Submitting Access Requests¶
Section: Web Portal | Article 25
Audience: All Users
Last Updated: 2026-04-07
Overview¶
RP-PAM uses a request-approve-provision model for privileged access. No user has standing access to sensitive resources. Instead, users request access for a specific duration, the request is reviewed (automatically or by a human approver), and access is provisioned only for the approved window.
This article walks through the access request process from the end user's perspective.
Prerequisites¶
| Requirement | Detail |
|---|---|
| RP-PAM account | An active user account with the pam_user role (or higher) |
| Portal access | Ability to reach the web portal (see Portal Overview) |
| MFA enrolled | If MFA is required, you must be enrolled before you can submit requests |
Step-by-Step: Submit an Access Request¶
Step 1: Navigate to Request Access¶
- Log in to the RP-PAM web portal.
- In the left sidebar, click Access > Request Access.
Step 2: Select a Resource¶
The resource catalogue shows all resources you are eligible to request access to.
- Search for the resource by name, type, or tag using the search bar.
- Filter by resource type if needed:
- AD Group Membership
- Entra ID Group Membership
- Server / RDP Access
- SSH Key Checkout
- Database Credential Checkout
- Click the resource to select it.
If you do not see the resource you need, contact your RP-PAM administrator. The resource may not be registered or you may not have eligibility.
Step 3: Choose a Duration¶
Select how long you need access. Available durations depend on the resource's policy.
| Option | Description |
|---|---|
| 1 hour | Short task or troubleshooting |
| 4 hours | Half-day work session |
| 8 hours | Full work day |
| 24 hours | Extended maintenance |
| Custom | Enter a specific duration (up to the policy maximum) |
Note: The policy for each resource defines the maximum allowed duration. If you select a duration longer than the maximum, the request is automatically reduced to the maximum.
Step 4: Provide Justification¶
Enter a clear reason for why you need access. Good justifications speed up approval.
Good examples: - "JIRA-4521: Need to add the new contractor to the VPN group for onboarding" - "Incident INC-0088: Database performance issue requires DBA access to run diagnostics" - "Scheduled maintenance window MW-2026-04-07: Patching production servers"
Poor examples: - "Need access" - "Testing" - "Manager said to"
Some policies require justification to include a ticket number. If the policy enforces this, the portal validates the format before allowing submission.
Step 5: Submit the Request¶
- Review the summary:
- Resource name
- Duration
- Justification
- Access window (start and end time)
- Click Submit Request.
- The portal confirms: "Request submitted successfully."
Via API¶
Linux:
curl -s -X POST http://localhost:7101/api/v1/access/requests \
-H "Authorization: Bearer $USER_JWT" \
-H "Content-Type: application/json" \
-d '{
"resourceId": "res-a1b2c3d4",
"durationMinutes": 240,
"justification": "JIRA-4521: Adding contractor to VPN group for onboarding"
}' | jq .
PowerShell:
$body = @{
resourceId = "res-a1b2c3d4"
durationMinutes = 240
justification = "JIRA-4521: Adding contractor to VPN group for onboarding"
} | ConvertTo-Json
$request = Invoke-RestMethod -Uri "http://localhost:7101/api/v1/access/requests" `
-Method Post `
-Headers @{ Authorization = "Bearer $userJwt" } `
-ContentType "application/json" `
-Body $body
$request | ConvertTo-Json
Response:
{
"requestId": "req-e5f6g7h8",
"status": "pending",
"resourceName": "VPN Access Group",
"durationMinutes": 240,
"submittedAt": "2026-04-07T09:00:00Z",
"expiresAt": null
}
What Happens After Submission¶
The request enters the approval flow defined by the resource's policy.
| Flow | What Happens | Typical Time |
|---|---|---|
| Auto-approve | Policy allows automatic approval for this user/resource/duration. Access is provisioned immediately. | < 10 seconds |
| Single approver | One designated approver must review and approve. | Minutes to hours |
| Multi-approver | Multiple approvers must approve (e.g., 2 of 3). | Minutes to hours |
| Manager approval | The requester's manager must approve. | Minutes to hours |
You receive a notification (email and/or portal notification) when your request is approved or denied.
Auto-Approved Requests¶
If the policy auto-approves, you see the status change to Approved immediately, and access is provisioned within seconds. The portal displays:
- "Access granted. Your access expires at [time]."
- Any credentials or connection details needed to use the access.
View Request Status¶
Using the Portal¶
- Navigate to Access > My Requests.
- View the list of all your requests.
| Status | Meaning |
|---|---|
| Pending | Waiting for approval |
| Approved | Access has been provisioned |
| Active | Access is currently in effect |
| Denied | An approver rejected the request |
| Expired | The access window has ended; access has been revoked |
| Cancelled | You cancelled the request before it was approved |
| Revoked | An admin revoked your access before it expired |
Using the API¶
Linux:
# List all your requests
curl -s http://localhost:7101/api/v1/access/requests/mine \
-H "Authorization: Bearer $USER_JWT" | jq '.items[] | {requestId, status, resourceName}'
# Get details of a specific request
curl -s http://localhost:7101/api/v1/access/requests/req-e5f6g7h8 \
-H "Authorization: Bearer $USER_JWT" | jq .
PowerShell:
# List all your requests
$requests = Invoke-RestMethod -Uri "http://localhost:7101/api/v1/access/requests/mine" `
-Headers @{ Authorization = "Bearer $userJwt" }
$requests.items | Select-Object requestId, status, resourceName | Format-Table
# Get details of a specific request
$detail = Invoke-RestMethod -Uri "http://localhost:7101/api/v1/access/requests/req-e5f6g7h8" `
-Headers @{ Authorization = "Bearer $userJwt" }
$detail | ConvertTo-Json -Depth 3
Cancel a Request¶
You can cancel a pending request that has not yet been approved.
Using the Portal¶
- Navigate to Access > My Requests.
- Find the pending request.
- Click the Cancel button (or the X icon).
- Confirm the cancellation.
Using the API¶
Linux:
curl -s -X POST http://localhost:7101/api/v1/access/requests/req-e5f6g7h8/cancel \
-H "Authorization: Bearer $USER_JWT" | jq .
PowerShell:
Invoke-RestMethod -Uri "http://localhost:7101/api/v1/access/requests/req-e5f6g7h8/cancel" `
-Method Post `
-Headers @{ Authorization = "Bearer $userJwt" }
Note: You cannot cancel a request that has already been approved and provisioned. To end active access early, contact an administrator to revoke it.
Renew Expiring Access¶
If your access is about to expire and you still need it, you can submit a renewal request. Renewals go through the same approval flow as new requests.
Using the Portal¶
- Navigate to Access > My Requests.
- Find the active request that is expiring soon (a clock icon appears on requests expiring within 1 hour).
- Click Renew.
- Select a new duration and update the justification if needed.
- Submit.
Using the API¶
Linux:
curl -s -X POST http://localhost:7101/api/v1/access/requests/req-e5f6g7h8/renew \
-H "Authorization: Bearer $USER_JWT" \
-H "Content-Type: application/json" \
-d '{
"durationMinutes": 120,
"justification": "JIRA-4521: Onboarding still in progress, need 2 more hours"
}' | jq .
PowerShell:
$body = @{
durationMinutes = 120
justification = "JIRA-4521: Onboarding still in progress, need 2 more hours"
} | ConvertTo-Json
Invoke-RestMethod -Uri "http://localhost:7101/api/v1/access/requests/req-e5f6g7h8/renew" `
-Method Post `
-Headers @{ Authorization = "Bearer $userJwt" } `
-ContentType "application/json" `
-Body $body
Access Expiry and Revocation¶
When access expires:
- RP-PAM automatically removes the provisioned access (e.g., removes you from the AD group, revokes the SSH key).
- The request status changes to Expired.
- You receive a notification that access has been revoked.
- The entire lifecycle is recorded in the audit log.
Troubleshooting¶
| Problem | Cause | Solution |
|---|---|---|
| Resource not visible in catalogue | You are not eligible for this resource | Contact your admin to add you to the resource's eligible users or groups |
| "Duration exceeds policy maximum" | Requested duration too long | Select a shorter duration; check the policy maximum with your admin |
| "Justification required" | Policy enforces a justification | Provide a meaningful justification (some policies require a ticket number) |
| Request stuck in "Pending" for hours | No approver available or notification missed | Contact your approver directly; admin can check the Approval Queue |
| Access not provisioned after approval | Module connectivity issue | Check module health in the portal; contact admin if module shows unhealthy |
| Cannot cancel request | Request already approved | Contact an admin to revoke the access instead |
Next Steps¶
- Approval Workflows -- Understand how policies and approvals work
- Web Portal Overview -- Navigate the portal
- AI Assistant Overview -- Use natural language to request access
RP-PAM v1.0.0 -- Copyright 2026 Ravenphyre. All rights reserved.