Purpose
Provide end-user assistance content for the Permission Change Center, including a Help card, FAQs, embedded in-product guidance (microcopy, tooltips, validation, banners), and quick-resolution steps for high-frequency errors.
Help Card (Need Help)
Title: Need help with permission changes?
What you can do here:
- Request new access or modify existing permissions
- Set a start and end date for temporary access
- Track request status and see required approvals
- Revoke or downgrade access you no longer need
Before you start:
- Confirm the resource name or ID (e.g., project, repository, application)
- Select the exact role or permission set you need
- Prepare a clear business justification
- If requesting on behalf of a user or team, ensure you have delegation rights
Approvals and timing:
- Most requests require owner or manager approval
- Sensitive roles (admin, write, production) may require additional approvals
- Processing times vary by resource and policy; you will be notified of updates
Security and compliance:
- Changes are logged for audit
- Temporary access is recommended for elevated permissions
- Your justification is visible to approvers and auditors
Need more help?
- Review the FAQs below
- Contact support with your request ID
FAQ
-
What is a permission change?
A request to add, remove, or modify a user’s access to a resource (e.g., assigning a role, granting a permission set, or changing access duration).
-
Who can submit a request?
Any authenticated user can request access for themselves. Requests on behalf of others may require delegation or admin rights, depending on policy.
-
Can I request temporary access?
Yes. Select a start and end date. Temporary access is recommended for elevated roles.
-
Why do I need to provide a justification?
Approvers and auditors use it to verify business need and ensure least-privilege access.
-
How long will my request take?
It depends on required approvals and provider processing. You will receive notifications at each stage.
-
What if my request is denied?
You will see the denial reason in the request details. You can edit and resubmit, or contact the approver for guidance.
-
Can I request access for a team or group?
If enabled by policy. Otherwise, submit individual requests or contact your admin.
-
What if I cannot find my resource?
Use the resource ID if available. If still missing, choose “Resource not listed” and provide details, or contact the resource owner.
-
What is the difference between role and permission set?
A role is a predefined collection of permissions. A permission set may be a more granular group. Choose the smallest set that meets your need.
-
Can I change or cancel a submitted request?
Yes, while it is pending. Open the request and select Cancel or Edit.
-
How do I track my request?
Go to My Requests. Use filters for status, resource, or date. Select a request to view approval steps and activity.
-
What happens when temporary access expires?
Access is automatically removed. You will be notified before expiration and can request an extension if needed.
-
Will this cause downtime?
Permission changes typically do not cause downtime. Some systems may require a short propagation window.
-
Are changes audited?
Yes. All changes, approvals, and revocations are recorded and searchable by authorized users.
-
How are conflicts handled (e.g., multiple roles)?
The most restrictive policy applies unless explicitly allowed. Conflicts are shown during review with recommended actions.
Embedded In-Product Guidance (Microcopy)
Page titles and summaries:
- Permission Change Center: Request, track, and manage access changes
- New Request: Specify resource, role, justification, and duration
Primary actions:
- Request access
- Modify access
- Revoke access
- Submit for approval
- Save as draft
- Cancel request
Field labels and help text:
- Resource: Search by name or ID. Example: “billing-api-prod” or “PRJ-12345”
- Role/Permission set: Choose the least-privilege option that meets your need
- Assignee: User who will receive the access. Default is you
- Duration: For temporary access, set start and end. Permanent access requires justification
- Justification: Explain business need, scope, and impact. Avoid sensitive data
- Approver (optional): Suggest an approver if known. Final routing follows policy
Tooltips and info banners:
- “Sensitive role”: This role grants elevated privileges and requires additional approval
- “Conflicting roles”: Selected role overlaps with existing permissions. Consider removing redundant access
- “Policy hint”: Your organization recommends temporary access for write/admin roles
Validation messages:
- Resource is required
- Role is required
- Assignee is required
- Start date must be today or later
- End date must be after start date
- Duration exceeds policy limit of {X days}
- Justification must be at least {N} characters
- You have a pending request for this resource and role. Edit the existing request instead
Empty states:
- No requests yet: Submit your first access change to get started
- No matches found: Adjust your search or enter the resource ID
- No approvals required: This request will be auto-processed based on policy
Status and toasts:
- Submitted: Your request {REQ-ID} was submitted and routed for approval
- Approved: Your request was approved. Applying changes now
- Changes applied: Access granted. Propagation may take up to {X minutes}
- Denied: Your request was denied by {Approver}. View details
- Revoked: Access removed as requested
- Auto-expired: Temporary access expired on {date}. Re-request if needed
Confirmation dialogs:
- Confirm revoke: Removing this access immediately. Continue?
- Confirm cancel: This will withdraw the request. Continue?
- Confirm overwrite: You already have a similar role. Replace with the new role?
Inline review cues for approvers:
- Risk summary: Elevated scope, temporary access requested, justification length
- Impact preview: Resources affected, groups changed, potential conflicts
- Decision options: Approve, Deny, Request changes. Add a comment for audit
High-Frequency Error Resolution Steps
- Error: “Insufficient privileges to request this change”
- Likely cause: You lack delegation or requestor rights for the assignee or resource
- Fix (requestor): Submit for yourself, or ask a manager/owner to submit. If you need delegation, request it from the admin
- Fix (admin): Grant request-on-behalf permission or adjust policy for the user’s group
- Error: “Resource not found”
- Likely cause: Typo, wrong environment (dev/prod), or the resource is not onboarded
- Fix (requestor): Verify the exact name/ID; switch environment filter; try the ID if name fails
- Fix (owner/admin): Onboard the resource to the directory or sync metadata; confirm visibility settings
- Error: “Role/permission set unavailable”
- Likely cause: Role is deprecated, renamed, or restricted by policy
- Fix (requestor): Select an alternative role or submit with “Cannot find role” notes
- Fix (admin): Restore or map deprecated roles; update catalog; add migration guidance
- Error: “Duration exceeds policy limit”
- Likely cause: Requested end date beyond allowed maximum
- Fix (requestor): Shorten the duration or request permanent access with stronger justification
- Fix (admin): If business-justified, update policy or add an exception workflow
- Error: “Pending duplicate request”
- Likely cause: Existing open request for same resource/role/assignee
- Fix (requestor): Edit the existing request to change dates or justification; cancel if no longer needed
- Fix (admin): Merge or close duplicates; communicate consolidation to requestor
- Error: “Approval routing failed”
- Likely cause: Missing resource owner, invalid approver configuration, or directory sync delay
- Fix (requestor): Provide a suggested approver and resubmit later if prompted
- Fix (admin): Assign a fallback owner; repair approver groups; trigger a directory sync and requeue
- Error: “Policy conflict detected (role overlap or assignment cap)”
- Likely cause: New role conflicts with existing roles or exceeds assignment limits
- Fix (requestor): Remove redundant access or select a non-conflicting role
- Fix (admin): Update conflict rules; define allowed combinations; raise caps if compliant
- Error: “MFA required to approve or apply change”
- Likely cause: Sensitive change requires step-up authentication
- Fix (requestor/approver): Complete MFA and retry the action
- Fix (admin): Verify MFA policy enforcement and ensure the user’s MFA enrollment is active
- Error: “Provisioning failed at provider”
- Likely cause: External system error, rate limit, or invalid mapping
- Fix (requestor): Wait and retry if prompted; check status for details
- Fix (admin): Review provider logs; verify role-to-group mappings; retry with backoff; open a ticket with the provider if persistent
- Error: “License or seat unavailable”
- Likely cause: No available license for the requested role/application
- Fix (requestor): Choose a different role or request a license via the designated process
- Fix (admin): Allocate additional licenses or define a waitlist; notify the requestor
- Error: “Session expired”
- Likely cause: Inactivity or token expiry
- Fix (requestor/approver): Sign in again and resume from My Drafts or My Requests
- Error: “Invalid justification”
- Likely cause: Too short or contains restricted content
- Fix (requestor): Provide specific business purpose, scope, and timeframe. Do not include secrets or personal data
- Fix (admin): Adjust minimum length or content rules if needed
Operational tips (for admins/owners):
- Keep the resource catalog and role mappings current to reduce “not found” and “unavailable” errors
- Define fallback approvers and escalation paths
- Enforce least privilege by favoring temporary elevated access with clear maximum durations
- Monitor audit logs and provisioning failure rates to identify systemic issues
Style and Tone Guidance (for product copy)
- Use concise, action-oriented language
- Prefer concrete labels over jargon (e.g., “Role” instead of “Entitlement artifact”)
- Surface policy constraints early (e.g., duration limits) to prevent rework
- Provide next steps in every error message
- Avoid blame; suggest user and admin paths to resolve
This content is designed to be pasted into your product UI and documentation with minimal modification. Replace placeholders such as {REQ-ID}, {X minutes}, and {N} with runtime values or policy settings.
