FAQs
FAQs, quick fixes, and official info on every feature.
Can't find your question here? Try our support forums.
General
Getting Started:
To get familiar with the product dashboard after logging into the AccessFlow portal, visit the product tours section available on the top navigation bar. It offers interactive, step-by-step tutorials that provide an overview of dashboard elements.
To view your profile details in AccessFlow, click on the user icon available on the top navigation bar, then select the profile section. Under the profile section, you can check your personal details.
Yes, AccessFlow supports the delegation of tasks to subordinates or reportees. AccessFlow offers two types of delegation: ServiceNow platform-level delegation and AccessFlow-specific delegation. However, only one type of delegation can be enabled at a time. For AccessFlow-specific tasks, only "Review" type delegation is supported. In addition, users with the system admin role can view “All delegates” by clicking on the user profile dropdown available in the top right corner of the AccessFlow portal.
To request access to enterprise resources through AccessFlow, you have two different paths.
- Go to the Home page and click on the "New Access Request" button. For more granular access, click the "+" icon under different category tiles in the "My Access" section on the Home Page.
- Alternatively, you can click on the "Manage Access" option in the left navigation panel to submit add/revoke access requests.
To learn more about the access request/approval process in AccessFlow, please visit the “Managing Access Requests & Approvals” section in FAQs.
There are two options to check pending requests in AccessFlow. You can either click on the “My Requests” option available in the left side navigation panel to view pending and closed requests. Alternatively, you can check the "My Request" section on the home page to view your recent access requests.
In AccessFlow, the Wishlist section allows you to save access permissions that you might want to request at a later date. This feature is designed for your convenience, enabling you to keep track of permissions you may need in the future.
To view your wishlisted access permissions in AccessFlow, click on the "Wishlist" option available in the top navigation bar.
To review or approve access permissions, click on the "Reviews & Approvals" section in the top navigation panel. You can approve requests individually or all at once. On the Reviews & Approvals page, you can also filter requests by risk level, request ID, user, date, etc.
To view data visualizations of your IAM activities, click on the “Reports” option available in the left navigation panel. AccessFlow supports persona-driven dashboards and reports, providing dedicated views for IAM admins, app owners, managers, employees, and GRC officers.
To seek help from the IT support team for access-related issues, click the "Need Help" section in the left navigation bar.
AccessFlow offers a link inclusion feature on the "Manage Access" page that allows users to copy and share links preserving the Category-Entity-Permission hierarchy. This capability is conveniently accessed through icons located next to each Entity and Permission. By clicking on the respective icon, you can easily copy the link and share it with other users who have access to AccessFlow.
On the top right corner of the "Manage Access" page, there is a toggle on/off button that allows you to access the link inclusion feature. By toggling this button, you can activate the functionality to copy and share links for specific access requests.
Access Management
Managing Access Requests & Approvals
Below are the steps to request access to a specific application/system:
- Go to the AccessFlow homepage and click on the “New Access Request” button.
- Click on the categories available under “My Access” section to request access to a specific application and select all the fields.
- Finally, click on the Submit button to raise the access request.
Alternatively, click on the “Manage Access” option available in the left navigation bar. On the “Manage Access” page, select a particular category, application, and permission, along with access start, end date, and additional attachments if needed. Now, click on the “Submit” button to raise the request, or on the “Wishlist” button to request access later.
You can add as many users as possible in a single access request. However, the ideal number is 10 users per request.
Users can choose the access start date and end date with AccessFlow’s out-of-the-box capability. Access capabilities based on days (Monday through Friday), hours (10 am to 5 pm), etc. can also be easily customized based on client needs.
Below are the steps to revoke user access:
- Click on the “Manage Access” option available in the left navigation bar.
- On the “Manage Access Page,” click on the “Remove Access” option. Now, input the name of the user or users in the search bar to view all the permissions held by that user.
- Either select a specific permission or all the permissions, add necessary attachments, and click on the “Remove Access” button.
- To submit bulk access/revoke requests, click on the “Browse Catalog” option available in the left navigation panel.
- Now click on “Bulk Access/Revoke Request” catalog listed under “Other Access Requests.” Now either select “Add Access” or “Remove Access” option.
- Download and fill the excel file with relevant employee details and re-upload it on the portal.
- Add necessary attachments and submit the request.
Add or remove access requests can be immediately approved by the direct managers, IT admins, or other relevant users (as per your organizational setup) within a few minutes via the AccessFlow web or mobile interface after receiving timely alerts via email.
To enable or disable the option to request access for that application, you or the application owner need to submit a request under Browse Catalog > AccessFlow Configuration Requests > Enable/Disable Access Request for an Entity.
To get access similar to your team members, follow the below steps:
- Click on the Browse Catalog option available in the left navigation panel.
- Now click on the “AccessFlow Copy Request” catalog available under the Access Request Support section to raise an access request with permissions similar to those your team members have.
You can raise an assistance request by clicking on the "Need Help?" option in the left navigation panel.
To raise general access requests, perform the steps below:
- Click on the “Need Help?” option available in the left navigation panel.
- Now select General Inquiry as the inquiry type and then type your specific issue and submit the request.
- Upon receiving the request, the ServiceDesk/AccessFlow team will assign the ticket to the appropriate team.
Escalated Requests highlight the requests pending for approval beyond a defined threshold (organization-level control) and have been escalated to a higher level for approval.
To request access to a service account, perform the steps below:
- Click on the Browse Catalog option available in the left navigation panel.
- Now click on Request Special Privileged Account under the Other Access Requests section. This will allow you to gain access to service accounts.
- Click on the Browse Catalog option available in the left navigation panel.
- Now select the Access Request Order Guide catalog under the Access Request Support section.
You can raise a request for a password reset by following the steps below:
- Click on the Browse Catalog option in the left navigation panel.
- Now click on the Password Reset catalog under the Access Request Support section to reset your password.
The configuration manager can request a new access permission for an entity/application by following the below steps:
- Click on the Browse Catalog option in the left navigation panel.
- Now select “Permission Level Configuration Rules” catalog under the AccessFlow Configuration Requests section to create new Permissions or deactivate older permissions.
Yes, you can select multiple access permissions on the Access Request Page. Click on the "Add to List" button for each permission you need. Once you have added all the required permissions to your list, click on "Submit" to raise simultaneous requests for multiple permissions.
- Click the "View All" option under the "My Requests" section on Home Page.
- Now select a particular access request. You will be redirected to the AccessFlow ticket page.
- The access approver details will be available on this page.
User Authentication
AccessFlow uses ServiceNow's single sign-on (SSO) for user authentication. When logging in or approving access requests, you will be authenticated through ServiceNow SSO, which validates your credentials.
Yes, AccessFlow can work with various third-party SSO providers such as Okta and OneLogin, provided they are compatible with the ServiceNow platform. AccessFlow can redirect users to third-party platforms for authentication, where they can sign in with their valid credentials.
Integrating SSO with AccessFlow offers multiple benefits, such as robust security through centralized authentication, a more straightforward login experience through one set of credentials, and less administrative burden associated with password management.
If you experience issues, double-check your credentials first. If the problem still persists, get in touch with your IT administrator or support team for more assistance.
Role-based Access
Role-based access control (RBAC) in AccessFlow allows for precise and secure access control by assigning roles to users based on their job responsibilities. This ensures that users have the appropriate level of access to perform their duties effectively.
Yes, administrators can conveniently create, modify, or disable role definitions directly within AccessFlow. This can be done without needing to access the native instance, making role management simpler and more efficient. AccessFlow provides a dedicated catalog under the Browse Catalog page where administrators can easily manage user roles.
Yes, AccessFlow automatically grants, modifies, and revokes access as employees join, switch job roles, and leave the organization based on their job roles using the RBAC functionality. This helps you streamline access management and maintain a superior user experience.
The nested RBAC feature in AccessFlow allows users to create hierarchical structures, where certain user roles or titles can have subcategories associated with them. These subcategories will have their own specific permissions, allowing for a more granular and organized approach to access control. In other words, any user with access to the parent role will have access to permissions held by nested/child roles by default. For example, with nested RBAC arrangement, a user with a manager role in your organization can also hold “Team Lead” role permissions.
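The inheritance rule described above, as an added example (not AccessFlow code): a resolver that expands a role into its own permissions plus those of every nested child role, records which role contributed each permission, and flags nesting that loops back on itself. The "Engineer" role, the permission strings and the data layout are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data (assumption): role -> directly assigned permissions.
ROLE_PERMISSIONS = {
    "Manager": {"approve_timesheets"},
    "Team Lead": {"assign_tasks", "view_team_reports"},
    "Engineer": {"view_team_reports", "commit_code"},
}

# Constructed nesting (assumption): parent role -> nested/child roles.
# The Engineer -> Manager edge is a deliberate misconfiguration (a cycle).
NESTED_ROLES = {
    "Manager": ["Team Lead"],
    "Team Lead": ["Engineer"],
    "Engineer": ["Manager"],
}


def effective_permissions(role, role_permissions, nested_roles):
    """Return {permission: sorted list of roles that contribute it}.

    Walks the nesting breadth-first from `role`; the visited set keeps a
    cyclic hierarchy from looping forever.
    """
    sources = {}
    visited = {role}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for perm in role_permissions.get(current, ()):
            sources.setdefault(perm, set()).add(current)
        for child in nested_roles.get(current, ()):
            if child not in visited:
                visited.add(child)
                queue.append(child)
    return {perm: sorted(roles) for perm, roles in sources.items()}


def inherited_only(role, role_permissions, nested_roles):
    """Permissions the role holds only through nesting (review targets)."""
    direct = role_permissions.get(role, set())
    effective = effective_permissions(role, role_permissions, nested_roles)
    return sorted(p for p in effective if p not in direct)


def roles_in_cycle(nested_roles):
    """Roles that can reach themselves through nesting (misconfiguration)."""
    cyclic = []
    for start in nested_roles:
        seen, queue = set(), deque(nested_roles.get(start, ()))
        while queue:
            node = queue.popleft()
            if node == start:
                cyclic.append(start)
                break
            if node not in seen:
                seen.add(node)
                queue.extend(nested_roles.get(node, ()))
    return sorted(cyclic)


if __name__ == "__main__":
    print(effective_permissions("Manager", ROLE_PERMISSIONS, NESTED_ROLES))
    print(inherited_only("Manager", ROLE_PERMISSIONS, NESTED_ROLES))
    print(roles_in_cycle(NESTED_ROLES))
```

With the cyclic edge in place every role in the loop resolves to the full permission set, which is why a cycle check belongs in any review of a nested role hierarchy.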
Customer Identity and Access Management (CIAM)
The Customer Identity and Access Management (CIAM) capability helps enterprises manage access for external identities, such as B2B partners, suppliers, and vendors, directly from the AccessFlow portal.
Customers can register through their existing ServiceNow Customer Service Management (CSM) module (if available) or the AccessFlow self-service registration page with capabilities like password reset. Both options require users to fill out personal details during registration. Once the information is submitted, the system creates a customer record and assigns the appropriate user roles.
Customers need to provide their First Name, Last Name, Business Email, and Business Code. This information is essential to create a user account and grant appropriate access.
After a user completes the registration form, an AccessFlow request (AFR) ticket is generated. This ticket is sent for approval, where an assigned approver reviews and either approves or rejects the request. Once approved, the user account is created, and the appropriate roles are assigned.
User accounts are created based on the system property settings. If the ServiceNow Customer Service Management (CSM) module is enabled, data will be stored in the CSM table; otherwise, it will be stored in the AccessFlow tables.
AccessFlow portal provides a customer-accessible catalog where B2B partners can raise access requests. Once a request is raised, it is processed through a two-step approach, involving the hosting company and the fulfillment team to ensure accurate access management. For example, if Genpact raises a ticket on the Access Management page of AccessFlow, Alcor Solutions (hosting company) will receive that ticket. Subsequently, Alcor's customer agent will raise the actual ticket, and the AccessFlow team (fulfillment group) will fulfill the ticket.
AccessFlow ensures data privacy by restricting non-primary contacts of customers to view only their own data. Primary contacts can view data for their entire customer account, while admins have access to account-specific reports, maintaining a high level of data security.
User Self-Service
AccessFlow allows managers and application owners to approve access requests and perform monthly, quarterly, and yearly access reviews. AccessFlow is transparent in showing account dormancy, enabling approvers to make informed decisions. Additionally, they can perform password resets, view dashboard visualizations for access activities, and update their account details through self-service catalogs.
IAM admins have access to powerful self-service catalogs that allow them to create, modify, and revoke Segregation of Duties (SoD) rules, role qualifier settings, user role definitions, access certification campaign settings, and user access groups. This enables efficient management of access controls and reduces the IT burden significantly.
Integration Management
A) Out-of-the-box integrations:
- ERP (On-premises Oracle 12.x and future versions, SAP S/4 HANA)
- Microsoft Entra (formerly Azure Active Directory)
- Active Directory
- Cloud Suites (AWS and Google Workspace)
- Middleware Platforms (MuleSoft and Dell Boomi)
B) Other Integrations:
Integrations with the systems/platforms mentioned below are feasible and have been tested by the AccessFlow team. In addition to these systems, AccessFlow can also integrate with other on-premises, legacy, and cloud applications, given the availability of APIs or connectors.
- HCM Systems (PeopleSoft, Greenhouse, One Model, and Workday)
- Cloud Apps (Webex, Box, Oracle Fusion Cloud)
- Identity Providers (Okta and OneLogin)
- LMS (Saba LMS and LinkedIn Learning)
- Data Analytics (Snowflake and Tableau)
- CRM (Salesforce and Anaplan)
- Miscellaneous (Bridge, Concur, Arena, Marketo, Legal Tracker, and Revpro)
- Other on-premises, legacy, and cloud apps, given the availability of APIs or connectors
Yes, AccessFlow supports seamless collaboration with the ServiceNow GRC Module. However, the customer must have individual licenses for both AccessFlow and ServiceNow GRC. If you have a GRC license, you can toggle this feature on or off directly within the AccessFlow portal. From the AccessFlow portal itself, you can create, view, and raise GRC policy exceptions, perform risk assessments, and track GRC dashboards easily. This collaboration allows you to efficiently manage GRC activities alongside your IAM tasks within AccessFlow.
AccessFlow is coupled with the ServiceNow Configuration Management Database (CMDB). It can seamlessly fetch data from the ServiceNow CMDB to manage access across various categories/classes, including applications, databases, network drives, SharePoint sites, role-based access groups, and entitlements. Further, AccessFlow can easily manage access for thousands of other on-premises, legacy, and cloud apps, provided APIs are available.
Identity Governance and Administration
Identity Lifecycle Management (ILM)
Yes, AccessFlow supports automated Identity Lifecycle Management (ILM). It can automatically grant, adjust, or revoke access as employees join, switch job roles or departments, and leave the organization.
- To submit a user onboarding request in AccessFlow, navigate to the Browse Catalog page and select the User Onboarding Form.
- The required details of the new employee are first name, surname, email ID, reporting manager, and job title. Fill in these details and then submit the form.
- This triggers the setup of the user's identity and accounts in various systems and their birthright accesses based on their roles.
- To submit a user offboarding request in AccessFlow, go to the Browse Catalog page and select the User Offboarding Form.
- Enter the details of the employee, such as name and offboarding type, and add necessary attachments and submit the form.
- AccessFlow will automatically revoke the user's accounts and permissions across various systems, ensuring a secure and compliant offboarding process.
- To submit a movers access management request in AccessFlow, navigate to the Browse Catalog page.
- Select the dedicated catalog for Movers Access Management. Input the required details, including the user's name, previous job role, new job title, and the respective start and end dates.
- Add necessary attachments and submit the request.
Segregation of Duties (SoD)
AccessFlow's Segregation of Duties (SoD) capabilities are designed to prevent a single person from having conflicting permissions that could lead to fraudulent activities or errors. Access requesters can view the SoD conflicts in real time on the Manage Access page while requesting conflicting permissions.
To create an SoD rule in AccessFlow, follow these steps:
- Click on the Browse Catalog option available in the left navigation panel.
- Select the SoD Rules Configuration catalog.
- Choose "Create" as the Request Type.
- Select two or three conflicting permissions, along with their associated environment and category.
- Specify the start and end dates for the SoD rule.
- Provide a business justification, necessary attachments, and submit the request.
To modify an existing SoD rule in AccessFlow:
- Choose "Modify" as the Request Type.
- Select the existing SoD rule you wish to modify.
- Adjust the conflicting permissions as needed.
- Provide a business justification and necessary attachments, and then submit the request.
To disable an SoD rule in AccessFlow:
- Choose "Disable" as the Request Type.
- Select the existing SoD rule you want to disable.
- Provide a valid business explanation, add necessary attachments, and submit the request.
To raise a SoD exception in AccessFlow:
- Click on the Browse Catalog option in the left navigation panel.
- Select the SoD Exceptions catalog.
- Enter the username and the relevant SoD rule.
- Specify the exception start and end dates.
- Input business justification, add necessary attachments, and submit the request.
To track SoD breaches in AccessFlow, you have two options:
- Click on the SoD Breaches option in the left navigation panel.
- On the SoD breaches page, you can track total breaches, application-wise breaches, and My Reportee breaches if you act as a manager in the system.
- You can also filter breaches by ID, stage, date, and other criteria to get a detailed view of SoD violations.
- Click on the Browse Catalog option in the left navigation panel.
- Now click on the "Schedule a SoD Breaches Evaluation" catalog.
- Select the SoD scan level (application level, manager level, or system level).
- Select the preferred scheduled date.
- Provide business justification, add necessary attachments, and submit the request.
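How rules and exceptions of the shape described in this section can be evaluated, as an added example (not AccessFlow code): each rule lists two or three conflicting permissions with a validity window, and an exception suppresses one rule for one user within its own window. It assumes a rule trips only when the user would hold every permission it lists; the rule IDs, usernames and permission names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    permissions: frozenset  # two or three conflicting permissions
    start: date             # rule validity window (inclusive)
    end: date


@dataclass(frozen=True)
class SodException:
    user: str
    rule_id: str
    start: date             # exception validity window (inclusive)
    end: date


# Constructed sample data; IDs, users and permission names are placeholders.
RULES = [
    SodRule("SOD-001", frozenset({"create_vendor", "approve_payment"}),
            date(2024, 1, 1), date(2024, 12, 31)),
    SodRule("SOD-002", frozenset({"create_po", "receive_goods", "approve_invoice"}),
            date(2024, 1, 1), date(2024, 12, 31)),
    SodRule("SOD-003", frozenset({"create_user", "assign_role"}),
            date(2023, 1, 1), date(2023, 12, 31)),  # lapsed rule
]
EXCEPTIONS = [
    SodException("asmith", "SOD-001", date(2024, 3, 1), date(2024, 3, 31)),
]


def evaluate(user, held, requested, on, rules=RULES, exceptions=EXCEPTIONS):
    """Return sorted (rule_id, status) pairs for rules the user would trip.

    status: "existing_breach"  - permissions already held violate the rule
            "request_conflict" - the pending request would complete the set
            "excepted"         - rule trips but an exception is in force
    """
    held, requested = set(held), set(requested)
    findings = []
    for rule in rules:
        if not (rule.start <= on <= rule.end):
            continue  # rule not in force on this date
        if not rule.permissions <= (held | requested):
            continue  # user would not hold every conflicting permission
        excepted = any(
            e.user == user and e.rule_id == rule.rule_id and e.start <= on <= e.end
            for e in exceptions
        )
        if excepted:
            status = "excepted"
        elif rule.permissions <= held:
            status = "existing_breach"
        else:
            status = "request_conflict"
        findings.append((rule.rule_id, status))
    return sorted(findings)


if __name__ == "__main__":
    day = date(2024, 3, 15)
    print(evaluate("jdoe", {"create_vendor"}, {"approve_payment"}, day))
    print(evaluate("asmith", {"create_vendor"}, {"approve_payment"}, day))
    print(evaluate("asmith", {"create_vendor"}, {"approve_payment"}, date(2024, 4, 1)))
```

The third call shows why exception end dates matter: once the exception lapses, the same request is reported as a conflict again.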
Access Certification
AccessFlow supports various types of access certification to ensure individuals have appropriate access based on their job roles. These include:
- User-wise access certification
- Application-wise access certification
- Application-wise user access certification
- Privileged access certification
- Service account certification
To request user access certification in AccessFlow, perform the steps below:
- Click on the Browse Catalog option in the left navigation panel.
- Select the "Request for User Access Attestation" catalog.
- Choose the username from the dropdown menu.
- Provide business justification and attach any necessary documents.
- Submit the request.
To initiate a privileged access certification campaign in AccessFlow, follow the below steps:
- Go to the Browse Catalog option on the left navigation panel.
- Select the "Request for Privileged Access Attestation" catalog.
- Choose the type of privileged access control and associated permissions you want to certify.
- Provide business justification and attach any necessary documents.
- Submit the request.
To configure certification campaign settings in AccessFlow, perform the steps below:
- Click on the "Attestation Campaign Configuration" catalog in the Browse Catalog page.
- To create a new campaign, select "create" as the Request Type.
- Enter the campaign name, select the attestation type (e.g., user-wise, application-wise, privileged access-wise, service account-wise), choose the scheduling option (daily, weekly, etc.), and set the start and end dates.
- Submit the request.
To modify a certification campaign in AccessFlow, follow the below steps:
- Select the "Attestation Campaign Configuration" catalog under the Browse Catalog page.
- Choose "modify" as the request type.
- Select the campaign name and adjust the configuration settings (attestation type, start date, end date, etc.).
- Submit the request.
To disable a certification campaign:
- Select "disable" as the request type.
- Choose the campaign name.
- Input the start and end dates.
- Submit the request.
Analytics & Reporting
AccessFlow offers reporting and analytics capabilities through its dedicated "Reports" option available on the left navigation panel. These capabilities include persona-driven dashboards designed for various users, such as IT admins, team managers, application owners, compliance officers, and end users.
AccessFlow provides six different administrative dashboards, including those for app owners, admins, access certification, privileged certification, external access visibility, and legacy applications. To access these dashboards, click on the "Reports" option in the left navigation panel.
Under the General category, AccessFlow offers four dashboards: User, Manager, SAP (User), and Oracle (User) Dashboards. The accessibility of these dashboards depends on your role within the organization. To access them, select the “Reports" option in the left navigation panel.
The Access Visibility feature in AccessFlow provides a dedicated page to check user access permissions. It offers a comprehensive view that allows administrators to assess and manage user access effectively. To access this feature, click on the "Access Visibility" option in the left navigation panel.
Yes, the Access Visibility feature supports granular visibility by offering three dedicated filters:
- User-wise filter: Displays permissions held by individual users.
- Entity-wise filter: Lists users holding specific permissions within the application.
- Role-wise filter: Lists permissions held by specific roles.
Additionally, you can export these detailed insights in CSV format to support audit and compliance activities.
Dormant Account Management
The Dormant Account Management feature in AccessFlow helps app owners log the inactivity of user accounts within their applications. During access attestations, it alerts managers or access approvers if an account or permission has been inactive for a certain period. The dormancy status is highlighted on the Reviews and Approvals page, along with the last login details of dormant users/accounts.
To submit account dormancy details in AccessFlow:
- Click on the Browse Catalog option in the left navigation panel.
- Now select the Dormant Account catalog.
- Download the Excel template from the portal and input the dormant users/accounts details with their last login date according to the specified format.
- Upload the completed file back to the system.
- Finally, select the relevant category and entity/application and submit the account inactivity data.
Yes, AccessFlow allows you to adjust the time period that qualifies an account or user as dormant. You can set the dormancy period to 60 days, 90 days, or any other duration that suits your organizational needs. This flexibility ensures that the dormant account management process aligns with your specific security and compliance requirements.
E-Signature
The e-signature capability in AccessFlow requires approvers to authenticate themselves by re-entering their valid ServiceNow login credentials or reauthenticating via an external SSO provider if SSO is enabled. This feature ensures that access requests are approved with transparency and security.
If enabled, the e-signature functionality in AccessFlow prompts approvers on the Reviews & Approvals Page of AccessFlow to reauthenticate themselves by entering their ServiceNow login credentials. If SSO is enabled, the approvers are redirected to the external SSO provider's page to validate their credentials. This process enforces secure approval of access requests.
Yes, the e-signature feature in AccessFlow is accessible on both desktop and mobile platforms. This ensures that approvers have a consistent and seamless experience across devices.
Yes, AccessFlow's e-signature facility complies with the CFR Part 11 requirements. Simply put, e-signatures in AccessFlow are as authentic as those signed physically.
Policy Management
A time-bound access policy in AccessFlow is a policy that restricts access permissions to a specific duration. This policy can be set at the permission level or entity level to ensure that access is granted only for a predefined period, such as two weeks. Time-bound policies help maintain control over access allocations, ensuring they align with organizational guidelines and security requirements.
When a time-bound access policy is applied in AccessFlow, it governs the duration for which access can be granted. For instance, if a policy states that access can only be granted for two weeks, and a user requests access for one month, the system will start counting from the approval date. The user will be allowed access for two weeks, after which an email notification is sent to the Application Owner and AccessFlow Admin. This notification provides details of the conflict, enabling administrators to review and address the issue.
Cloud Infrastructure Entitlements Management (CIEM)
The Cloud Infrastructure Entitlements Management (CIEM) capability in AccessFlow allows users to manage user accounts and entitlements within AWS and GCP platforms.
CIEM in AccessFlow offers multiple benefits, such as better control of cloud access, enhanced security, and reduced risk of excessive permissions. Organizations know precisely who has access to what across cloud environments and can more quickly and confidently grant or restrict permissions in line with their policies.
To manage AWS policies under CIEM in AccessFlow, follow the below steps:
- Click on the Browse Catalog option in the left navigation panel.
- Now select the "AWS - Policy Membership Management" catalog under the AccessFlow Configuration Requests section.
- To attach a policy, choose "Attach User Policy" as the Request Type.
- Now select the policy and username, provide a business justification, and submit the request.
To detach a policy, follow the below steps:
- Choose "Detach User Policy" as the Request Type.
- Now select the concerned policy and username.
- Provide a business justification and submit the request.
To manage and access GCP policies under CIEM in AccessFlow, follow the below steps:
- Click on the Browse Catalog option in the left navigation panel.
- Select the "GCP Policy Management" catalog.
- On the next page, you can create, modify, and disable policies.