{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://github.com/api-evangelist/sailpoint/json-schema/sailpoint-identity-schema.json", "title": "SailPoint Identity Security Cloud Core Models", "description": "JSON Schema definitions for core SailPoint Identity Security Cloud V3 API models, including identities, access profiles, roles, and certifications.", "type": "object", "$defs": { "PublicIdentity": { "type": "object", "title": "Public Identity", "description": "A public identity within the SailPoint Identity Security Cloud platform, representing a user with their core attributes, lifecycle state, and management relationships.", "properties": { "id": { "type": "string", "description": "The unique identifier of the identity.", "examples": ["2c9180857182305e0171993735622948"] }, "name": { "type": "string", "description": "Human-readable display name of the identity.", "examples": ["Alison Ferguso"] }, "alias": { "type": "string", "description": "Alternate unique identifier for the identity, typically a username or login ID.", "examples": ["alison.ferguso"] }, "email": { "type": ["string", "null"], "format": "email", "description": "Email address of the identity.", "examples": ["alison.ferguso@acme-solar.com"] }, "status": { "type": ["string", "null"], "description": "The lifecycle status for the identity.", "examples": ["Active"] }, "identityState": { "type": ["string", "null"], "description": "The current state of the identity, which determines how Identity Security Cloud interacts with it. Active identities are included in picklists, processing, and features. Inactive identities are excluded.", "enum": ["ACTIVE", "INACTIVE_SHORT_TERM", "INACTIVE_LONG_TERM", null] }, "manager": { "$ref": "#/$defs/IdentityReference", "description": "Reference to the identity's manager." }, "attributes": { "type": "array", "description": "Custom public identity attributes as key-value pairs.", "items": { "$ref": "#/$defs/IdentityAttribute" } } } }, "IdentityReference": { "type": ["object", "null"], "title": "Identity Reference", "description": "A reference to an identity, used to link identities as managers, owners, or reviewers.", "properties": { "type": { "type": "string", "const": "IDENTITY", "description": "The type of the referenced object." }, "id": { "type": "string", "description": "The identity ID.", "examples": ["2c9180a46faadee4016fb4e018c20639"] }, "name": { "type": "string", "description": "Human-readable display name of the identity.", "examples": ["Thomas Edison"] } } }, "IdentityAttribute": { "type": "object", "title": "Identity Attribute", "description": "A public identity attribute represented as a key-value pair with a human-readable name.", "properties": { "key": { "type": "string", "description": "The attribute key.", "examples": ["country"] }, "name": { "type": "string", "description": "Human-readable display name of the attribute.", "examples": ["Country"] }, "value": { "type": ["string", "null"], "description": "The attribute value.", "examples": ["US"] } } }, "IdentityProfile": { "type": "object", "title": "Identity Profile", "description": "An identity profile defines the mapping between source account attributes and identity attributes, and configures lifecycle states for identities in the Identity Security Cloud platform.", "required": ["name", "authoritativeSource"], "properties": { "id": { "type": "string", "description": "The identity profile ID.", "readOnly": true, "examples": ["2b838de9-db9b-abcf-e646-d4f274ad4238"] }, "name": { "type": "string", "description": "The identity profile name.", "examples": ["HR Employees"] }, "description": { "type": ["string", "null"], "description": "The identity profile description.", "examples": ["My custom flat file profile"] }, "owner": { "$ref": "#/$defs/OwnerReference", "description": "The owner of the identity profile." }, "priority": { "type": "integer", "description": "The identity profile priority, used for conflict resolution when multiple profiles match.", "examples": [10] }, "authoritativeSource": { "$ref": "#/$defs/SourceReference", "description": "The authoritative source that drives identity creation for this profile." }, "identityRefreshRequired": { "type": "boolean", "default": false, "description": "Set to true if an identity refresh is necessary, typically after source changes." }, "identityCount": { "type": "integer", "description": "Number of identities belonging to the identity profile.", "readOnly": true, "examples": [8] }, "hasTimeBasedAttr": { "type": "boolean", "default": false, "description": "Indicates whether the profile uses time-based attributes requiring periodic refresh." }, "created": { "type": "string", "format": "date-time", "description": "Date and time the profile was created.", "readOnly": true }, "modified": { "type": "string", "format": "date-time", "description": "Date and time the profile was last modified.", "readOnly": true } } }, "OwnerReference": { "type": "object", "title": "Owner Reference", "description": "Reference to the owner of an object. Owners are always identities in the Identity Security Cloud platform.", "properties": { "type": { "type": "string", "const": "IDENTITY", "description": "Owner type. Must be IDENTITY." }, "id": { "type": "string", "description": "The owner's identity ID.", "examples": ["2c9180a46faadee4016fb4e018c20639"] }, "name": { "type": "string", "description": "The owner's display name.", "examples": ["support"] } } }, "SourceReference": { "type": "object", "title": "Source Reference", "description": "Reference to a source (connector) in the Identity Security Cloud platform.", "properties": { "type": { "type": "string", "const": "SOURCE", "description": "The source object type." }, "id": { "type": "string", "description": "The source ID.", "examples": ["2c9180835d191a86015d28455b4b232a"] }, "name": { "type": "string", "description": "The source name.", "examples": ["HR Active Directory"] } } }, "AccessProfile": { "type": "object", "title": "Access Profile", "description": "An access profile groups entitlements that represent access rights on sources. Access profiles are the middle tier of the SailPoint access model: entitlements represent the most granular level, access profiles group entitlements, and roles group access profiles. Access profiles are used in provisioning, certifications, access requests, and roles.", "required": ["name", "owner", "source"], "properties": { "id": { "type": "string", "description": "The access profile ID.", "readOnly": true, "examples": ["2c91808a7190d06e01719938fcd20792"] }, "name": { "type": "string", "description": "The access profile name.", "examples": ["Employee-database-read-write"] }, "description": { "type": ["string", "null"], "description": "The access profile description. Maximum supported length is 2000 characters.", "maxLength": 2000, "examples": ["Collection of entitlements to read/write the employee database"] }, "created": { "type": "string", "format": "date-time", "description": "Date and time the access profile was created.", "readOnly": true, "examples": ["2021-03-01T22:32:58.104Z"] }, "modified": { "type": "string", "format": "date-time", "description": "Date and time the access profile was last modified.", "readOnly": true, "examples": ["2021-03-02T20:22:28.104Z"] }, "enabled": { "type": "boolean", "default": false, "description": "Whether the access profile is enabled. If enabled, you must include at least one entitlement." }, "owner": { "$ref": "#/$defs/OwnerReference", "description": "The owner of the access profile." }, "source": { "$ref": "#/$defs/AccessProfileSourceRef", "description": "The source associated with the access profile." }, "entitlements": { "type": ["array", "null"], "description": "List of entitlements associated with the access profile. If enabled is false, this can be empty. Otherwise, it must contain at least one entitlement.", "items": { "$ref": "#/$defs/EntitlementRef" } }, "requestable": { "type": "boolean", "default": true, "description": "Whether the access profile is requestable via access requests." }, "accessRequestConfig": { "$ref": "#/$defs/Requestability", "description": "Access request configuration for the access profile." }, "revocationRequestConfig": { "$ref": "#/$defs/Revocability", "description": "Revocation request configuration for the access profile." }, "segments": { "type": ["array", "null"], "description": "List of segment IDs the access profile is assigned to.", "items": { "type": "string" } } } }, "AccessProfileSourceRef": { "type": "object", "title": "Access Profile Source Reference", "description": "Reference to the source associated with an access profile.", "properties": { "id": { "type": "string", "description": "The source ID.", "examples": ["2c91809773dee3610173fdb1b6969d4e"] }, "type": { "type": "string", "const": "SOURCE", "description": "The source object type." }, "name": { "type": "string", "description": "The source name.", "examples": ["ODS-AD-SOURCE"] } } }, "EntitlementRef": { "type": "object", "title": "Entitlement Reference", "description": "Reference to an entitlement representing a specific set of access rights.", "properties": { "type": { "type": "string", "const": "ENTITLEMENT", "description": "The entitlement object type." }, "id": { "type": "string", "description": "The entitlement ID.", "examples": ["2c91809773dee32014e13e122092014e"] }, "name": { "type": "string", "description": "The entitlement display name.", "examples": ["CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local"] } } }, "Entitlement": { "type": "object", "title": "Entitlement", "description": "An entitlement representing access rights on a source. Entitlements are the most granular level of the SailPoint access model.", "properties": { "id": { "type": "string", "description": "The entitlement ID.", "examples": ["2c91809773dee32014e13e122092014e"] }, "name": { "type": "string", "description": "The entitlement name.", "examples": ["CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local"] }, "description": { "type": ["string", "null"], "description": "The entitlement description." }, "attribute": { "type": "string", "description": "The name of the entitlement attribute.", "examples": ["memberOf"] }, "value": { "type": "string", "description": "The value of the entitlement." }, "sourceSchemaObjectType": { "type": "string", "description": "The object type of the source schema.", "examples": ["group"] }, "privileged": { "type": "boolean", "default": false, "description": "Whether the entitlement is privileged." }, "cloudGoverned": { "type": "boolean", "default": false, "description": "Whether the entitlement is governed in the cloud." }, "created": { "type": "string", "format": "date-time", "description": "Date and time the entitlement was created.", "readOnly": true }, "modified": { "type": "string", "format": "date-time", "description": "Date and time the entitlement was last modified.", "readOnly": true }, "source": { "$ref": "#/$defs/SourceReference", "description": "The source associated with the entitlement." }, "owner": { "$ref": "#/$defs/OwnerReference", "description": "The owner of the entitlement." } } }, "Requestability": { "type": ["object", "null"], "title": "Requestability", "description": "Configuration for access request approval workflows.", "properties": { "commentsRequired": { "type": "boolean", "default": false, "description": "Whether comments are required for access requests." }, "denialCommentsRequired": { "type": "boolean", "default": false, "description": "Whether comments are required for denial of access requests." }, "approvalSchemes": { "type": "array", "description": "List of approval schemes for access requests.", "items": { "$ref": "#/$defs/ApprovalScheme" } } } }, "Revocability": { "type": ["object", "null"], "title": "Revocability", "description": "Configuration for revocation request approval workflows.", "properties": { "commentsRequired": { "type": "boolean", "default": false, "description": "Whether comments are required for revocation requests." }, "denialCommentsRequired": { "type": "boolean", "default": false, "description": "Whether comments are required for denial of revocation requests." }, "approvalSchemes": { "type": "array", "description": "List of approval schemes for revocation requests.", "items": { "$ref": "#/$defs/ApprovalScheme" } } } }, "ApprovalScheme": { "type": "object", "title": "Approval Scheme", "description": "An approval scheme defining who must approve an access or revocation request.", "properties": { "approverType": { "type": "string", "description": "The type of approver for the request.", "enum": ["APP_OWNER", "OWNER", "SOURCE_OWNER", "MANAGER", "GOVERNANCE_GROUP"] }, "approverId": { "type": ["string", "null"], "description": "The ID of the approver. Only required when approverType is GOVERNANCE_GROUP." } } }, "AccessProfileRef": { "type": "object", "title": "Access Profile Reference", "description": "Reference to an access profile.", "properties": { "id": { "type": "string", "description": "The access profile ID.", "examples": ["ff808081751e6e129f1518161919ecca"] }, "type": { "type": "string", "const": "ACCESS_PROFILE", "description": "The access profile object type." }, "name": { "type": "string", "description": "Human-readable display name of the access profile.", "examples": ["Access Profile 2567"] } } }, "Role": { "type": "object", "title": "Role", "description": "A role represents the broadest level of access in the SailPoint access model and groups one or more access profiles. Roles can be automatically assigned to qualifying identities based on configured criteria, simplifying access management for organizational positions.", "required": ["name", "owner"], "properties": { "id": { "type": "string", "description": "The role ID. This field must be left null when creating a role.", "readOnly": true, "examples": ["2c918086749d78830174a1a40e121518"] }, "name": { "type": "string", "description": "Human-readable display name of the role.", "maxLength": 128, "examples": ["Role 2567"] }, "description": { "type": ["string", "null"], "description": "A human-readable description of the role. Maximum supported length is 2000 characters.", "maxLength": 2000 }, "created": { "type": "string", "format": "date-time", "description": "Date the role was created.", "readOnly": true, "examples": ["2021-03-01T22:32:58.104Z"] }, "modified": { "type": "string", "format": "date-time", "description": "Date the role was last modified.", "readOnly": true, "examples": ["2021-03-02T20:22:28.104Z"] }, "owner": { "$ref": "#/$defs/OwnerReference", "description": "The owner of the role." }, "accessProfiles": { "type": ["array", "null"], "description": "List of access profiles associated with the role.", "items": { "$ref": "#/$defs/AccessProfileRef" } }, "entitlements": { "type": "array", "description": "List of entitlements directly associated with the role.", "items": { "$ref": "#/$defs/EntitlementRef" } }, "membership": { "$ref": "#/$defs/RoleMembershipSelector", "description": "Criteria for automatic role assignment to qualifying identities." }, "enabled": { "type": "boolean", "default": false, "description": "Whether the role is enabled." }, "requestable": { "type": "boolean", "default": false, "description": "Whether the role can be the target of access requests." }, "accessRequestConfig": { "$ref": "#/$defs/Requestability", "description": "Access request configuration for the role." }, "revocationRequestConfig": { "$ref": "#/$defs/Revocability", "description": "Revocation request configuration for the role." }, "segments": { "type": ["array", "null"], "description": "List of IDs of segments the role is assigned to.", "items": { "type": "string" } }, "dimensional": { "type": ["boolean", "null"], "default": false, "description": "Whether the role is dimensional." } } }, "RoleMembershipSelector": { "type": ["object", "null"], "title": "Role Membership Selector", "description": "Defines the criteria for automatic role membership. When configured, Identity Security Cloud automatically assigns the role to qualifying identities based on STANDARD criteria or an explicit IDENTITY_LIST.", "properties": { "type": { "type": "string", "description": "The type of role membership selector.", "enum": ["STANDARD", "IDENTITY_LIST"] }, "criteria": { "$ref": "#/$defs/RoleCriteria", "description": "The criteria expression for STANDARD membership type." }, "identities": { "type": ["array", "null"], "description": "List of identities for IDENTITY_LIST membership type.", "items": { "$ref": "#/$defs/IdentityReference" } } } }, "RoleCriteria": { "type": ["object", "null"], "title": "Role Criteria", "description": "A criteria expression used for automatic role assignment. Supports nested AND/OR logical operations with comparison operations (EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, ENDS_WITH) against identity, account, and entitlement attributes.", "properties": { "operation": { "type": "string", "description": "The logical or comparison operation.", "enum": ["EQUALS", "NOT_EQUALS", "CONTAINS", "STARTS_WITH", "ENDS_WITH", "AND", "OR"] }, "key": { "type": ["object", "null"], "description": "The key element for the criteria.", "properties": { "type": { "type": "string", "description": "The type of criteria key.", "enum": ["IDENTITY", "ACCOUNT", "ENTITLEMENT"] }, "property": { "type": "string", "description": "The property name for the criteria.", "examples": ["attribute.department"] }, "sourceId": { "type": ["string", "null"], "description": "The ID of the source. Required for ACCOUNT and ENTITLEMENT types." } } }, "stringValue": { "type": ["string", "null"], "description": "String value for comparison when operation is a leaf." }, "children": { "type": ["array", "null"], "description": "Child criteria for compound operations (AND, OR). Supports up to 3 levels of nesting.", "items": { "$ref": "#/$defs/RoleCriteria" } } } }, "IdentityCertification": { "type": "object", "title": "Identity Certification", "description": "An identity certification used in access review campaigns to review a user's access to entitlements and decide whether to approve or remove that access. Certifications are part of certification campaigns and provide a structured process for periodic access reviews and compliance verification.", "properties": { "id": { "type": "string", "description": "The certification ID.", "examples": ["2c9180835d2e5168015d32f890ca1581"] }, "name": { "type": "string", "description": "The certification name.", "examples": ["Source Owner Access Review for Employees [source]"] }, "campaign": { "$ref": "#/$defs/CampaignReference", "description": "Reference to the campaign this certification belongs to." }, "completed": { "type": "boolean", "description": "Whether all decisions have been made." }, "identitiesCompleted": { "type": "integer", "description": "The number of identities for whom all decisions have been made and are complete." }, "identitiesTotal": { "type": "integer", "description": "The total number of identities in the certification, both complete and incomplete." }, "created": { "type": "string", "format": "date-time", "description": "Date and time the certification was created.", "examples": ["2018-06-25T20:22:28.104Z"] }, "modified": { "type": "string", "format": "date-time", "description": "Date and time the certification was last modified.", "examples": ["2018-06-25T20:22:28.104Z"] }, "decisionsMade": { "type": "integer", "description": "The number of approve/revoke/acknowledge decisions that have been made." }, "decisionsTotal": { "type": "integer", "description": "The total number of approve/revoke/acknowledge decisions." }, "due": { "type": ["string", "null"], "format": "date-time", "description": "The due date of the certification." }, "signed": { "type": ["string", "null"], "format": "date-time", "description": "The date the reviewer signed off on the certification." }, "reviewer": { "$ref": "#/$defs/Reviewer", "description": "The reviewer assigned to this certification." }, "reassignment": { "$ref": "#/$defs/Reassignment", "description": "Information about reassignment, if the certification has been reassigned." }, "hasErrors": { "type": "boolean", "description": "Whether the certification has an error." }, "errorMessage": { "type": ["string", "null"], "description": "Description of the certification error." }, "phase": { "type": "string", "description": "The current phase of the campaign. STAGED means waiting to be activated, ACTIVE means currently active, SIGNED means the reviewer has signed off and the certification is complete.", "enum": ["STAGED", "ACTIVE", "SIGNED"] } } }, "CampaignReference": { "type": "object", "title": "Campaign Reference", "description": "Reference to a certification campaign. Campaigns organize and manage the certification review process.", "required": ["id", "name", "type", "campaignType"], "properties": { "id": { "type": "string", "description": "The unique ID of the campaign.", "examples": ["ef38f94347e94562b5bb8424a56397d8"] }, "name": { "type": "string", "description": "The name of the campaign.", "examples": ["Campaign Name"] }, "type": { "type": "string", "const": "CAMPAIGN", "description": "The type of object being referenced." }, "campaignType": { "type": "string", "description": "The type of the campaign. MANAGER campaigns are reviewed by identity managers, SOURCE_OWNER campaigns are reviewed by source owners, and SEARCH campaigns are based on search queries.", "enum": ["MANAGER", "SOURCE_OWNER", "SEARCH"] }, "description": { "type": ["string", "null"], "description": "The description of the campaign." }, "correlatedStatus": { "type": "string", "description": "The correlated status. Only SOURCE_OWNER campaigns can be Uncorrelated.", "enum": ["CORRELATED", "UNCORRELATED"] }, "mandatoryCommentRequirement": { "type": "string", "description": "Determines whether comments are required for decisions during certification reviews.", "enum": ["ALL_DECISIONS", "REVOKE_ONLY_DECISIONS", "NO_DECISIONS"] } } }, "Reviewer": { "type": "object", "title": "Reviewer", "description": "An identity designated as a reviewer for a certification.", "properties": { "id": { "type": "string", "description": "The reviewer ID.", "examples": ["ef38f94347e94562b5bb8424a56397d8"] }, "name": { "type": "string", "description": "The reviewer name.", "examples": ["Reviewer Name"] }, "email": { "type": "string", "format": "email", "description": "The reviewer email address.", "examples": ["reviewer@test.com"] }, "type": { "type": "string", "const": "IDENTITY", "description": "The type of the reviewing identity." }, "created": { "type": ["string", "null"], "format": "date-time", "description": "The date the reviewing identity was created." }, "modified": { "type": ["string", "null"], "format": "date-time", "description": "The date the reviewing identity was last modified." } } }, "Reassignment": { "type": ["object", "null"], "title": "Reassignment", "description": "Information about a certification reassignment.", "properties": { "from": { "$ref": "#/$defs/IdentityReference", "description": "The identity the certification was reassigned from." }, "comment": { "type": ["string", "null"], "description": "The comment provided when reassigning." } } }, "CertificationDecision": { "type": "object", "title": "Certification Decision", "description": "A decision made on a certification item, approving, revoking, or acknowledging access.", "required": ["id", "decision"], "properties": { "id": { "type": "string", "description": "The ID of the access review item being decided." }, "decision": { "type": "string", "description": "The decision for the certification item.", "enum": ["APPROVE", "REVOKE", "ACKNOWLEDGE"] }, "bulk": { "type": "boolean", "default": false, "description": "Whether this is a bulk decision applying to multiple items." }, "comments": { "type": ["string", "null"], "description": "Comments to accompany the decision." } } }, "AccessReviewItem": { "type": "object", "title": "Access Review Item", "description": "An access review item within a certification, representing access that is being reviewed for approval, revocation, or acknowledgment.", "properties": { "id": { "type": "string", "description": "The access review item ID." }, "accessSummary": { "type": "object", "description": "Summary of the access being reviewed.", "properties": { "access": { "type": "object", "properties": { "type": { "type": "string", "description": "The type of access.", "enum": ["ROLE", "ACCESS_PROFILE", "ENTITLEMENT"] }, "id": { "type": "string", "description": "The ID of the access item." }, "name": { "type": "string", "description": "The name of the access item." } } } } }, "identitySummary": { "type": "object", "description": "Summary of the identity being certified.", "properties": { "id": { "type": "string", "description": "The identity ID." }, "name": { "type": "string", "description": "The identity name." }, "identityId": { "type": "string", "description": "The identity unique identifier." }, "completed": { "type": "boolean", "description": "Whether all decisions have been made for this identity." } } }, "decision": { "type": "string", "description": "The current decision for this item.", "enum": ["APPROVE", "REVOKE", "ACKNOWLEDGE"] }, "recommendation": { "type": ["object", "null"], "description": "AI-driven recommendation for the review item.", "properties": { "recommendation": { "type": ["string", "null"], "enum": ["APPROVE", "REVOKE", null] }, "reasons": { "type": "array", "items": { "type": "string" } }, "timestamp": { "type": ["string", "null"], "format": "date-time" } } }, "comments": { "type": ["string", "null"], "description": "Comments provided with the decision." }, "completed": { "type": "boolean", "description": "Whether a decision has been made on this item." } } } } }