Agentic access provisioning helps organizations deliver the right app access to employees at the right time, with minimum manual effort for IT teams. Once you define the essentials — your applications, their entitlements, and the access policies that govern them — Atom takes over. When someone requests access, the provisioning agent autonomously interprets the request, evaluates eligibility, manages any required approvals, and provisions access accordingly.
With agentic access provisioning, employees can:
Request access conversationally through Atom
Discover what entitlements they have or are eligible for
Receive access instantly when policies allow it, or follow an approval process when required
Admins can:
Define applications, entitlements, and policies centrally
Automate access provisioning using identity providers like Okta or Entra
Trigger manual provisioning through service requests when needed
Set up approval policies that notify stakeholders to review access requests
Monitor access grants and changes through auditing
NOTE: This guide helps you configure application access end-to-end. To learn more about the key constructs behind agentic provisioning, read the Understanding agentic access provisioning guide.
Configuring application access
Managing your applications
Applications refer to the tools and systems your organization provides to employees, such as Salesforce, HubSpot, ChatGPT, or Cursor.
The Applications page lists all the apps you can configure for provisioning.
Navigate to Settings in the left navbar and click on Applications under Access management.
If you've integrated an identity management platform (IdP) like Okta or Entra, this page will be automatically populated with your applications from that IdP.
Click on Add to manually add a new application.
Give the app a name, assign an app owner, and upload a logo as needed.
Once an application is set up, you can configure its policies, entitlements, and provisioning rules using the Access policies, Entitlements, Users, and Settings tabs.
Creating access policies
Access policies decide which users should get access to an application. You can create multiple policies for a single application to cater to various teams and roles within your organization.
For example, say your organization uses Salesforce.
The Sales team may need Standard User access.
The Finance team may need Marketplace Viewer access.
The Marketing team may only need Read-only access.
Instead of managing this manually, you can create three separate access policies, each mapping a different user segment to the entitlements they need. When users from these teams request access through Atom, the correct policy is automatically applied.
To create an access policy for an application:
Choose the application from the Applications page and click on the Access policies tab.
Click on Add at the top right to create a new policy, or edit one of the existing policies.
Define the audience for the policy. This determines which users the policy applies to.
Configure the approval requirements for this policy:
Pre-approved: Users get access to the app without an approval workflow
Approval required: Access is granted only after the request is reviewed by designated approvers. You can define the approvers by selecting the right approval policy — this could be the app owner, org admins, reporting manager, or a custom policy.
For example, the Salesforce Read-only access policy for the Marketing team may require their Reporting Manager's approval.
Turn on Require business justification to prompt users for a reason when they request access and log the justification automatically.
Click Next to choose the entitlements for this policy. Learn more about defining entitlements.
Publish the policy to make it available for employee access requests.
Defining entitlements
Entitlements describe the specific level or type of access a user can receive within an application.
For example, an app like Salesforce might have entitlements like:
View accounts – Allows users to view account records.
Edit accounts – Allows users to create or update account records.
View opportunities – Allows users to view opportunity records.
Edit opportunities – Allows users to create or update opportunity records.
Export reports – Allows users to export report data.
Manage dashboards – Allows users to create and modify dashboards.
Access Marketplace – Allows users to use Salesforce Marketplace features.
Modify all data – Grants full administrative control across Salesforce objects.
For the Marketing team, the Read-only access policy would include View accounts, View opportunities, and Export reports.
To add a new entitlement to an application:
Navigate to the Entitlements tab in an application and click on Add. You can also add a new entitlement while setting up an access policy.
Provide a name and description that clearly describe what this entitlement allows a user to do. Click on Next.
Choose the provisioning method, which defines how access is granted. Entitlements can be provisioned by:
Adding to an Okta group — Atom adds the user to a specified Okta group.
Adding to an Entra group — Atom provisions access via Azure AD.
Creating a service request — Atom creates a ticket for an agent to fulfil access manually. You must select the workspace where the request will be created.
This allows you to automate provisioning where possible while still supporting applications that require manual steps.
If you’re provisioning access through a service request, use Add a question to collect additional details from the user. This ensures the agent has all the information they need upfront.
Click on Save. Once saved, the entitlement becomes available for policies and employee access requests.
Setting provisioning rules
Each application includes settings to help administrators manage ownership and handle situations where a user qualifies for more than one policy.
Navigate to the Settings tab within an application.
Update the application name, owner, or logo as required.
Choose the priority rule under Policy conflict handling to decide which policy should apply when a user qualifies for multiple audiences. You can prioritize by:
Policy severity — Applies the policy with the highest severity.
Latest policy — Applies the most recently created policy.
Segment specificity — Applies the policy targeting the most specific user segment.
Enable Self-service with Atom to have Atom apply your configured access policies during conversational access requests.
Click on Update.
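The three priority rules can pick different policies for the same user, which matters when one of the candidates is pre-approved. The following model is an added example, not Atom's code: the field names, the numeric severity scale, and treating a smaller audience as more specific are assumptions, and the users, dates, and severity values are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical model of an access policy. Field names, the severity scale,
# and "smaller audience = more specific" are assumptions, not Atom's data model.
@dataclass(frozen=True)
class Policy:
    name: str
    audience: frozenset   # users the policy applies to
    approval: str         # "pre-approved" or "approval required"
    severity: int         # assumed: higher number = higher severity
    created: date

# Constructed sample policies for one application (Salesforce in the guide's example).
POLICIES = [
    Policy("Sales Standard User", frozenset({"ana", "raj", "lee", "kim"}),
           "pre-approved", 2, date(2024, 4, 1)),
    Policy("Marketing Read-only", frozenset({"lee", "kim"}),
           "approval required", 1, date(2024, 3, 5)),
    Policy("Finance Marketplace Viewer", frozenset({"lee", "kim", "sam"}),
           "approval required", 3, date(2024, 2, 1)),
]

# One sort key per priority rule under Policy conflict handling; max() picks the winner.
RULES = {
    "Policy severity": lambda p: p.severity,
    "Latest policy": lambda p: p.created,
    "Segment specificity": lambda p: -len(p.audience),
}

def resolve(user, rule, policies=POLICIES):
    """Return the single policy applied to `user` under `rule`, or None if none match."""
    candidates = [p for p in policies if user in p.audience]
    return max(candidates, key=RULES[rule]) if candidates else None

def review_conflicts(policies=POLICIES):
    """Map each user whose outcome depends on the chosen rule to the policy per rule."""
    report = {}
    for user in sorted(set().union(*(p.audience for p in policies))):
        outcomes = {rule: resolve(user, rule, policies).name for rule in RULES}
        if len(set(outcomes.values())) > 1:
            report[user] = outcomes
    return report

if __name__ == "__main__":
    for user, outcomes in review_conflicts().items():
        print(user, outcomes)
```

In this sample, users who sit in all three audiences land on the pre-approved Sales policy under Latest policy but on an approval-required policy under the other two rules, which is the kind of overlap to review before publishing a new policy.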
Understanding grants and auditing
Every access grant—whether automated or manual—is logged for compliance. The Users tab gives you a clear view of who currently has access and how that access was provisioned. For each user, you can see:
Which entitlement they were granted
Their access status
When the entitlement was last granted
Which team or workspace provisioned the access
This helps admins quickly understand who has access to the application and where that access came from.
Audit logs also capture changes to applications, entitlements, policies, and approval policies, providing full transparency and making access reviews easier to manage.
Requesting and managing access with Atom
Once configuration is complete, employees can request and manage access conversationally through Atom. They can:
Request access to an app
Ask what they’re eligible for
Check what entitlements they have or what they need
View reasoning trails for access decisions
For example, if the user says:
“Can I get access to Salesforce Marketplace?”
Atom reviews the policies, confirms eligibility, checks for approvals, and provisions based on the defined method.
“What access do I have in HubSpot?”
Atom lists existing entitlements and policy context.
“I need view-only access to Gong.”
Atom identifies the read-only entitlement and guides the user through approval or justification steps.
Atom uses the policy logic you've defined, ensuring access remains consistent and governed.
Agentic access provisioning streamlines access management for end-users, app owners, and IT teams. By defining applications, entitlements, and policies, you create a secure, scalable foundation for automated provisioning that reduces manual work and improves governance.
