I've used one that was at least mediocre. Access requests were signed off (optionally) by your manager and then (optionally) by an authoriser of the service required, and then delivered automatically 99% of the time.
So you'd select "System Z Update Access", write a one liner of "I need update system Z to do my job supporting The Alpha Process", your manager would approve it (providing they agreed that your role did involve supporting the Alpha Process) and then someone from the System Z team would also approve it (providing they agreed that you needed that access to support that process), and then a few minutes later you'd be automatically added to the right role.
Traceable, secure, and fairly painless. Required a lot of setup for all of the roles and automation though, I believe.
Yes, and making changes to those processes over time will probably be dependent on consultants/staff who are no longer there, and their understanding of the Rube Goldberg configuration will take months/quarters to unravel. I've found that even simple requests -- add one field -- is considered a high risk change, usually because "the business". It's a weird world where the IS and business sides of the company can hold each other hostage.
So you'd select "System Z Update Access", write a one liner of "I need update system Z to do my job supporting The Alpha Process", your manager would approve it (providing they agreed that your role did involve supporting the Alpha Process) and then someone from the System Z team would also approve it (providing they agreed that you needed that access to support that process), and then a few minutes later you'd be automatically added to the right role.
Traceable, secure, and fairly painless. Required a lot of setup for all of the roles and automation though, I believe.