# Access Policies

> Control access duration, justification requirements, and approval workflows

Access policies define the rules that govern how users request and receive access to applications and resources. Create reusable policies to maintain consistent access controls across your organization.

***

## Understanding Access Policies

When creating or editing an access policy, configure the following settings to manage access duration and the approvals required for roles.

<CardGroup cols={2}>
  <Card title="Policy Name" icon="heading">
    Descriptive name that indicates when the policy should be used (e.g., "High Security", "Standard Access")
  </Card>

  <Card title="Policy Description" icon="align-left">
    Detailed explanation of what the policy covers and when to apply it
  </Card>

  <Card title="Max Access Length" icon="clock">
    Maximum duration users can keep access before automatic revocation (options: indefinite, hours, days, weeks, months)
  </Card>

  <Card title="Recommended Access Length" icon="calendar">
    Suggested duration to guide users toward shorter access periods while still allowing maximum if needed
  </Card>

  <Card title="Require Business Justification" icon="message">
    Toggle on to require users to explain why they need access; Serval evaluates reasonableness based on guidance settings
  </Card>

  <Card title="Require Confirmation for Requests Made on Behalf of Others" icon="user-check">
    Toggle on to add a verification step when someone requests access for another user
  </Card>

  <Card title="Require Approval" icon="users">
    Select specific users, groups, or special members (like the user's manager) who must approve requests
  </Card>

  <Card title="Allow Self-Approval" icon="circle-check">
    Toggle whether approvers can approve their own access requests
  </Card>

  <Card title="Multiple Approval Steps" icon="layer-group">
    Add sequential approval requirements where each step must be completed before the next begins
  </Card>

  <Card title="Impact Preview" icon="warning">
    View how many applications and roles will be affected by policy changes before saving
  </Card>
</CardGroup>

<Note>
  If you add multiple approvers in a single step, any one of them can approve the request. For sequential approvals, add multiple approval steps.
</Note>

<Tip>
  Approvers can modify the requested duration when approving. For example, if a user requests 2 hours of access, an approver can approve for 30 minutes instead. This gives approvers flexibility to grant appropriate access based on the specific request context.
</Tip>

<Frame caption="Edit access policy settings">
  <img src="https://mintcdn.com/serval/1MkNvweOjUDMFgE8/images/Screenshot2025-11-21at11.03.09PM.png?fit=max&auto=format&n=1MkNvweOjUDMFgE8&q=85&s=d89d9b2617df6d7431320219f374ca5d" alt="Access policy editor with duration, justification, and approval settings" width="3430" height="1906" data-path="images/Screenshot2025-11-21at11.03.09PM.png" />
</Frame>

***

## Create an Access Policy

<Steps>
  <Step title="Click Create Policy">
    Click "Create policy" or select an existing access policy to modify
  </Step>

  <Step title="Name the policy">
    Enter a policy name and description. Use descriptive names like "General Access" or "Temporary Admin Access" that indicate when the policy should be used.
  </Step>

  <Step title="Set access duration">
    Choose indefinite or time-limited access for Max Access Length. Optionally set a Recommended Access Length to guide users toward shorter access periods while still allowing them to request the maximum if needed.

    <Tip>
      Use time-limited access for elevated permissions like admin roles. Use indefinite access for standard user roles.
    </Tip>
  </Step>

  <Step title="Configure justification and confirmation">
    Toggle on "Require business justification" to require users to explain why they need access. Serval will evaluate whether the justification is reasonable based on your guidance settings.

    Toggle on "Require confirmation for requests made on behalf of others" to add verification when someone requests access for another user.
  </Step>

  <Step title="Set up approvals">
    Add approval steps by selecting approvers. You can require approval from specific users, groups, or special members like the user's manager.

    For each approval step, configure:

    * Who can approve (individual users or groups)
    * Whether approvers can self-approve their own requests
    * Whether any one approver can approve, or if all must approve

    Add multiple approval steps for sensitive access by clicking "Add approval step". Approvals happen sequentially—the second step only begins after the first is complete.

    <Note>
      If you add multiple approvers in a single step, any one of them can approve the request. For sequential approvals, add multiple approval steps.
    </Note>
  </Step>

  <Step title="Preview impact">
    Check how many roles will be affected by this policy before saving.
  </Step>

  <Step title="Save the policy">
    Click "Save policy" to make it available for role configuration. You'll see which applications will be affected by the new policy.
  </Step>
</Steps>

***

## Manage Access Policies

Once created, access policies can be managed centrally and applied to multiple roles across your organization.

To access policy management, navigate to the relevant team, click the "..." button, and select "Access Policies."

<AccordionGroup>
  <Accordion title="Set a default policy" icon="star">
    Choose a default policy that applies to new roles automatically to ensure consistent baseline access controls.
  </Accordion>

  <Accordion title="Edit existing policies" icon="pen">
    Modify policy settings. Changes apply to all roles using that policy, making it easy to update access controls organization-wide.
  </Accordion>

  <Accordion title="View policy usage" icon="eye">
    See which roles currently use each policy to understand the impact before making changes.
  </Accordion>

  <Accordion title="Apply policies to roles" icon="link">
    Add or remove roles that the policy should apply to. Reuse policies across similar access patterns for consistency.
  </Accordion>

  <Accordion title="Add new policies" icon="plus">
    Set up new standard policies for your organization to be used across any number of roles.
  </Accordion>
</AccordionGroup>

***

## Best Practices

<CardGroup cols={2}>
  <Card title="Start strict, relax as needed" icon="shield">
    Begin with tighter controls and loosen them based on feedback. It's easier to remove friction than add security later.
  </Card>

  <Card title="Use time limits for elevated access" icon="timer">
    Temporary access to admin or sensitive roles reduces security risk and ensures cleanup happens automatically.
  </Card>

  <Card title="Group similar roles under one policy" icon="layer-group">
    Create policies for access patterns, not individual roles. This makes management easier as you scale.
  </Card>

  <Card title="Review policies regularly" icon="rotate">
    Audit which policies are in use and whether they still match your security requirements.
  </Card>
</CardGroup>

***

## Extensions and Modifications

Users can request extensions or reductions to their active access. These modification requests follow the same approval workflow as initial requests:

* **Extensions require approval** if configured in the access policy
* **Approvers can modify durations** when approving extension requests
* **Users can amend requests** before approval (the final requested duration is what the approver sees)
* **No approval required?** If no approval procedure is configured, requests and extensions auto-approve with the requested duration

<Note>
  If a user amends their request multiple times before approval, only the final amendment is submitted for approval. Earlier amendments are automatically superseded.
</Note>
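
The rules above (any one approver completes a step, steps run in sequence, self-approval is a toggle, approvers may change the duration, amendments supersede each other, and no approval procedure means auto-approval) can be checked against a small model. This is an added example, not Serval's code or API; the `Policy` and `Request` classes are hypothetical. It assumes that an approver's adjusted duration is also capped by Max Access Length and carries forward to later steps, and it only accepts amendments before the first approval.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    max_minutes: Optional[int]                    # None models "indefinite"
    steps: list = field(default_factory=list)     # one set of approvers per sequential step
    allow_self_approval: bool = False

@dataclass
class Request:
    requester: str
    policy: Policy
    minutes: int                                  # duration currently on the request
    step: int = 0                                 # index of the approval step now pending
    granted: Optional[int] = None                 # set once every step has approved
    def __post_init__(self):
        self._check(self.minutes)
        if not self.policy.steps:                 # no approval procedure: auto-approve
            self.granted = self.minutes
    def _check(self, minutes):
        cap = self.policy.max_minutes
        if minutes <= 0 or (cap is not None and minutes > cap):
            raise ValueError("duration outside Max Access Length")
    def amend(self, minutes):
        if self.granted is not None or self.step > 0:   # model limit: pre-approval only
            raise RuntimeError("request can no longer be amended")
        self._check(minutes)
        self.minutes = minutes                    # earlier amendments are superseded
    def approve(self, approver, minutes=None):
        if self.granted is not None:
            raise RuntimeError("request already approved")
        if approver not in self.policy.steps[self.step]:
            raise PermissionError("not an approver for the current step")
        if approver == self.requester and not self.policy.allow_self_approval:
            raise PermissionError("self-approval is disabled")
        if minutes is not None:                   # approver adjusts the duration (assumed capped)
            self._check(minutes)
            self.minutes = minutes
        self.step += 1                            # any one approver completes the step
        if self.step == len(self.policy.steps):
            self.granted = self.minutes
        return self.granted

def demo():
    # Constructed sample: 2-hour cap, two sequential steps, self-approval off.
    req = Request("alice", Policy(120, [{"alice", "bob"}, {"carol"}]), 120)
    req.amend(60)                                 # approvers see 60, not the original 120
    req.approve("bob", minutes=30)                # step 1: bob shortens 60 to 30
    return req.approve("carol")                   # step 2 completes; 30 minutes granted
```

With self-approval off, a call such as `approve("alice")` on Alice's own request raises `PermissionError` even though she is listed as an approver for that step.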
