This playbook describes the technical steps required to configure the transition from discovery to access, ensuring that BI assets are findable and governed.
1. Select Access Request Processing Method
The initial step requires a global architectural selection to determine how Metric Insights handles incoming access requests.
Access Admin > System > System Variables and locate the following parameters:
- Internal Processing: Set ACCESS_REQUEST_VIA_WEBPAGE to "N". This configuration manages and fulfills requests within the Metric Insights Requests interface.
- External Form/Webpage: Set ACCESS_REQUEST_VIA_WEBPAGE to "Y" and specify the destination in the ACCESS_REQUEST_URL variable. This redirects users to a pre-defined external portal.
- Access Request API: Provide a valid endpoint in the ACCESS_REQUEST_URL variable to allow an external governance tool (e.g., SAP GRC) to receive request metadata and programmatically update Permissions.
Reference: Access Request Overview: Setting the Access Request Processing
1.1. Configure Access Request Profile
If requests should be routed automatically to an external ticketing/ITSM system instead of being handled through the methods above, configure an Access Request Profile. Currently only Freshworks is supported; ServiceNow support is planned for a future release. This requires the Manage User Access Requests Privilege.
- Create the profile: Go to Content Center > Profiles tab > [+ New Profile] and set the Profile Name, integration Type (Freshworks), API URL for your service desk endpoint, and API Token.
- Configure the request body template: In the JSON editor, define what's sent to Freshworks on each request, using placeholders to inject user and content details (e.g., {{user_email}}, {{element_name}}). The body must include quantity, email, and any custom fields configured for the Freshworks service item.
- Apply the profile to a Category: Go to Content > Categories > [Category Name] > Access & Ownership tab and select the Access Request Profile you configured. Requests from that category are then sent directly to Freshworks and will not appear in the internal Requests queue (see the final step below).
Reference: Configure Access Request Profile
2. Configure Global Visibility and Notification Variables
Define the default behavior for the platform to standardize the user experience.
- Global Discoverability Logic (NEW_CONTENT_IS_DISCOVERABLE): This variable determines the default state of the "Make Discoverable" toggle for all newly created Elements.
- Recommendation: Set to "N" if you prefer to manually vet which Reports are findable. Set to "Y" to promote a fully transparent catalog by default.
- Automated Notifications (SEND_ACCESS_REQUEST_DIGEST): This setting controls the delivery of email alerts.
- Action: Enable this to ensure Approvers are notified immediately when a user interacts with a discoverable Tile. If disabled, Approvers must manually check the Requests queue to identify new submissions.
- Action Button Standardization (ACCESS_REQUEST_BUTTON_TEXT): This variable defines the specific label for the request action across all discoverable Tiles.
- Action: Define a label that matches your internal terminology (e.g., "Request Access," "Apply for Permission," or "Contact Data Owner").
Reference: Access Request Overview: Optional Settings
3. Configure Element-Level Discoverability
After the global parameters are set, apply Discoverability settings to specific Reports or metrics via the Element Editor > Access & Ownership tab.
- Enable Visibility: Activate the "Make Discoverable to Users Without Access" toggle.
- Define Access Request Group: Select the specific user groups authorized to identify this Tile in the Catalog.
- Set Tile Blur Levels: Use the Preview Image Blur slider to obscure specific data values while maintaining the visual context of the visualization.
- Designate the Approver: Enter a functional email address in the Access Request Email field.
- If left null, the system defaults the Approver role to the System Administrator.
Reference: Setting Element's Discoverability: Set Element to be Discoverable
4. Configure Access Settings on Category
A few Discoverability settings live on the Category editor rather than the Element editor, and apply to every Element beneath that Category.
- Restrict Discoverability to Specific Groups: By default, discoverable content is visible to all users. To restrict it to specific Groups instead, set the system variable RESTRICT_DISCOVERABLE_CONTENT to "Y" (Admin > System > System Variables). Once enabled, go to Content > Categories > [Category Name] > Access & Ownership tab and select which Groups can discover content under that Category.
- Access Request Profile: An Access Request Profile can be assigned at the Category level via the same Access & Ownership tab, routing access requests for all Elements under that Category directly to the configured external system.
References:
5. Customize Access Denied Interface
This stage defines the interface presented to an unauthorized user upon selecting a discoverable Tile.
- Enable Custom Message: Activate "Use Custom Access Denied Message" in the Element Editor.
- Input Technical Instructions: Provide the specific requirements for access (e.g., "Access requires completion of Data Privacy Training").
- Inheritance: If no message is set, the system checks the parent Category before reverting to the system default.
Technical Reference: Access Request Overview: Customize Access Denied Message on the Element Editor
6. Fulfill and Grant Permissions
The final stage is the operational fulfillment of pending requests by the designated Approver.
- Access the Request Queue:
- Power Users (Approvers): Navigate to Content > Requests to view items assigned to their specific Elements.
- System Administrators: Navigate to Admin > Content > Content Center > Requests for global oversight of all system requests.
- Evaluate the Request: Review the requester's identity and any comments provided during the submission process.
- Define Access Scope: Before finalizing the approval, determine the breadth of access required:
- Single Element: Grant Permissions only to the specific requested Element.
- Entire Category: Use the drop-down menu to grant Permissions to the parent Category and all contained Elements. This is the standard practice if the user requires access to a full functional suite (e.g., all Sales Reports).
- Execute Approval: Select the grant action to update the user's Permissions immediately.
Requests routed to an external webpage, a direct API integration, or an Access Request Profile are fulfilled outside Metric Insights and never appear in this queue.
Reference: How to Process Access Requests