Access Request & Approval Workflow
Build an internal tool where staff request access to a system, folder, or app, and it auto-routes to the right approvers - manager plus the data/app owner - with a full audit trail, segregation-of-duties warnings, and a clean grant task for IT before anything is provisioned.
A login-protected access-request tool: staff pick a system and access level, the app auto-routes the request to the required approvers (manager + data/app owner, plus an extra owner sign-off on high-risk), captures each approval with a reason, warns on segregation-of-duties conflicts, dedupes duplicate open requests, and produces an approved grant task for IT plus an access register and CSV export - with a hard rule that nothing becomes an IT grant task until every required approval is in.
Before you start
- A free Vercel account
- A free Supabase account
- A free Resend account (and a sender address you can use)
- A catalog sheet of systems/roles with their approvers and risk level (CSV/Google Sheet)
- A staff/manager list (CSV/Google Sheet)
The problem this kills
Someone emails the help desk: "Can I get access to the finance shared drive?" And then the guessing begins. Who's allowed to approve that? Does her manager need to sign off, or the drive owner, or both? Is this high-risk access that needs an extra blessing? Did anyone check she doesn't already have a conflicting permission? Three days later IT grants it off a forwarded thread with no record of who actually said yes - and at audit time, nobody can prove it.
In most teams "access requests" are a swamp of tickets, Slack pings, and forwarded emails. Approvals stall because nobody's sure it's their turn. High-risk access slips through with one casual "sure." Segregation-of-duties rules (the person who creates a vendor shouldn't also be able to pay it) get violated by accident. The same request gets entered twice. And when the security auditor asks "show me who approved this access and why," you're scrolling through six months of chat history.
This tool replaces the ticket swamp with a clear, enforced routing process - and a clean, provable record of every access decision.
What you'll build
A small internal web app, just for your team, that:
- Lets staff self-serve a request: pick a system, folder, or app and the access level they need, and write a short business justification.
- Reads your access catalog - your list of systems/roles, who owns each one, and its risk level - and auto-routes the request to the right approvers: the requester's manager plus the data/app owner.
- Adds an extra owner sign-off automatically when the access is high-risk, so the riskiest grants get the most scrutiny.
- Warns about segregation-of-duties (SoD) conflicts - flags when the new access would collide with access the person already has (e.g., "can create payments" + "can approve payments").
- Captures each approval or rejection with a reason, recorded against the logged-in approver.
- Dedupes so the same person can't have two open requests for the same system at once.
- Turns a fully-approved request into a clean grant task for IT, and keeps a living access register.
- Exports the grant tasks and the access register as CSV - the exact columns your IT/provisioning process expects.
What's inside the Implementation Plan
The plan is a single markdown file you paste into Claude Code (a free AI coding agent). It walks the agent through building the whole tool, step by step, each step ending with a ready-to-paste prompt.
The most important part: the plan opens by interviewing you about your business. Before it writes a single line, the agent asks how access requests reach you today, what's in your systems catalog, who the approvers and owners are, how you define risk levels, your real naming and code conventions, your typical and peak volumes, your exact approval rules, and your messy edge cases (a system with no owner, a contractor with no manager, a conflicting-access pair you care about). It reads a short tailored spec back to you, you confirm it, and only then does it build - so you get a tool shaped to your access process, not a generic template you have to bend to fit.
Inside you'll find:
- The discovery interview and how the agent turns your answers into the data model.
- The full build: database, login, the request form, the routing engine, the approval screens, the SoD warnings, the email flow, the grant-task hand-off to IT, and the access register.
- The hard human approval gate and the high-risk extra-sign-off logic.
- Verification steps so you can prove it works, and the CSV-export fallback so it's fully usable even before you connect it to your identity/provisioning system.
The governance it includes (this is the point)
This isn't a toy. The plan builds in the controls an IT security team actually needs:
- Login so only your team can see or touch anything.
- Row-level security so people only ever see their own organization's requests and approvals.
- A complete audit trail - every request, route, approval, rejection, SoD warning, and grant is logged with who and when.
- A hard human-in-the-loop gate - the AI routes and drafts, but real approvers must sign off; nothing becomes an IT grant task automatically, and high-risk access needs the extra owner sign-off.
- Duplicate guards so the same person can't open two requests for the same system, and the same access isn't granted twice.
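The routing, SoD-warning, dedupe and hard-gate rules from the build list above and from these governance points, as an added TypeScript example that is not code from the plan or from the app it generates. The catalog entries, staff/manager map, SoD pair, access register and the `extraOwner` field used for the high-risk second sign-off are constructed assumptions, and refusing to route a request whose manager or owner is missing is one possible answer to the edge cases the plan leaves for your interview.

```typescript
type Risk = "low" | "high";
interface Entry { system: string; entitlement: string; owner?: string; risk: Risk; extraOwner?: string }
interface Approval { approver: string; decision: "approve" | "reject"; reason: string }
interface Req { id: string; requester: string; system: string; status: "open" | "closed"; approvals: Approval[] }

// Constructed sample data standing in for the catalog sheet and the staff/manager list.
const CATALOG: Entry[] = [
  { system: "finance-drive", entitlement: "read_finance", owner: "carol", risk: "low" },
  { system: "ap-payments", entitlement: "pay_vendor", owner: "carol", risk: "high", extraOwner: "dave" },
  { system: "orphan-app", entitlement: "admin", risk: "low" }, // edge case: no owner on record
];
const MANAGER: Record<string, string> = { alice: "bob" }; // edge case: contractor "eve" has no manager
const SOD_PAIRS: [string, string][] = [["create_vendor", "pay_vendor"]];
const EXISTING: Record<string, string[]> = { alice: ["create_vendor"] }; // current access register
const entry = (system: string) => CATALOG.find((e) => e.system === system);

// Route: manager + owner, plus the extra owner sign-off on high-risk. Returns an error string
// instead of a route when an approver is missing, so nothing is routed on a guess (assumption).
function requiredApprovers(requester: string, system: string): string[] | string {
  const e = entry(system);
  if (!e) return `unknown system ${system}`;
  const mgr = MANAGER[requester];
  if (!mgr) return `no manager on record for ${requester}`;
  if (!e.owner) return `no owner on record for ${system}`;
  const route = [mgr, e.owner];
  if (e.risk === "high" && !e.extraOwner) return `high-risk ${system} has no extra owner`;
  if (e.risk === "high") route.push(e.extraOwner as string);
  return Array.from(new Set(route)); // one person holding two roles signs once
}

// SoD warning: entitlements the requester already holds that conflict with the one requested.
function sodWarnings(requester: string, system: string): string[] {
  const want = entry(system)?.entitlement;
  const have = EXISTING[requester] ?? [];
  return SOD_PAIRS.filter(([a, b]) => (a === want && have.includes(b)) || (b === want && have.includes(a)))
    .map(([a, b]) => `${a} + ${b}`);
}

// Dedupe: at most one open request per requester per system.
function isDuplicate(reqs: Req[], requester: string, system: string): boolean {
  return reqs.some((r) => r.requester === requester && r.system === system && r.status === "open");
}

// Hard gate: a grant task exists only when every required approver approved with a reason and nobody rejected.
function grantTask(r: Req): { requestId: string; system: string; approvedBy: string[] } | null {
  const need = requiredApprovers(r.requester, r.system);
  if (typeof need === "string") return null; // unroutable request can never become a grant task
  if (r.approvals.some((a) => a.decision === "reject")) return null;
  const ok = need.every((p) => r.approvals.some((a) => a.approver === p && a.decision === "approve" && a.reason.trim() !== ""));
  return ok ? { requestId: r.id, system: r.system, approvedBy: need } : null;
}
```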
Who it's for
IT security and IAM (identity & access management) coordinators, IT help-desk staff, and application/data owners who are tired of approving access over email and can never prove who said yes. If your access requests keep getting stuck in tickets and Slack, and you want a real, auditable self-service workflow without hiring a developer or buying a heavyweight IAM platform - this is for you. You don't need to write code. You need your systems catalog, your staff/manager list, and an afternoon to a weekend.
You've got this - paste the first prompt and let the agent interview you.