docs/documentation/platform/pam/access-requests/overview.mdx
Some accounts are sensitive enough that simply having access to them should not be enough to use them. A production database or a domain admin account should be reachable only by people who are already trusted, but even for them, each individual use should clear an extra checkpoint. Access requests add that checkpoint: before a member can launch a session on a gated account, their access has to be approved.
Approval sits on top of the access a member already holds. Two layers apply to a gated account:
A gated account needs both. A member requests access on an account they can already use, an approver signs off, and the member's access opens for the duration they asked for. When the duration runs out, the access closes again.
<Note> A member can only request access on an account where they already hold use access. If they cannot already launch a session on the account, there is nothing for them to request. </Note>Whether an account is gated comes down to the template it uses.
graph TD
P["Product Admin
builds a template with
Require Approval enabled"]
O["Folder Admin
onboards the account
with that template"]
S["Folder Admin
seats approvers on the
folder's Approvals tab"]
G["Gated account"]
P --> O --> G
S --> G
See [Account Templates](/documentation/platform/pam/templates/overview) for the full list of template settings.
Approvers must be members of the folder, so the picker only offers people who already belong to it. An approver does not need use access to the account: approving is a governance action, not an access action.
From My Access, a member sees every account they can reach. Gated accounts show Request Access instead of Launch.
To request, the member picks the account and provides a reason and a duration, both fixed at submission. The account then shows Pending Approval until it clears.
Once approved, the account moves into the member's approved access with a Launch button and a countdown to expiry.
Approvers are notified by email and in the app when a request needs them. From Approval Requests, an approver sees the requests waiting on them, each showing the requester, account, folder, reason, and duration.
They approve or reject the request. A single approval from any one of the folder's seated approvers clears it; it does not have to come from a specific person.
Every request carries the reason and duration set by the requester and moves through a small set of states.
| State | What it means |
|---|---|
| Pending Approval | Filed and waiting on an approver. |
| Approved | An approver signed off. The access it asked for is now active and the member can launch sessions. |
| Expired | The requested duration ran out and the access closed on its own. |
| Rejected | An approver declined the request. No access was granted. |
| Revoked | Active access was ended early by a Folder Admin before its duration ran out. |
graph LR
P["Pending Review"] -->|approved| A["Approved / Active"]
P -->|declined| R["Rejected"]
A -->|duration ends| E["Expired"]
A -->|ended early| V["Revoked"]
Rejected, expired, and revoked requests stay in the list so the audit trail stays complete.