Delegate access governance to access package managers in entitlement management
To delegate the creation and management of access packages in a catalog, you add users to the access package manager role. Access package managers must be familiar with the need for users to request access to resources in a catalog. For example, if a catalog is used for a project, then a project lead might be an access package manager for that catalog. Access package managers can't add resources to a catalog, but they can manage the access packages and policies in a catalog. When delegating to an access package manager, that person can then be responsible for:
- What roles a user has to the resources in a catalog
- Who will need access
- Who needs to approve the access requests
- How long the project lasts
They can create access packages and policies, including policies referencing existing connected organizations. Once their access packages are created, then they can have other users request or be assigned to those access packages.
In addition to the catalog owner and access package manager roles, you can also add users to the catalog reader role, which provides view-only access to the catalog, or to the access package assignment manager role, which enables the users to change assignments but not access packages or policies.
As a catalog owner, delegate to an access package manager
Tip
Steps in this article might vary slightly based on the portal you start from.
Follow these steps to assign a user to the access package manager role:
Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.
Tip
Other least privilege roles that can complete this task include the Catalog owner.
Browse to Identity governance > Entitlement management > Catalogs.
On the Catalogs page, open the catalog you want to add administrators to.
In the left menu, select Roles and administrators.
Select Add access package managers to select the members for these roles.
Select Select to add these members.
Remove an access package manager
Follow these steps to remove a user from the access package manager role:
Sign in to the Microsoft Entra admin center as at least an Identity Governance Administrator.
Tip
Other least privilege roles that can complete this task include the Catalog owner.
Browse to Identity governance > Entitlement management > Catalogs.
On the Catalogs page, open the catalog you want to add administrators to.
In the left menu, select Roles and administrators.
Add a checkmark next to an access package manager you want to remove.
Select Remove.