Application Access Request

Collect and evaluate access requests, approve low-risk access automatically, and route sensitive access to the right approver.


Overview

Collect and evaluate access requests, approve low-risk access automatically, and route sensitive access to the right approver. The operation is designed as a single agent-led workflow: every request is tracked, every decision is logged, and humans step in only when policy or risk requires it.

Request

A requester submits an application access request through Slack, Teams, or the Access Request Form, creating a tracked request row.

Agent Triage

The agent confirms the request type, retrieves context from Okta and Jira, checks the relevant policy source, and asks for any missing details in chat.

Agent Resolution

Where policy permits, the agent grants low-risk role access that matches policy and manager data, then records the outcome without waiting for manual handling.

Escalation

The agent escalates admin access, conflicting policy signals, missing manager approval, or high-risk applications to the responsible owner with a decision summary and supporting context.

Human Resolution

An approver reviews the escalation in chat or the Access Approval Queue, then approves, rejects, or returns it for more information.

We’ve created this example workflow to help you get started building your own Application Access Request.

Agents

The Application Access Request agent manages intake, policy checks, tool actions, escalation, requester updates, and closure for this operation.

# Agent role
You are the Application Access Request agent. You manage one request from intake to closure, using policy knowledge, approved tools, and human escalation when required.
# Inputs
- request_id: the tracked request row
- requester: the authenticated employee who submitted the request
- summary: the user's description of what they need
- business_justification: why the request is needed
- target_system_or_record: the relevant application, record, customer, vendor, invoice, device, or account
# Instructions
1. Confirm the requester is authenticated and that the request belongs to this operation.
2. Gather missing details in Slack or Teams before taking action. Use connected systems to retrieve context first, then ask the requester only for details that cannot be found.
3. Check the policy knowledge source before approving, rejecting, or escalating. Do not invent policy rules.
4. Auto-resolve by following the operation-specific steps in `# Auto-resolution`. Do not stop at a recommendation if the required tool call is permitted and the response is unambiguous.
5. Escalate when approval is required, risk is unclear, data conflicts, or the requested action is outside the agent's permissions.
6. Update the request row and write an audit entry for every decision, tool action, escalation, and closure.
7. Reply to the requester with a concise status update and next step.
# Tool use
- Use {{ budibase.Application Access Requests.get_row }} and {{ budibase.Application Access Requests.update_row }} to maintain request state.
- Use {{ budibase.Application Access Audit Log.create_row }} to log decisions and actions.
- Use notification tools only for requester updates, approver handoff, or operational escalation.
# Auto-resolution
- Use {{ okta.get_user_by_email }} to verify the requester and retrieve their identity profile.
- Use {{ okta.get_application }} to confirm the requested application exists and retrieve its access group.
- If the access policy allows auto-approval for the requester role, use {{ okta.assign_user_to_application }} to grant access.
- Use {{ jira.create_issue }} only when an access task or exception ticket must be created for a human owner.
- Reject the request if the requester, app, or policy match cannot be verified.
# Output
Return JSON with request_id, status, decision, rationale, next_owner, and actions_taken.
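
One way to enforce the `# Auto-resolution` and `# Output` rules outside the model, as an added example (not Budibase's code and not part of the original prompt): a fail-closed check run over the agent's returned JSON before the request row is updated. The allowed status and decision values are the ones listed for the Application Access Requests table on this page; the function name `validate_agent_output`, the assumption that `actions_taken` is an ordered list of tool names, and both sample payloads are constructed for illustration.

```python
import json

# Allowed values as listed for the Application Access Requests table on this page.
STATUSES = ("New", "Triaging", "Waiting", "Escalated", "Completed", "Rejected", "Closed")
DECISIONS = ("Approved", "Rejected", "Escalated", "Cancelled")
REQUIRED = ("request_id", "status", "decision", "rationale", "next_owner", "actions_taken")
# Tool names from the prompt. Assumption: actions_taken is an ordered list of these names.
VERIFY = ("okta.get_user_by_email", "okta.get_application")
GRANT = "okta.assign_user_to_application"
AUDIT = "budibase.Application Access Audit Log.create_row"

def validate_agent_output(raw, expected_request_id):
    """Return a list of violations; an empty list means the output may be applied."""
    try:
        out = json.loads(raw)
    except (TypeError, ValueError):
        out = None
    if not isinstance(out, dict) or not isinstance(out.get("actions_taken"), list):
        return ["output is not a JSON object with an actions_taken list"]
    missing = [f"missing field: {k}" for k in REQUIRED if k not in out]
    if missing:
        return missing
    actions, problems = out["actions_taken"], []
    if out["request_id"] != expected_request_id:
        problems.append("request_id does not match the tracked row")
    if out["status"] not in STATUSES or out["decision"] not in DECISIONS:
        problems.append("status or decision is not an allowed value")
    if not (isinstance(out["rationale"], str) and out["rationale"].strip()):
        problems.append("empty rationale")
    if out["decision"] == "Escalated" and not out["next_owner"]:
        problems.append("escalation without next_owner")
    if AUDIT not in actions:
        problems.append("no audit entry recorded")
    if GRANT in actions:
        # Both Okta lookups must appear before the first grant call.
        before_grant = actions[:actions.index(GRANT)]
        if any(tool not in before_grant for tool in VERIFY):
            problems.append("grant issued before requester and application were verified")
        if out["decision"] != "Approved":
            problems.append("grant issued without an Approved decision")
    return problems

# Constructed sample outputs (not real agent responses).
GOOD = json.dumps({"request_id": "IT-1043", "status": "Completed", "decision": "Approved",
                   "rationale": "Role matches the auto-approval policy.", "next_owner": None,
                   "actions_taken": [*VERIFY, GRANT, AUDIT]})
BAD = json.dumps({"request_id": "IT-1048", "status": "Completed", "decision": "Escalated",
                  "rationale": "Requires owner approval.", "next_owner": "",
                  "actions_taken": [GRANT, "okta.get_user_by_email"]})
```

A non-empty result should route the request to a human owner rather than being retried silently.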

Data

Tables

Application Access Requests: Stores the request, requester, target record, status, current owner, decision, and closure details.

  • request_id : Text - Unique request identifier.
  • requester : User - Authenticated employee who submitted the request.
  • summary : Long Form Text - Short description of the request.
  • target_record : Text - Relevant account, system, vendor, customer, asset, invoice, or application.
  • status : Single Select - New, Triaging, Waiting, Escalated, Completed, Rejected, or Closed.
  • priority : Single Select - Low, Medium, or High.
  • decision : Single Select - Approved, Rejected, Escalated, or Cancelled.
  • rationale : Long Form Text - Agent or approver explanation.
  • created_at : Date - Request creation timestamp.
  • closed_at : Date - Completion timestamp, if closed.

Sample row (CSV):
request_id,requester,summary,target_record,status,priority,decision,rationale,created_at,closed_at
IT-1048,emma.clarke@example.com,"Please process this application access request.","Example target",Escalated,High,Escalated,"Requires owner approval.",2026-05-18T09:15:00.000Z,

Application Access Audit Log: Records agent decisions, tool calls, escalations, notifications, and human actions.

  • event_id : Text - Unique audit event identifier.
  • request_id : Text - Related request identifier.
  • actor : Text - Agent, requester, approver, or integration name.
  • event_type : Single Select - Message, Tool Call, Decision, Escalation, Approval, Rejection, or Closure.
  • details : JSON - Structured event details.
  • created_at : Date - Event timestamp.

Sample row (CSV):
event_id,request_id,actor,event_type,details,created_at
EVT-2048,IT-1048,Application Access Request Agent,Escalation,"{""reason"":""Policy requires owner review""}",2026-05-18T09:18:00.000Z
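
The agent is instructed to write an audit entry for every decision, escalation, and closure, so the two tables can be reconciled to find gaps. The following is an added example, not Budibase code: it assumes both tables are exported as CSV with the column headers shown above, and the set of event types that count as a decision record, the function name `reconcile`, and every sample row other than the first data row of each table are constructed for illustration.

```python
import csv, io, json

# Assumption: any of these event types counts as the audit record of a decision.
DECISION_EVENTS = {"Decision", "Escalation", "Approval", "Rejection"}

def reconcile(requests_csv, audit_csv):
    """Return sorted (request_id, problem) pairs where the two tables disagree."""
    requests = {r["request_id"]: r for r in csv.DictReader(io.StringIO(requests_csv))}
    seen, findings = {}, []  # seen: request_id -> set of event_type values
    for e in csv.DictReader(io.StringIO(audit_csv)):
        rid = e["request_id"]
        try:
            details_ok = isinstance(json.loads(e["details"]), dict)
        except ValueError:
            details_ok = False
        if not details_ok:
            findings.append((rid, f"{e['event_id']}: details is not a JSON object"))
        if rid not in requests:
            findings.append((rid, f"{e['event_id']}: no matching request row"))
        seen.setdefault(rid, set()).add(e["event_type"])
    for rid, row in requests.items():
        types = seen.get(rid, set())
        if row["decision"] and not types & DECISION_EVENTS:
            findings.append((rid, "decision without a decision-type audit event"))
        if row["decision"] == "Escalated" and "Escalation" not in types:
            findings.append((rid, "escalated without an Escalation audit event"))
        if row["closed_at"] and "Closure" not in types:
            findings.append((rid, "closed without a Closure audit event"))
    return sorted(findings)

# First data row of each table is the sample from this page; the rest are constructed.
REQUESTS = '''request_id,requester,summary,target_record,status,priority,decision,rationale,created_at,closed_at
IT-1048,emma.clarke@example.com,"Please process this application access request.","Example target",Escalated,High,Escalated,"Requires owner approval.",2026-05-18T09:15:00.000Z,
IT-1043,user@example.com,"Constructed request.","Example target",Completed,Low,Approved,"Matches policy.",2026-05-18T10:00:00.000Z,2026-05-18T10:05:00.000Z
'''
AUDIT_LOG = '''event_id,request_id,actor,event_type,details,created_at
EVT-2048,IT-1048,Application Access Request Agent,Escalation,"{""reason"":""Policy requires owner review""}",2026-05-18T09:18:00.000Z
EVT-2049,IT-1043,Application Access Request Agent,Decision,"{""decision"":""Approved""}",2026-05-18T10:04:00.000Z
EVT-2050,IT-9999,Application Access Request Agent,Tool Call,not-json,2026-05-18T10:06:00.000Z
'''
```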

Connections

Slack, Teams, Okta, Jira, Confluence

Slack: Collects access requests from employees, asks follow-up questions about the target app and role, and notifies requesters when access is granted or sent for approval.

Teams: Handles the same intake and status updates for teams that submit access requests through Microsoft Teams channels.

Okta: Looks up the requester, checks current group membership, and applies approved low-risk access changes through identity groups.

Jira: Tracks approval tasks and exceptions when access requires an app owner, security owner, or manual provisioning step.

Confluence: Provides access policy, role definitions, approval matrices, and segregation-of-duties guidance for the requested application.

Adding Knowledge

The agent uses Confluence or SharePoint as a knowledge source when policy guidance, approval thresholds, ownership rules, or standard operating procedures are needed. The agent retrieves the relevant policy before deciding whether to auto-resolve, reject, or escalate a request.

Screens

Application Access Request

Id,Request,Priority,Status
IT-1048,Application Access Request for Emma Clarke,High,Needs Review
IT-1047,Policy check completed for Northstar account,Medium,In Progress
IT-1046,Standard request from Daniel Reed,Low,Completed
IT-1045,Exception raised by Revenue Ops manager,High,Escalated
IT-1044,Missing details requested from Priya Shah,Medium,Waiting
IT-1043,Auto-resolved after policy lookup,Low,Completed
IT-1042,Approval reminder sent to owner,Medium,Waiting
IT-1041,Duplicate request closed by agent,Low,Closed
IT-1040,High-priority request from field team,High,In Progress
IT-1039,Audit log updated for completed request,Low,Completed

Access Request Form: A structured request screen for employees who need to provide required fields, attachments, or target record details that are awkward to collect in chat.

Access Approval Queue: A queue for approvers and operations owners to review escalated requests, see the agent’s rationale, and record a final decision.

Request Detail: A record view that shows request metadata, conversation history, audit events, tool outcomes, and final resolution.

Automations

Create Request Record: On Create Row - Sets the initial status, priority, timestamps, and default owner when a new request is submitted.

Invoke Application Access Request Agent: On Create Row - Sends the request context to the agent for triage and policy evaluation.

Escalation Reminder: On Update Row - Notifies the current approver when an escalated request has not moved within the expected review window.

Close Request Audit: On Update Row - Writes a final audit event and sends the requester a closure update when the request is completed, rejected, or cancelled.