Requests
Requests are used to request changes to access controls, such as adding or removing an entitlement, and creating or updating a group.
Requestable changes
Section titled “Requestable changes”Requests allow users to request changes to access controls and to make it possible to use Oblique to manage access controls at scale: by managing access to resources, managing teams, and defining owners of objects. They are not intended for administrative management of Oblique, such as adding new integrations. As such, not every change is requestable.
Oblique supports requests for the following changes:
| Target | Action | Description | Support |
|---|---|---|---|
User | CREATE | Import a user. | ❌ Unsupported |
Team | CREATE | Create a team group. | ✅ Supported |
Team | DELETE | Delete a team group. | ⏳ Coming soon |
TeamProfile | UPDATE | Update a team group’s description. | ⏳ Coming soon |
TeamMember | CREATE | Add a user to a team group. | ✅ Supported |
TeamMember | DELETE | Remove a user from a team group. | ✅ Supported |
TeamOwner | CREATE | Add an owner to a team group. | ⏳ Coming soon |
TeamOwner | DELETE | Remove an owner from a team group. | ⏳ Coming soon |
Group | CREATE | Create an attribute-based group. | ❌ Unsupported |
Group | DELETE | Delete an attribute-based group. | ❌ Unsupported |
GroupOwner | CREATE | Add an owner to an attribute-based group. | ⏳ Coming soon |
GroupOwner | DELETE | Remove an owner from an attribute-based group. | ⏳ Coming soon |
Resource | CREATE | Import or create a resource. | ❌ Unsupported |
Resource | UPDATE | Change a resource’s management mode. | ❌ Unsupported |
ResourceOwner | CREATE | Add an owner to a resource. | ⏳ Coming soon |
ResourceOwner | DELETE | Remove an owner from a resource. | ⏳ Coming soon |
Entitlement | CREATE | Create an entitlement. | ✅ Supported |
Entitlement | UPDATE | Edit an entitlement. | ✅ Supported |
Entitlement | DELETE | Revoke an entitlement. | ✅ Supported |
Integration | CREATE | Add an integration. | ❌ Unsupported |
Integration | UPDATE | Update an integration to allow resource creation. | ❌ Unsupported |
ServiceAccount | CREATE | Create an API key. | ❌ Unsupported |
ServiceAccount | DELETE | Revoke an API key. | ❌ Unsupported |
Admin | CREATE | Add an Admin. | ❌ Unsupported |
Admin | DELETE | Remove an Admin. | ❌ Unsupported |
Owner | UPDATE | Change the organization Owner. | ❌ Unsupported |
Required checks
Section titled “Required checks”When creating a request, any required checks will be listed under Review. A check is a requirement for the change request to be applied, and could include an approval from a specific user or group.
By default, a request has a check that requires the change to be approved by the owner of the object being directly affected by the request, or by an Oblique Admin:
- A request to join or leave a team group needs to be approved by a user who is a team owner or an Oblique Admin.
- A request to create a team group needs to be approved by a user who is a team owner or an Oblique Admin.
- A request to grant access to a resource needs to be approved by a user who is a resource owner or an Oblique Admin.
A requestor cannot select themselves as a reviewer. However, if the requestor passes the check requirements for their own request, it will be automatically applied when it is created.
Each check only needs a single approval.
Create a request
Section titled “Create a request”To create a request, navigate to the action you wish to take. There is no separate request page, but rather, access changes will generate a request. As part of the request, you will need to:
- Fill in necessary information for the request. For example, the team’s name, description, and members for a team group request.
- Assign reviewers for the request and ensure these reviewers pass the required checks.
- (Optionally) Disable auto-apply for the request. By default, a request will be automatically applied once all checks pass.
Read the documentation for more detailed instructions for each request type.
Assign reviewers
Section titled “Assign reviewers”When creating a request, checks will be listed under Review.
A reviewer is automatically selected for a check in the following priority order:
- The requestor, if they have approval permissions
- An object owner, who is randomly selected if multiple owners exist
- An Oblique Admin, who is randomly selected if multiple Admins exist
The requestor can change the assigned reviewer by selecting a different person from the list of eligible reviewers. Select the dropdown with the list of reviewers, and then select the desired reviewers.
If the selected list of reviewers is insufficient for the checks, the check will not show an associated reviewer. To add reviewers, select the appropriate reviewer from the list of options under Select reviewers, or choose Add reviewer to add a reviewer for passing each check.
You can add multiple reviewers to a request. You can add or edit reviewers both before and after creating the request.
You can notify reviewers via Slack of new requests assigned to them for review.
You can also copy a link to the request to share with a reviewer out of band:
- From the request detail page, select More.
- Select Copy link.
Enable auto-apply for a request
Section titled “Enable auto-apply for a request”Both the requestor and reviewers (including Oblique Admins) can change auto-apply behavior for a request.
You can enable auto-apply for a request until it is approved.
- Navigate to the request you wish to enable auto-apply for.
- Select Enable auto-apply.
Disable auto-apply for a request
Section titled “Disable auto-apply for a request”Both the requestor and reviewers (including Oblique Admins) can change auto-apply behavior for a request.
You can disable auto-apply for a request until it is approved.
- Navigate to the request you wish to disable auto-apply for.
- Next to the Auto-apply badge, select Disable.
Approve a request
Section titled “Approve a request”You can only approve a request if you have the permissions necessary to approve it. You do not need to be assigned as a reviewer to approve a request.
To approve a request, navigate to the request you wish to approve. You can navigate to a request directly, e.g., from a URL shared with you, or by going to the Requests page and selecting the request from the list.
- Review the request from the request detail page. You can see request details including when the request was made, by who, and any required justification or checks. You can see the change details under the Changes tab, and the access changes this will have under the Access Changes tab. You can also see the timeline and summary of the request under Activity.
- Select Approve.
- (Optionally) Fill in a comment to include with the approval.
- Select Approve.
Apply a request
Section titled “Apply a request”By default, once a request passes all checks, it is automatically applied in your environment.
If auto-apply is disabled, you can apply the request manually:
- Navigate to the request detail page.
- Select Apply.
Close a request
Section titled “Close a request”You can close a request if it is no longer needed. Both the requestor and reviewers (including Oblique Admins) can close a request.
- Navigate to the request you wish to close.
- Select More.
- Select Close request.
Close an obsolete request
Section titled “Close an obsolete request”Oblique will automatically close a request if it is obsolete, that is, if it has been made redundant by another request that already makes the same change.
See the state of a request
Section titled “See the state of a request”You can see the state of a request in multiple places:
- On the request detail page, the state is displayed in the header underneath the request title.
- On the Requests page, the state is displayed in the request row.
See the history of a request
Section titled “See the history of a request”The timeline of a request, including open requests, is displayed on the request detail page under Activity. This shows the history of the request, including when it was created, when any changes to the request were made (checks passed or request applied, closed, or marked as obsolete) and by who, and any comments.
You can also see the timeline of requests affecting a user, group, or resource from the user, group, or resource’s detail page.
Changes to the request state are also recorded in audit logs.
See requests assigned to you
Section titled “See requests assigned to you”You can see requests assigned to you on the Requests page.
The Requests page has three tabs, filtered to show different requests:
- Todo: Open requests you are a reviewer for
- Open: All open requests, including both requests you are and are not assigned as a reviewer for
- Closed: Closed requests