openapi: 3.1.0
info:
  title: Identity Security Cloud V3 API
  description: >-
    Use these APIs to interact with the Identity Security Cloud platform to
    achieve repeatable, automated processes with greater scalability. The V3
    APIs provide core endpoints covering access profiles, certifications,
    identities, roles, search, sources, transforms, workflows, and more. We
    encourage you to join the SailPoint Developer Community forum at
    https://developer.sailpoint.com/discuss to connect with other developers
    using our APIs.
  termsOfService: https://developer.sailpoint.com/discuss/tos
  contact:
    name: Developer Relations
    url: https://developer.sailpoint.com/discuss/api-help
  license:
    name: MIT
    url: https://opensource.org/licenses/MIT
  version: 3.0.0
servers:
  - url: https://{tenant}.api.identitynow.com/v3
    description: Production API server.
    variables:
      tenant:
        default: sailpoint
        description: >-
          The name of your tenant, typically your company's name.
  - url: https://{apiUrl}/v3
    description: V3 API server.
    variables:
      apiUrl:
        default: sailpoint.api.identitynow.com
        description: The API URL of your tenant.
security:
  - oauth2: []
  - personalAccessToken: []
tags:
  - name: Identities
    description: >-
      Use this API to retrieve and manage public identity information. Public
      identities represent users within the Identity Security Cloud platform,
      including their attributes, lifecycle state, and manager relationships.
    externalDocs:
      description: SailPoint Identities Documentation
      url: https://developer.sailpoint.com/docs/api/v3/get-public-identities/
  - name: Access Profiles
    description: >-
      Use this API to implement and customize access profile functionality.
      Access profiles group entitlements, which represent access rights on
      sources. For example, an Active Directory source can have multiple
      entitlements grouped into an access profile such as 'AD Developers',
      combining the 'Employees' and 'Developers' entitlements. Access profiles
      are used in provisioning, certifications, access requests, and roles.
    externalDocs:
      description: SailPoint Access Profiles Documentation
      url: https://developer.sailpoint.com/docs/api/v3/access-profiles/
  - name: Roles
    description: >-
      Use this API to implement and customize role functionality. Roles
      represent the broadest level of access and group one or more access
      profiles. When you create a role and configure it with role criteria,
      Identity Security Cloud can automatically assign the role to qualified
      identities. Roles simplify access management for organizational
      positions.
    externalDocs:
      description: SailPoint Roles Documentation
      url: https://developer.sailpoint.com/docs/api/v3/roles/
  - name: Certifications
    description: >-
      Use this API to implement certification functionality. Certifications
      enable administrators and designated reviewers to review users' access to
      entitlements and decide whether to approve, revoke, or reassign the
      review. Certification campaigns provide a structured process for periodic
      access reviews and compliance verification.
    externalDocs:
      description: SailPoint Certifications Documentation
      url: https://developer.sailpoint.com/docs/api/v3/certifications/
paths:
  /public-identities:
    get:
      operationId: getPublicIdentities
      tags:
        - Identities
      summary: List public identities
      description: >-
        Get a list of public identities. This endpoint returns a paged list of
        public identity objects that can be filtered and sorted.
      parameters:
        - name: add-core-filters
          in: query
          description: >-
            Set to true to exclude incomplete identities and uncorrelated
            accounts from the results.
          required: false
          schema:
            type: boolean
            default: false
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
        - name: filters
          in: query
          description: >-
            Filter results using the standard syntax described in V3 API
            Standard Collection Parameters. Filtering is supported for the
            following fields and operators: id (eq, in), name (eq, sw, co),
            alias (eq, sw, co), email (eq, sw, co), status (eq).
          required: false
          schema:
            type: string
          example: name eq "John Smith"
        - name: sorters
          in: query
          description: >-
            Sort results using the standard syntax. Sorting is supported for
            the following fields: name, alias, email.
          required: false
          schema:
            type: string
          example: name,-email
      responses:
        '200':
          description: List of public identities.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/PublicIdentity'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:identity:read'
  /public-identities/{id}:
    get:
      operationId: getPublicIdentity
      tags:
        - Identities
      summary: Get a public identity
      description: >-
        Get the details of a public identity by its ID.
      parameters:
        - name: id
          in: path
          description: The identity ID.
          required: true
          schema:
            type: string
          example: 2c9180857182305e0171993735622948
      responses:
        '200':
          description: A public identity object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PublicIdentity'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:identity:read'
  /identity-profiles:
    get:
      operationId: listIdentityProfiles
      tags:
        - Identities
      summary: List identity profiles
      description: >-
        Get a list of identity profiles. Identity profiles define how identity
        attributes are mapped from source account attributes and configure
        lifecycle states.
      parameters:
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
        - name: filters
          in: query
          description: >-
            Filter results using the standard syntax. Filtering is supported
            for the following fields: id (eq, in), name (eq, sw), priority
            (eq, gt, lt, ge, le).
          required: false
          schema:
            type: string
          example: name eq "HR Profile"
        - name: sorters
          in: query
          description: >-
            Sort results using the standard syntax. Sorting is supported for
            the following fields: name, priority, created, modified.
          required: false
          schema:
            type: string
          example: name,-priority
      responses:
        '200':
          description: List of identity profiles.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/IdentityProfile'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:identity-profile:read'
    post:
      operationId: createIdentityProfile
      tags:
        - Identities
      summary: Create an identity profile
      description: >-
        Create an identity profile. An identity profile defines the mapping
        between source account attributes and identity attributes and
        configures lifecycle states for identities.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/IdentityProfile'
      responses:
        '201':
          description: Identity profile created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProfile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:identity-profile:manage'
  /identity-profiles/{identity-profile-id}:
    get:
      operationId: getIdentityProfile
      tags:
        - Identities
      summary: Get an identity profile
      description: >-
        Get the details of an identity profile by its ID.
      parameters:
        - name: identity-profile-id
          in: path
          description: The identity profile ID.
          required: true
          schema:
            type: string
          example: 2b838de9-db9b-abcf-e646-d4f274ad4238
      responses:
        '200':
          description: An identity profile object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProfile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:identity-profile:read'
    patch:
      operationId: updateIdentityProfile
      tags:
        - Identities
      summary: Update an identity profile
      description: >-
        Update an existing identity profile using a JSON Patch document
        (RFC 6902).
      parameters:
        - name: identity-profile-id
          in: path
          description: The identity profile ID.
          required: true
          schema:
            type: string
          example: 2b838de9-db9b-abcf-e646-d4f274ad4238
      requestBody:
        required: true
        content:
          application/json-patch+json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/JsonPatchOperation'
      responses:
        '200':
          description: Updated identity profile.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProfile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:identity-profile:manage'
    delete:
      operationId: deleteIdentityProfile
      tags:
        - Identities
      summary: Delete an identity profile
      description: >-
        Delete an identity profile by its ID.
      parameters:
        - name: identity-profile-id
          in: path
          description: The identity profile ID.
          required: true
          schema:
            type: string
          example: 2b838de9-db9b-abcf-e646-d4f274ad4238
      responses:
        '202':
          description: >-
            Identity profile delete request accepted. This is a long-running
            asynchronous operation; the response identifies the task performing
            the delete.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResultSimplified'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:identity-profile:manage'
  /access-profiles:
    get:
      operationId: listAccessProfiles
      tags:
        - Access Profiles
      summary: List access profiles
      description: >-
        Get a list of access profiles. Filtering for access profiles whose
        names contain the '+' character currently returns an empty result;
        note that a '+' in a query string is decoded as a space unless it is
        percent-encoded as %2B.
      parameters:
        - name: for-subadmin
          in: query
          description: >-
            Filters the returned list according to what is visible to the
            indicated ROLE_SUBADMIN or SOURCE_SUBADMIN identity. The value is
            either an identity ID or the special value 'me' for the calling
            identity's ID.
          required: false
          schema:
            type: string
          example: 8c190e6787aa4ed9a90bd9d5344523fb
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
        - name: filters
          in: query
          description: >-
            Filter results using the standard syntax. Filtering is supported
            for the following fields and operators: id (eq, in), name (eq, sw),
            created (gt, ge, le), modified (gt, lt, ge, le), owner.id (eq, in),
            requestable (eq), source.id (eq, in). Supported composite operators
            are 'and' and 'or'.
          required: false
          schema:
            type: string
          example: name eq "SailPoint Support"
        - name: sorters
          in: query
          description: >-
            Sort results using the standard syntax. Sorting is supported for
            the following fields: name, created, modified.
          required: false
          schema:
            type: string
          example: name,-modified
        - name: for-segment-ids
          in: query
          description: >-
            Filters access profiles to only those assigned to the segment(s)
            with the specified IDs. If segmentation is unavailable, specifying
            this parameter results in an error.
          required: false
          schema:
            type: string
          example: 0b5c9f25-83c6-4762-9073-e38f7bb2ae26,2e8d8180-24bc-4d21-91c6-7affdb473b0d
        - name: include-unsegmented
          in: query
          description: >-
            Indicates whether the response should include unsegmented access
            profiles. If for-segment-ids is absent or empty, specifying this as
            false results in an error.
          required: false
          schema:
            type: boolean
            default: true
      responses:
        '200':
          description: List of access profiles.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/AccessProfile'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:access-profile:read'
    post:
      operationId: createAccessProfile
      tags:
        - Access Profiles
      summary: Create an access profile
      description: >-
        Create an access profile. A user with ROLE_SUBADMIN or SOURCE_SUBADMIN
        authority must be associated with the access profile's source. The
        maximum supported length for the description field is 2000 characters.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccessProfile'
      responses:
        '201':
          description: Access profile created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessProfile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:access-profile:manage'
            - 'idn:entitlement:read'
            - 'idn:identity:read'
            - 'idn:sources:read'
  /access-profiles/{id}:
    get:
      operationId: getAccessProfile
      tags:
        - Access Profiles
      summary: Get an access profile
      description: >-
        Get an access profile by its ID.
      parameters:
        - name: id
          in: path
          description: The access profile ID.
          required: true
          schema:
            type: string
          example: 2c91808a7190d06e01719938fcd20792
      responses:
        '200':
          description: An access profile object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessProfile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:access-profile:read'
    patch:
      operationId: patchAccessProfile
      tags:
        - Access Profiles
      summary: Patch an access profile
      description: >-
        Update an existing access profile using a JSON Patch document
        (RFC 6902). The maximum supported length for the description field is
        2000 characters.
      parameters:
        - name: id
          in: path
          description: The access profile ID.
          required: true
          schema:
            type: string
          example: 2c91808a7190d06e01719938fcd20792
      requestBody:
        required: true
        content:
          application/json-patch+json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/JsonPatchOperation'
      responses:
        '200':
          description: Updated access profile.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessProfile'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:access-profile:manage'
    delete:
      operationId: deleteAccessProfile
      tags:
        - Access Profiles
      summary: Delete an access profile
      description: >-
        Delete an existing access profile by its ID. The access profile must
        not be in use by any roles.
      parameters:
        - name: id
          in: path
          description: The access profile ID.
          required: true
          schema:
            type: string
          example: 2c91808a7190d06e01719938fcd20792
      responses:
        '204':
          description: Access profile deleted successfully.
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:access-profile:manage'
  /access-profiles/{id}/entitlements:
    get:
      operationId: listAccessProfileEntitlements
      tags:
        - Access Profiles
      summary: List access profile entitlements
      description: >-
        Get a list of entitlements associated with the specified access
        profile.
      parameters:
        - name: id
          in: path
          description: The access profile ID.
          required: true
          schema:
            type: string
          example: 2c91808a7190d06e01719938fcd20792
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
        - name: filters
          in: query
          description: >-
            Filter results using the standard syntax. Filtering is supported
            for the following fields: name (eq, sw).
          required: false
          schema:
            type: string
        - name: sorters
          in: query
          description: >-
            Sort results using the standard syntax. Sorting is supported for
            the following fields: name, created, modified.
          required: false
          schema:
            type: string
      responses:
        '200':
          description: List of entitlements for the access profile.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Entitlement'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:access-profile:read'
  /access-profiles/bulk-delete:
    post:
      operationId: bulkDeleteAccessProfiles
      tags:
        - Access Profiles
      summary: Bulk delete access profiles
      description: >-
        Delete one or more access profiles in a single request. The access
        profiles must not be in use by any roles or applications. The response
        reports which profiles were deleted and which failed.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccessProfileBulkDeleteRequest'
      responses:
        '200':
          description: Bulk delete results.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessProfileBulkDeleteResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:access-profile:manage'
  /roles:
    get:
      operationId: listRoles
      tags:
        - Roles
      summary: List roles
      description: >-
        Get a paged list of roles. Roles represent the broadest level of
        access and group one or more access profiles.
      parameters:
        - name: for-subadmin
          in: query
          description: >-
            Filters the returned list according to what is visible to the
            indicated ROLE_SUBADMIN identity. The value is either an identity
            ID or 'me' for the calling identity.
          required: false
          schema:
            type: string
          example: 5168015d32f890ca15812c9180835d2e
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
        - name: filters
          in: query
          description: >-
            Filter results using the standard syntax. Filtering is supported
            for the following fields and operators: id (eq, in), name (eq, sw),
            created (gt, ge, le), modified (gt, lt, ge, le), owner.id (eq, in),
            requestable (eq).
          required: false
          schema:
            type: string
          example: name sw "Role"
        - name: sorters
          in: query
          description: >-
            Sort results using the standard syntax. Sorting is supported for
            the following fields: name, created, modified.
          required: false
          schema:
            type: string
          example: name,-modified
        - name: for-segment-ids
          in: query
          description: >-
            Filters roles to only those assigned to the segment(s) with the
            specified IDs.
          required: false
          schema:
            type: string
        - name: include-unsegmented
          in: query
          description: >-
            Indicates whether the response should include unsegmented roles.
          required: false
          schema:
            type: boolean
            default: true
      responses:
        '200':
          description: List of roles.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Role'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:role-unchecked:read'
    post:
      operationId: createRole
      tags:
        - Roles
      summary: Create a role
      description: >-
        Create a role. The maximum supported length for the description field
        is 2000 characters. ROLE_SUBADMIN users cannot create roles with access
        profiles from sources outside their authorization scope.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Role'
      responses:
        '201':
          description: Role created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:role-unchecked:manage'
  /roles/{id}:
    get:
      operationId: getRole
      tags:
        - Roles
      summary: Get a role
      description: >-
        Get a role by its ID.
      parameters:
        - name: id
          in: path
          description: The role ID.
          required: true
          schema:
            type: string
          example: 2c918086749d78830174a1a40e121518
      responses:
        '200':
          description: A role object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:role-unchecked:read'
    patch:
      operationId: patchRole
      tags:
        - Roles
      summary: Patch a role
      description: >-
        Update an existing role using a JSON Patch document (RFC 6902). The
        maximum supported length for the description field is 2000 characters.
      parameters:
        - name: id
          in: path
          description: The role ID.
          required: true
          schema:
            type: string
          example: 2c918086749d78830174a1a40e121518
      requestBody:
        required: true
        content:
          application/json-patch+json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/JsonPatchOperation'
      responses:
        '200':
          description: Updated role.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Role'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:role-unchecked:manage'
    delete:
      operationId: deleteRole
      tags:
        - Roles
      summary: Delete a role
      description: >-
        Delete a role by its ID.
      parameters:
        - name: id
          in: path
          description: The role ID.
          required: true
          schema:
            type: string
          example: 2c918086749d78830174a1a40e121518
      responses:
        '204':
          description: Role deleted successfully.
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:role-unchecked:manage'
  /roles/{id}/identities:
    get:
      operationId: listRoleIdentities
      tags:
        - Roles
      summary: List identities assigned a role
      description: >-
        Get a list of identities that have been assigned the specified role.
      parameters:
        - name: id
          in: path
          description: The role ID.
          required: true
          schema:
            type: string
          example: 2c918086749d78830174a1a40e121518
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
        - name: filters
          in: query
          description: >-
            Filter results using the standard syntax. Filtering is supported
            for the following fields: name (eq, sw).
          required: false
          schema:
            type: string
        - name: sorters
          in: query
          description: >-
            Sort results using the standard syntax. Sorting is supported for
            the following fields: name, created, modified.
          required: false
          schema:
            type: string
      responses:
        '200':
          description: List of identities assigned to the role.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/RoleIdentity'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:role-unchecked:read'
  /roles/bulk-delete:
    post:
      operationId: bulkDeleteRoles
      tags:
        - Roles
      summary: Bulk delete roles
      description: >-
        Delete one or more roles in a single request.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RoleBulkDeleteRequest'
      responses:
        '202':
          description: >-
            Role bulk delete request accepted. This is a long-running
            asynchronous operation; the response identifies the task performing
            the delete.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResultSimplified'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:role-unchecked:manage'
  /certifications:
    get:
      operationId: listIdentityCertifications
      tags:
        - Certifications
      summary: List identity campaign certifications
      description: >-
        Get a list of identity campaign certifications visible to the caller.
        A token with ORG_ADMIN, CERT_ADMIN, or REPORT_ADMIN authority is
        required to call this API. Callers with CERT_ADMIN authority can only
        see certifications they own. Callers with REPORT_ADMIN or ORG_ADMIN
        authority can see all certifications.
      parameters:
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
        - name: filters
          in: query
          description: >-
            Filter results using the standard syntax. Filtering is supported
            for the following fields: id (eq, in), campaign.id (eq, in), phase
            (eq), completed (eq).
          required: false
          schema:
            type: string
          example: campaign.id eq "ef38f94347e94562b5bb8424a56397d8"
        - name: sorters
          in: query
          description: >-
            Sort results using the standard syntax. Sorting is supported for
            the following fields: name, due, signed.
          required: false
          schema:
            type: string
          example: name,-due
      responses:
        '200':
          description: List of certification objects.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/IdentityCertification'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:read'
  /certifications/{id}:
    get:
      operationId: getIdentityCertification
      tags:
        - Certifications
      summary: Get an identity certification
      description: >-
        Get the details of an identity certification by its ID.
      parameters:
        - name: id
          in: path
          description: The certification ID.
          required: true
          schema:
            type: string
          example: ef38f94347e94562b5bb8424a56397d8
      responses:
        '200':
          description: An identity certification object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityCertification'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:read'
  /certifications/{id}/access-review-items:
    get:
      operationId: listCertificationAccessReviewItems
      tags:
        - Certifications
      summary: List access review items
      description: >-
        Get a list of access review items for the specified certification.
        These items represent the access that is being reviewed and may be
        approved, revoked, or reassigned.
      parameters:
        - name: id
          in: path
          description: The certification ID.
          required: true
          schema:
            type: string
          example: ef38f94347e94562b5bb8424a56397d8
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
        - name: filters
          in: query
          description: >-
            Filter results using the standard syntax. Filtering is supported
            for the following fields: type (eq), status (eq).
          required: false
          schema:
            type: string
        - name: sorters
          in: query
          description: >-
            Sort results using the standard syntax. Sorting is supported for
            the following fields: name, type, status.
          required: false
          schema:
            type: string
      responses:
        '200':
          description: List of access review items.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/AccessReviewItem'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:read'
  /certifications/{id}/decide:
    post:
      operationId: makeCertificationDecision
      tags:
        - Certifications
      summary: Decide on a certification item
      description: >-
        Submit an approval, revocation, or acknowledgment decision for one or
        more access items in the specified certification.
      parameters:
        - name: id
          in: path
          description: The certification ID.
          required: true
          schema:
            type: string
          example: ef38f94347e94562b5bb8424a56397d8
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/CertificationDecision'
      responses:
        '200':
          description: Certification decisions submitted.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityCertificationDecisionSummary'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:manage'
  /certifications/{id}/reassign:
    post:
      operationId: reassignIdentityCertification
      tags:
        - Certifications
      summary: Reassign identities or items
      description: >-
        Reassign one or more identities or access items in the specified
        certification to a different reviewer.
      parameters:
        - name: id
          in: path
          description: The certification ID.
          required: true
          schema:
            type: string
          example: ef38f94347e94562b5bb8424a56397d8
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ReviewReassign'
      responses:
        '200':
          description: Reassignment completed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityCertification'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:manage'
  /certifications/{id}/sign-off:
    post:
      operationId: signOffIdentityCertification
      tags:
        - Certifications
      summary: Finalize identity certification decisions
      description: >-
        Sign off on a certification by its ID, finalizing all decisions. Once
        signed off, the certification is considered complete: decisions can no
        longer be changed, and revocation decisions are submitted for
        remediation.
      parameters:
        - name: id
          in: path
          description: The certification ID.
          required: true
          schema:
            type: string
          example: ef38f94347e94562b5bb8424a56397d8
      responses:
        '200':
          description: Certification signed off.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityCertification'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:manage'
  /certifications/{id}/reviewers:
    get:
      operationId: listCertificationReviewers
      tags:
        - Certifications
      summary: List certification reviewers
      description: >-
        Get a list of reviewers for the specified certification.
      parameters:
        - name: id
          in: path
          description: The certification ID.
          required: true
          schema:
            type: string
          example: ef38f94347e94562b5bb8424a56397d8
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
      responses:
        '200':
          description: List of certification reviewers.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Reviewer'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:read'
  /certifications/{id}/tasks:
    get:
      operationId: listCertificationTasks
      tags:
        - Certifications
      summary: List pending certification tasks
      description: >-
        Get a list of pending certification tasks for the specified
        certification.
      parameters:
        - name: id
          in: path
          description: The certification ID.
          required: true
          schema:
            type: string
          example: ef38f94347e94562b5bb8424a56397d8
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/Offset'
        - $ref: '#/components/parameters/Count'
      responses:
        '200':
          description: List of pending certification tasks.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/CertificationTask'
          headers:
            X-Total-Count:
              description: >-
                Total number of results matching the query. Populated only
                when the count query parameter is true.
              schema:
                type: integer
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:read'
  /certifications/{id}/tasks/{taskId}:
    get:
      operationId: getCertificationTask
      tags:
        - Certifications
      summary: Get a certification task
      description: >-
        Get a specific certification task by its ID.
      parameters:
        - name: id
          in: path
          description: The certification ID.
          required: true
          schema:
            type: string
          example: ef38f94347e94562b5bb8424a56397d8
        - name: taskId
          in: path
          description: The certification task ID.
          required: true
          schema:
            type: string
          example: 2c918086749d78830174a1a40e121518
      responses:
        '200':
          description: A certification task object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CertificationTask'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalServerError'
      security:
        - oauth2:
            - 'idn:certification:read'
components:
  securitySchemes:
    oauth2:
      type: oauth2
      description: >-
        OAuth 2.0 authentication. Use client credentials or authorization code
        flow to obtain access tokens.
flows: clientCredentials: tokenUrl: https://{tenant}.api.identitynow.com/oauth/token scopes: 'idn:identity:read': Read identity information 'idn:identity-profile:read': Read identity profiles 'idn:identity-profile:manage': Manage identity profiles 'idn:access-profile:read': Read access profiles 'idn:access-profile:manage': Manage access profiles 'idn:entitlement:read': Read entitlements 'idn:sources:read': Read sources 'idn:role-unchecked:read': Read roles 'idn:role-unchecked:manage': Manage roles 'idn:certification:read': Read certifications 'idn:certification:manage': Manage certifications authorizationCode: authorizationUrl: https://{tenant}.identitynow.com/oauth/authorize tokenUrl: https://{tenant}.api.identitynow.com/oauth/token scopes: 'idn:identity:read': Read identity information 'idn:identity-profile:read': Read identity profiles 'idn:identity-profile:manage': Manage identity profiles 'idn:access-profile:read': Read access profiles 'idn:access-profile:manage': Manage access profiles 'idn:entitlement:read': Read entitlements 'idn:sources:read': Read sources 'idn:role-unchecked:read': Read roles 'idn:role-unchecked:manage': Manage roles 'idn:certification:read': Read certifications 'idn:certification:manage': Manage certifications personalAccessToken: type: http scheme: bearer bearerFormat: JWT description: >- Personal access token (PAT) authentication. Generate a PAT in Identity Security Cloud and use it as a bearer token. parameters: Limit: name: limit in: query description: >- Maximum number of results to return. Maximum value is 250. required: false schema: type: integer minimum: 0 maximum: 250 default: 250 Offset: name: offset in: query description: >- Offset into the full result set. Usually specified with limit to paginate through the results. required: false schema: type: integer minimum: 0 default: 0 Count: name: count in: query description: >- If true, the total count of items in the full result set is included in the X-Total-Count response header. 
Only items in the current page are returned. Requesting a count can decrease performance. required: false schema: type: boolean default: false schemas: PublicIdentity: type: object description: Details about a public identity. properties: id: type: string description: The identity ID. examples: - 2c9180857182305e0171993735622948 name: type: string description: Human-readable display name of the identity. examples: - Alison Ferguso alias: type: string description: Alternate unique identifier for the identity. examples: - alison.ferguso email: type: - string - 'null' description: Email address of the identity. examples: - alison.ferguso@acme-solar.com status: type: - string - 'null' description: The lifecycle status for the identity. examples: - Active identityState: type: - string - 'null' description: >- The current state of the identity, which determines how Identity Security Cloud interacts with the identity. Active identities are included in identity picklists in Request Center, identity processing, and more. Inactive identities are excluded from these features. enum: - ACTIVE - INACTIVE_SHORT_TERM - INACTIVE_LONG_TERM - null examples: - ACTIVE manager: $ref: '#/components/schemas/IdentityReference' attributes: type: array description: The public identity attributes of the identity. items: $ref: '#/components/schemas/IdentityAttribute' IdentityReference: type: - object - 'null' description: Reference to an identity. properties: type: type: string description: The type of the referenced object. enum: - IDENTITY examples: - IDENTITY id: type: string description: The identity ID. examples: - 2c9180a46faadee4016fb4e018c20639 name: type: string description: Human-readable display name of the identity. examples: - Thomas Edison IdentityAttribute: type: object description: A public identity attribute key-value pair. properties: key: type: string description: The attribute key. 
examples: - country name: type: string description: Human-readable display name of the attribute. examples: - Country value: type: - string - 'null' description: The attribute value. examples: - US IdentityProfile: type: object description: >- An identity profile defines the mapping between source account attributes and identity attributes and configures lifecycle states for identities. required: - name - authoritativeSource properties: id: type: string description: The identity profile ID. readOnly: true examples: - 2b838de9-db9b-abcf-e646-d4f274ad4238 name: type: string description: The identity profile name. examples: - HR Employees description: type: - string - 'null' description: The identity profile description. examples: - My custom flat file profile owner: $ref: '#/components/schemas/OwnerReference' priority: type: integer format: int64 description: The identity profile priority. examples: - 10 authoritativeSource: $ref: '#/components/schemas/SourceReference' identityRefreshRequired: type: boolean default: false description: >- Set to true if an identity refresh is necessary, typically when a change has been made on the source. examples: - true identityCount: type: integer format: int32 description: Number of identities belonging to the identity profile. readOnly: true examples: - 8 hasTimeBasedAttr: type: boolean default: false description: >- Indicates the value of the requiresPeriodicRefresh attribute for the identity profile. examples: - true created: type: string format: date-time description: Date and time the profile was created. readOnly: true examples: - '2023-01-03T21:16:22.432Z' modified: type: string format: date-time description: Date and time the profile was last modified. readOnly: true examples: - '2023-01-05T18:40:35.772Z' OwnerReference: type: object description: Reference to the owner of the object. properties: type: type: string description: >- Owner type. 
Must be either left null or set to IDENTITY on input, otherwise a 400 Bad Request error will result. enum: - IDENTITY examples: - IDENTITY id: type: string description: The owner's identity ID. examples: - 2c9180a46faadee4016fb4e018c20639 name: type: string description: >- The owner's name. If set, it must match the current value of the owner's display name, otherwise a 400 Bad Request error will result. examples: - support SourceReference: type: object description: Reference to a source. properties: type: type: string description: The source object type. enum: - SOURCE examples: - SOURCE id: type: string description: The source ID. examples: - 2c9180835d191a86015d28455b4b232a name: type: string description: The source name. examples: - HR Active Directory AccessProfile: type: object description: >- An access profile groups entitlements that represent access rights on sources. Access profiles are used in provisioning, certifications, access requests, and roles. required: - name - owner - source properties: id: type: string description: The access profile ID. readOnly: true examples: - 2c91808a7190d06e01719938fcd20792 name: type: string description: The access profile name. examples: - Employee-database-read-write description: type: - string - 'null' description: >- The access profile description. Maximum supported length is 2000 characters. maxLength: 2000 examples: - Collection of entitlements to read/write the employee database created: type: string format: date-time description: Date and time the access profile was created. readOnly: true examples: - '2021-03-01T22:32:58.104Z' modified: type: string format: date-time description: Date and time the access profile was last modified. readOnly: true examples: - '2021-03-02T20:22:28.104Z' enabled: type: boolean default: false description: >- Whether the access profile is enabled. If enabled, you must include at least one entitlement. 
examples: - true owner: $ref: '#/components/schemas/OwnerReference' source: $ref: '#/components/schemas/AccessProfileSourceRef' entitlements: type: - array - 'null' description: >- List of entitlements associated with the access profile. If enabled is false, this can be empty. Otherwise, it must contain at least one entitlement. items: $ref: '#/components/schemas/EntitlementRef' requestable: type: boolean default: true description: >- Whether the access profile is requestable via access requests. examples: - true accessRequestConfig: $ref: '#/components/schemas/Requestability' revocationRequestConfig: $ref: '#/components/schemas/Revocability' segments: type: - array - 'null' description: List of segment IDs the access profile is assigned to. items: type: string examples: - - f7b1b8a3-5fed-4fd4-ad29-82014e137e19 - 29cb6c06-1da8-43ea-8be4-b3125f248f2a AccessProfileSourceRef: type: object description: Reference to the source associated with the access profile. properties: id: type: string description: The source ID. examples: - 2c91809773dee3610173fdb1b6969d4e type: type: string description: The source object type. enum: - SOURCE examples: - SOURCE name: type: string description: The source name. examples: - ODS-AD-SOURCE EntitlementRef: type: object description: Reference to an entitlement. properties: type: type: string description: The entitlement object type. enum: - ENTITLEMENT examples: - ENTITLEMENT id: type: string description: The entitlement ID. examples: - 2c91809773dee32014e13e122092014e name: type: string description: The entitlement display name. examples: - CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local Entitlement: type: object description: An entitlement representing access rights on a source. properties: id: type: string description: The entitlement ID. examples: - 2c91809773dee32014e13e122092014e name: type: string description: The entitlement name. 
examples: - CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local description: type: - string - 'null' description: The entitlement description. examples: - Entitlement granting access to the developer tools attribute: type: string description: The name of the entitlement attribute. examples: - memberOf value: type: string description: The value of the entitlement. examples: - CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local sourceSchemaObjectType: type: string description: The object type of the source schema. examples: - group privileged: type: boolean description: Whether the entitlement is privileged. default: false cloudGoverned: type: boolean description: Whether the entitlement is governed in the cloud. default: false created: type: string format: date-time description: Date and time the entitlement was created. readOnly: true modified: type: string format: date-time description: Date and time the entitlement was last modified. readOnly: true source: $ref: '#/components/schemas/EntitlementSourceRef' owner: $ref: '#/components/schemas/OwnerReference' EntitlementSourceRef: type: object description: Reference to the source associated with the entitlement. properties: id: type: string description: The source ID. examples: - 2c9180835d191a86015d28455b4b232a type: type: string description: The source object type. examples: - SOURCE name: type: string description: The source name. examples: - ODS-AD-SOURCE Requestability: type: - object - 'null' description: Access request configuration for the object. properties: commentsRequired: type: boolean default: false description: Whether comments are required for access requests. denialCommentsRequired: type: boolean default: false description: Whether comments are required for denial of access requests. approvalSchemes: type: array description: List of approval schemes for access requests. 
items: $ref: '#/components/schemas/ApprovalScheme' Revocability: type: - object - 'null' description: Revocation request configuration for the object. properties: commentsRequired: type: boolean default: false description: Whether comments are required for revocation requests. denialCommentsRequired: type: boolean default: false description: Whether comments are required for denial of revocation requests. approvalSchemes: type: array description: List of approval schemes for revocation requests. items: $ref: '#/components/schemas/ApprovalScheme' ApprovalScheme: type: object description: An approval scheme defining the approval process. properties: approverType: type: string description: >- The type of approver. APP_OWNER is the application owner, OWNER is the access profile/role owner, SOURCE_OWNER is the source owner, MANAGER is the requesting user's manager, and GOVERNANCE_GROUP is a governance group. enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP examples: - MANAGER approverId: type: - string - 'null' description: >- The ID of the approver. Only required when approverType is GOVERNANCE_GROUP. examples: - 46c79c6399252b1a80dbdff5e2b1d4b7 AccessProfileRef: type: object description: Reference to an access profile. properties: id: type: string description: The access profile ID. examples: - ff808081751e6e129f1518161919ecca type: type: string description: The access profile object type. enum: - ACCESS_PROFILE examples: - ACCESS_PROFILE name: type: string description: Human-readable display name of the access profile. examples: - Access Profile 2567 Role: type: object description: >- A role represents the broadest level of access and groups one or more access profiles. Roles can be automatically assigned to qualified identities based on configured criteria. required: - name - owner properties: id: type: string description: >- The role ID. This field must be left null when creating a role. 
readOnly: true examples: - 2c918086749d78830174a1a40e121518 name: type: string description: Human-readable display name of the role. maxLength: 128 examples: - Role 2567 description: type: - string - 'null' description: >- A human-readable description of the role. Maximum supported length is 2000 characters. maxLength: 2000 examples: - This role grants developers access to the source code repository and CI/CD pipeline. created: type: string format: date-time description: Date the role was created. readOnly: true examples: - '2021-03-01T22:32:58.104Z' modified: type: string format: date-time description: Date the role was last modified. readOnly: true examples: - '2021-03-02T20:22:28.104Z' owner: $ref: '#/components/schemas/OwnerReference' accessProfiles: type: - array - 'null' description: List of access profiles associated with the role. items: $ref: '#/components/schemas/AccessProfileRef' entitlements: type: array description: List of entitlements directly associated with the role. items: $ref: '#/components/schemas/EntitlementRef' membership: $ref: '#/components/schemas/RoleMembershipSelector' enabled: type: boolean default: false description: Whether the role is enabled. examples: - true requestable: type: boolean default: false description: Whether the role can be the target of access requests. examples: - true accessRequestConfig: $ref: '#/components/schemas/RequestabilityForRole' revocationRequestConfig: $ref: '#/components/schemas/RevocabilityForRole' segments: type: - array - 'null' description: List of IDs of segments the role is assigned to. items: type: string examples: - - f7b1b8a3-5fed-4fd4-ad29-82014e137e19 - 29cb6c06-1da8-43ea-8be4-b3125f248f2a dimensional: type: - boolean - 'null' default: false description: Whether the role is dimensional. RoleMembershipSelector: type: - object - 'null' description: >- Defines the criteria for role membership. When configured, Identity Security Cloud automatically assigns the role to qualifying identities. 
properties: type: type: string description: The type of role membership selector. enum: - STANDARD - IDENTITY_LIST examples: - STANDARD criteria: $ref: '#/components/schemas/RoleCriteriaLevel1' identities: type: - array - 'null' description: >- List of identities for IDENTITY_LIST membership type. items: $ref: '#/components/schemas/RoleMembershipIdentity' RoleCriteriaLevel1: type: - object - 'null' description: Top-level role criteria expression. properties: operation: type: string description: The logical operation for combining criteria. enum: - EQUALS - NOT_EQUALS - CONTAINS - STARTS_WITH - ENDS_WITH - AND - OR examples: - EQUALS key: $ref: '#/components/schemas/RoleCriteriaKey' stringValue: type: - string - 'null' description: String value for comparison when operation is a leaf. children: type: - array - 'null' description: Child criteria for compound operations (AND, OR). items: $ref: '#/components/schemas/RoleCriteriaLevel2' RoleCriteriaLevel2: type: object description: Second-level role criteria expression. properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - STARTS_WITH - ENDS_WITH - AND - OR key: $ref: '#/components/schemas/RoleCriteriaKey' stringValue: type: - string - 'null' children: type: - array - 'null' items: $ref: '#/components/schemas/RoleCriteriaLevel3' RoleCriteriaLevel3: type: object description: Third-level (leaf) role criteria expression. properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - STARTS_WITH - ENDS_WITH key: $ref: '#/components/schemas/RoleCriteriaKey' stringValue: type: - string - 'null' RoleCriteriaKey: type: - object - 'null' description: The key element for role criteria. properties: type: type: string description: The type of criteria key. enum: - IDENTITY - ACCOUNT - ENTITLEMENT examples: - IDENTITY property: type: string description: The property name for the criteria. examples: - attribute.department sourceId: type: - string - 'null' description: >- The ID of the source. 
Required for ACCOUNT and ENTITLEMENT types. examples: - 2c9180867427f3a301745aec18211519 RoleMembershipIdentity: type: object description: An identity for role membership. properties: type: type: string description: The type of the identity. enum: - IDENTITY examples: - IDENTITY id: type: string description: The identity ID. examples: - 2c9180a46faadee4016fb4e018c20639 name: type: string description: The identity name. examples: - Thomas Edison aliasName: type: - string - 'null' description: The identity alias name. examples: - t.edison RoleIdentity: type: object description: An identity assigned to a role. properties: id: type: string description: The identity ID. examples: - 2c9180a46faadee4016fb4e018c20639 aliasName: type: - string - 'null' description: The identity alias. examples: - t.edison name: type: string description: The identity display name. examples: - Thomas Edison email: type: - string - 'null' description: The identity email. examples: - t.edison@example.com roleAssignmentSource: type: string description: How the role was assigned. enum: - ROLE_MEMBERSHIP - ACCESS_REQUEST examples: - ROLE_MEMBERSHIP RequestabilityForRole: type: - object - 'null' description: Access request configuration for a role. properties: commentsRequired: type: boolean default: false description: Whether comments are required for access requests. denialCommentsRequired: type: boolean default: false description: Whether comments are required for denial. approvalSchemes: type: array description: List of approval schemes for access requests. items: $ref: '#/components/schemas/ApprovalScheme' RevocabilityForRole: type: - object - 'null' description: Revocation request configuration for a role. properties: commentsRequired: type: boolean default: false description: Whether comments are required for revocation requests. denialCommentsRequired: type: boolean default: false description: Whether comments are required for denial. 
approvalSchemes: type: array description: List of approval schemes for revocation requests. items: $ref: '#/components/schemas/ApprovalScheme' RoleBulkDeleteRequest: type: object description: Request body for bulk deleting roles. required: - roleIds properties: roleIds: type: array description: List of role IDs to delete. items: type: string examples: - - 2c918086749d78830174a1a40e121518 - 2c918086749d78830174a1a40e121519 IdentityCertification: type: object description: >- An identity certification used in access review campaigns to review a user's access to entitlements and approve or remove that access. properties: id: type: string description: The certification ID. examples: - 2c9180835d2e5168015d32f890ca1581 name: type: string description: The certification name. examples: - Source Owner Access Review for Employees [source] campaign: $ref: '#/components/schemas/CampaignReference' completed: type: boolean description: Whether all decisions have been made. examples: - true identitiesCompleted: type: integer format: int32 description: >- The number of identities for whom all decisions have been made and are complete. examples: - 5 identitiesTotal: type: integer format: int32 description: >- The total number of identities in the certification, both complete and incomplete. examples: - 10 created: type: string format: date-time description: Date and time the certification was created. examples: - '2018-06-25T20:22:28.104Z' modified: type: string format: date-time description: Date and time the certification was last modified. examples: - '2018-06-25T20:22:28.104Z' decisionsMade: type: integer format: int32 description: >- The number of approve/revoke/acknowledge decisions that have been made. examples: - 20 decisionsTotal: type: integer format: int32 description: >- The total number of approve/revoke/acknowledge decisions. examples: - 40 due: type: - string - 'null' format: date-time description: The due date of the certification. 
examples: - '2018-10-19T13:49:37.385Z' signed: type: - string - 'null' format: date-time description: >- The date the reviewer signed off on the certification. examples: - '2018-10-19T13:49:37.385Z' reviewer: $ref: '#/components/schemas/Reviewer' reassignment: $ref: '#/components/schemas/Reassignment' hasErrors: type: boolean description: Whether the certification has an error. examples: - false errorMessage: type: - string - 'null' description: Description of the certification error. examples: - The certification has an error phase: type: string description: >- The current phase of the campaign. STAGED means the campaign is waiting to be activated. ACTIVE means the campaign is active. SIGNED means the reviewer has signed off and it is complete. enum: - STAGED - ACTIVE - SIGNED examples: - ACTIVE CampaignReference: type: object description: Reference to the campaign associated with the certification. required: - id - name - type - campaignType properties: id: type: string description: The unique ID of the campaign. examples: - ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the campaign. examples: - Campaign Name type: type: string description: The type of object being referenced. enum: - CAMPAIGN examples: - CAMPAIGN campaignType: type: string description: The type of the campaign. enum: - MANAGER - SOURCE_OWNER - SEARCH examples: - MANAGER description: type: - string - 'null' description: The description of the campaign. examples: - A description of the campaign correlatedStatus: type: string description: >- The correlated status of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated campaign only includes uncorrelated identities. enum: - CORRELATED - UNCORRELATED examples: - CORRELATED mandatoryCommentRequirement: type: string description: >- Determines whether comments are required for decisions during certification reviews. By default, comments are not required. 
enum: - ALL_DECISIONS - REVOKE_ONLY_DECISIONS - NO_DECISIONS examples: - NO_DECISIONS Reviewer: type: object description: The reviewer of a certification. properties: id: type: string description: The reviewer ID. examples: - ef38f94347e94562b5bb8424a56397d8 name: type: string description: The reviewer name. examples: - Reviewer Name email: type: string description: The reviewer email address. examples: - reviewer@test.com type: type: string description: The type of the reviewing identity. enum: - IDENTITY examples: - IDENTITY created: type: - string - 'null' format: date-time description: The date the reviewing identity was created. examples: - '2018-06-25T20:22:28.104Z' modified: type: - string - 'null' format: date-time description: The date the reviewing identity was last modified. examples: - '2018-06-25T20:22:28.104Z' Reassignment: type: - object - 'null' description: >- Information about a certification reassignment, if applicable. properties: from: $ref: '#/components/schemas/IdentityReference' comment: type: - string - 'null' description: The comment provided when reassigning. examples: - Reassigning to the new team lead AccessReviewItem: type: object description: >- An access review item within a certification, representing access that is being reviewed. properties: id: type: string description: The access review item ID. examples: - 2c9180857182305e0171993735622948 accessSummary: $ref: '#/components/schemas/AccessSummary' identitySummary: $ref: '#/components/schemas/CertificationIdentitySummary' decision: type: string description: The current decision for this item. enum: - APPROVE - REVOKE - ACKNOWLEDGE examples: - APPROVE recommendation: $ref: '#/components/schemas/ReviewRecommendation' comments: type: - string - 'null' description: Comments provided with the decision. completed: type: boolean description: Whether a decision has been made on this item. examples: - false AccessSummary: type: object description: Summary of the access being reviewed. 
      properties:
        access:
          type: object
          description: The access item being reviewed.
          properties:
            type:
              type: string
              description: The type of access.
              enum:
                - ROLE
                - ACCESS_PROFILE
                - ENTITLEMENT
              examples:
                - ACCESS_PROFILE
            id:
              type: string
              description: The ID of the access item.
              examples:
                - 2c91808568c529c60168cee9c85a015f
            name:
              type: string
              description: The name of the access item.
              examples:
                - Cloud Engineering Access
        entitlement:
          type:
            - object
            - 'null'
          description: The entitlement associated with this access item.
          properties:
            id:
              type: string
              description: The entitlement ID.
            name:
              type: string
              description: The entitlement name.
    CertificationIdentitySummary:
      type: object
      description: Summary of the identity being certified.
      properties:
        id:
          type: string
          description: The identity ID.
          examples:
            - 2c9180857182305e0171993735622948
        name:
          type: string
          description: The identity name.
          examples:
            - Alison Ferguso
        identityId:
          type: string
          description: The identity unique identifier.
          examples:
            - ALF01
        completed:
          type: boolean
          description: >-
            Whether all decisions have been made for this identity.
          examples:
            - false
    ReviewRecommendation:
      type:
        - object
        - 'null'
      description: >-
        AI-driven recommendation for the review item.
      properties:
        recommendation:
          type:
            - string
            - 'null'
          description: The recommended decision.
          enum:
            - APPROVE
            - REVOKE
            - null
          examples:
            - APPROVE
        reasons:
          type: array
          description: Reasons for the recommendation.
          items:
            type: string
        timestamp:
          type:
            - string
            - 'null'
          format: date-time
          description: The date the recommendation was generated.
    CertificationDecision:
      type: object
      description: >-
        A decision made on a certification item, approving, revoking, or
        acknowledging access.
      required:
        - id
        - decision
      properties:
        id:
          type: string
          description: The ID of the access review item being decided.
          examples:
            - 2c9180857182305e0171993735622948
        decision:
          type: string
          description: The decision for the certification item.
          enum:
            - APPROVE
            - REVOKE
            - ACKNOWLEDGE
          examples:
            - APPROVE
        bulk:
          type: boolean
          default: false
          description: >-
            Whether this is a bulk decision applying to multiple items.
        comments:
          type:
            - string
            - 'null'
          description: Comments to accompany the decision.
          examples:
            - Access is still required for this project
    IdentityCertificationDecisionSummary:
      type: object
      description: Summary of certification decisions.
      properties:
        entitiesCertified:
          type: integer
          format: int32
          description: Number of entities certified.
        entitiesCompleted:
          type: integer
          format: int32
          description: Number of entities completed.
        entitiesTotalCount:
          type: integer
          format: int32
          description: Total count of entities.
    ReviewReassign:
      type: object
      description: Request body to reassign a certification review.
      required:
        - reassign
        - reason
      properties:
        reassign:
          type: array
          description: List of reassignment items.
          items:
            type: object
            properties:
              id:
                type: string
                description: The ID of the item or identity to reassign.
              type:
                type: string
                description: The type of item to reassign.
                enum:
                  - TARGET_SUMMARY
                  - ACCESS_REVIEW_ITEM
        reassignTo:
          $ref: '#/components/schemas/IdentityReference'
        reason:
          type: string
          description: The reason for the reassignment.
          examples:
            - Reassigning to the appropriate reviewer
    CertificationTask:
      type: object
      description: A pending certification task.
      properties:
        id:
          type: string
          description: The certification task ID.
          examples:
            - 2c918086749d78830174a1a40e121518
        type:
          type: string
          description: The type of the task.
          examples:
            - ADMIN_REASSIGN
        targetType:
          type: string
          description: The type of the target.
          enum:
            - CAMPAIGN
            - CERTIFICATION
          examples:
            - CERTIFICATION
        targetId:
          type: string
          description: The ID of the target.
          examples:
            - ef38f94347e94562b5bb8424a56397d8
        status:
          type: string
          description: The status of the task.
          enum:
            - QUEUED
            - IN_PROGRESS
            - SUCCESS
            - ERROR
          examples:
            - QUEUED
        created:
          type: string
          format: date-time
          description: When the task was created.
    AccessProfileBulkDeleteRequest:
      type: object
      description: Request body for bulk deleting access profiles.
      required:
        - accessProfileIds
      properties:
        accessProfileIds:
          type: array
          description: List of access profile IDs to delete.
          items:
            type: string
          examples:
            - - 2c91808a7190d06e01719938fcd20792
              - 2c91808a7190d06e01719938fcd20793
        bestEffortOnly:
          type: boolean
          default: false
          description: >-
            If true, silently skip access profiles that cannot be deleted.
    AccessProfileBulkDeleteResponse:
      type: object
      description: Response body for bulk deleting access profiles.
      properties:
        pending:
          type: array
          description: IDs of access profiles queued for deletion.
          items:
            type: string
        inUse:
          type: array
          description: >-
            Details about access profiles that could not be deleted because
            they are in use.
          items:
            type: object
            properties:
              accessProfileId:
                type: string
                description: The access profile ID.
              usedBy:
                type: array
                description: Objects using this access profile.
                items:
                  type: object
                  properties:
                    type:
                      type: string
                    id:
                      type: string
                    name:
                      type: string
    TaskResultSimplified:
      type: object
      description: A simplified task result for asynchronous operations.
      properties:
        id:
          type: string
          description: The task ID.
          examples:
            - 464ae7bf-791e-49fd-b746-06a2e4a89635
        type:
          type: string
          description: The type of task.
          examples:
            - TASK_RESULT
        name:
          type:
            - string
            - 'null'
          description: The task name.
    JsonPatchOperation:
      type: object
      description: A JSON Patch operation as defined in RFC 6902.
      required:
        - op
        - path
      properties:
        op:
          type: string
          description: The operation to perform.
          enum:
            - add
            - remove
            - replace
            - move
            - copy
            - test
          examples:
            - replace
        path:
          type: string
          description: The JSON pointer path for the operation.
          examples:
            - /description
        value:
          description: The value for the operation (required for add, replace, test).
    ErrorResponseDto:
      type: object
      description: Error response body.
      properties:
        detailCode:
          type: string
          description: Fine-grained error code providing more detail.
          examples:
            - 400.1 Bad Request Content
        trackingId:
          type: string
          description: Unique tracking ID for the error.
          examples:
            - e7eab60924f64aa284175b9fa3309599
        messages:
          type: array
          description: Generic localized reason for error.
          items:
            type: object
            properties:
              locale:
                type: string
                description: The locale for the message text.
                examples:
                  - en-US
              localeOrigin:
                type: string
                description: >-
                  An indicator of how the locale was selected.
                enum:
                  - DEFAULT
                  - REQUEST
                examples:
                  - DEFAULT
              text:
                type: string
                description: The actual text of the error message.
                examples:
                  - The request was syntactically correct but its content is semantically invalid.
        causes:
          type: array
          description: >-
            Plain-text descriptive reasons to provide additional detail to the
            text provided in the messages field.
          items:
            type: object
            properties:
              locale:
                type: string
                examples:
                  - en-US
              localeOrigin:
                type: string
                enum:
                  - DEFAULT
                  - REQUEST
              text:
                type: string
  responses:
    BadRequest:
      description: >-
        Client Error - Returned if the request body is invalid.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponseDto'
    Unauthorized:
      description: >-
        Unauthorized - Returned if there is no authorization header, or if the
        JWT token is expired.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponseDto'
    Forbidden:
      description: >-
        Forbidden - Returned if the user you are running as does not have
        access to this endpoint.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponseDto'
    NotFound:
      description: >-
        Not Found - Returned if the specified resource does not exist.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponseDto'
    TooManyRequests:
      description: >-
        Too Many Requests - Returned in response to too many requests in a
        given period of time, rate limited. The Retry-After header in the
        response includes how long to wait before trying again.
      headers:
        Retry-After:
          description: Number of seconds to wait before retrying.
          schema:
            type: integer
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponseDto'
    InternalServerError:
      description: >-
        Internal Server Error - Returned if there is an unexpected error.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponseDto'
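The JsonPatchOperation schema above lists all six RFC 6902 operations but only describes `value`; `move` and `copy` additionally need a `from` pointer, which the schema does not declare, and a `test` op is the only thing that stops a PATCH built from a stale read from flipping a field such as an access profile's `enabled` or `requestable` flag. The following is an added example, not SailPoint's code and not taken from this spec: a small RFC 6902 applier with RFC 6901 pointer unescaping (`~1`, `~0`), all-or-nothing semantics on a deep copy, and a helper that prefixes a patch with `test` guards. Root-level operations (`path: ""`) are deliberately not supported, and the access profile document in the test is constructed.

```python
"""Added example, not SailPoint code: apply a list of JsonPatchOperation objects
(RFC 6902) to a local copy of a resource, with RFC 6901 pointer unescaping and
all-or-nothing semantics. A failed 'test' aborts the whole patch."""
from __future__ import annotations

import copy
from typing import Any

OPS = {"add", "remove", "replace", "move", "copy", "test"}   # JsonPatchOperation.op enum


class PatchError(Exception):
    """Any failure aborts the whole patch; the caller's document is untouched."""


def parse_pointer(path: str) -> list[str]:
    """RFC 6901: '' is the root; otherwise '/'-separated tokens, ~1 then ~0 unescaped."""
    if path == "":
        return []
    if not path.startswith("/"):
        raise PatchError(f"pointer must start with '/': {path!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in path[1:].split("/")]


def _index(arr: list, tok: str, allow_end: bool = False) -> int:
    """Array token: digits without leading zeros, or '-' meaning 'append' where allowed."""
    if tok == "-" and allow_end:
        return len(arr)
    if not tok.isdigit() or (len(tok) > 1 and tok[0] == "0"):
        raise PatchError(f"bad array index {tok!r}")
    i = int(tok)
    if i > len(arr) or (i == len(arr) and not allow_end):
        raise PatchError(f"index {i} out of range")
    return i


def _child(node: Any, tok: str) -> Any:
    if isinstance(node, dict):
        if tok not in node:
            raise PatchError(f"missing member {tok!r}")
        return node[tok]
    if isinstance(node, list):
        return node[_index(node, tok)]
    raise PatchError(f"cannot descend into {type(node).__name__}")


def _resolve(doc: Any, path: str) -> Any:
    node = doc
    for tok in parse_pointer(path):
        node = _child(node, tok)
    return node


def _parent(doc: Any, path: str) -> tuple[Any, str]:
    tokens = parse_pointer(path)
    if not tokens:
        raise PatchError("operations on the root document are not supported here")
    node = doc
    for tok in tokens[:-1]:
        node = _child(node, tok)
    return node, tokens[-1]


def _add(doc: Any, path: str, value: Any) -> None:
    parent, last = _parent(doc, path)
    if isinstance(parent, dict):
        parent[last] = value          # on an object, add creates or overwrites the member
    elif isinstance(parent, list):
        parent.insert(_index(parent, last, allow_end=True), value)
    else:
        raise PatchError("parent is not a container")


def _remove(doc: Any, path: str) -> Any:
    parent, last = _parent(doc, path)
    if isinstance(parent, dict):
        if last not in parent:
            raise PatchError(f"missing member {last!r}")
        return parent.pop(last)
    if isinstance(parent, list):
        return parent.pop(_index(parent, last))
    raise PatchError("parent is not a container")


def apply_patch(document: Any, operations: list[dict[str, Any]]) -> Any:
    """Apply operations in order on a deep copy; raise PatchError on any failure."""
    doc = copy.deepcopy(document)
    for n, op in enumerate(operations):
        kind, path = op.get("op"), op.get("path")
        if kind not in OPS or not isinstance(path, str):
            raise PatchError(f"operation {n}: malformed {op!r}")
        if kind in ("add", "replace", "test") and "value" not in op:
            raise PatchError(f"operation {n}: {kind} requires 'value'")
        if kind in ("move", "copy") and not isinstance(op.get("from"), str):
            raise PatchError(f"operation {n}: {kind} requires 'from' (RFC 6902 4.4, 4.5)")
        if kind == "test":
            if _resolve(doc, path) != op["value"]:
                raise PatchError(f"operation {n}: test failed at {path}")
        elif kind == "add":
            _add(doc, path, op["value"])
        elif kind == "remove":
            _remove(doc, path)
        elif kind == "replace":
            _resolve(doc, path)           # target must already exist, unlike add
            _add(doc, path, op["value"])
        elif kind == "copy":
            _add(doc, path, copy.deepcopy(_resolve(doc, op["from"])))
        else:                             # move
            _add(doc, path, _remove(doc, op["from"]))
    return doc


def guarded_patch(expected: dict[str, Any], ops: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Prefix a patch with 'test' ops so it is rejected whole if the resource changed under you."""
    return [{"op": "test", "path": p, "value": v} for p, v in expected.items()] + ops
```

Send `guarded_patch({"/enabled": True}, [...])` as the PATCH body when you last read the profile with `enabled: true`; a server implementing RFC 6902 rejects the whole document if the flag has since changed, which `apply_patch` reproduces locally for dry runs and unit tests.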
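The CertificationDecision schema fixes the decision enum and the required members, and the responses section says 429 carries an integer Retry-After while every error body is an ErrorResponseDto with a trackingId. The following is an added example, not SailPoint's code, that uses both: it validates decisions client-side, submits them through an injected transport, retries only on 429 with a capped Retry-After, and raises an exception carrying the detailCode, trackingId and message texts. The endpoint path `/certifications/{id}/decide`, the `MAX_RETRY_AFTER` and `MAX_ATTEMPTS` limits, and the scripted replies are assumptions for illustration; confirm the path against the operation in your tenant's spec.

```python
"""Added example, not SailPoint code: validate CertificationDecision payloads
against the schema constraints and submit them through a transport that honours
429 Retry-After and surfaces ErrorResponseDto fields. The transport is an
injected callable so the flow runs offline against scripted responses."""
from __future__ import annotations

import json
import time
from dataclasses import dataclass, field
from typing import Any, Callable

DECISIONS = {"APPROVE", "REVOKE", "ACKNOWLEDGE"}      # CertificationDecision.decision enum
ALLOWED_KEYS = {"id", "decision", "bulk", "comments"}  # properties the schema declares
MAX_RETRY_AFTER = 60   # assumption: never honour a server-requested wait longer than this
MAX_ATTEMPTS = 5       # assumption: give up after this many 429 replies


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""


# (method, path, json_body) -> Response; swap in a real HTTP client in production.
Transport = Callable[[str, str, str], Response]


class ApiError(Exception):
    """Non-2xx reply, carrying the ErrorResponseDto fields needed for a support ticket."""

    def __init__(self, status: int, body: dict[str, Any]):
        self.status = status
        self.detail_code = body.get("detailCode")
        self.tracking_id = body.get("trackingId")
        self.messages = [m.get("text", "") for m in body.get("messages", [])]
        super().__init__(f"HTTP {status} {self.detail_code}: {'; '.join(self.messages)} "
                         f"(trackingId={self.tracking_id})")


def validate_decisions(decisions: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Reject malformed decisions locally instead of learning about them from a 400."""
    out = []
    for n, d in enumerate(decisions):
        unknown = set(d) - ALLOWED_KEYS
        if unknown:
            raise ValueError(f"decision {n}: unknown keys {sorted(unknown)}")
        if not isinstance(d.get("id"), str) or not d["id"]:
            raise ValueError(f"decision {n}: 'id' is required")
        if d.get("decision") not in DECISIONS:
            raise ValueError(f"decision {n}: 'decision' must be one of {sorted(DECISIONS)}")
        bulk, comments = d.get("bulk", False), d.get("comments")
        if not isinstance(bulk, bool) or (comments is not None and not isinstance(comments, str)):
            raise ValueError(f"decision {n}: bad 'bulk' or 'comments' type")
        out.append({"id": d["id"], "decision": d["decision"], "bulk": bulk, "comments": comments})
    return out


def parse_retry_after(headers: dict[str, str], attempt: int) -> int:
    """Seconds to wait: the server's integer Retry-After (capped), else exponential backoff."""
    raw = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    if raw is not None and raw.strip().isdigit():
        return min(int(raw), MAX_RETRY_AFTER)
    return min(2 ** attempt, MAX_RETRY_AFTER)


def submit_decisions(transport: Transport, certification_id: str,
                     decisions: list[dict[str, Any]],
                     sleep: Callable[[float], Any] = time.sleep) -> Any:
    """POST validated decisions, retrying only on 429 and raising ApiError otherwise."""
    payload = json.dumps(validate_decisions(decisions))
    path = f"/certifications/{certification_id}/decide"   # assumed path; verify in your spec
    for attempt in range(MAX_ATTEMPTS):
        resp = transport("POST", path, payload)
        if resp.status == 429:
            sleep(parse_retry_after(resp.headers, attempt))
            continue
        body = json.loads(resp.body) if resp.body else {}
        if 200 <= resp.status < 300:
            return body
        raise ApiError(resp.status, body)   # 400/401/403/404/500: never retried blindly
    raise ApiError(429, {"detailCode": "client.retries_exhausted", "messages": []})


def scripted_transport(replies: list[Response]) -> Transport:
    """Constructed stand-in for an HTTP client: returns the scripted replies in order."""
    it = iter(replies)

    def send(method: str, path: str, body: str) -> Response:
        json.loads(body)   # the outgoing payload must at least be valid JSON
        return next(it)
    return send


if __name__ == "__main__":
    # Constructed sample: one 429 carrying Retry-After, then success.
    script = [Response(429, {"Retry-After": "3"}), Response(200, body='{"entitiesCompleted": 1}')]
    waits: list[float] = []
    print(submit_decisions(scripted_transport(script), "ef38f94347e94562b5bb8424a56397d8",
                           [{"id": "2c9180857182305e0171993735622948", "decision": "APPROVE"}],
                           sleep=waits.append), waits)
```

Keeping 401, 403 and 404 out of the retry loop matters: an expired token or a missing certification does not heal with time, and hammering a Forbidden endpoint only adds noise to the audit trail. Log `tracking_id` with every failure so support can correlate it server-side.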