	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > Google Gemini API > Access Request Approval Agent

Access Request Approval Agent

Author: Venkata Sudhakar

Every new joiner and role-change at ShopMax India triggers access requests for systems like ERP, CRM, the warehouse management system, and financial dashboards. Granting excessive access violates least-privilege security principles and creates audit risk. An intelligent agent can check each request against role-based entitlement policies instantly.

This tutorial builds a Gemini ADK agent that validates an access request against the employee's role entitlement matrix, checks for segregation of duties conflicts, and returns an approval recommendation with justification.

The below example shows an IT access request approval agent for ShopMax India in a business context.

import asyncio
from google.adk.agents import LlmAgent
from google.adk.tools import FunctionTool
from google.adk.runners import Runner
from google.adk.sessions import InMemorySessionService
from google.genai import types

# Role entitlement matrix: role -> allowed systems
ROLE_ENTITLEMENTS = {
    "Sales Executive":   ["CRM", "Product Catalogue", "Sales Dashboard"],
    "Finance Manager":   ["ERP Finance", "Payroll", "Financial Dashboard", "Audit Logs"],
    "Warehouse Staff":   ["WMS", "Inventory System"],
    "IT Administrator":  ["All Systems"],
    "Data Analyst":      ["Sales Dashboard", "Financial Dashboard", "Data Warehouse"],
}

# Segregation of duties: these system pairs must not be held by same person
SOD_CONFLICTS = [
    ("Payroll", "ERP Finance"),  # can approve payment AND raise invoice
    ("Audit Logs", "Payroll"),   # can audit their own payroll entries
]

# Employee current access
EMPLOYEE_ACCESS = {
    "EMP-601": {"name": "Riya Kapoor", "role": "Finance Manager",
                "current_access": ["ERP Finance", "Financial Dashboard"]},
}

def evaluate_access_request(employee_id: str, system_requested: str, business_justification: str) -> dict:
    emp = EMPLOYEE_ACCESS.get(employee_id)
    if not emp:
        return {"error": f"Employee {employee_id} not found"}
    role = emp["role"]
    allowed = ROLE_ENTITLEMENTS.get(role, [])
    is_entitled = system_requested in allowed or "All Systems" in allowed
    # Check SoD conflicts
    sod_conflict = None
    if is_entitled:
        all_access = emp["current_access"] + [system_requested]
        for pair in SOD_CONFLICTS:
            if pair[0] in all_access and pair[1] in all_access:
                sod_conflict = f"SoD conflict: {pair[0]} + {pair[1]} cannot be held together"
                break
    if not is_entitled:
        decision = "REJECT"
        reason = f"{system_requested} is not in the entitlement list for role {role}."
    elif sod_conflict:
        decision = "REJECT"
        reason = sod_conflict
    else:
        decision = "APPROVE"
        reason = f"{system_requested} is within {role} entitlements and no SoD conflict detected."
    return {
        "employee": emp["name"],
        "role": role,
        "system_requested": system_requested,
        "business_justification": business_justification,
        "entitled": is_entitled,
        "sod_conflict": sod_conflict,
        "decision": decision,
        "reason": reason,
    }

access_tool = FunctionTool(func=evaluate_access_request)

agent = LlmAgent(
    name="access_request_agent",
    model="gemini-2.0-flash",
    description="Evaluates IT access requests for ShopMax India against role entitlements and SoD policies.",
    instruction=(
        "You are an IT access governance agent for ShopMax India. "
        "When an access request is submitted, call evaluate_access_request. "
        "State the decision (APPROVE or REJECT) clearly with the policy reason. "
        "If rejected due to SoD conflict, explain what the conflict is and suggest an alternative."
    ),
    tools=[access_tool],
)

async def main():
    session_service = InMemorySessionService()
    runner = Runner(agent=agent, app_name="access_app", session_service=session_service)
    session = await session_service.create_session(app_name="access_app", user_id="it1")
    msg = types.Content(role="user", parts=[types.Part(
        text=(
            "Access request: EMP-601 (Riya Kapoor) is requesting access to Payroll system. "
            "Justification: needs to verify salary disbursement for her team."
        )
    )])
    async for event in runner.run_async(user_id="it1", session_id=session.id, new_message=msg):
        if event.is_final_response() and event.content:
            print(event.content.parts[0].text)

asyncio.run(main())

It gives the following output,

Access Request Decision - ShopMax India IT Governance

Employee   : Riya Kapoor (EMP-601) | Finance Manager
Requested  : Payroll
Justification: Verify salary disbursement for her team

Entitlement Check : PASS (Payroll is within Finance Manager role)
SoD Check         : FAIL

Decision: REJECT
Reason  : SoD conflict detected - Payroll + ERP Finance cannot be held
          by the same person. This would allow approving and disbursing
          payments without a second authorisation, violating audit policy.

Alternative: Request read-only Payroll Reports access via the Finance
Dashboard instead, which does not trigger the SoD conflict.

ShopMax India's IT governance team can enforce least-privilege access automatically by integrating this agent into the access request workflow. Every request is evaluated in milliseconds rather than waiting days for a manual security review, while the SoD check ensures compliance with internal audit requirements and RBI financial controls.

Send your comments, suggestions or queries regarding this site to [email protected].