Deep Dive: Building the Perfect Access Request Approval Flow in JumpCloud

Written by Dixitha Srinivasan on November 11, 2025


Securing the modern cloud environment requires two distinct but complementary strategies. 

On the one hand, the majority of your users are granted access to the resources they need automatically based on their role or attributes. And using those resources is fairly straightforward: log in with your provisioned account and off you go.

But there are many edge cases you have to consider differently. Some resources are subject to strict least privilege policies. Others have unique licensing cost controls, or critical compliance mandates, that require you to develop and maintain a governed process to distribute access. And on top of all of that, access in these cases often needs to be timebound or scrutinized in ways most access does not. 

If every request for these sensitive resources results in a chaotic, manual email thread, IT loses velocity and risks security gaps.

JumpCloud has you covered.

For the majority use case, JumpCloud leverages Dynamic Groups to ensure efficient, instant provisioning. But when you need something more elaborate and controlled, JumpCloud Access Request is the right tool.

JumpCloud Access Requests allows IT administrators to design automated and auditable approval workflows for your most sensitive resources, ensuring the right access goes to the right people, instantly, and with the necessary oversight.

This article will walk you through the core components and flow types in JumpCloud Access Request, showing you exactly how to configure the perfect approval pathway for every resource in your environment, from low-risk SaaS tools to mission-critical infrastructure.

1. Defining Your Approval Type: Manual and Automatic Control

The first decision in setting up a flow is determining the inherent risk of the resource being requested. JumpCloud offers two fundamental types of approval flows:

| Approval Type | When to Use It | Benefit |
|---|---|---|
| Manual | For critical, high-risk resources (e.g., finance system access, AWS roles, production infrastructure) where granular review and justification are mandatory. | Enforces strict governance: Provides a mandated security gate, upholding least privilege and generating a clear, defensible audit trail required for SOC 2, ISO 27001, and other compliance frameworks. |
| Automatic | For low-risk access (e.g., internal wiki, training portals) where users can self-serve, but you still need an audit log of the action. | Maximizes IT velocity: Reduces the admin burden for low-risk requests, ensuring employees get immediate access without sacrificing auditability. |

2. Assigning Approvers by Role, Group, or Resource: Dynamic Delegation

For any manual flow, JumpCloud allows you to designate approvers based on their relationship to the request, the resource, or their organizational role. 

This is how you build dynamic, multi-stage, and sequential workflows.

The Four Dynamic Approver Types

  1. Requestor’s Manager:
    • The Workflow: JumpCloud automatically pulls the manager information defined in the user’s details (often synced directly from an HRIS). This is the fastest, most scalable way to implement departmental oversight.
    • The Why: Ensures a user’s direct supervisor signs off, verifying the access is legitimate for their role.
  2. Resource Owner:
    • The Workflow: Assigns the approval to a specific user who “owns” or manages the resource (e.g., the DevOps lead for a specific AWS role).
    • The Why: Delegates security decisions to the subject matter expert who understands the resource’s context and risk profile.
  3. Administrator:
    • The Workflow: Allows you to assign one or more specific JumpCloud Administrators.
    • The Why: Ideal for centralized IT or security teams who need final sign-off on extremely sensitive access requests.
  4. User Group:
    • The Workflow: Any member of the designated User Group can approve the request.
    • The Why: Can be used for team-based approvals where any member of the Security Operations Team can handle the queue, preventing bottlenecks if one individual is out of office.

3. Defining the Approval Hierarchy: The Requirement Logic

Once you have identified who should approve the request, you must define how their approval is counted. This is the crucial step that dictates whether your flow is a simple one-step approval or a complex sequential pipeline.

JumpCloud offers three primary requirement configurations:

| Requirement Logic | Flow Description | Compliance/Security Impact |
|---|---|---|
| At least one approver type | The request is approved as soon as any single approver (e.g., the Manager or the Resource Owner) clicks “Approve.” | Best for speed and simple compliance. One signature is sufficient for lower-risk critical items. |
| All approver types | Every designated approver must approve the request before it is granted. Approvals can happen in any order (parallel stage). | Ideal for high-risk, two-person rule resources where both managerial and security approval are needed simultaneously. |
| All approver types, in specific order | This creates a sequential, multi-stage workflow. The Manager must approve first, then the Resource Owner, then the Administrator, and so on. | The gold standard for strict compliance and Zero Trust. This enforces a true chain of custody and review process. |
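
The three requirement logics above, modelled as an added Python example (not JumpCloud code or its API) that replays the same approval clicks under each setting. The approver-type strings, the `evaluate` function and the rule that an out-of-turn approval in an ordered flow does not count are assumptions made for illustration.

```python
from enum import Enum


class Requirement(Enum):
    AT_LEAST_ONE = "At least one approver type"
    ALL = "All approver types"
    ALL_IN_ORDER = "All approver types, in specific order"


def is_approved(requirement, approver_types, counted):
    """One counted approval is enough for AT_LEAST_ONE; otherwise all are needed."""
    if requirement is Requirement.AT_LEAST_ONE:
        return bool(counted)
    return len(counted) == len(approver_types)


def evaluate(requirement, approver_types, events):
    """Replay "Approve" clicks against a flow and report where it stands.

    approver_types: distinct approver types on the flow, in stage order.
    events: approver types that approved, in the order the clicks arrived.
    """
    counted, ignored = [], []
    for ev in events:
        if (is_approved(requirement, approver_types, counted)
                or ev not in approver_types or ev in counted):
            ignored.append(ev)   # late, unknown or duplicate approval
        elif (requirement is Requirement.ALL_IN_ORDER
              and ev != approver_types[len(counted)]):
            ignored.append(ev)   # assumption: out-of-turn approvals do not count
        else:
            counted.append(ev)
    approved = is_approved(requirement, approver_types, counted)
    if approved:
        awaiting = []
    elif requirement is Requirement.ALL_IN_ORDER:
        awaiting = [approver_types[len(counted)]]   # only the current stage
    else:
        awaiting = [t for t in approver_types if t not in counted]
    return {"approved": approved, "counted": counted,
            "ignored": ignored, "awaiting": awaiting}


# Constructed sample: a three-stage flow and clicks arriving out of stage order.
FLOW = ["manager", "resource_owner", "administrator"]
CLICKS = ["resource_owner", "manager", "administrator"]

if __name__ == "__main__":
    for req in Requirement:
        print(req.value, "->", evaluate(req, FLOW, CLICKS))
```

The same three clicks approve the request under the first two settings but leave the ordered flow pending at the Resource Owner stage, which is the behaviour to verify when testing a newly configured flow.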

4. Connecting Approval to Access: User Group Assignment

JumpCloud’s Access Request provides the ability to directly connect the approval process to access provisioning.

In the final step of creating your flow, you designate the User Group Assignment.

  • Once the request is fully approved (manual flow) or automatically processed (automatic flow), the requesting user is instantly and automatically added to the specific JumpCloud User Group associated with that resource. Based on the resource type, the final fulfillment of access may require additional configuration.
  • Through this, the user gains access immediately, eliminating the final manual step of the IT administrator assigning the group membership.



To understand more about managing approval flows, check out our help article.

Move Beyond Manual Tickets, Start Automating Governance

If your access management strategy still relies on emails, spreadsheets, or slow help desk tickets, you are creating friction for users and security gaps for your organization.

JumpCloud Access Request moves beyond simple gating; it allows you to architect access governance tailored to the unique security needs of every resource. By leveraging dynamic approver types, defining sequential stages, and enabling automatic fulfillment via User Groups, you transform a manual chore into an automated, auditable, and compliant flow.

If you are new to JumpCloud and ready to see how fast and secure access requests can be, sign up for a free trial today.

Dixitha Srinivasan

Dixitha is a Product Marketing Manager at JumpCloud with extensive experience in the IT and Security domain. Outside work, she enjoys cooking, writing, and exploring new places.
