AccessRequest
Manages formal requests for access to resources, roles, or permissions that require approval, implementing a complete workflow from request submission through review to final grant or denial. This entity handles scenarios where users need access beyond their current permissions: requesting a new role, access to sensitive data, temporary elevated privileges, or entry to restricted systems. Each request captures comprehensive justification including business need, duration required, specific resources needed, and risk acknowledgment.

The approval workflow can be simple (single manager) or complex (multiple stakeholders, security review, legal sign-off), with configurable routing based on request type, risk level, and resource sensitivity. The entity tracks the complete lifecycle: draft, submitted, under review, approved/denied, provisioned, and expired. It supports emergency requests that bypass normal workflows with heavy auditing, time-boxed access that automatically expires, and conditional approvals with specific constraints.

Requests can include attestations where requesters confirm understanding of policies, accept liability, or complete required training. The system handles delegation where managers can request on behalf of their teams, bulk requests for multiple users, and recurring requests for periodic access needs. This formal process is essential for compliance with regulations requiring documented access approval, maintaining zero-standing privileges, and providing evidence of proper authorization during audits.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| requestId | uuid | stored | Unique identifier for this access request | Required |
| requestType | string | enum | Category of access being requested | Required |
| requester | User | stored | User making the request | Required |
| requestFor | User | stored | User who will receive the access (if different from requester) | Optional |
| requestedItems | string | stored | JSON array of requested access items | Required |
| justification | string | stored | Business justification for the request | Required |
| businessNeed | string | enum | Business driver for request | Required |
| urgency | string | enum | Urgency level of the request | Optional |
| requestedStartDate | DateTime | stored | When access should begin | Required |
| requestedEndDate | DateTime | stored | When access should expire | Optional |
| duration | string | stored | Requested duration (e.g., '30 days', 'permanent') | Optional |
| status | string | enum | Current status of the request | Required |
| submittedAt | DateTime | stored | When request was formally submitted | Optional |
| riskScore | integer | stored | Calculated risk score of granting access | Optional |
| riskFactors | string | stored | JSON array of identified risks | Optional |
| approvalRequired | boolean | stored | Whether approval is needed | Optional |
| approvalChain | string | stored | JSON array of required approvers in order | Optional |
| currentApprovalStep | integer | stored | Current position in approval chain | Optional |
| approvals | string | stored | JSON array of approval decisions | Optional |
| finalApprover | User | stored | Who gave final approval | Optional |
| approvedAt | DateTime | stored | When request was approved | Optional |
| deniedBy | User | stored | Who denied the request | Optional |
| deniedAt | DateTime | stored | When request was denied | Optional |
| denialReason | string | stored | Explanation for denial | Optional |
| provisionedAt | DateTime | stored | When access was actually granted | Optional |
| provisionedBy | User | stored | Who provisioned the access | Optional |
| actualStartDate | DateTime | stored | When access actually started | Optional |
| actualEndDate | DateTime | stored | When access actually ended | Optional |
| attestations | string | stored | JSON array of policy attestations | Optional |
| conditions | string | stored | JSON conditions attached to approval | Optional |
| isEmergency | boolean | stored | Whether this is an emergency request | Optional |
| emergencyContact | string | stored | Contact for emergency requests | Optional |
| expiryNotificationSent | boolean | stored | Whether expiry warning was sent | Optional |
| renewalAllowed | boolean | stored | Whether request can be renewed | Optional |
| parentRequestId | uuid | stored | Original request if this is a renewal | Optional |
| createdAt | DateTime | stored | When request was created | Required |
| updatedAt | DateTime | stored | Last modification time | Optional |
| metadata | object | stored | Additional request data | Optional |
Examples
Example 1
```json
{
  "@type": "AccessRequest",
  "requestId": "req_abc123",
  "requestType": "role",
  "justification": "Need production database access to investigate and resolve critical performance issues affecting customers",
  "businessNeed": "operational",
  "urgency": "high",
  "requestedItems": "[{\"type\":\"role\",\"id\":\"role_dba\",\"scope\":\"production\"},{\"type\":\"permission\",\"id\":\"database.query_optimization\"}]",
  "requestedStartDate": "2024-03-15T14:00:00Z",
  "requestedEndDate": "2024-03-22T14:00:00Z",
  "duration": "7 days",
  "status": "approved",
  "submittedAt": "2024-03-15T13:00:00Z",
  "riskScore": 65,
  "riskFactors": "[\"production_access\",\"database_admin\",\"temporary_elevation\"]",
  "approvalRequired": true,
  "approvalChain": "[{\"role\":\"manager\",\"user\":\"user_mgr_123\"},{\"role\":\"dba_team\"},{\"role\":\"security\"}]",
  "currentApprovalStep": 3,
  "approvals": "[{\"approver\":\"user_mgr_123\",\"decision\":\"approve\",\"timestamp\":\"2024-03-15T13:15:00Z\"},{\"approver\":\"user_dba_lead\",\"decision\":\"approve\",\"timestamp\":\"2024-03-15T13:30:00Z\",\"note\":\"Limited to read-only during first 24h\"},{\"approver\":\"user_security\",\"decision\":\"approve\",\"timestamp\":\"2024-03-15T13:45:00Z\"}]",
  "finalApprover": "user_security",
  "approvedAt": "2024-03-15T13:45:00Z",
  "provisionedAt": "2024-03-15T14:00:00Z",
  "provisionedBy": "system_auto_provisioner",
  "actualStartDate": "2024-03-15T14:00:00Z",
  "attestations": "[{\"policy\":\"production_access_policy\",\"agreed\":true,\"timestamp\":\"2024-03-15T13:00:00Z\"},{\"training\":\"database_security\",\"completed\":true,\"completedDate\":\"2024-03-01T00:00:00Z\"}]",
  "conditions": "{\"readonly_first_24h\":true,\"audit_all_queries\":true,\"no_data_export\":true}",
  "renewalAllowed": true,
  "createdAt": "2024-03-15T12:30:00Z",
  "metadata": {
    "ticket": "INC-2024-4521",
    "on_call": true
  }
}
```
Example 2
```json
{
  "@type": "AccessRequest",
  "requestId": "req_emrg_789",
  "requestType": "emergency",
  "justification": "Critical security incident - need immediate access to investigate potential data breach",
  "businessNeed": "emergency",
  "urgency": "emergency",
  "requestedItems": "[{\"type\":\"role\",\"id\":\"role_security_admin\"},{\"type\":\"permission\",\"id\":\"audit.full_access\"},{\"type\":\"permission\",\"id\":\"system.forensics\"}]",
  "requestedStartDate": "2024-03-15T02:00:00Z",
  "requestedEndDate": "2024-03-15T10:00:00Z",
  "duration": "8 hours",
  "status": "provisioned",
  "submittedAt": "2024-03-15T02:00:00Z",
  "riskScore": 95,
  "riskFactors": "[\"emergency_access\",\"full_system_access\",\"off_hours\",\"bypassed_approval\"]",
  "approvalRequired": false,
  "isEmergency": true,
  "emergencyContact": "+1-555-911-1234",
  "provisionedAt": "2024-03-15T02:01:00Z",
  "provisionedBy": "system_emergency_access",
  "actualStartDate": "2024-03-15T02:01:00Z",
  "actualEndDate": "2024-03-15T06:00:00Z",
  "attestations": "[{\"policy\":\"emergency_access_policy\",\"agreed\":true},{\"acknowledgment\":\"post_review_required\",\"agreed\":true}]",
  "conditions": "{\"full_audit\":true,\"video_recording\":true,\"post_incident_review\":\"required\"}",
  "createdAt": "2024-03-15T02:00:00Z",
  "metadata": {
    "incident_id": "SEC-2024-CRITICAL-001",
    "authorized_by": "CISO_on_call"
  }
}
```
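An added example, not part of the schema's own documentation: a record auditor that decodes the JSON-string fields and flags grants that contradict the workflow described above (incomplete approval chain, approval bypass outside the emergency path, access with no end date or running past its window). The function names and the rules themselves are assumptions: `approvalRequired` defaults to true when absent, every chain step needs an `approve` decision, and the `post_review_required` acknowledgment is taken from Example 2.

```python
import json
from datetime import datetime

# The schema stores these as JSON-encoded strings, so decode them before checking.
JSON_FIELDS = "requestedItems riskFactors approvalChain approvals attestations conditions".split()

def _ts(value):  # ISO 8601 with a trailing 'Z', as in the page's examples
    return datetime.fromisoformat(value.replace("Z", "+00:00"))
def _dicts(value):  # keep only object entries so malformed arrays cannot crash the audit
    return [v for v in value if isinstance(v, dict)] if isinstance(value, list) else []

def audit_access_request(record):
    """Return findings for one AccessRequest record; an empty list means consistent."""
    findings, decoded = [], {}
    for field in JSON_FIELDS:
        if field in record:
            try:
                decoded[field] = json.loads(record[field])
            except (TypeError, ValueError):
                findings.append(f"{field}: not valid JSON")
    chain, approvals = _dicts(decoded.get("approvalChain")), _dicts(decoded.get("approvals"))
    granted = record.get("status") in ("approved", "provisioned")
    needs_approval = record.get("approvalRequired", True)  # assumption: required unless stated
    if granted and needs_approval:
        approved = [a for a in approvals if a.get("decision") == "approve"]
        if not chain or len(approved) < len(chain):
            findings.append("granted without a complete approval chain")
        if (record.keys() >= {"approvedAt", "provisionedAt"}
                and _ts(record["provisionedAt"]) < _ts(record["approvedAt"])):
            findings.append("provisioned before final approval")
    if granted and not needs_approval:  # assumption: only the emergency path may skip approval
        if not record.get("isEmergency"):
            findings.append("approval bypassed on a non-emergency request")
        if not any(a.get("acknowledgment") == "post_review_required" and a.get("agreed")
                   for a in _dicts(decoded.get("attestations"))):
            findings.append("emergency grant lacks post-review acknowledgment")
    if granted and "requestedEndDate" not in record:
        findings.append("no requestedEndDate: access is standing, not time-boxed")
    if (record.keys() >= {"actualEndDate", "requestedEndDate"}
            and _ts(record["actualEndDate"]) > _ts(record["requestedEndDate"])):
        findings.append("access outlived the requested window")
    return findings

# Constructed sample: approval skipped, not flagged as emergency, access ran an hour over.
SAMPLE = {"status": "provisioned", "approvalRequired": False,
          "attestations": '[{"policy": "emergency_access_policy", "agreed": true}]',
          "requestedEndDate": "2024-03-15T10:00:00Z", "actualEndDate": "2024-03-15T11:00:00Z"}

if __name__ == "__main__":
    print(audit_access_request(SAMPLE))
```

Run against the two example records on this page, the auditor returns no findings; the constructed sample returns three.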