
Access-Request Settings

Access-request settings are used for customizing access-request workflows, such as defining what type of data may be provided with new access requests, and what access-request details may be modified by approving application owners. Access-request settings are available on the Settings→Access Requests page. Note that some of the settings are only available when certain other settings have been set to a specific value.

Note: When application owners approve access requests, the possible approval actions are determined by the access-request setting values in effect at the time of approval. In some situations, reconfiguring access requests may make it impossible to properly approve access requests that were created under different access-request settings. For example, changing the destination mode also changes the possible destination types that approving application owners can set for access requests, which will likely make it impossible to approve the destination originally requested in the access request.

General

Allow specifying key path

If enabled, application owners may specify the path to a specific key file.

Require ticket when creating Access Request

If enabled, application owners may optionally specify a ticket number and a reason for authorization when creating access requests.

Show key options page during creation

When checked, application owners may optionally include information about desired access restrictions, such as allow-from and command restrictions.

Source

Allowed source hosts

Define which hosts may be selected as source hosts. Possible choices are:

  • All: Allow all the hosts that are managed by Key Manager. Also allows users to authorize external accounts by providing their own public key.
  • Require application permissions: Allow those hosts that belong to an application managed by the application owner. This option also allows users to authorize external accounts by providing their own public key.
  • Use tag: Allow those hosts that have been tagged with the specific tag. The specific tag is to be specified in the setting Show hosts with tag. This option also allows users to authorize external accounts by providing their own public key.
  • Only external (user gives public key): Only allows users to authorize accounts by providing their own public key.

Allowed source accounts

Specifies which accounts (on the allowed source hosts) can be chosen as source accounts. Possible values are:

  • All: No restrictions. Application owners can choose any accounts.
  • Use tag: Only allow those accounts that have a specified tag. The tag is to be specified in the setting Show accounts with tag.
  • All except: Allow all the accounts except the specified accounts. The disallowed accounts must be specified by account name under the Show all accounts except setting. When specifying multiple accounts, use commas to separate individual account names.

Allow external source (user to upload public key)

If enabled, allows users to provide their own public key.

Show previously uploaded keys (external source)

If enabled, any previously uploaded public keys can be viewed when creating access requests.

Destination

Destination mode

Specify the available destination choices. Possible values are:

  • Only hosts allowed: Hosts may be selected as destinations.
  • Only host groups allowed: Host groups may be selected as destinations. To use this option, you must have set up external account-provisioning services (such as Ansible) for provisioning user accounts.
    Note: Access requests to host groups only add authorizations to those hosts that are present in the target host group when the request is executed. Authorizations are not automatically added to hosts that are later added to the host group. Similarly, authorizations are not automatically removed from hosts that are later removed from the host group.
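A drift check for the host-group behaviour described in the note above, as an added example that is not part of the Key Manager documentation or product: it replays a group membership change log to find hosts that joined the group after a request was executed (no authorization added) and hosts that left it (authorization still in place). The event log format, request records and function names are hypothetical, and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample data: host-group membership change log (hypothetical
# export format; Key Manager itself is not queried here).
MEMBERSHIP_EVENTS = [
    ("2024-01-05T09:00", "db-servers", "add", "db01"),
    ("2024-01-05T09:00", "db-servers", "add", "db02"),
    ("2024-03-01T12:00", "db-servers", "add", "db03"),
    ("2024-04-10T08:30", "db-servers", "remove", "db02"),
]
# Constructed sample: executed access requests that targeted host groups.
EXECUTED_REQUESTS = [
    {"id": "AR-1", "group": "db-servers", "executed": "2024-02-01T10:00"},
]

def members_at(events, group, when):
    """Replay add/remove events up to `when` to get the group's members."""
    members = set()
    for ts, grp, action, host in sorted(events):
        if grp != group or datetime.fromisoformat(ts) > when:
            continue
        if action == "add":
            members.add(host)
        else:
            members.discard(host)
    return members

def group_drift(events, request, now):
    """Compare hosts authorized at execution with current group members."""
    executed = datetime.fromisoformat(request["executed"])
    authorized = members_at(events, request["group"], executed)
    current = members_at(events, request["group"], now)
    return {
        "request": request["id"],
        # Joined the group after execution: no authorization was added.
        "missing_authorization": sorted(current - authorized),
        # Left the group after execution: authorization is still in place.
        "stale_authorization": sorted(authorized - current),
    }

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-01T00:00")
    for req in EXECUTED_REQUESTS:
        print(group_drift(MEMBERSHIP_EVENTS, req, now))
```

Hosts reported under `stale_authorization` are the ones to review first, since they keep access that the current group membership no longer implies.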

Allowed destination hosts

Define which hosts may be selected as destination hosts. The possible values are:

  • All: Application owners can choose any hosts from the Key Manager managed environment. Application owners may also describe external hosts.
  • Require application permissions: Only allow those hosts that belong to an application managed by the application owner. Application owners may also describe external hosts.
  • Use tag: Only allow those hosts that have a specified tag. Application owners may also describe external hosts.
  • Only external: Application owners may only describe external hosts.

Allowed destination host accounts

Specifies which accounts (on the allowed destination hosts) can be chosen as destination accounts. The choices are identical to those available for the Allowed source accounts setting.

Expiration settings

Expiration mode

Specifies how validity periods can be defined in access requests. Possible values are:

  • No expiration: Authorizations created from access requests are always valid.
  • Requester selects: Authorizations created from access requests are valid for a set timespan. The timespan can be set by the application owner who created the access request. The timespan may later be modified by application owners who approve the request.
  • Only default value used: Authorizations created from access requests are valid for the duration specified by the Default expiration time setting.

Default expiration time

The default time of validity, specified in number of days (from the day the request is made).

Allow open dates (no start or no ending)

If checked, open-ended validity periods may be defined by omitting the start or the end date from an access request. When unchecked, access-request validity periods must be defined with both a starting and an ending time.

You can also define custom fields for eliciting additional information during access-request creation. For more information about custom fields, see Custom Fields.