User Access Request¶
Quick Summary
Manages the full lifecycle of user access - onboarding, modification, and offboarding - for both standard and privileged accounts. Carries a formal approval workflow through the Change Advise Board to satisfy FedRAMP and CMMC access control requirements.
The User Access Request (UAR) ticket type is the formal mechanism for managing user access within the authorization boundary. Every access change, whether provisioning a new account, adjusting permissions, or removing access for a departing user, flows through this ticket type to maintain the audit trail required by FedRAMP AC-2 (Account Management) and CMMC AC.L2-3.1.1 (Authorized Access Control).
Request Categories¶
UARs are split into two tracks depending on the level of access being requested:
- Standard User Access - regular user accounts with baseline permissions
- Privileged User Access - elevated or administrative accounts that carry additional risk and scrutiny under FedRAMP AC-6 (Least Privilege) and CMMC AC.L2-3.1.5 (Least Privilege)
Within each track, the following request types are available:
| Request Type | Purpose |
|---|---|
| New User Onboarding | Provision access for a new user joining the environment |
| User Modification | Adjust permissions, roles, or access scope for an existing user |
| User Offboarding | Remove or disable access for a departing user |
Approval Workflow¶
By default, user access requests follow a two-stage approval workflow: the Change Advise Board (CAB) reviews and approves the request on the technical side first, then a designated end user with the Access Approver role provides final organizational sign-off. This two-stage process ensures both technical validation (is the access appropriate for the role?) and organizational authorization (does management approve this access?).
Privileged access requests carry additional weight in this process. Granting administrative or elevated permissions requires clear justification and is subject to stricter review, consistent with the principle of least privilege.
Approval processes are highly customizable to suit your organization's needs. See the Approval Processes admin guide for configuration details.
Compliance Context¶
User access requests directly support several overlapping control requirements across FedRAMP and CMMC:
| Control Area | Requirement |
|---|---|
| Account Management (FedRAMP AC-2) | Formal process for creating, enabling, modifying, disabling, and removing accounts |
| Access Enforcement (FedRAMP AC-3 / CMMC AC.L2-3.1.1) | Access granted only through an approved, documented process |
| Least Privilege (FedRAMP AC-6 / CMMC AC.L2-3.1.5) | Users receive only the minimum access necessary for their role |
| Personnel Termination (FedRAMP PS-4) | Timely revocation of access upon separation |
| Personnel Transfer (FedRAMP PS-5) | Access reviewed and adjusted when users change roles |
The UAR ticket itself becomes the evidence artifact; auditors can trace any user's access back to an approved request with a documented justification and approval chain.
Relationship to Change Requests¶
User access requests are also managed through the broader Change Request process, ensuring access control changes carry the same formal approval and documentation as system changes. The UAR ticket type provides the specialized fields and workflow for access-specific details, while the change request framework provides the governance structure.
See the User Access Requests end-user guide for details on submitting access requests, and the User Access Area overview for managing UARs as an agent.