Self-Service: Request Privilege Account


This article describes the use case in which end users request a privilege account, which they can then activate when needed from the Self-Service Portal.



Use Case Description


This use case is available only for the IGA Enterprise package.

Please note that managing administration-level access, for example in AD, requires domain admin level permissions for the service account that the IGA solution uses to write data to AD.



Description

Overview

This use case describes how users can request a privilege account from the Self-Service Portal.

Operators

IGA solution
Self-Service Portal
Manager
User
IGA Admin
IGA Owner

Prerequisites

The IGA Set Account Information datacard must be filled in for privilege account creation, and the IGA solution must have the required write permissions to the directory or application.

Result

The user's privilege account is disabled during account creation. After creation, the user can activate it in the "Activate Privilege Accesses" service or use the "Request Privilege Accesses" service to add more groups to the account.

Operating chain requesting account

  1. User or Manager opens "Request Privilege Account"

    • If the user is the requester, the Manager needs to advocate the request and any Approvers need to approve it.

    • If the Manager is the requester, no separate advocate is needed, but any Approvers need to approve the request.

    • If the Manager is the requester, he or she chooses the subordinate who needs the privilege account.

  2. User or Manager chooses the directory and creates the datacard according to the privilege account type (there needs to be an IGA Set Account Information datacard for each privilege account type). Types can be, for example:

    • AD Domain Admin
      • This can be for example Domain Administrator

    • AD Admin other
      • This can be for example OU Administrator

    • Azure AD Admin
      • This can be for example Owner in Azure AD

    • Azure AD Admin other
      • This can be for example User Access Administrator in Azure AD

    • OpenLDAP Admin
      • This can be for example OpenLDAP Administrator

    • Application Admin
      • This can be an Admin user of any application with which the IGA solution has been integrated

  3. User or Manager chooses an (optional) start date and end date for the privilege account validity

    • If dates are not chosen, the IGA solution will create the account immediately and the end date will be validated from the IGA Set Account Action datacard

  4. User or Manager adds the mandatory justification and chooses Next

  5. On the next page, the user or Manager can request privilege access rights to be added to the account

    • User or Manager chooses the application from the list

      • Only applications that have privilege accesses (IGA Entitlement marked as privilege access) are shown in the list

    • User or Manager chooses the needed privilege accesses from the list

      • Only IGA Entitlements that are marked as privilege accesses and are published to the "Request Privilege Accesses" service are shown

      • If the User or Manager requests privilege accesses and the user does not have an account for that directory or application, the IGA solution will generate the account according to the request, but no additional privilege accesses are added

        • User or Manager can open the "Request Privilege Accesses" service and choose the correct entitlements

  6. User or Manager submits the request

  7. IGA solution creates an IGA Service Request and starts the provisioning process for creating the new privilege account.

    • The Privilege Account is always created as disabled (the user needs to activate the account from the Self-Service Portal service "Active Privilege Accesses" before it can be used)

  8. IGA solution waits until a response from the directory or application has been received, closes the IGA Request and sends status information to the Self-Service Portal

  9. IGA Access Right Records are created and audit details are saved.

Related datacards

IGA Identity Storage
IGA Account

IGA Set Account Information
Application

Self-Service Portal services

Request Privilege Account


Configuration Changes


Customer can define these configuration changes without them affecting the project's schedule or work estimations.

1. Customer can define the attributes that are provisioned to the directory (and the attributes that the IGA solution reads from the directory)


Expansion Possibilities


This chapter lists expansion possibilities. Please note that these might affect the project's schedule and work estimations, so they always need a review by Efecte Consultants before implementation is agreed.


1. Customer can add email notifications, but the content needs to come from the Customer. Depending on how many email notifications are required, this might affect the work estimations, but rarely the schedule.

If the Customer has participated in all of the IGA trainings, the Customer's IGA Module Admins can also easily add email notifications to the workflows.


2. Customer can also define that the requested IGA Account and IGA Entitlements are provisioned to the directory or application. In that case the user's privilege accesses are always valid and the user can use them without any justification.

This also changes the use cases "Request Privilege Accesses", "Active Privilege Accesses" and "Manage Privilege Accesses".


Relations and Configuration instructions


Relations to other use cases, 


Relations to other data cards, 


Configuration instructions:

  1. Publish bundle service "Request Privilege Account" in ESS

  2. Configure EPEtask called "[Directory] IGA Identity Storage: Create user"
    • Configure the connection settings and after that Test connection from the EPEtask
    • Define user and group filters and settings
    • No need to change user identity mappings

  3. Configure EPEtask called "[Directory] IGA Identity Storage: Update email"
    • Configure the connection settings and after that Test connection from the EPEtask
    • Define user and group filters and settings
    • No need to change user identity mappings

  4. Configure EPEtask called "[Directory] IGA Identity Storage: Update user"
    • Configure the connection settings and after that Test connection from the EPEtask
    • Define user and group filters and settings
    • No need to change user identity mappings

  5. Configure EPEtask called "[Directory] IGA Identity storage: Verify"
    • Configure the connection settings and after that Test connection from the EPEtask
    • Define user and group filters and settings
    • No need to change user identity mappings

  6. Go to IGA service request and workflow called "1.0 Create or Update User"
    • Publish the workflow

  7. Go to IGA Identity Storage and workflow called "1. Create or Update user to Directory"
    • Check that the workflow node "Set DN for verify" contains the right DN
    • Publish the workflow

  8. Check IGA Set Account information data card settings for privilege account creation


System test instructions: 

  1. Test Request Privilege Account from ESS
    • Check IGA Service Request from ESM
    • Check that the Privilege Account is created in the Directory
    • Check that account is disabled in Directory and ESM
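
One way to automate the "account is disabled in Directory" check for Active Directory, as an added example that is not part of the vendor's documentation or product: it parses an LDIF export of the new accounts and tests the ACCOUNTDISABLE bit (0x0002) of userAccountControl. The sample entries, the `adm-` account names and the function names are constructed for illustration.

```python
# Added example: verify that privilege accounts exported from AD are disabled.
# Assumption: accounts were exported as simple LDIF (no folded or base64 lines);
# the sample entries and the "adm-" names below are constructed.
ACCOUNTDISABLE = 0x0002  # userAccountControl flag for a disabled account

SAMPLE_LDIF = """\
dn: CN=adm-jdoe,OU=Admins,DC=example,DC=test
sAMAccountName: adm-jdoe
userAccountControl: 514

dn: CN=adm-asmith,OU=Admins,DC=example,DC=test
sAMAccountName: adm-asmith
userAccountControl: 512

dn: CN=adm-noflag,OU=Admins,DC=example,DC=test
sAMAccountName: adm-noflag
"""

def parse_ldif(text):
    """Split a simple LDIF export into a list of {attribute: value} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def check_disabled(entries):
    """Return {sAMAccountName: status}; status is disabled, ENABLED or UNKNOWN."""
    result = {}
    for e in entries:
        name = e.get("samaccountname", e.get("dn", "?"))
        uac = e.get("useraccountcontrol")
        if uac is None or not uac.isdigit():
            result[name] = "UNKNOWN"   # attribute missing: the check cannot pass
        elif int(uac) & ACCOUNTDISABLE:
            result[name] = "disabled"  # expected state right after creation
        else:
            result[name] = "ENABLED"   # fails the system test
    return result

if __name__ == "__main__":
    for account, status in check_disabled(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{account}: {status}")
```

Any account reported as ENABLED or UNKNOWN should be treated as a failed test step, since the use case requires every privilege account to be created disabled.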

Copyright 2026 – Matrix42 Professional.
