Request Selectors

A Request Selector is a configuration that assigns an approval process to a user attempting to access an action. Before the user can access the action, they must submit a request and have it approved, after which access to the action is granted for a limited time.

Request Selectors can be configured on specific Space actions, on individual Assets, or on multiple Assets via inheritance.

Creating a New Request Selector

Creating Space Level Request Selectors

Space level Request Selectors enable an approval process to be assigned to specific actions configured on Spaces.

To enable Space-level Request Selectors:

  1. Log in with an Administrator or Request Manager account.
  2. Navigate to Management > Request Selectors and click the Add button.
  3. Click on the parameter name for details about each or follow the guidance provided here:

    1. Request Form: This is the Request Form for this selector that will define its approval process. Please note that only enabled request forms will be available for selection.
    2. Operations: List of operations that could be assigned for a request selector. The following operations are available:
      • Space Manage Permissions: An operation to manage space permissions.
      • Space Manage Policy: An operation to manage segmentation policies.
    3. Targets: List of users or groups that are required to submit an approval request based on the request selection requirements.
    4. Time: Defines the time when the request selector is applicable. The following options are available: Work hours, After hours, Weekend, Holiday.
    5. Exclusive: Exclusive is an indicator that the access request to the operation is granted for exclusive use after request approval. Exclusive use means that only the approved user will have access to the approved operation or action until the request is completed.
      • Unavailable: The use of the Exclusive option is not available for selection and will be disabled.
      • Optional: The use of the Exclusive option is configurable by the requester during the submission process. They may request exclusive access or not on their submitted request form.
      • Required: The use of the Exclusive option is not available for selection and will be forced to exclusive.
  4. Click the Save button to complete this configuration.

Creating Asset Level Request Selectors

Asset level Request Selectors enable an approval process to be assigned to specific actions configured on an Asset or multiple Assets using inheritance.

To enable Asset-level Request Selectors:

  1. Log in with an Administrator or Request Manager account, plus an Asset Role of Asset Manager or higher on the asset where the selector is to be configured.
  2. Navigate to the asset (Container or Asset), select Manage > Request Selectors and click the Add button.
  3. Click on the parameter name for details about each or follow the guidance provided here:

    1. Request Form: This is the Request Form for this selector that will define its approval process. Please note that only enabled request forms will be available for selection.
    2. Operations: List of operations that could be assigned for a request selector. The following operations are available:
      • Space Manage Permissions: An operation to manage space permissions.
      • Space Manage Policy: An operation to manage segmentation policies.
    3. Targets: List of users or groups that are required to submit an approval request based on the request selection requirements.
    4. Time: Defines the time when the request selector is applicable. The following options are available: Work hours, After hours, Weekend, Holiday.
    5. Exclusive: Exclusive is an indicator that the access request to the operation is granted for exclusive use after request approval. Exclusive use means that only the approved user will have access to the approved operation or action until the request is completed.
      • Unavailable: The use of the Exclusive option is not available for selection and will be disabled.
      • Optional: The use of the Exclusive option is configurable by the requester during the submission process. They may request exclusive access or not on their submitted request form.
      • Required: The use of the Exclusive option is not available for selection and will be forced to exclusive.
    6. Require MFA: Requires the user to successfully complete an MFA challenge prior to executing their request (i.e. request service access or unlock password).
      • Not Required: when selected, the user is not required to perform an MFA challenge.
      • Required: when selected, the user is required to perform an MFA challenge.
  4. Click the Save button to complete this configuration.

Require MFA Actions

When a Request Selector includes the Require MFA requirement, the user performing the action must first successfully respond to an MFA challenge. Depending on their configured MFA provider as defined in the tenant's MFA Rules, this may include entering an OTP (one-time password code), responding to a Push notification, entering a number matching value, or another successful challenge response.

This section will detail the user experience for each supported Require MFA provider and the steps required to complete their challenge.

Note

As referenced in subsequent sections, the Confirm button is represented by a round green check-mark icon positioned on the right side of the input field.

Require MFA - Confirm Button

TOTP

When prompted, enter the TOTP code from your application and click the Confirm button to validate the code.

  • When valid, you will receive a Success message. Close the message and prompt to continue.
  • When invalid, you will receive an Error message. Check the code and click the Confirm button to try again.

Require MFA - TOTP challenge

Entra ID (Azure SAML)

When prompted, first enter your Entra ID password into the Password field. Next, decide if you want to use OTP or Push (with number matching) for the second factor challenge.

  • When using OTP, enter the One-time password code from your Microsoft Authenticator app into the Push or OTP field and click the Confirm button.
    • If valid, you will receive a Success message. Close the message and prompt to continue.
    • If invalid, you will receive an Error message. Check the code and click the Confirm button to try again.

Require MFA - Entra ID OTP challenge

  • When using Push (with number matching), leave the Push or OTP field blank and click the Confirm button. On the next page, you will be presented with the Number required for number matching in the Microsoft Authenticator app. Enter this displayed Number in the Microsoft Authenticator app to complete this challenge. Once the number is validated in the app, click the Confirm button on this prompt to validate the challenge.
    • If valid, you will receive a Success message. Close the message and prompt to continue.
    • If invalid, you will receive an Error message. Check the code and click the Confirm button to try again.

Require MFA - Entra ID Push challenge

Note

It is assumed that all Entra ID (Azure SAML) authentications require MFA, so defining a specific MFA Rule for these users is not required.

Duo Security

When prompted, decide if you want to use a Duo Passcode or Duo Push to respond to the MFA challenge.

  • If choosing to use a Duo Passcode, enter the Passcode from your Duo App into the Code field and click the Confirm button to validate the code.
    • If valid, you will receive a Success message. Close the message and prompt to continue.
    • If invalid, you will receive an Error message. Check the code and click the Confirm button to try again.

Require MFA - Duo Passcode challenge

  • If choosing to use Duo Push, leave the Code field blank and click the Confirm button to initiate the push notification to your Duo app. Approve the Duo Push notification to complete this MFA challenge response.
    • When Approved, you will receive a Success message. Close the message and prompt to continue.
    • When Denied, you will receive an Error message. Click the Confirm button if you want to try again.

YubiKey

When prompted, click on the Code field to make it active, then use your hardware YubiKey device to auto-populate this field with a valid code.

  • If valid, you will automatically receive a Success message (clicking Confirm is not required). Close the message and prompt to continue.
  • If invalid, you will receive an Error message. Activate your YubiKey to try again.

Require MFA - YubiKey challenge

Mail MFA

When prompted, leave the Push field blank and click the Confirm button to send an email containing an MFA code to your email address. When the email arrives, enter the Verification Code from the email message into the Code field and click the Confirm button to validate the code.

  • If valid, you will receive a Success message. Close the message and prompt to continue.
  • If invalid, you will receive an Error message. Check the code and click the Confirm button to try again.

Require MFA - Mail MFA challenge

RADIUS HOTP

When prompted, first enter your 12Port login into the Username field, then enter the code from your RADIUS device into the Code field and finally click the Confirm button to validate the code.

  • If valid, you will receive a Success message. Close the message and prompt to continue.
  • If invalid, you will receive an Error message. Check the code and click the Confirm button to try again.

Require MFA - RADIUS HOTP challenge

RADIUS Confirm

When prompted, confirm the first factor authentication password, if required, and click the Confirm button. Next, type the code from your RADIUS device and click the Confirm button to validate the challenge.

  • If valid, you will receive a Success message. Close the message and prompt to continue.
  • If invalid, you will receive an Error message. Check the code and click the Confirm button to try again.