title: Access Catalog Overview
category: Access Catalog
tags: catalog, self-service, access-request, portal
priority: Normal
Access Catalog Overview
The Access Catalog is IdentityCenter's self-service portal where authenticated users browse available resources and submit access requests. Located at /catalog, it provides a governed, auditable alternative to ad-hoc access requests via email or helpdesk tickets.
What is the Access Catalog?
The Access Catalog is a curated directory of resources that users can request access to. It acts as the front door to your organization's identity governance process, connecting end users with the approval workflows that control access provisioning.
| Concept | Description |
|---|---|
| Catalog | The browsable collection of all requestable resources |
| Resource | An individual item that can be requested (group, role, application) |
| Request | A user's formal submission to gain access to a resource |
| Approval Workflow | The chain of approvals a request must pass through |
| Provisioning | The automated action that grants access after approval |
Resource Types
The catalog supports multiple types of requestable resources:
AD Groups
Active Directory groups synced from your connected domains. When a request is approved and provisioned, the user is added to the AD group.
| Property | Description |
|---|---|
| Group Name | The display name from Active Directory |
| Description | The group's AD description attribute |
| Scope | Domain Local, Global, or Universal |
| Type | Security or Distribution |
| Member Count | Current number of members |
Business Roles
Organizational roles defined within IdentityCenter that map to one or more AD groups. Requesting a business role grants all underlying group memberships.
| Property | Description |
|---|---|
| Role Name | The configured business role name (e.g., "IT Admin") |
| Category | Executive, IT, Security, Compliance, Operations |
| Mapped Groups | The AD groups included in this role |
| Description | What access this role provides |
For details on creating and managing roles, see Business Roles.
Applications
Registered applications with defined access levels. Application access may correspond to specific AD groups or may trigger external provisioning.
| Property | Description |
|---|---|
| Application Name | The registered application name |
| Access Levels | Available tiers (e.g., Read Only, Contributor, Admin) |
| Owner | The designated application owner |
| Description | What the application does and who typically needs it |
Risk Level Display
Every resource in the catalog is assigned a risk level that helps users and approvers understand the sensitivity of the access being requested.
| Risk Level | Display | Description | Typical Approval |
|---|---|---|---|
| Low | Green badge | Standard access with minimal risk | Single manager approval |
| Medium | Yellow badge | Moderate sensitivity or elevated privilege | Manager + resource owner |
| High | Red badge | Privileged, sensitive, or compliance-critical | Multi-level with security review |
Risk levels are configured by administrators when cataloging resources. They influence:
- Which approval workflow is triggered
- How prominently the risk is displayed to the requester
- Whether additional justification is required
- SLA urgency for approvers
Category Browsing and Search
Browsing by Category
Resources are organized into categories for easy discovery:
| Category | Examples |
|---|---|
| IT Infrastructure | VPN Access, Server Admin, Network Management |
| Applications | CRM, ERP, HR System, DevOps Tools |
| Security | Security Operations, Incident Response, Audit |
| Finance | Financial Reporting, AP/AR, Budget Planning |
| Collaboration | SharePoint Sites, Teams Channels, Distribution Lists |
| Custom | Organization-specific categories defined by admins |
Searching
The catalog provides a full-text search across resource names, descriptions, categories, and tags. Users can also filter by:
- Risk Level -- Show only Low, Medium, or High risk resources
- Category -- Narrow to a specific category
- Resource Type -- Groups, Roles, or Applications
- Availability -- Resources the user does not already have
Integration with Approval Workflows
Every resource in the catalog is linked to an approval workflow. When a user submits a request:
- The catalog identifies the appropriate workflow based on the resource and its risk level
- The request enters the workflow and is routed to the first approver
- Approvers are resolved dynamically (see Approver Resolution)
- The request progresses through the approval chain
- Upon final approval, provisioning is triggered automatically
- The user is notified of the outcome
```
[User Browses Catalog] --> [Submits Request] --> [Workflow Triggered]
                                                         |
                                                   [Approver 1] --> [Approver 2] --> [Provisioned]
                                                         |
                                                     [Denied] --> [User Notified]
```
Resources without a linked workflow cannot be requested. Administrators must assign a workflow to each resource before it appears in the catalog.
Who Can Access the Catalog
The catalog is available to all authenticated users. Access control is applied as follows:
| Audience | What They See |
|---|---|
| All Users | Resources available to their department, location, or role |
| Managers | Same as above, plus the ability to request on behalf of their reports |
| Administrators | Full catalog view with configuration options |
Catalog visibility rules allow administrators to restrict which resources appear for which users. For example, IT-specific tools can be hidden from non-IT departments.
MyRequests Page
After submitting a request, users track its progress on the MyRequests page.
Request Statuses
| Status | Description |
|---|---|
| Draft | Request started but not yet submitted |
| Pending Approval | Request is waiting for one or more approvers |
| Approved | All approvers have approved; provisioning is pending |
| Provisioned | Access has been granted |
| Denied | One or more approvers denied the request |
| Cancelled | The requester or an admin cancelled the request |
| Expired | The request expired before all approvals were received |
MyRequests Features
- View all past and current requests
- Filter by status, date, or resource
- See the current position in the approval chain
- View approver comments and decision history
- Cancel a pending request
- Resubmit a denied request with updated justification
Catalog Administration
Administrators manage the catalog from Administration > Access Catalog:
| Action | Description |
|---|---|
| Add Resource | Register a new AD group, role, or application in the catalog |
| Edit Resource | Update name, description, risk level, category, or workflow |
| Remove Resource | Remove a resource from the catalog (does not delete the AD group) |
| Set Visibility | Control which users or departments can see and request a resource |
| Assign Workflow | Link a resource to an approval workflow |
| Review Requests | View and manage all pending, approved, and denied requests |
Best Practices
- Curate thoughtfully -- Only include resources that users should be able to self-service request; not every AD group belongs in the catalog
- Write clear descriptions -- Users should understand what access a resource provides before requesting it
- Assign accurate risk levels -- Risk levels drive workflow routing; inaccurate levels lead to under- or over-governed access
- Keep the catalog current -- Remove resources that are no longer relevant; add new ones as applications and groups are created
- Use categories -- Well-organized categories reduce the time users spend searching
- Test the user experience -- Periodically browse the catalog as a standard user to verify that the experience is intuitive
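Because risk levels drive workflow routing, a periodic lint of the catalog configuration catches under-governed entries before a request reaches them. The following Python script is an added example, not IdentityCenter code: the record layout, stage names, and finding codes are hypothetical, and the check that a business role is not rated below its mapped groups goes beyond what this page states.

```python
# Added example: lint a catalog export against the rules on this page.
# The record layout and stage names are hypothetical, not IdentityCenter's schema.
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}

# (minimum stage count, stages that must be present) per risk level, read from
# the "Typical Approval" column; treating them as hard minimums is an assumption.
MIN_APPROVAL = {
    "Low": (1, {"manager"}),
    "Medium": (2, {"manager", "resource_owner"}),
    "High": (2, {"security_review"}),
}

def audit_catalog(resources):
    """Return a list of (resource name, finding code) tuples."""
    by_name = {r["name"]: r for r in resources}
    findings = []
    for r in resources:
        name, risk = r["name"], r.get("risk")
        if risk not in RISK_ORDER:
            findings.append((name, "NO_RISK_LEVEL"))
            continue
        stages = r.get("workflow") or []
        count, required = MIN_APPROVAL[risk]
        if not stages:
            # Per this page, a resource without a linked workflow cannot be requested.
            findings.append((name, "NO_WORKFLOW"))
        elif len(stages) < count or not required <= set(stages):
            findings.append((name, "UNDER_GOVERNED"))
        # A business role grants every mapped group, so its rating should not
        # sit below the highest-rated group it contains.
        for group_name in r.get("mapped_groups", []):
            group = by_name.get(group_name)
            if group is None or group.get("risk") not in RISK_ORDER:
                findings.append((name, "UNRATED_MAPPED_GROUP"))
            elif RISK_ORDER[group["risk"]] > RISK_ORDER[risk]:
                findings.append((name, "ROLE_BELOW_GROUP_RISK"))
    return findings

SAMPLE_CATALOG = [  # constructed sample data
    {"name": "VPN Access", "risk": "Low", "workflow": ["manager"]},
    {"name": "Server Admin", "risk": "High", "workflow": ["manager"]},
    {"name": "Audit", "risk": "High", "workflow": []},
    {"name": "IT Admin", "risk": "Medium", "workflow": ["manager", "resource_owner"],
     "mapped_groups": ["VPN Access", "Server Admin"]},
]

if __name__ == "__main__":
    for name, code in audit_catalog(SAMPLE_CATALOG):
        print(f"{code:24} {name}")
```

On the sample data it flags the High-risk group routed to a single manager, the High-risk resource with no workflow, and the Medium-rated role that grants a High-risk group.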
Next Steps
- Requesting Access -- Step-by-step guide for end users
- Business Roles -- Define organizational roles for the catalog
- Workflow Designer -- Build approval workflows for catalog resources
- Workflow Triggers -- Automate workflow execution
- Access Reviews Overview -- Periodic certification of granted access
- Policies Overview -- Policy-based governance for cataloged resources