Source: https://manu-tests-all-orgs.docs-staging.pageloop.ai/product/identity-access/access-management/overview

# Access management overview

Atomicwork's Identity Governance & Administration (IGA) turns access from a manual, ticket-driven chore into an autonomous, governed workflow. You define your applications, their entitlements, and the policies that govern them once — and Atom takes over from there: interpreting requests, checking eligibility, running approvals, provisioning access, and revoking it the moment its window closes.

A few principles shape how it works. Access is **time-bound by default** — permanent access has to be configured deliberately, so the secure path is the default path. Expired grants are **revoked automatically** by an hourly agent run, so nothing lingers after it's needed. Employees **request in plain language** through Atom rather than filing forms. And every grant, automated or manual, is **logged for compliance** with a full provision-to-revoke timeline.

This page is the overview. Step-by-step setup lives in **[Setting up agentic access provisioning](/docs/10-access-management/setting-up-agentic-access-provisioning)**, and time-bound access is covered in **[Just-in-Time access management](/docs/10-access-management/just-in-time-access-management)**.

## How it works

1. **Define applications & entitlements**

   Add the tools your organization uses (Salesforce, HubSpot, Cursor…) and describe the specific levels of access — _View accounts_, _Edit opportunities_, _Read-only_ — that each one offers. If you've connected an IdP like Okta or Entra, your apps populate automatically.
2. **Set access policies**

   Map user segments to the entitlements they should get, and decide whether access is pre-approved or requires review. One app can carry many policies — Sales gets _Standard User_, Finance gets _Marketplace Viewer_, Marketing gets _Read-only_.
3. **Employees request through Atom**

   Someone asks _"Can I get access to Salesforce Marketplace?"_ Atom finds the matching policy, confirms eligibility, and routes any required approval — all in the conversation.
4. **The agent provisions access**

   On approval, the IGA agent grants the entitlement via the configured method — adding the user to an Okta or Entra group, or opening a service request for manual fulfilment.
5. **Access expires on its own**

   For time-bound grants, the agent records an expiry timestamp and deprovisions automatically when the window closes. The employee gets a heads-up first, with a one-click option to request an extension.

## Built for both sides of the desk

**For employees**, access becomes conversational. They can request access to any app through Atom, ask what they're eligible for or already have, and get access instantly when policy allows or follow a clean approval path when it doesn't. Before a grant is revoked they receive an expiry reminder they can extend in one click, and they can even ask by category — "design apps", "sales tools", "infra apps".

**For admins**, the work moves from fulfilling tickets to setting policy. You define applications, entitlements, and policies centrally; automate provisioning through Okta or Entra (or fall back to service requests); and set approval policies that notify the right stakeholders. Atomicwork also recommends policies generated from your existing access patterns, and every grant and change is visible through the Access Grants dashboard and audit logs.

## Just-in-Time access

Granting permanent access to every application an employee touches is a security risk your team shouldn't have to carry. Just-in-Time (JIT) access lets you set exactly how long a user can hold an entitlement — and revokes it automatically when that window closes. Turning on **Allow access extension requests from expiry notifications** lets users buy more time without filing a fresh request; the extension flows through the same policy you already defined.

The minimum JIT duration is **6 hours**, the industry standard. New policies default to time-bound access — permanent access must be turned on deliberately.

## Common questions

**What happens when a grant expires?** The IGA agent deprovisions the entitlement automatically on its hourly run, records the deprovision timestamp, and closes out the grant. Users are notified before revocation, so nothing disappears without warning.

**Can I revoke access before the JIT window closes?** Yes — from **Settings → Access Management → Access Grants**, open any grant and revoke it manually at any time. Useful when someone changes roles or leaves a project early.

**How do I track who has access to what?** The Access Grants dashboard lists every active and inactive grant, filterable by application, user, entitlement, status, or expiry date. Each grant opens a full timeline of when access was provisioned and deprovisioned.

**What if a user qualifies for more than one policy?** Set a conflict rule per application under **Settings**: apply the highest-severity policy, the most recently created one, or the one targeting the most specific segment.

## Go deeper

- [Setting up agentic access provisioning](/docs/10-access-management/setting-up-agentic-access-provisioning)

  Configure applications, entitlements, access policies, and provisioning rules end to end.
- [Just-in-Time access management](/docs/10-access-management/just-in-time-access-management)

  Set durations, expiry notifications, and extensions, and monitor active grants.
