At Videoamp, Tuesday became access-request pileup day after the company grew from 100 to 500 employees. New hires started Monday, then IT spent Tuesday chasing missing details and approvals that should've been straightforward. That's where self-service portals cut the real waste: they force the request to come in with the app, role, owner, and approval path already attached. Once intake is clean, the rest of access work gets a whole lot easier.
The request itself isn't the hard part. Someone asking for Figma Editor, Salesforce Admin, or GitHub access is easy. What breaks is everything around it: missing context, unclear approvers, manual group changes, forgotten revocations, and the audit trail you have to rebuild three months later.
Key Takeaways:
- Self-service portals cut access workload by forcing every request through one intake path instead of Slack, email, Jira comments, and side conversations.
- The real win isn't a nicer request form. It's clean context, routed approvals, group-based provisioning, expiry, and evidence in the same workflow.
- If approval and provisioning still happen outside the ticket, you haven't fixed the access problem. You've just made intake prettier.
- Least privilege works better when it's automated by default, especially for temporary or elevated access.
- Access reviews should run where the work already lives, because auditors don't care how hard your team tried. They care whether the evidence is complete.
Why Access Requests Break Before Audit Season
Access requests break because the work is split across too many places. The employee asks in one place, the approval happens somewhere else, the access change happens in the identity provider, and the evidence gets copied into a spreadsheet later. At low volume, that feels manageable. At scale, it becomes a tax on every IT and security team.

The Bottleneck Starts With Where Requests Land
A workplace technology manager opens Jira at 9:12 AM and sees 41 new access tickets from onboarding. Half say "need access to analytics." A few are Slack screenshots pasted into comments. Three mention managers, but no app owner. One person asked for Admin because they didn't know Viewer existed. Now the team isn't just granting access. They're interpreting intent.

That's where the access request bottleneck really starts. Not in Okta. Not in Entra. Not in Google Workspace. It starts when the request doesn't contain enough context to make a fast decision. And frankly, most teams tolerate this for way too long because the volume feels annoying, not broken. Until it compounds.
At Videoamp, the pattern showed up on Tuesdays. New hires started Monday, then the IT queue filled up with access requests the next day. They had grown from 100 to 500 employees, and the issue wasn't that IT didn't care. The issue was that requests came in without enough detail, ownership was unclear, and every missing field created another back-and-forth. That is how self-service portals cut the first layer of work: they force the right inputs before a human ever touches the ticket.
Spreadsheets Make Reviews Look Cleaner Than They Are
Spreadsheet-driven access reviews usually look fine in the meeting. Rows, owners, tabs, dates, comments. Very official. But the spreadsheet isn't the system of record, and that matters a lot more than most teams admit.

A reviewer marks "revoke" in a spreadsheet. Someone else needs to remove the user from the right group. Another person needs to create a ticket or update one. Then someone needs to prove the removal happened. If one step gets missed, the spreadsheet says governance happened, but the access is still live. That's a dangerous gap.
The operational version of this is pretty ugly. Jira tickets for requests. Slack messages for approvals. Identity provider logs for changes. Spreadsheets for certification. It's like running finance with invoices in one system, payments in another, and audit evidence in screenshots. You can make it work. But you pay for it every quarter.
If your team is already doing access work in Jira, the next logical step is to stop rebuilding governance outside of it. The access workflow needs to carry the request, decision, change, and evidence together. If that idea feels painfully obvious, that's probably because you've lived the alternative. Learn more about Multiplier while the pain of scattered evidence is still fresh.
Policy Without Enforcement Turns Into Standing Privilege
Least privilege sounds great in a policy doc. Everyone agrees with it. No one argues for extra access forever. Yet if a human has to remember to remove access later, standing privilege wins more often than people want to admit.
That's why policy-heavy approaches often fail. They assume the control is the document, and it isn't. The control is the workflow that enforces the document when everyone is busy, tired, under pressure, or dealing with 100 other tickets. In my experience, that's the difference between "we believe in least privilege" and "we actually run least privilege."
There is a fair counterpoint here. Some companies need deep IGA systems because their environment is huge, heavily regulated, or deeply custom. That's valid. For a lot of mid-market and high-growth teams already running Jira Service Management, though, the bigger mistake is buying more policy machinery while the daily work still happens through Slack, Jira, and manual identity provider changes. Automation-first least privilege beats policy-heavy governance without operational enforcement.
How Self-Service Access Portals Cut Manual Work
Self-service portals cut manual work when they standardize intake, route approvals, trigger provisioning, enforce expiry, and preserve evidence in one flow. The portal matters because it turns messy human requests into structured operational data. Without that structure, IT still has to translate every request by hand.
Check Whether Intake Is Really the Bottleneck
Before changing the workflow, look at where your team is actually spending time. Most access teams assume provisioning is the bottleneck because logging into the identity provider feels like "the task." When you break it down though, the slowest part is often before provisioning: clarifying what the person needs, finding the approver, chasing the decision, and documenting why access was granted.
Here's a simple diagnostic. Pull 25 recent access requests from Jira. Not 200. Just 25. For each one, mark where the first delay happened. Was the app missing? Was the role unclear? Was the approver wrong? Was approval stuck? Was provisioning manual? Was evidence missing? You don't need a fancy model for this. You need the pattern.
The decision rule is clean: if more than 40% of the delays happen before approval, your intake is broken and you fix the request form first. If more than 40% happen after approval, your provisioning and revocation process is broken and you fix group mappings first. If the delays are spread across every stage, the workflow is fragmented, which is usually worse because no single fix will save you. Don't automate the loudest step. Automate the step that creates the most downstream work.
What surprised me the first time I saw this done well was how basic the fix looked. It wasn't a giant transformation project. It was a better request path, with sanctioned apps, clear roles, mapped approvers, and enough context to make a decision fast. Boring? Maybe. Effective? Very.
A quick audit should answer these questions:
- Which apps create the most repeat requests?
- Which roles get confused most often?
- Which approvers delay tickets the longest?
- Which access grants should expire automatically?
- Which requests create the most audit cleanup later?
Put Approved Apps in One Place First
A self-service portal only works if employees trust that it contains the apps they actually need. If the catalog is incomplete, people go back to Slack. If the roles are confusing, they pick Admin. If ownership is unclear, IT becomes the default approver. And now your portal is just another front door to the same old mess.
Start with the top 20 to 30 sanctioned apps that create the most access volume. Not every app in the company. Not the weird edge-case tool someone bought three years ago. Start with the apps that hit the queue every week: Slack, Zoom, Jira, GitHub, Salesforce, Figma, HubSpot, whatever your version of that list is. Each app needs a plain-English role menu. Viewer, Editor, Admin, Finance only, Contractor access. Words people understand.
At Luno, rapid growth pushed access requests across Slack, email, and Jira. They were approaching 1,200 employees and had hundreds of routine requests landing manually. IT had to chase managers and then manually assign Okta groups. After moving to a self-service app store in Jira with approval routing and automated provisioning, they cut IT workload on access requests by 80%. That number matters because it wasn't just faster clicking. The whole request shape changed.
A good app catalog is like a restaurant menu for access. If the menu is clear, customers don't walk into the kitchen asking what they can order. They pick from what you've approved, choose the right size, and the staff knows exactly what to make. Access works the same way. The catalog turns vague demand into a request the system can process.
Route Approval Based on Risk, Not Habit
A lot of companies route every access request through the same approval motion because that's how the workflow was set up years ago. Manager approval for everything. App owner approval for everything. Security approval for anything that looks scary. It feels controlled, but it creates unnecessary drag.
Risk-based approval is cleaner. Low-risk access can be auto-approved or sent to a manager. Sensitive systems should go to the app owner. Elevated roles may need a tighter path. The key is to stop treating every request like it carries the same consequence. A contractor asking for temporary access to a design file is not the same as an engineer asking for production admin rights.
The rule I like is pretty simple. If the access exposes customer data, financial systems, production environments, or admin controls, add explicit approval from the owner. If the access is common, low-risk, and role-based, don't make three people bless it. You'll just train employees to bypass the process.
Approval speed matters because people don't wait forever. They ask in Slack. They DM someone they know. They reuse someone else's access. Not maliciously most of the time. Just because they have a job to do. The portal has to be easier than the workaround. If it isn't, the workaround wins.
Approval design should usually separate requests into three buckets:
- Low-risk standard access: common apps and default roles tied to job function.
- Moderate-risk business access: systems with team data, customer context, or paid licenses.
- High-risk privileged access: admin roles, production systems, finance tools, and sensitive datasets.
Provision Through Groups So Access Can Be Reversed
The request portal is only half the system. Provisioning is where the workflow either becomes real or falls back on humans. If approval still means "someone from IT logs into Okta and adds the user," you haven't removed enough work. You've just moved the manual step later.
Group-based provisioning is the cleaner operating model. Each requestable role maps to one or more identity provider groups. When the request is approved, the user gets added to the group. When access ends, the user gets removed from the group. The identity provider stays authoritative, and the ticket captures what happened. Clean, reversible, and auditable.
There is a limitation here, and it's worth saying directly. Group-based provisioning works best for SSO apps where groups drive entitlements through the identity provider. If an app isn't connected, or access is granted manually inside the SaaS app, you may still need a human step. Fair enough. The point isn't to pretend every system can be automated on day one. The point is to stop treating manual work as the default for apps that can be governed through groups.
That shift changes the economics of access. A request that used to take 5 to 30 minutes becomes an approval plus a group change. A revoked entitlement doesn't need a separate cleanup task. The evidence doesn't need to be recreated later. When you multiply that across hundreds or thousands of requests, self-service portals cut a lot more than ticket volume. They cut the hidden work attached to every ticket.
Make Temporary Access the Default for Risky Roles
Standing access is often just expired temporary access that nobody removed. That's the uncomfortable part. Someone needed Admin for an incident. Someone needed finance system access for quarter close. Someone needed GitHub permissions for a short project. The business reason was valid at the time. Six months later, the access is still there.
Time-bound access fixes that by changing the default. Instead of asking, "Should we remember to remove this later?" the workflow asks, "How long should this access last?" One hour. Six hours. Twenty-four hours. Maybe longer depending on the role. The important part is that expiry is part of the request, not a reminder someone adds to a calendar.
This is where self-service portals cut security risk and operational work at the same time. The employee gets access fast. The approver has a clear reason and duration. The system removes access when the time is up. Security gets less standing privilege. IT gets fewer cleanup tickets. Everyone wins without turning every request into a debate.
Not every app should use time-bound access. Standard role access for a full-time employee probably doesn't need a one-hour timer. Elevated permissions should. Admin roles should. Break-glass style access should. If the role would make you nervous during an audit, it probably deserves an expiry.
A practical starting rule:
- Put all admin roles behind explicit approval.
- Require a duration for elevated access.
- Auto-revoke through identity provider group removal where possible.
- Record the grant and removal on the original ticket.
- Review exceptions monthly until the pattern is stable.
Run Reviews Where Evidence Already Lives
Access reviews fail when reviewers don't have enough context to make a real decision. A spreadsheet with names and apps isn't context. Reviewers need department, role, group membership, last login, and a clear action. Keep or revoke. Without that, reviews become rubber-stamping dressed up as compliance.
The better approach is to run reviews where the access history already lives. If requests, approvals, grants, and revocations are in Jira, then access certification should use that same operational record. The reviewer shouldn't need to hunt across tickets, identity provider logs, and spreadsheets to answer a basic question: does this person still need access?
Synthesia is a good example of why this matters at scale. They grew 4x and had access requests tracked through Slack channels and Notion boards. A four-person IT Ops team had to support more than 420 employees, which sounds impossible if everything stays manual. After moving access requests into Jira Service Management with automated workflows and Okta provisioning, 75% of requests became fully automated and they processed 3,800+ requests in a year. That's the kind of volume where manual evidence falls apart.
Access reviews need the same operating logic as access requests. Structured scope. Assigned reviewers. Usage context. Clear decisions. Enforced revocation. Evidence captured as part of the work. If any of those pieces sits outside the review workflow, audit prep becomes archaeology. Nobody joins IT because they love digging through old screenshots.
How Multiplier Makes Governance Jira Native
Multiplier makes access governance Jira native by keeping requests, approvals, provisioning actions, access reviews, and audit evidence tied to Jira Service Management. Instead of forcing IT into another portal, it uses JSM and Slack as the work layer, then executes access changes through Okta, Entra ID, or Google Workspace.
A JSM Catalog That Feeds the Ticket
Multiplier starts with the Application Catalog inside Jira Service Management. Employees browse approved apps, choose roles, and submit access requests from the JSM portal or Slack. Behind the scenes, approved catalog roles map to identity provider groups, so the request isn't just a form. It's a structured workflow that can route approval and trigger provisioning.

That matters because it cuts the translation work we talked about earlier. The employee doesn't send a vague Slack message. The approver doesn't guess which role they meant. IT doesn't have to maintain a separate app list by hand when the catalog can sync apps and groups from Okta, Entra ID, or Google Workspace. For SSO apps, Multiplier provisions through mapped identity provider groups after approval, and the Jira issue records success or failure for audit and troubleshooting.
There are limits, and I think it's better to be clear about them. Multiplier provisions through identity provider groups, not by directly logging into every SaaS app and clicking around. Automatic revocation also depends on access being managed through group membership. For non-SSO or manual apps, you can still centralize the request and evidence, but the actual grant may need a manual step. Still, that is a much better place to start than scattered intake with no clean record.
The practical difference is simple:
- Before: request in Slack, approval in a thread, group change in the IDP, evidence copied later.
- After: request in Jira or Slack, approval tied to the Jira issue, provisioning through the IDP group, evidence written back to the issue.
- Audit prep: less reconstruction, fewer screenshots, cleaner proof of what happened.
Access Reviews With Revocation Built In
Multiplier's Access Reviews run as Jira-native campaigns. Admins select approved applications, assign reviewers, and give reviewers a dashboard with user attributes, groups, last login, and recommendations. Reviewers mark Keep or Revoke. When they choose Revoke for supported group-based access, Multiplier removes the user from the relevant identity provider group and creates Jira evidence documenting the change.
That's the big unlock. A review decision without execution is just an opinion. The value comes from connecting the reviewer action to the actual revocation and the audit trail. Multiplier also supports time-based access for just-in-time use cases, where requesters choose a duration and access is removed automatically at expiry through the mapped identity provider group. That directly addresses the standing privilege problem, not with another policy doc, but with a workflow that removes access when the work is done.
Auto Reclaim adds another layer for SaaS waste, when you're on the Advanced edition. It uses last-login data from the connected identity provider, applies inactivity thresholds and grace periods, notifies users, and revokes access if they stay inactive. Again, the important part isn't just the removal. It's the record. The Jira ticket documents what happened, which gives IT, security, finance, and audit the same source of proof.
If your current access reviews end with a spreadsheet full of "revoke" decisions and a separate cleanup project, the workflow is doing too little. Get started with Multiplier if you want the review, revocation, and evidence chain to live in the same place your team already works.
The Access Model Worth Building Now
Self-service portals cut access workload when they become the front door to a governed workflow, not just a nicer form. The winning pattern is pretty clear: approved app catalog, risk-based approvals, identity provider group provisioning, time-bound access, Jira-native reviews, and evidence captured as work happens.
That's the access model I think more IT and security teams should build. Not because portals are exciting. They aren't. Because the old way creates too many small manual steps, and those steps turn into delays, standing privilege, SaaS waste, and ugly audit prep. Fix the workflow, and the portal becomes the visible part of a much stronger system.
Frequently Asked Questions
How do I set up a self-service portal with Multiplier?
To set up a self-service portal with Multiplier, start by integrating it with your Jira Service Management (JSM). 1) Navigate to the JSM portal and select 'Request Access.' 2) Use the Application Catalog to display approved apps and roles for employees. 3) Ensure that requests are routed to the correct approvers based on your organizational structure. This setup streamlines intake and ensures that requests include the necessary context from the start.
What if an employee needs temporary access to sensitive data?
If an employee needs temporary access, you can use Multiplier's Time-Based Access feature. 1) When submitting the access request, the employee can choose a duration for the access (like 1, 6, or 24 hours). 2) Once approved, Multiplier will automatically provision the access and set a timer for revocation after the specified duration. This helps minimize standing privileges and ensures that access is only granted when necessary.
Can I customize the approval workflow in Multiplier?
Yes, you can customize the approval workflow in Multiplier. 1) Admins can map workflow statuses to 'Waiting for Approval' and 'Approved' in JSM. 2) You can designate default approvers globally or on a per-app basis, ensuring that the right people are notified for approvals. 3) This allows you to maintain control over who approves access requests while keeping the process efficient and tied to the originating ticket.
When should I run access reviews using Multiplier?
You should run access reviews regularly to ensure compliance and security. 1) Set up access review campaigns in Multiplier when you have a significant number of users or after major onboarding events. 2) Use the built-in dashboard to track user attributes and last login dates. 3) This helps identify inactive users and ensures that access is still appropriate, allowing you to mark users for revocation directly within the system.
Why does my access request process feel slow?
Your access request process might feel slow due to fragmented workflows. 1) Ensure that all requests are submitted through the Multiplier-enabled JSM portal to maintain context. 2) Check if approvals are being delayed by unclear ownership or multiple approval layers. 3) Consider using Multiplier's automated provisioning to speed up the process and reduce manual follow-ups, which can help streamline the entire access workflow.






