Access Builder: Request Tag Memberships
What’s New
The Access Builder module now supports tag membership requests. Users can request to join a tag through Access Builder; identified tag owners or owner groups review the request and approve or deny it. Approved memberships can be revoked later by the same approvers.
Tags are user groups in Britive used to grant privileges and permissions across the platform — profile access, secret access, policy assignments. Granting a tag membership grants every privilege the tag holds.
How It Works
Administrator marks a tag as requestable
In the Identity Management → Tags section, the administrator enables the tag for Access Builder.
Administrator assigns tag owners
One or more tag owners (individual users) or owner groups (other tags) are designated as approvers for the tag.
User submits a request
The user opens Access Builder, searches for the tag, and submits a membership request.
Tag owner reviews
The tag owner or owner group receives the request and approves or denies it.
Membership is granted
On approval, the user is added to the tag and inherits every privilege the tag holds — profile access, secret access, policy assignments.
Membership can be revoked
Any approver can revoke the membership later. The user loses the tag’s privileges immediately.
Setup and Usage
Make a tag available for request through Access Builder:
Open the tag
In the Britive admin console, navigate to Identity Management → Tags and open the tag you want to make requestable.
Enable “Is Requestable?”
Toggle Is Requestable? on. This surfaces the tag inside Access Builder.
Assign owners
Add tag owners (individual users) and/or owner groups (other tags whose members can approve on behalf of the group). Owners do not need to be members of the tag they own — ownership and membership are independent.
Notes
Revocation is immediate. When a tag membership is revoked, the user loses every privilege the tag grants at that moment. Active checkout sessions tied to the tag’s profiles are not retroactively revoked — they continue until session expiry.
All approvals and revocations are audit-logged.
Tag requests respect the same policy framework as profile requests — justification, ITSM ticket, and time-of-access conditions all apply.