Requests
Requests are used to request changes to access controls, such as adding or removing an entitlement, and creating or updating a group.
Requestable changes
Section titled “Requestable changes”Requests allow users to request changes to access controls and to make it possible to use Oblique to manage access controls at scale: by managing access to resources, managing teams, and defining owners of objects. They are not intended for administrative management of Oblique, such as adding new integrations. As such, not every change is requestable.
Oblique supports requests for the following changes:
| Target | Action | Description | Support |
|---|---|---|---|
| User | CREATE | Import a user. | ❌ Unsupported |
| Team | CREATE | Create a team group. | ✅ Supported |
| Team | DELETE | Delete a team group. | ⏳ Coming soon |
| TeamProfile | UPDATE | Update a team group’s description. | ⏳ Coming soon |
| TeamMember | CREATE | Add a user to a team group. | ✅ Supported |
| TeamMember | DELETE | Remove a user from a team group. | ✅ Supported |
| TeamOwner | CREATE | Add an owner to a team group. | ⏳ Coming soon |
| TeamOwner | DELETE | Remove an owner from a team group. | ⏳ Coming soon |
| Group | CREATE | Create an attribute-based group. | ❌ Unsupported |
| Group | DELETE | Delete an attribute-based group. | ❌ Unsupported |
| GroupOwner | CREATE | Add an owner to an attribute-based group. | ⏳ Coming soon |
| GroupOwner | DELETE | Remove an owner from an attribute-based group. | ⏳ Coming soon |
| Resource | CREATE | Import or create a resource. | ❌ Unsupported |
| Resource | UPDATE | Change a resource’s management mode. | ❌ Unsupported |
| ResourceOwner | CREATE | Add an owner to a resource. | ⏳ Coming soon |
| ResourceOwner | DELETE | Remove an owner from a resource. | ⏳ Coming soon |
| Entitlement | CREATE | Create an entitlement. | ⏳ Coming soon |
| Entitlement | UPDATE | Edit an entitlement. | ⏳ Coming soon |
| Entitlement | DELETE | Revoke an entitlement. | ⏳ Coming soon |
| Integration | CREATE | Add an integration. | ❌ Unsupported |
| Integration | UPDATE | Update an integration to allow resource creation. | ❌ Unsupported |
| ServiceAccount | CREATE | Create an API key. | ❌ Unsupported |
| ServiceAccount | DELETE | Revoke an API key. | ❌ Unsupported |
| Admin | CREATE | Add an Admin. | ❌ Unsupported |
| Admin | DELETE | Remove an Admin. | ❌ Unsupported |
| Owner | UPDATE | Change the organization Owner. | ❌ Unsupported |
Required checks
Section titled “Required checks”When creating a request, any required checks will be listed under Review. A check is a requirement for the change request to be applied, and could include an approval from a specific user or group.
By default, a request has a check that requires the change to be approved by the owner of the object being directly affected by the request, or by an Oblique Admin:
- A request to join or leave a team needs to be approved by a user who is a team owner or an Oblique Admin.
- A request to create a team needs to be approved by a user who is a team owner or an Oblique Admin.
- A request to grant access to a resource needs to be approved by a user who is a resource owner or an Oblique Admin.
A requestor cannot select themselves as a reviewer. However, if the requestor passes the check requirements for their own request, it will be automatically applied when it is created.
Each check only needs a single approval.
Create a request
Section titled “Create a request”To create a request, navigate to the action you wish to take. There is no separate request page, but rather, access changes will generate a request. As part of the request, you will need to:
- Fill in necessary information for the request. For example, the team name, description, and team members for a team request.
- Assign reviewers for the request and ensure these reviewers pass the required checks.
- (Possibly) Fill in a justification for the request.
Read the documentation for more detailed instructions for each request type.
Assign reviewers
Section titled “Assign reviewers”When creating a request, checks will be listed under Review.
Select the appropriate reviewer from the list of options under Select reviewers, or choose Add reviewer to add a reviewer for passing each check. You can add multiple reviewers to a request. You can add or edit reviewers both before and after creating the request.
Optionally, copy a link to the request to share with a reviewer:
- From the request detail page, select More.
- Select Copy link.
Approve a request
Section titled “Approve a request”You can only approve a request if you have the permissions necessary to approve it. You do not need to be assigned as a reviewer to approve a request.
To approve a request, navigate to the request you wish to approve. You can navigate to a request directly, e.g., from a URL shared with you, or by going to the Requests page and selecting the request from the list.
- Review the request from the request detail page. You can see request details including when the request was made, by who, and any required justification or checks. You can see the change details under the Request tabs, and the access changes this will have under the Access Changes tab. You can also see the timeline of the request under Activity.
- Select More.
- Select Approve.
- (Optionally) Fill in a comment to include with the approval.
- Select Approve.
Apply a request
Section titled “Apply a request”Once a request passes all checks, it is automatically applied in your environment.
Close a request
Section titled “Close a request”You can close a request if it is no longer needed. Both the requestor and reviewers (including Oblique Admins) can close a request.
- Navigate to the request you wish to close.
- Select More.
- Select Close request.
Mark a request as obsolete
Section titled “Mark a request as obsolete”Oblique will mark a request as obsolete if it is superseded by another request.
See the state of a request
Section titled “See the state of a request”You can see the state of a request in multiple places:
- On the request detail page, the state is displayed in the header underneath the request title.
- On the Requests page, the state is displayed in the request row.
See the history of a request
Section titled “See the history of a request”The timeline of a request, including open requests, is displayed on the request detail page under Activity. This shows the history of the request, including when it was created, when any changes to the request were made (checks passed or request applied, closed, or marked as obsolete) and by who, and any comments.
You can also see the timeline of requests affecting a user, group, or resource from the user, group, or resource’s detail page.
Changes to the request state are also recorded in audit logs.
See requests assigned to you
Section titled “See requests assigned to you”You can see requests assigned to you on the Requests page.
The Requests page has three tabs, filtered to show different requests:
- Todo: Open requests you are a reviewer for
- Open: All open requests, including both requests you are and are not assigned as a reviewer for
- Closed: Closed requests