| Requestor scope | Specific users/groups, directory members, connected organizations, or other supported external populations. | The wrong people discover a package, or intended users cannot see the correct policy in My Access. | Test eligible and ineligible identities, tenant hint, hidden status, catalog enabled state, and policy visibility. |
| Questions and justification | Collect only decision-useful, non-sensitive information with owners, retention expectations, and answer choices. | Approvers receive vague answers, sensitive data is placed in a request, or automation cannot interpret the response. | Sample requests, privacy review, required/optional state, localized wording, export, and decision usefulness. |
| Approval stages | Manager, sponsor, resource owner, external sponsor, alternate approvers, duration, and escalation route. | Approvers are unavailable, self-approve, lack context, or allow requests to expire silently. | Positive/negative routing, multiple approvers, timeout, alternate approver, notification, and audit history. |
| Assignment duration | On-date, number of days/hours, or never; requested period; extension; maximum end date; business reason. | Temporary access becomes effectively permanent or an extension bypasses the intended sponsor decision. | Start/end timestamps, time zone, expiry event, extension request, denial, and post-expiry resource removal. |
| Access review | Reviewer, recurrence, duration, decision helpers, justification, nonresponse action, and result application. | A review records decisions but does not remove access, or reviewer selection has a conflict of interest. | Reviewer assignment, decision samples, nonresponse test, apply-results outcome, removal, and exception evidence. |