisioned (managed manually)

    • Request can be automatically provisioned 

    • Request can be a combination of automatic + manual provisioning, where the automatic part is carried out first (before an admin task is generated for the IGA admin).

  10. Access right records (audit details) are saved, and process ends. 
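
The approval routing in steps 4 to 9 above, modelled in Python as an added example (not Matrix42 code or configuration). The class, field and function names are hypothetical, and the toxic combination check in step 8 is left out.

```python
# Added illustration: all class, field and function names are hypothetical,
# not Matrix42 identifiers. Step numbers refer to the operating chain above.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Entitlement:
    name: str
    approver: Optional[str] = None          # if set, second-level approval (step 7)
    fixed_validity: Optional[tuple] = None  # (start, end) defined on the entitlement
    provisioning: str = "manual"            # "manual", "automatic" or "both" (step 9)

@dataclass
class Request:
    requester: str
    target: str
    manager_of_target: str
    entitlement: Entitlement
    justification: str
    start: Optional[date] = None
    end: Optional[date] = None
    audit: list = field(default_factory=list)

def approval_stages(req):
    """Return the ordered (role, person) decisions needed (steps 5 to 7)."""
    if not req.justification.strip():
        raise ValueError("justification is mandatory")
    if req.requester not in (req.target, req.manager_of_target):
        raise PermissionError("users request for themselves, managers for subordinates")
    stages = []
    if req.requester != req.manager_of_target:   # manager's own request needs no advocate
        stages.append(("manager", req.manager_of_target))
    if req.entitlement.approver:
        stages.append(("approver", req.entitlement.approver))
    return stages

def process(req, decisions):
    """decisions maps a person to True (approve) or False (decline)."""
    for role, who in approval_stages(req):
        approved = decisions[who]
        req.audit.append((role, who, "approved" if approved else "declined"))
        if not approved:                          # audit saved, process ends
            return {"status": "declined", "tasks": []}
    # Step 4: validity defined on the entitlement overrides the requested dates.
    validity = req.entitlement.fixed_validity or (req.start, req.end)
    mode = req.entitlement.provisioning           # automatic part runs first
    tasks = [t for t in ("automatic", "manual") if mode in (t, "both")]
    return {"status": "provisioning", "validity": validity, "tasks": tasks}
```

Running the same entitlement through a self-request and a manager's request for a subordinate shows which approvals each path needs; this is the comparison the system and user approval tests later in the article exercise by hand.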

Self-Service 

Request access rights for myself
Request access rights for internal Users
Request access rights for external Users

If user lifecycle management add-on is included, request access right service can also be shown in "onboard internal users" and "onboard external users" bundle orders. 

Self-Service reporting

User can see own active access rights
Manager can see own and subordinates' active access rights

User can see own open requests
Manager can see own open requests
Manager can see requests waiting for approval
Approver can see requests waiting for approval
Approver can see own approval history

User can see own request history
Manager can see own request and approval history

IGA admin reporting

IGA admin can create new reports, views and dashboards, or review, update and remove ready-made views, reports and dashboards.
IGA admin can also decide whether only active requests are reported or whether history data is also included:
  • All requests made from Self-Service
  • Requests waiting for approval / requests that have waited for approval xx time
  • Declined / approved requests

IGA admin actions
  • IGA admin maintains the access right request catalog, entitlements and business role information (approval levels, visibility in Self-Service)
  • Reviews IGA admin tasks in case there are issues with the process
  • Bypasses approval requests (if allowed)
  • Reporting
Messages

Users can see their own open requests and their status, as well as their request history, from the Matrix42 Self-Service portal. It is therefore highly recommended to guide users to the portal in the first phase and to add email notifications to the IGA solution in a further development phase. Email notifications can also be added by the IGA admin.



Expansion possibilities


Expansion possibilities are divided into three categories, but it is always important to validate whether a requested change affects the delivery schedule or work estimations.


Category and description:

Small (less than an hour)
Small changes do not usually affect the delivery schedule or work estimations, and these changes can also be done by IGA admins:
  • Attribute naming
  • Info texts
  • Background, logos, language
  • Changes to email content

Medium (0.5 - 2 work days)
Medium changes can be, for example:
  • New services to Self-Service
  • New connector (new customer directory)

Large (more than 2 work days)
Large changes usually take longer, since they require more detailed definition and testing work. Those can be, for example:
  • Complex approval process
  • Customer specific use cases




Relations & configuration instructions 


Relations to other use cases:

Manage entitlements - use case for IGA admins to be able to define different settings for a single access right group (entitlement), such as approvers, visibility in Self-Service, description etc.

Manage applications - an entitlement always needs to be related to an application, so it is highly recommended to create manually or import the customer's application list to the IGA solution.

Manage request catalog - for users to be able to request access rights from Self-Service, the IGA admin needs to build categories for the request catalog.

Approval - use case for different approval types.

Delegation - use case for delegating approval responsibilities to other users.

Provisioning - is used when group memberships are created.

Manage admin tasks - use case for IGA admins to be able to get notifications in case there is a need for manual actions.

Audits and reports - ready-made reports and dashboards for monitoring access right requests.



Relations to other data cards, 

IGA Service Request
IGA Identity Storage*
IGA Work Period*
IGA Entitlement
IGA Business Role
IGA Access Right Record
IGA Account
IGA Toxic Combinations**



Configuration instructions:

  1. Publish service "Request Access Right for Subordinate" in ESS

  2. Publish service "Request Access Rights for External Users" in ESS

  3. Publish service "Request Access Rights for Myself" in ESS

  4. Configure EPEtask called "[Directory] IGA Service request: Verify, Add, Remove"
    • Configure the connection settings and after that Test connection from the EPEtask
    • Define user and group filters and settings
    • No need to change user identity mappings

  5. Configure EPEtask called "[Directory] IGA Access Right Record: Remove or Add group"
    • Configure the connection settings and after that Test connection from the EPEtask
    • Define user and group filters and settings
    • No need to change user identity mappings

  6. Go to IGA Access right record and workflow called "1.0 Access right ending"
    • Publish the workflow

  7. Go to IGA Access right record and workflow called "2.0 Add or remove group membership"
    • Publish the workflow

  8. Go to IGA service request and workflow called "2.0 Manager Adds Rights to Others Workflow"
    • Publish the workflow

  9. Go to IGA service request and workflow called "2.3 Users Add Rights for Themselves" 
    • Publish the workflow


Unit testing instructions: 

  1. Test Request Access right services from ESS
    • Create IGA request catalog and entitlements and publish them into Self-Service
    • Create test users with work period(s), both manager and user level. 
    • Create subordinates to the manager and make sure that manager information can be found from work periods.
    • Create test request, both manual and automatic type
    • Check the IGA Service Request from ESM
    • If automatic, check from the group memberships in the Directory that the new group is added to the user
    • If manual, check that an IGA Admin Task is created for the correct support group
  2. If you are working with an environment where user can have multiple work periods:
    • Request the same entitlement from ESS for two (or more) different work periods that the user has
    • Check that an active access right record for each work period is created

System and user approval testing instructions


This chapter describes the preparation tasks and testing instructions for the system testing and user approval testing phases.


Preparation tasks for both phases


1. Manage entitlements, manage request catalog, manage IGA users and approval related test cases are successfully tested and preparation tasks are implemented (same test users are used for testing access right requests and approvals).

2. Test users are created and there are existing manager - subordinate relations


Testing instructions:

Each test case is listed with its testing steps and outcomes.

Test case: Request access rights for yourself (login as user)
  • Request manual and automatic provisioning type of entitlements
  • Request business roles
  • Check that status is updated correctly in the front page after declining or approving the request (notice polling time)
  • Check that My requests is showing request history correctly

Test case: Request access rights for your subordinate and approve requests made by your subordinate (login to Self-Service as manager)
  • Approve requests waiting for approval
  • Decline some of the requests waiting for approval
  • Request automatic and manual provisioning type of entitlements
  • Request business roles
  • Check that status is updated correctly in the front page after declining or approving the request (notice polling time)
  • Check that approvals is showing request history correctly

Test case: Request access rights for your external subordinates (login to Self-Service as manager)
  • Request automatic and manual provisioning type of entitlements
  • Request business roles

Test case: Approve access right requests (login to Self-Service as entitlement or business role approver)
  • Approve requests waiting for approval
  • Decline requests waiting for approval
  • Check that request status is updated correctly in the front page after declining or approving the request (notice polling time)
  • Check that approval history is showing correctly

Test case: Login to IGA solution as IGA admin
  • Validate that IGA service request is created correctly
  • Validate from the directory that group-membership connection is made correctly
  • Validate that reports, dashboards and views are showing auditing details correctly
  • Validate that entitlement data card is showing group-membership connection correctly
  • Validate that users IGA account data card is showing group-membership connection correctly
  • Validate that manual access right requests are created correctly (either IGA admin task generated to the support group or email sent for manual actions)