Access Requests

This guide explains how client-dedicated identities are created through the access request flow. When a client user needs access to a platform, they submit a request that your agency reviews and approves – and AccessHive handles the rest.

Time to complete: About 3 minutes to read; approving a request takes under a minute.

Before you start
  • At least one platform must be connected and in Operational state. See Platform Connections.
  • To approve or reject requests, you need the Admin or Agency Owner role.
  • To use managed provisioning for approved requests, your Google Workspace (GWS) identity source must be connected. See Google Workspace Setup.

Client detail page showing the Access Requests tab with pending requests

Client-dedicated identities vs. agency identities

Access requests create client-dedicated identities, which are different from the agency identities you create through the wizard. Here is how they compare.

Agency identity Client-dedicated identity
Created by Agency admin through the wizard Automatically when an access request is approved
Scoped to Agency-wide or a specific platform A specific client and platform
One per Platform (owned by the agency) Client + platform combination
Use case Agency operations and shared team access Isolated access for a specific client’s team
Why client-dedicated identities matter

Client-dedicated identities ensure each client has isolated credentials. Revoking one client’s access does not affect other clients or your agency’s own accounts.

How the request flow works

sequenceDiagram participant Client as Client User participant Admin as Agency Admin participant System as AccessHive participant GWS as Google Workspace Client->>System: Submit access request System->>Admin: Notify: new request pending Admin->>System: Approve request System->>System: Create client-dedicated identity System->>GWS: Provision domain user (if managed) GWS-->>System: User created System-->>Client: Access granted notification
  1. A client user submits an access request specifying the platform and justification.
  2. AccessHive notifies your agency admin that a new request is pending.
  3. The admin reviews the request and approves or rejects it.
  4. On approval, AccessHive creates a client-dedicated identity and starts provisioning.
  5. Once provisioning completes, the client user receives a notification that access is ready.

Request statuses

Each access request moves through a lifecycle of statuses.

Status What it means
Pending The request is waiting for an admin to review it
Approved The admin approved the request and the identity is being provisioned
Provisioned The identity is ready and credentials are available
Rejected The admin denied the request
Expired The request timed out without any action being taken

Reviewing and approving requests

Step 1 – Open the access requests queue

Navigate to Clients, select the client, and click the Access Requests tab. All pending requests appear here.

Access Requests tab on a client showing pending requests with status and progress

Step 2 – Review the request details

Each request shows the requester’s name, the target platform, the identity type, and the justification provided by the client user.

Step 3 – Approve or reject

Click the actions menu (three dots) on a request row to Approve or Reject. Both options let you add an optional reason that the client user will see.

Client detail page showing the Access Requests tab with request actions

Step 4 – Wait for provisioning to complete

After approval, AccessHive creates the identity and provisions it (including creating a Google Workspace domain user if managed credentials are involved). The client user is notified once the identity is ready.

Requests expire if not acted on

Pending requests that are not reviewed within the configured timeout period are automatically marked as Expired. The client user can resubmit a new request if needed.

Something went wrong?

Access request is stuck at Approved but not Provisioned

The background provisioning job may still be running or may have encountered an error. Open the identity detail page to check which step is pending. Use the Retry Provisioning button if it has been more than a minute. See Troubleshooting.

Client user did not receive the access granted notification

Verify that the client user’s email address is correct in their profile. Check the identity detail page to confirm the status has reached Provisioned. If provisioning is still in progress, the notification has not been sent yet. See Troubleshooting.

Request expired before I could review it

The timeout period is configurable in your agency settings. Ask your agency owner to increase the expiration window under Settings > Access Requests. The client user can submit a new request in the meantime. See Troubleshooting.

For more troubleshooting scenarios, see the full Troubleshooting Guide.

What’s next?

  • Create identities manually – Use the wizard to create agency-owned identities. See Creating Identities.
  • Manage credentials – Reveal, rotate, and update credentials on approved identities. See Managing Credentials.
  • Set up role templates – Define reusable access patterns to streamline future requests. See Role Templates.
  • Assign identities to clients – Manage client-identity relationships. See Client Management.