openapi: 3.0.1
info:
title: IdentityNow Beta API
description: 'Use these APIs to interact with the IdentityNow platform to achieve repeatable, automated processes with greater scalability. These APIs are in beta and are subject to change. We encourage you to join the SailPoint Developer Community forum at https://developer.sailpoint.com/discuss to connect with other developers using our APIs.'
termsOfService: 'https://developer.sailpoint.com/discuss/tos'
contact:
name: Developer Relations
url: 'https://developer.sailpoint.com/discuss/api-help'
license:
name: MIT
url: 'https://opensource.org/licenses/MIT'
version: 3.1.0-beta
servers:
- url: 'https://{tenant}.api.identitynow.com/beta'
description: This is the beta API server.
variables:
tenant:
default: sailpoint
description: 'This is the name of your tenant, typically your company''s name.'
tags:
- name: Access Profiles
description: |
Use this API to implement and customize access profile functionality.
With this functionality in place, administrators can create access profiles and configure them for use throughout IdentityNow, enabling users to get the access they need quickly and securely.
Access profiles group entitlements, which represent access rights on sources.
For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers,' grouping the 'Employees' entitlement with the 'Developers' entitlement.
When users only need Active Directory employee access, they can request access to the 'Employees' entitlement.
When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.
Access profiles are the most important units of access in IdentityNow. IdentityNow uses access profiles in many features, including the following:
- Provisioning: When you use the Provisioning Service, lifecycle states and roles both grant access to users in the form of access profiles.
- Certifications: You can approve or revoke access profiles in certification campaigns, just like entitlements.
- Access Requests: You can assign access profiles to applications, and when a user requests access to the app associated with an access profile and someone approves the request, access is granted to both the application and its associated access profile.
- Roles: You can group one or more access profiles into a role to quickly assign access items based on an identity's role.
In IdentityNow, administrators can use the Access drop-down menu and select Access Profiles to view, configure, and delete existing access profiles, as well as create new ones.
Administrators can enable and disable an access profile, and they can also make the following configurations:
- Manage Entitlements: Manage the profile's access by adding and removing entitlements.
- Access Requests: Configure access profiles to be requestable and establish an approval process for any requests that the access profile be granted or revoked.
Do not configure an access profile to be requestable without first establishing a secure access request approval process for the access profile.
- Multiple Account Options: Define the logic IdentityNow uses to provision access to an identity with multiple accounts on the source.
Refer to [Managing Access Profiles](https://documentation.sailpoint.com/saas/help/access/access-profiles.html) for more information about access profiles.
- name: Access Request Approvals
description: |
Use this API to implement and customize access request approval functionality.
With this functionality in place, administrators can delegate qualified users to review users' requests for access or managers' requests to revoke team members' access to applications, entitlements, or roles.
This enables more qualified users to review access requests and the others to spend their time on other tasks.
In IdentityNow, users can request access to applications, entitlements, and roles, and managers can request that team members' access be revoked.
For applications and entitlements, administrators can set access profiles to require approval from the access profile owner, the application owner, the source owner, the requesting user's manager, or a governance group for access to be granted or revoked.
For roles, administrators can also set roles to allow access requests and require approval from the role owner, the requesting user's manager, or a governance group for access to be granted or revoked.
If the administrator designates a governance group as the required approver, any governance group member can approve the requests.
When a user submits an access request, IdentityNow sends the first required approver in the queue an email notification, based on the access request configuration's approval and reminder escalation configuration.
In Approvals in IdentityNow, required approvers can view pending access requests under the Requested tab and approve or deny them, or the approvers can reassign the requests to different reviewers for approval.
If the required approver approves the request and is the only reviewer required, IdentityNow grants or revokes access, based on the request.
If multiple reviewers are required, IdentityNow sends the request to the next reviewer in the queue, based on the access request configuration's approval reminder and escalation configuration.
The required approver can then view any completed access requests under the Reviewed tab.
Refer to [Access Requests](https://documentation.sailpoint.com/saas/help/requests/index.html) for more information about access request approvals.
- name: Access Requests
description: |
Use this API to implement and customize access request functionality.
With this functionality in place, users can request access to applications, entitlements, or roles, and managers can request that team members' access be revoked.
This allows users to get access to the tools they need quickly and securely, and it allows managers to take away access to those tools.
IdentityNow's Access Request service allows end users to request access that requires approval before it can be granted to users and enables qualified users to review those requests and approve or deny them.
In the Request Center in IdentityNow, users can view available applications, roles, and entitlements and request access to them.
If the requested tools require approval, the requests appear as 'Pending' under the My Requests tab until the required approver approves, rejects, or cancels them.
Users can use My Requests to track and/or cancel the requests.
In My Team on the IdentityNow Home, managers can submit requests to revoke their team members' access.
They can use the My Requests tab under Request Center to track and/or cancel the requests.
Refer to [Requesting Access](https://documentation.sailpoint.com/saas/user-help/requests/requesting_access.html) for more information about access requests.
- name: Account Activities
description: |
Use this API to implement account activity tracking functionality.
With this functionality in place, users can track source account activity in IdentityNow, which greatly improves traceability in the system.
An account activity refers to a log of each action performed on a source account. This is useful for auditing the changes that occur on an account throughout its life.
In IdentityNow's Search, users can search for account activities and select the activity's row to get an overview of the activity's account action and view its progress, its involved sources, and its most basic metadata, such as the identity requesting the option and the recipient.
Account activity includes most actions IdentityNow completes on source accounts. Users can search in IdentityNow for the following account action types:
- Access Request: These include any access requests the source account is involved in.
- Account Attribute Updates: These include updates to a single attribute on an account on a source.
- Account State Update: These include locking or unlocking actions on an account on a source.
- Certification: These include actions removing an entitlement from an account on a source as a result of the entitlement's revocation during a certification.
- Cloud Automated `Lifecyclestate`: These include automated lifecycle state changes that result in a source account's correlated identity being assigned to a different lifecycle state.
IdentityNow replaces the `Lifecyclestate` variable with the name of the lifecycle state it has moved the account's identity to.
- Identity Attribute Update: These include updates to a source account's correlated identity attributes as the result of a provisioning action.
When you update an identity attribute that also updates an identity's lifecycle state, the cloud automated `Lifecyclestate` event also displays.
Account Activity does not include attribute updates that occur as a result of aggregation.
- Identity Refresh: These include correlated identity refreshes that occur for an account on a source whenever the account's correlated identity profile gets a new role or updates.
These also include refreshes that occur whenever IdentityNow assigns an application to the account's correlated identity based on the application's being assigned to All Users From Source or Specific Users From Source.
- Lifecycle State Refresh: These include the actions that took place when a lifecycle state changed. This event only occurs after a cloud automated `Lifecyclestate` change or a lifecycle state change.
- Lifecycle State Change: These include the account activities that result from an identity's manual assignment to a null lifecycle state.
- Password Change: These include password changes on sources.
Refer to [Account Activity](https://documentation.sailpoint.com/saas/help/search/index.html#account-activity) for more information about account activities.
- name: Account Aggregations
description: |
Use this API to implement account aggregation progress tracking functionality.
With this functionality in place, administrators can view in-progress account aggregations, their statuses, and their relevant details.
An account aggregation refers to the process IdentityNow uses to gather and load account data from a source into IdentityNow.
Whenever IdentityNow is in the process of aggregating a source, it adds an entry to the Aggregation Activity Log, along with its relevant details.
To view aggregation activity, administrators can select the Connections drop-down menu, select Sources, select the relevant source, select its Import Data tab, and select Account Aggregation.
In Account Aggregation, administrators can view the account aggregations' statuses and details in the Account Activity Log.
Refer to [Loading Account Data](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html) for more information about account aggregations.
- name: Accounts
description: |
Use this API to implement and customize account functionality.
With this functionality in place, administrators can manage users' access across sources in IdentityNow.
In IdentityNow, an account refers to a user's account on a supported source.
This typically includes a unique identifier for the user, a unique password, a set of permissions associated with the source and a set of attributes. IdentityNow loads accounts through the creation of sources in IdentityNow.
Administrators can correlate users' identities with the users' accounts on the different sources they use.
This allows IdentityNow to govern the access of identities and all their correlated accounts securely and cohesively.
To view the accounts on a source and their correlated identities, administrators can use the Connections drop-down menu, select Sources, select the relevant source, and select its Account tab.
To view and edit source account statuses for an identity in IdentityNow, administrators can use the Identities drop-down menu, select Identity List, select the relevant identity, and select its Accounts tab.
Administrators can toggle an account's Actions to aggregate the account, enable/disable it, unlock it, or remove it from the identity.
Accounts can have the following statuses:
- Enabled: The account is enabled. The user can access it.
- Disabled: The account is disabled, and the user cannot access it, but the identity is not disabled in IdentityNow. This can occur when an administrator disables the account or when the user's lifecycle state changes.
- Locked: The account is locked. This may occur when someone has entered an incorrect password for the account too many times.
- Pending: The account is currently updating. This status typically lasts seconds.
Administrators can select the source account to view its attributes, entitlements, and the last time the account's password was changed.
Refer to [Managing User Accounts](https://documentation.sailpoint.com/saas/help/common/users/user_access.html#managing-user-accounts) for more information about accounts.
- name: Certification Campaigns
description: |
Use this API to implement certification campaign functionality.
With this functionality in place, administrators can create, customize, and manage certification campaigns for their organizations' use.
Certification campaigns provide IdentityNow (IDN) users with an interactive review process they can use to identify and verify access to systems.
Campaigns help organizations reduce risk of inappropriate access and satisfy audit requirements.
A certification refers to IDN's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These certifications serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification campaign as a way of showing that a user's access has been reviewed and approved by multiple managers.
Once this campaign has been completed, IDN would provision all the access the user needs, nothing more.
IDN provides two simple campaign types users can create without using search queries, Manager and Source Owner campaigns:
You can create these types of campaigns without using any search queries in IDN:
- Manager Campaign: IDN provides this campaign type as a way to ensure that an identity's access is certified by their managers.
You only need to provide a name and description to create one.
- Source Owner Campaign: IDN provides this campaign type as a way to ensure that an identity's access to a source is certified by its source owners.
You only need to provide a name and description to create one.
You can specify the sources whose owners you want involved or just run it across all sources.
For more information about these campaign types, refer to [Starting a Manager or Source Owner Campaign](https://documentation.sailpoint.com/saas/help/certs/starting_campaign.html).
One useful way to create certification campaigns in IDN is to use a specific search and then run a campaign on the results returned by that search.
This allows you to be much more specific about whom you are certifying in your campaigns and what access you are certifying in your campaigns.
For example, you can search for all identities who are managed by "Amanda.Ross" and also have the access to the "Accounting" role and then run a certification campaign based on that search to ensure that the returned identities are appropriately certified.
You can use IDN search queries to create these types of campaigns:
- Identities: Use this campaign type to review and revoke access items for specific identities.
You can either build a search query and create a campaign certifying all identities returned by that query, or you can search for individual identities and add those identities to the certification campaign.
- Access Items: Use this campaign type to review and revoke a set of roles, access profiles, or entitlements from the identities that have them.
You can either build a search query and create a campaign certifying all access items returned by that query, or you can search for individual access items and add those items to the certification campaign.
- Role Composition: Use this campaign type to review a role's composition, including its title, description, and membership criteria.
You can either build a search query and create a campaign certifying all roles returned by that query, or you can search for individual roles and add those roles to the certification campaign.
- Uncorrelated Accounts: Use this campaign type to certify source accounts that aren't linked to an authoritative identity in IDN.
You can use this campaign type to view all the uncorrelated accounts for a source and certify them.
For more information about search-based campaigns, refer to [Starting a Campaign from Search](https://documentation.sailpoint.com/saas/help/certs/starting_search_campaign.html).
Once you have generated your campaign, it becomes available for preview.
An administrator can review the campaign and make changes, or if it's ready and accurate, activate it.
Once the campaign is active, organization administrators or certification administrators can designate other IDN users as certification reviewers.
Those reviewers can view any of the certifications they either need to review (active) or have already reviewed (completed).
When a certification campaign is in progress, certification reviewers see the listed active certifications whose involved identities they can review.
Reviewers can then make decisions to grant or revoke access, as well as reassign the certification to another reviewer. If the reviewer chooses this option, they must provide a reason for reassignment in the form of a comment.
Once a reviewer has made decisions on all the certification's involved access items, he or she must "Sign Off" to complete the review process.
Doing so converts the certification into read-only status, preventing any further changes to the review decisions and deleting the work item (task) from the reviewer's list of work items.
Once all the reviewers have signed off, the certification campaign either completes or, if any reviewers decided to revoke access for any of the involved identities, it moves into a remediation phase.
In the remediation phase, identities' entitlements are altered to remove any entitlements marked for revocation.
In this situation, the certification campaign completes once all the remediation requests are completed.
The end of a certification campaign is determined by its deadline, its completion status, or by an administrator's decision.
For more information about certifications and certification campaigns, refer to [Certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html).
- name: Certifications
description: |
Use this API to implement certification functionality.
This API provides specific functionality that improves an organization's ability to manage its certification process.
A certification refers to IdentityNow's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
These certifications serve as a way of showing that a user's access has been reviewed and approved.
Multiple certifications by different reviewers are often required to approve a user's access.
A set of multiple certifications is called a certification campaign.
For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
Once this certification has been completed, IdentityNow would provision all the access the user needs, nothing more.
This API enables administrators and reviewers to get useful information about certifications at a high level, such as the reviewers involved, and at a more granular level, such as the permissions affected by changes to entitlements within those certifications.
It also provides the useful ability to reassign identities and items within certifications to other reviewers, rather than [reassigning the entire certifications themselves](https://developer.sailpoint.com/idn/api/beta/reassign-identity-certs-async).
- name: Connector Rule Management
- name: Connectors
description: |
Use this API to implement connector functionality.
With this functionality in place, administrators can view available connectors.
Connectors are the bridges IdentityNow uses to communicate with and aggregate data from sources.
For example, if it is necessary to set up a connection between IdentityNow and the Active Directory source, a connector can bridge the two and enable IdentityNow to synchronize data between the systems.
This ensures account entitlements and states are correct throughout the organization.
In IdentityNow, administrators can use the Connections drop-down menu and select Sources to view the available source connectors.
Refer to [IdentityNow Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about the connectors available in IdentityNow.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/idn/docs/saas-connectivity) for more information about the SaaS custom connectors that do not need VAs (virtual appliances) to communicate with their sources.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about using connectors in IdentityNow.
- name: Custom Password Instructions
description: |
Use this API to implement custom password instruction functionality.
With this functionality in place, administrators can create custom password instructions to help users reset their passwords, change them, unlock their accounts, or recover their usernames.
This allows administrators to emphasize password policies or provide organization-specific instructions.
Administrators must first use [Update Password Org Config](https://developer.sailpoint.com/idn/api/beta/update-password-org-config) to set `customInstructionsEnabled` to `true`.
Once they have enabled custom instructions, they can use [Create Custom Password Instructions](https://developer.sailpoint.com/idn/api/beta/create-custom-password-instructions) to create custom page content for the specific pageId they select.
For example, an administrator can use the `pageId` `forget-username:user-email` to set the custom text for the case when users forget their usernames and must enter their emails.
Refer to [Creating Custom Instruction Text](https://documentation.sailpoint.com/saas/help/pwd/pwd_reset.html#creating-custom-instruction-text) for more information about creating custom password instructions.
- name: Entitlements
description: |
Use this API to implement and customize entitlement functionality.
With this functionality in place, administrators can view entitlements and configure them for use throughout IdentityNow in certifications, access profiles, and roles.
Administrators in IdentityNow can then grant users access to the entitlements or configure them so users themselves can request access to the entitlements whenever they need them.
With a good approval process, this entitlement functionality allows users to gain the specific access they need on sources quickly and securely.
Entitlements represent access rights on sources.
Entitlements are the most granular form of access in IdentityNow.
Entitlements are often grouped into access profiles, and access profiles themselves are often grouped into roles, the broadest form of access in IdentityNow.
For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers,' grouping the 'Employees' entitlement with the 'Developers' entitlement.
An administrator can then create an even broader set of access in the form of a role grouping the 'AD Developers' access profile with another profile, 'GitHub Developers,' grouping entitlements for the GitHub source.
When users only need Active Directory employee access, they can request access to the 'Employees' entitlement.
When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.
When users need both the 'AD Developers' access profile and the 'GitHub Developers' access profile, they can request access to the role grouping both.
Administrators often use roles and access profiles within those roles to manage access so that users can gain access more quickly, but the hierarchy of access all starts with entitlements.
Anywhere entitlements appear, you can select them to find more information about the following:
- Cloud Access Details: These provide details about the cloud access entitlements on cloud-enabled sources.
- Permissions: Permissions represent individual units of read/write/admin access to a system.
- Relationships: These list each entitlement's parent and child relationships.
- Type: This is the entitlement's type. Some sources support multiple types, each with a different attribute schema.
IdentityNow uses entitlements in many features, including the following:
- Certifications: Entitlements can be revoked from an identity that no longer needs them.
- Roles: Roles can group access profiles, which themselves group entitlements. You can grant and revoke access on a broad level with roles. Role membership criteria can grant roles to identities based on whether they have certain entitlements or attributes.
- Access Profiles: Access profiles group entitlements.
They are the most important units of access in IdentityNow.
IdentityNow uses them in provisioning, certifications, and access requests, and administrators can configure them to grant very broad or very granular access.
You cannot delete entitlements directly from IdentityNow.
Entitlements are deleted based on their inclusion in aggregations.
Refer to [Deleting Entitlements](https://documentation.sailpoint.com/saas/help/access/entitlements.html#deleting-entitlements) for more information about deleting entitlements.
Refer to [Entitlements](https://documentation.sailpoint.com/saas/help/access/entitlements.html) for more information about entitlements.
- name: IAI Access Request Recommendations
- name: IAI Common Access
- name: IAI Outliers
- name: IAI Peer Group Strategies
- name: IAI Recommendations
- name: IAI Role Mining
- name: Identities
description: |
Use this API to implement identity functionality.
With this functionality in place, administrators can synchronize an identity's attributes with its various source attributes.
IdentityNow uses identities as users' authoritative accounts. Identities can own other accounts, entitlements, and attributes.
An identity has a variety of attributes, such as an account name, an email address, a job title, and more.
These identity attributes can be correlated with different attributes on different sources.
For example, the identity John.Smith can own an account in the GitHub source with the account name John-Smith-Org, and IdentityNow knows they are the same person with the same access and attributes.
In IdentityNow, administrators often set up these synchronizations to get triggered automatically with a change or to run on a schedule.
To manually synchronize attributes for an identity, administrators can use the Identities drop-down menu and select Identity List to view the list of identities.
They can then select the identity they want to manually synchronize and use the hamburger menu to select 'Synchronize Attributes.'
Doing so immediately begins the attribute synchronization and analyzes all accounts for the selected identity.
Refer to [Synchronizing Attributes](https://documentation.sailpoint.com/saas/help/provisioning/attr_sync.html) for more information about synchronizing attributes.
- name: Identity History
- name: Identity Profiles
description: |
Use this API to implement and customize identity profile functionality.
With this functionality in place, administrators can manage identity profiles and configure them for use by identities throughout IdentityNow.
Identity profiles represent the configurations that can be applied to identities as a way of granting them a set of security and access, as well as defining the mappings between their identity attributes and their source attributes.
This allows administrators to save time by applying identity profiles to any number of similar identities rather than configuring each one individually.
In IdentityNow, administrators can use the Identities drop-down menu and select Identity Profiles to view the list of identity profiles.
This list shows some details about each identity profile, along with its status. They can select an identity profile to view and modify its settings, its mappings between identity attributes and correlating source account attributes, and its provisioning settings.
Administrators can also use this page to create new identity profiles or delete existing ones.
Refer to [Creating Identity Profiles](https://documentation.sailpoint.com/saas/help/setup/identity_profiles.html) for more information about identity profiles.
- name: Lifecycle States
description: |
Use this API to implement and customize lifecycle state functionality.
With this functionality in place, administrators can view and configure custom lifecycle states for use across their organizations, which is key to controlling which users have access, when they have access, and the access they have.
A lifecycle state describes a user's status in a company. For example, two lifecycle states come by default with IdentityNow: 'Active' and 'Inactive.'
When an active employee takes an extended leave of absence from a company, his or her lifecycle state may change to 'Inactive,' for security purposes.
The inactive employee would lose access to all the applications, sources, and sensitive data during the leave of absence, but when the employee returns and becomes active again, all that access would be restored.
This saves administrators the time that would otherwise be spent provisioning the employee's access to each individual tool, reviewing the employee's certification history, etc.
Administrators must define the criteria for being in each lifecycle state, and they must define how IdentityNow manages users' access to apps and sources for each lifecycle state.
In IdentityNow, administrators can manage lifecycle states by going to Admin > Identities > Identity Profile, selecting the identity profile whose lifecycle states they want to manage, selecting the 'Provisioning' tab, and using the left panel to select the lifecycle state they want to modify.
In the 'Provisioning' tab, administrators can make the following access changes to an identity profile's lifecycle state:
- Enable/disable the lifecycle state for the identity profile.
- Enable/disable source accounts for the identity profile's lifecycle state.
- Add existing access profiles to grant to the identity profiles in that lifecycle state.
- Create a new access profile to grant to the identity profile in that lifecycle state.
Access profiles granted in a previous lifecycle state are automatically revoked when the identity moves to a new lifecycle state.
To maintain access across multiple lifecycle states, administrators must grant the access profiles in each lifecycle state.
For example, if an administrator wants users with the 'HR Employee' identity profile to maintain their building access in both the 'Active' and 'Leave of Absence' lifecycle states, the administrator must grant the access profile for that building access to both lifecycle states.
During scheduled refreshes, IdentityNow evaluates lifecycle states to determine whether their assigned identities have the access defined in the lifecycle states' access profiles.
If the identities are missing access, IdentityNow provisions that access.
Administrators can also use the 'Provisioning' tab to configure email notifications for IdentityNow to send whenever an identity with that identity profile has a lifecycle state change.
Refer to [Configuring Lifecycle State Notifications](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#configuring-lifecycle-state-notifications) for more information on how to do so.
An identity's lifecycle state can have one of four statuses: 'Active,' 'Not Set,' 'Not Valid,' or 'Does Not Match Technical Name Case.'
Refer to [Moving Identities into Lifecycle States](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#moving-identities-into-lifecycle-states) for more information about these different lifecycle state statuses.
Refer to [Setting Up Lifecycle States](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html) for more information about lifecycle states.
- name: Managed Clients
description: Read and write operations for managing client data and statuses
- name: Managed Clusters
description: 'Operations for accessing and managing client Clusters, including Log Configuration'
- name: MFA Configuration
description: Configure and test multifactor authentication (MFA) methods
- name: Non-Employee Lifecycle Management
description: |
Use this API to implement non-employee lifecycle management functionality.
With this functionality in place, administrators can create non-employee records and configure them for use in their organizations.
This allows organizations to provide secure access to non-employees and control that access.
The 'non-employee' term refers to any consultant, contractor, intern, or other user in an organization who is not a full-time permanent employee.
Organizations can track non-employees' access and activity in IdentityNow by creating and maintaining non-employee sources.
Organizations can have a maximum of 50 non-employee sources.
By using SailPoint's Non-Employee Lifecycle Management functionality, you agree to the following:
- SailPoint is not responsible for storing sensitive data.
You may only add account attributes to non-employee identities that are necessary for business operations and are consistent with your contractual limitations on data that may be sent or stored in IdentityNow.
- You are responsible for regularly downloading your list of non-employee accounts for all the sources you create and storing this list of accounts in a managed location to maintain an authoritative system of record and backup data for these accounts.
To manage non-employees in IdentityNow, administrators must create a non-employee source and add accounts to the source.
To create a non-employee source in IdentityNow, administrators must use the Admin panel to go to Connections > Sources.
They must then specify 'Non-Employee' in the 'Source Type' field.
Refer to [Creating a Non-Employee Source](https://documentation.sailpoint.com/saas/help/common/non-employee-mgmt.html#creating-a-non-employee-source) for more details about how to create non-employee sources.
To add accounts to a non-employee source in IdentityNow, administrators can select the non-employee source and add the accounts.
They can also use the 'Manage Non-Employees' widget on their user dashboards to reach the list of sources and then select the non-employee source they want to add the accounts to.
Administrators can either add accounts individually or in bulk. Each non-employee source can have a maximum of 20,000 accounts.
To add accounts in bulk, they must select the 'Bulk Upload' option and upload a CSV file.
Refer to [Adding Accounts](https://documentation.sailpoint.com/saas/help/common/non-employee-mgmt.html#adding-accounts) for more details about how to add accounts to non-employee sources.
Once administrators have created the non-employee source and added accounts to it, they can create identity profiles to generate identities for the non-employee accounts and manage the non-employee identities the same way they would any other identities.
Refer to [Managing Non-Employee Sources and Accounts](https://documentation.sailpoint.com/saas/help/common/non-employee-mgmt.html) for more information about non-employee lifecycle management.
- name: Notifications
- name: OAuth Clients
description: |
Use this API to implement OAuth client functionality.
With this functionality in place, users with the appropriate security scopes can create and configure OAuth clients to use as a way to obtain authorization to use the IdentityNow REST API.
Refer to [Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information about OAuth and how it works with the IdentityNow REST API.
- name: Org Config
description: Operations for managing org configuration settings (e.g., time zone)
- name: Password Configuration
description: |
Use this API to implement organization password configuration functionality.
With this functionality in place, organization administrators can create organization-specific password configurations.
These configurations include details like custom password instructions, as well as digit token length and duration.
Refer to [Configuring User Authentication for Password Resets](https://documentation.sailpoint.com/saas/help/pwd/pwd_reset.html) for more information about organization password configuration functionality.
- name: Password Dictionary
description: |
Use this API to implement password dictionary functionality.
With this functionality in place, administrators can create password dictionaries to prevent users from using certain words or characters in their passwords.
A password dictionary is a list of words or characters that users are prevented from including in their passwords.
This can help protect users from themselves and force them to create passwords that are not easy to break.
A password dictionary must meet the following requirements for the API to handle it correctly:
- It must be in .txt format.
- All characters must be UTF-8 characters.
- Each line must contain a single word or character with no spaces or whitespace characters.
- It must contain at least one line other than the locale string.
- Each line must not exceed 128 characters.
- The file must not exceed 2500 lines.
Administrators should also consider the following when they create their dictionaries:
- Lines starting with a # represent comments.
- All words in the password dictionary are case-insensitive.
For example, adding the word "password" to the dictionary also disallows the following: PASSWORD, Password, and PassWord.
- The dictionary uses substring matching.
For example, adding the word "spring" to the dictionary also disallows the following: Spring124, 345SprinG, and 8spring.
Users can then select 'Change Password' to update their passwords.
Administrators must do the following to create a password dictionary:
- Create the text file that will contain the prohibited password values.
- If the dictionary is not in English, they must add a locale string to the top line: locale:`languageCode`_`countryCode`
The languageCode value refers to the language's 2-letter ISO 639-1 code.
The countryCode value refers to the country's 2-letter ISO 3166-1 code.
Refer to this list https://docs.oracle.com/cd/E13214_01/wli/docs92/xref/xqisocodes.html to see all the available ISO 639-1 language codes and ISO 3166-1 country codes.
- Upload the .txt file to IdentityNow with [Update Password Dictionary](https://developer.sailpoint.com/idn/api/beta/update-password-dictionary). Uploading a new file always overwrites the previous dictionary file.
Administrators can then specify which password policies check new passwords against the password dictionary by doing the following: In the Admin panel, they can use the Password Mgmt dropdown menu to select Policies, select the policy, and select the 'Prevent use of words in this site's password dictionary' checkbox beside it.
Refer to [Configuring Advanced Password Management Options](https://documentation.sailpoint.com/saas/help/pwd/adv_config.html) for more information about password dictionaries.
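The format requirements and matching rules listed above can be checked locally before a file is uploaded. The following is an added example, not SailPoint's code: the function names, the locale regular expression, the rejection of empty lines, and counting every physical line (comments and locale included) toward the 2500-line limit are assumptions.

```python
import re

MAX_LINES = 2500          # "The file must not exceed 2500 lines."
MAX_LINE_LENGTH = 128     # "Each line must not exceed 128 characters."
# Assumed shape of the locale line: two letters, underscore, two letters.
LOCALE_RE = re.compile(r"^locale:[A-Za-z]{2}_[A-Za-z]{2}$")

# Constructed sample inputs (not real dictionaries).
SAMPLE = b"# constructed sample dictionary\npassword\nspring\n"
BAD_SAMPLE = ("locale:fr\nmot de passe\n" + "x" * 129 + "\n").encode("utf-8")


def validate_dictionary(raw, filename="dictionary.txt"):
    """Check raw file bytes against the listed requirements.

    Returns (errors, words): human-readable problems and the case-folded
    prohibited entries that passed every check.
    """
    errors, words = [], []
    if not filename.lower().endswith(".txt"):
        errors.append("file must be in .txt format")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        errors.append(f"not valid UTF-8 at byte offset {exc.start}")
        return errors, words

    lines = [line.rstrip("\r") for line in text.split("\n")]
    if lines and lines[-1] == "":
        lines.pop()  # a trailing newline does not start a new line
    if len(lines) > MAX_LINES:
        errors.append(f"{len(lines)} lines exceeds the {MAX_LINES}-line limit")

    for number, line in enumerate(lines, start=1):
        if len(line) > MAX_LINE_LENGTH:
            errors.append(f"line {number}: longer than {MAX_LINE_LENGTH} characters")
        elif number == 1 and line.startswith("locale:"):
            if not LOCALE_RE.match(line):
                errors.append("line 1: malformed locale string")
        elif line.startswith("#"):
            continue  # comment line, ignored by the dictionary
        elif line == "":
            errors.append(f"line {number}: empty line")  # assumption: rejected
        elif any(ch.isspace() for ch in line):
            errors.append(f"line {number}: contains whitespace")
        else:
            words.append(line.casefold())

    if not words:
        errors.append("no prohibited entry besides the locale string")
    return errors, words


def matched_entries(password, words):
    """Return the dictionary entries a candidate password contains.

    Mirrors the documented behavior: case-insensitive substring matching.
    """
    folded = password.casefold()
    return [word for word in words if word in folded]


if __name__ == "__main__":
    errors, words = validate_dictionary(SAMPLE)
    print("sample errors:", errors)
    for candidate in ("Spring124", "345SprinG", "PassWord", "Tr0ub4dor"):
        print(candidate, "->", matched_entries(candidate, words))
    for problem in validate_dictionary(BAD_SAMPLE)[0]:
        print("bad sample:", problem)
```

Because matching is by substring, short entries reject far more passwords than they appear to; running candidate passwords through `matched_entries` before upload shows how broad each entry is.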
- name: Password Management
description: |
Use this API to implement password management functionality.
With this functionality in place, users can manage their identity passwords for all their applications.
In IdentityNow, users can select their names in the upper right corner of the page and use the drop-down menu to select Password Manager.
Password Manager lists the user's identity's applications, possibly grouped to share passwords.
Users can then select 'Change Password' to update their passwords.
Grouping passwords allows users to update their passwords more broadly, rather than requiring them to update each password individually.
Password Manager may list the applications and sources in the following groups:
- Password Group: This refers to a group of applications that share a password.
For example, a user can use the same password for Google Drive, Google Mail, and YouTube.
Updating the password for the password group updates the password for all its included applications.
- Multi-Application Source: This refers to a source with multiple applications that share a password.
For example, a user can have a source, G Suite, that includes the Google Calendar, Google Drive, and Google Mail applications.
Updating the password for the multi-application source updates the password for all its included applications.
- Applications: These are applications that do not share passwords with other applications.
An organization may require some authentication for users to update their passwords.
Users may be required to answer security questions or use a third-party authenticator before they can confirm their updates.
Refer to [Managing Passwords](https://documentation.sailpoint.com/saas/user-help/accounts/passwords.html) for more information about password management.
- name: Password Sync Groups
description: |
Use this API to implement password sync group functionality.
With this functionality in place, administrators can group sources into password sync groups so that all their applications share the same password.
This allows users to update the password for all the applications in a sync group if they want, rather than updating each password individually.
A password sync group is a group of applications that shares a password.
Administrators create these groups by grouping the applications' sources.
For example, an administrator can group the ActiveDirectory, GitHub, and G Suite sources together so that all those sources' applications can also be grouped to share a password.
A user can then update his or her password for ActiveDirectory, GitHub, Gmail, Google Drive, and Google Calendar all at once, rather than updating each one individually.
The following are required for administrators to create a password sync group in IdentityNow:
- At least two direct connect sources connected to IdentityNow and configured for Password Management.
- Each authentication source in a sync group must have at least one application. Refer to [Adding and Resetting Application Passwords](https://documentation.sailpoint.com/saas/help/pwd/adv_config.html#adding-and-resetting-application-passwords) for more information about adding applications to sources.
- At least one password policy. Refer to [Managing Password Policies](https://documentation.sailpoint.com/saas/help/pwd/policies.html) for more information about password policies.
In the Admin panel in IdentityNow, administrators can use the Password Mgmt dropdown menu to select Sync Groups.
To create a sync group, administrators must provide a name, choose a password policy to be enforced across the sources in the sync group, and select the sources to include in the sync group.
Administrators can also delete sync groups in IdentityNow, but they should know the following before they do:
- Passwords related to the associated sources will become independent, so changing one will not change the others anymore.
- Passwords for the sources' connected applications will also become independent.
- Password policies assigned to the sync group are then assigned directly to the associated sources.
To change the password policy for a source, administrators must edit it directly.
Once the password sync group has been created, users can update the password for the group in Password Manager.
Refer to [Managing Password Sync Groups](https://documentation.sailpoint.com/saas/help/pwd/sync_grps.html) for more information about password sync groups.
- name: Personal Access Tokens
description: |
Use this API to implement personal access token (PAT) functionality.
With this functionality in place, users can use PATs as an alternative to passwords for authentication in IdentityNow.
PATs embed user information into the client ID and secret.
This replaces the API clients' need to store and provide a username and password to establish a connection, improving IdentityNow organizations' integration security.
In IdentityNow, users can do the following to create and manage their PATs: Select the dropdown menu under their names, select Preferences, and then select Personal Access Tokens.
They must then provide a description about the token's purpose.
They can then select 'Create Token' at the bottom of the page to generate and view the Secret and Client ID.
Refer to [Managing Personal Access Tokens](https://documentation.sailpoint.com/saas/help/common/generate_tokens.html) for more information about PATs.
- name: Public Identities Config
description: |
Use this API to implement public identity configuration functionality.
With this functionality in place, administrators can make up to 5 identity attributes publicly visible so other non-administrator users can see the relevant information they need to make decisions.
This can be helpful for access approvers, certification reviewers, managers viewing their direct reports' access, and source owners viewing their tasks.
By default, non-administrators can select an identity and view the following attributes: email, lifecycle state, and manager.
However, it may be helpful for a non-administrator reviewer to see other identity attributes like department, region, title, etc.
Administrators can use this API to make those necessary identity attributes public to non-administrators.
For example, a non-administrator deciding whether to approve another identity's request for access to the Workday application, whose access may be restricted to members of the HR department, would want to know whether the identity is a member of the HR department.
If an administrator has used [Update Public Identity Config](https://developer.sailpoint.com/idn/api/beta/update-public-identity-config) to make the "department" attribute public, the approver can see the department and make a decision without requesting any more information.
- name: Requestable Objects
description: |
Use this API to implement requestable object functionality.
With this functionality in place, administrators can determine which access items can be requested with the [Access Request APIs](https://developer.sailpoint.com/idn/api/beta/access-requests), along with their statuses.
This can be helpful for administrators who are implementing and customizing access request functionality as a way of checking which items are requestable as they are created, assigned, and made available.
- name: Role Insights
- name: Roles
description: |
Use this API to implement and customize role functionality.
With this functionality in place, administrators can create roles and configure them for use throughout IdentityNow.
IdentityNow can use established criteria to automatically assign the roles to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks.
Entitlements represent the most granular level of access in IdentityNow.
Access profiles represent the next level and often group entitlements.
Roles represent the broadest level of access and often group access profiles.
For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.
An administrator can then create an even broader set of access in the form of a role grouping the 'AD Developers' access profile with another profile, 'GitHub Developers,' grouping entitlements for the GitHub source.
When users only need Active Directory employee access, they can request access to the 'Employees' entitlement.
When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.
When users need both the 'AD Developers' access profile and the 'GitHub Developers' access profile, they can request access to the role grouping both.
Roles often represent positions within organizations.
For example, an organization's accountant can access all the tools the organization's accountants need with the 'Accountant' role.
If the accountant switches to engineering, a qualified member of the organization can quickly revoke the accountant's 'Accountant' access and grant access to the 'Engineer' role instead, granting access to all the tools the organization's engineers need.
In IdentityNow, administrators can use the Access drop-down menu and select Roles to view, configure, and delete existing roles, as well as create new ones.
Administrators can enable and disable the role, and they can also make the following configurations:
- Manage Access: Manage the role's access by adding or removing access profiles.
- Define Assignment: Define the criteria IdentityNow uses to assign the role to identities.
Use the first option, 'Standard Criteria,' to provide specific criteria for assignment like specific account attributes, entitlements, or identity attributes.
Use the second, 'Identity List,' to specify the identities for assignment.
- Access Requests: Configure roles to be requestable and establish an approval process for any requests that the role be granted or revoked.
Do not configure a role to be requestable without establishing a secure access request approval process for that role first.
Refer to [Working with Roles](https://documentation.sailpoint.com/saas/help/provisioning/roles.html) for more information about roles.
- name: Search Attribute Configuration
- name: Segments
- name: Service Desk Integration
description: |
Use this API to build an integration between IdentityNow and a service desk ITSM (IT service management) solution.
Once an administrator builds this integration between IdentityNow and a service desk, users can use IdentityNow to raise and track tickets that are synchronized between IdentityNow and the service desk.
In IdentityNow, administrators can create a service desk integration (sometimes also called an SDIM, or Service Desk Integration Module) by going to Admin > Connections > Service Desk and selecting 'Create.'
To create a Generic Service Desk integration, for example, administrators must provide the required information on the General Settings page, the Connectivity and Authentication information, Ticket Creation information, Status Mapping information, and Requester Source information on the Configure page.
Refer to [Integrating SailPoint with Generic Service Desk](https://documentation.sailpoint.com/connectors/generic_sd/help/integrating_generic_service_desk/intro.html) for more information about the process of setting up a Generic Service Desk in IdentityNow.
Administrators can create various service desk integrations, all with their own nuances.
The following service desk integrations are available:
- [Atlassian Cloud Jira Service Management](https://documentation.sailpoint.com/connectors/atlassian/jira_cloud/help/integrating_jira_cloud_sd/introduction.html)
- [Atlassian Server Jira Service Management](https://documentation.sailpoint.com/connectors/atlassian/jira_server/help/integrating_jira_server_sd/introduction.html)
- [BMC Helix ITSM Service Desk](https://documentation.sailpoint.com/connectors/bmc/helix_ITSM_sd/help/integrating_bmc_helix_itsm_sd/intro.html)
- [BMC Helix Remedyforce Service Desk](https://documentation.sailpoint.com/connectors/bmc/helix_remedyforce_sd/help/integrating_bmc_helix_remedyforce_sd/intro.html)
- [Generic Service Desk](https://documentation.sailpoint.com/connectors/generic_sd/help/integrating_generic_service_desk/intro.html)
- [ServiceNow Service Desk](https://documentation.sailpoint.com/connectors/servicenow/sdim/help/integrating_servicenow_sdim/intro.html)
- [Zendesk Service Desk](https://documentation.sailpoint.com/connectors/zendesk/help/integrating_zendesk_sd/introduction.html)
- name: SOD Policy
description: Operations for Creating & Executing SOD (Separation of Duties) policies
- name: SOD Violations
description: Operations for Predicting SOD (Separation of Duties) violations
- name: Sources
description: |
Use this API to implement and customize source functionality.
With source functionality in place, organizations can use IdentityNow to connect their various sources and user data sets and manage access across all those different sources in a secure, scalable way.
[Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) refer to the IdentityNow representations for external applications, databases, and directory management systems that maintain their own sets of users, like Dropbox, GitHub, and Workday, for example.
Organizations may use hundreds, if not thousands, of different source systems, and any one employee within an organization likely has a different user record on each source, often with different permissions on many of those records.
Connecting these sources to IdentityNow makes it possible to manage user access across them all.
Then, if a new hire starts at an organization, IdentityNow can grant the new hire access to all the sources they need.
If an employee moves to a new department and needs access to new sources but no longer needs access to others, IdentityNow can grant the necessary access and revoke the unnecessary access for all the employee's various sources.
If an employee leaves the company, IdentityNow can revoke access to all the employee's various source accounts immediately.
These are just a few examples of the many ways that source functionality makes identity governance easier, more efficient, and more secure.
In IdentityNow, administrators can create, configure, manage, and edit sources, and they can designate other users as source admins to be able to do so.
They can also designate users as source sub-admins, who can perform the same source actions but only on sources associated with their governance groups.
Admins go to Connections > Sources to see a list of the existing source representations in their organizations.
They can create new sources or select existing ones.
To create a new source, the following must be specified: Source Name, Description, Source Owner, and Connection Type.
Refer to [Configuring a Source](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html#configuring-a-source) for more information about the source configuration process.
IdentityNow connects with its sources either by a direct communication with the source server (connection information specific to the source must be provided) or a flat file feed, a CSV file containing all the relevant information about the accounts to be loaded in.
Different sources use different connectors to share data with IdentityNow, and each connector's setup process is specific to that connector.
SailPoint has built a number of connectors to come out of the box and connect to the most common sources, and SailPoint actively maintains these connectors.
Refer to [IdentityNow Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about these SailPoint supported connectors.
Refer to the following links for more information about two useful connectors:
- [JDBC Connector](https://documentation.sailpoint.com/connectors/jdbc/help/integrating_jdbc/introduction.html): This customizable connector can directly connect to databases that support JDBC (Java Database Connectivity).
- [Web Services Connector](https://documentation.sailpoint.com/connectors/webservices/help/integrating_webservices/introduction.html): This connector can directly connect to databases that support Web Services.
Refer to [SaaS Connectivity](https://developer.sailpoint.com/idn/docs/saas-connectivity) for more information about SailPoint's new connectivity framework that makes it easy to build and manage custom connectors to SaaS sources.
When admins select existing sources, they can view the following information about the source:
- Associated connections (any associated identity profiles, apps, or references to the source in a transform).
- Associated user accounts. These accounts are linked to their identities - this provides a more complete picture of each user's access across sources.
- Associated entitlements (sets of access rights on sources).
- Associated access profiles (groupings of entitlements).
The user account data and the entitlements update with each data aggregation from the source.
Organizations generally run scheduled, automated data aggregations to ensure that their data is always in sync between their sources and their IdentityNow tenants so an access change on a source is detected quickly in IdentityNow.
Admins can view a history of these aggregations, and they can also run manual imports.
Refer to [Loading Account Data](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html) for more information about manual and scheduled aggregations.
Admins can also make changes to determine which user account data IdentityNow collects from the source and how it correlates that account data with identity data.
To define which account attributes the source shares with IdentityNow, admins can edit the account schema on the source.
Refer to [Managing Source Account Schemas](https://documentation.sailpoint.com/saas/help/accounts/schema.html) for more information about source account schemas and how to edit them.
To define the mapping between the source account attributes and their correlating identity attributes, admins can edit the correlation configuration on the source.
Refer to [Assigning Source Accounts to Identities](https://documentation.sailpoint.com/saas/help/accounts/correlation.html) for more information about this correlation process between source accounts and identities.
Admins can also delete sources, but they must first ensure that the sources no longer have any active connections: the source must not be associated with any identity profile or any app, and it must not be referenced by any transform.
Refer to [Deleting Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html#deleting-sources) for more information about deleting sources.
Well-organized, mapped-out connections between sources and IdentityNow are essential to achieving comprehensive identity access governance across all the source systems organizations need.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about all the different things admins can do with sources once they are connected.
- name: SP-Config
description: Import and export configuration for some objects between tenants.
- name: Tagged Objects
- name: Transforms
description: 'Operations for creating, managing, and deleting transforms'
- name: Triggers
description: |
Event Triggers provide real-time updates to changes in IdentityNow so you can take action as soon as an event occurs, rather than poll an API endpoint for updates. IdentityNow provides a user interface within the admin console to create and manage trigger subscriptions. These endpoints allow you to create and manage trigger subscriptions programmatically.
There are two types of event triggers:
* `FIRE_AND_FORGET`: This trigger type will send a payload to each subscriber without needing a response. Each trigger of this type has a limit of **50 subscriptions**.
* `REQUEST_RESPONSE`: This trigger type will send a payload to a subscriber and expect a response back. Each trigger of this type may only have **one subscription**.
## Available Event Triggers
Production-ready event triggers that are available in all tenants.
| Name | ID | Type | Trigger condition | Schema(s) |
|-|-|-|-|-|
| [Access Request Dynamic Approval](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/access-request-dynamic-approval) | idn:access-request-dynamic-approver | REQUEST_RESPONSE | After an access request is submitted. Expects the subscriber to respond with the ID of an identity or workgroup to add to the approval workflow. | [Input Schema](#section/Access-Request-Dynamic-Approver-Event-Trigger-Input) - [Output Schema](#section/Access-Request-Dynamic-Approver-Event-Trigger-Output) |
| [Access Request Postapproval](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/access-request-postapproval) | idn:access-request-post-approval | FIRE_AND_FORGET | After an access request is approved. | [Input Schema](#section/Access-Request-Post-Approval-Event-Trigger-Input) |
| [Access Request Preapproval](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/access-request-preapproval) | idn:access-request-pre-approval | REQUEST_RESPONSE | After an access request is submitted. Expects the subscriber to respond with an approval decision. | [Input Schema](#section/Access-Request-Pre-Approval-Event-Trigger-Input) - [Output Schema](#section/Access-Request-Pre-Approval-Event-Trigger-Output) |
| [Account Aggregation Completed](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/account-aggregation-completed) | idn:account-aggregation-completed | FIRE_AND_FORGET | After an account aggregation is completed, terminated, or failed. | [Input Schema](#section/Account-Aggregation-Completed-Event-Trigger-Input) |
| Account Attributes Changed | idn:account-attributes-changed | FIRE_AND_FORGET | After an account aggregation, and one or more account attributes have changed. | [Input Schema](#section/Account-Attributes-Changed-Event-Trigger-Input) |
| Account Correlated | idn:account-correlated | FIRE_AND_FORGET | After an account is added to an identity. | [Input Schema](#section/Account-Correlated-Event-Trigger-Input) |
| Accounts Collected for Aggregation | idn:aggregation-accounts-collected | FIRE_AND_FORGET | New, changed, and deleted accounts have been gathered during an aggregation and are being processed. | [Input Schema](#section/Accounts-Collected-for-Aggregation-Event-Trigger-Input) |
| Account Uncorrelated | idn:account-uncorrelated | FIRE_AND_FORGET | After an account is removed from an identity. | [Input Schema](#section/Account-Uncorrelated-Event-Trigger-Input) |
| Campaign Activated | idn:campaign-activated | FIRE_AND_FORGET | After a campaign is activated. | [Input Schema](#section/Campaign-Activated-Event-Trigger-Input) |
| Campaign Ended | idn:campaign-ended | FIRE_AND_FORGET | After a campaign ends. | [Input Schema](#section/Campaign-Ended-Event-Trigger-Input) |
| Campaign Generated | idn:campaign-generated | FIRE_AND_FORGET | After a campaign finishes generating. | [Input Schema](#section/Campaign-Generated-Event-Trigger-Input) |
| Certification Signed Off | idn:certification-signed-off | FIRE_AND_FORGET | After a certification is signed off by its reviewer. | [Input Schema](#section/Certification-Signed-Off-Event-Trigger-Input) |
| [Identity Attributes Changed](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/account-aggregation-completed) | idn:identity-attributes-changed | FIRE_AND_FORGET | After one or more identity attributes have changed. | [Input Schema](#section/Identity-Attributes-Changed-Event-Trigger-Input) |
| [Identity Created](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/identity-created) | idn:identity-created | FIRE_AND_FORGET | After an identity is created. | [Input Schema](#section/Identity-Created-Event-Trigger-Input) |
| [Provisioning Action Completed](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/provisioning-action-completed) | idn:post-provisioning | FIRE_AND_FORGET | After a provisioning action is completed on a source. | [Input Schema](#section/Provisioning-Completed-Event-Trigger-Input) |
| [Saved Search Complete](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/saved-search-completed) | idn:saved-search-complete | FIRE_AND_FORGET | After a scheduled search is completed. | [Input Schema](#section/Saved-Search-Complete-Event-Trigger-Input) |
| [Source Created](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-created) | idn:source-created | FIRE_AND_FORGET | After a source is created. | [Input Schema](#section/Source-Created-Event-Trigger-Input) |
| [Source Deleted](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-deleted) | idn:source-deleted | FIRE_AND_FORGET | After a source is deleted. | [Input Schema](#section/Source-Deleted-Event-Trigger-Input) |
| [Source Updated](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-updated) | idn:source-updated | FIRE_AND_FORGET | After configuration changes have been made to a source. | [Input Schema](#section/Source-Updated-Event-Trigger-Input) |
| [VA Cluster Status Change](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/va-cluster-status-change) | idn:va-cluster-status-change | FIRE_AND_FORGET | After the status of a VA cluster has changed. | [Input Schema](#section/VA-Cluster-Status-Change-Event-Event-Trigger-Input) |
## Early Access Event Triggers
These triggers are in development and are not ready for production use. Please contact support to enable these triggers in your tenant.
| Name | ID | Type | Trigger condition | Schema(s) |
|-|-|-|-|-|
| [Identity Deleted](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/identity-deleted) | idn:identity-deleted | FIRE_AND_FORGET | After an identity is deleted. | [Input Schema](#section/Identity-Deleted-Event-Trigger-Input) |
| [Source Account Created](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-account-created) | idn:source-account-created | FIRE_AND_FORGET | After a source account is created. | [Input Schema](#section/Source-Account-Created-Event-Trigger-Input) |
| [Source Account Deleted](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-account-deleted) | idn:source-account-deleted | FIRE_AND_FORGET | After a source account is deleted. | [Input Schema](#section/Source-Account-Deleted-Event-Trigger-Input) |
| [Source Account Updated](https://developer.sailpoint.com/idn/docs/event-triggers/triggers/source-account-updated) | idn:source-account-updated | FIRE_AND_FORGET | After a source account is changed. | [Input Schema](#section/Source-Account-Updated-Event-Trigger-Input) |
Refer to [Event Triggers](https://developer.sailpoint.com/idn/docs/event-triggers/) for more information about event triggers.
- name: Work Items
description: |
Use this API to implement work item functionality.
With this functionality in place, users can manage their work items (tasks).
Work items refer to the tasks users see in IdentityNow's Task Manager.
They can see the pending work items they need to complete, as well as the work items they have already completed.
Task Manager lists the work items along with the involved sources, identities, accounts, and the timestamp when the work item was created.
For example, a user may see a pending 'Create an Account' work item for the identity Fred.Astaire in GitHub for Fred's GitHub account, fred-astaire-sp.
Once the user completes the work item, the work item will be listed with his or her other completed work items.
To complete work items, users can use their dashboards and select the 'My Tasks' widget.
The widget will list any work items they need to complete, and they can select the work item from the list to review its details.
When they complete the work item, they can select 'Mark Complete' to add it to their list of completed work items.
Refer to [Task Manager](https://documentation.sailpoint.com/saas/user-help/task_manager.html) for more information about work items, including the different types of work items users may need to complete.
- name: Workflows
description: |
Workflows allow administrators to create custom automation scripts directly within IdentityNow. These automation scripts respond to [event triggers](https://developer.sailpoint.com/idn/docs/event-triggers#how-to-get-started-with-event-triggers) and run a series of actions to accomplish tasks that are either too cumbersome or not available in the IdentityNow UI. Workflows can be configured via a graphical user interface within IdentityNow, or by creating and uploading a JSON-formatted script to the Workflow service. The Workflows API collection provides the necessary functionality to create, manage, and test your workflows via REST.
Refer to [Creating and Managing Workflows](https://documentation.sailpoint.com/saas/help/workflows/workflow-basics.html) for more information about how to build workflows in the visual builder in the IdentityNow UI.
- name: Event Trigger Models
x-displayName: Trigger Models
description: |
## Access Request Dynamic Approver Event Trigger Input
## Access Request Dynamic Approver Event Trigger Output
## Access Request Post Approval Event Trigger Input
## Access Request Pre Approval Event Trigger Input
## Access Request Pre Approval Event Trigger Output
## Account Aggregation Completed Event Trigger Input
## Account Attributes Changed Event Trigger Input
## Account Correlated Event Trigger Input
## Accounts Collected for Aggregation Event Trigger Input
## Account Uncorrelated Event Trigger Input
## Campaign Activated Event Trigger Input
## Campaign Ended Event Trigger Input
## Campaign Generated Event Trigger Input
## Certification Signed Off Event Trigger Input
## Identity Attributes Changed Event Trigger Input
## Identity Created Event Trigger Input
## Identity Deleted Event Trigger Input
## Provisioning Completed Event Trigger Input
## Saved Search Complete Event Trigger Input
## Source Account Created Event Trigger Input
## Source Account Deleted Event Trigger Input
## Source Account Updated Event Trigger Input
## Source Created Event Trigger Input
## Source Deleted Event Trigger Input
## Source Updated Event Trigger Input
## VA Cluster Status Change Event Event Trigger Input
security:
- oauth2: []
components:
securitySchemes:
oauth2:
type: oauth2
description: |
OAuth2 Bearer token (JWT). See [IdentityNow REST API Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information.
- Directions for generating a [personal access token](https://developer.sailpoint.com/idn/api/authentication#personal-access-tokens)
- Directions for using [client credentials flow](https://developer.sailpoint.com/idn/api/authentication#client-credentials-grant-flow)
- Directions for using [authorization code flow](https://developer.sailpoint.com/idn/api/authentication#authorization-code-grant-flow)
Which authentication method should I choose? See our [guide](https://developer.sailpoint.com/idn/api/authentication#which-oauth-20-grant-flow-should-i-use)
Learn more about how to find your `tokenUrl` and `authorizationUrl` [in our docs](https://developer.sailpoint.com/idn/api/authentication#find-your-tenants-oauth-details)
flows:
clientCredentials:
tokenUrl: 'https://tenant.api.identitynow.com/oauth/token'
scopes:
'sp:scopes:default': default scope
'sp:scopes:all': access to all scopes
authorizationCode:
authorizationUrl: 'https://tenant.identitynow.com/oauth/authorize'
tokenUrl: 'https://tenant.api.identitynow.com/oauth/token'
scopes:
'sp:scopes:default': default scope
'sp:scopes:all': access to all scopes
schemas:
AccountAggregation:
type: object
properties:
start:
type: string
format: date-time
example: '2021-01-31T14:30:05.104Z'
description: When the aggregation started.
status:
type: string
enum:
- STARTED
- ACCOUNTS_COLLECTED
- COMPLETED
- CANCELLED
- RETRIED
- TERMINATED
example: ACCOUNTS_COLLECTED
description: |
STARTED - Aggregation started, but source account iteration has not completed.
ACCOUNTS_COLLECTED - Source account iteration completed, but all accounts have not yet been processed.
COMPLETED - Aggregation completed (*possibly with errors*).
CANCELLED - Aggregation cancelled by user.
RETRIED - Aggregation retried because of connectivity issues with the Virtual Appliance.
TERMINATED - Aggregation marked as failed after 3 tries after connectivity issues with the Virtual Appliance.
totalAccounts:
type: integer
example: 520
description: 'The total number of *NEW, CHANGED and DELETED* accounts that need to be processed for this aggregation. This does not include accounts that were unchanged since the previous aggregation. This can be zero if there were no new, changed or deleted accounts since the previous aggregation. *Only available when status is ACCOUNTS_COLLECTED or COMPLETED.*'
processedAccounts:
type: integer
example: 150
description: 'The number of *NEW, CHANGED and DELETED* accounts that have been processed so far. This reflects the number of accounts that have been processed at the time of the API call, and may increase on subsequent API calls while the status is ACCOUNTS_COLLECTED. *Only available when status is ACCOUNTS_COLLECTED or COMPLETED.*'
ApprovalItems:
type: object
properties:
id:
type: string
description: ID of the approval item
example: 2c9180835d2e5168015d32f890ca1581
account:
type: string
description: The account referenced by the approval item
example: john.smith
application:
type: string
description: The name of the application/source
example: Active Directory
attributeName:
type: string
description: The name of the attribute
example: emailAddress
attributeOperation:
type: string
description: The operation of the attribute
example: update
attributeValue:
type: string
description: The value of the attribute
example: a@b.com
state:
type: string
enum:
- FINISHED
- REJECTED
- RETURNED
- EXPIRED
- PENDING
- CANCELED
example: FINISHED
description: The state of a work item
slimcampaign:
type: object
title: Slim Campaign
required:
- name
- description
- type
properties:
id:
type: string
readOnly: true
description: Id of the campaign
example: 2c9079b270a266a60170a2779fcb0007
name:
description: 'The campaign name. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.'
type: string
example: Manager Campaign
description:
type: string
description: 'The campaign description. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.'
example: Everyone needs to be reviewed by their manager
deadline:
type: string
format: date-time
description: The campaign's completion deadline.
example: '2020-03-15T10:00:01.456Z'
type:
type: string
description: The type of campaign. Could be extended in the future.
enum:
- MANAGER
- SOURCE_OWNER
- SEARCH
- ROLE_COMPOSITION
example: MANAGER
emailNotificationEnabled:
type: boolean
description: Enables email notification for this campaign
example: false
autoRevokeAllowed:
type: boolean
description: Allows auto revoke for this campaign
example: false
recommendationsEnabled:
type: boolean
description: Enables IAI for this campaign. Accepts true even if the IAI product feature is off. If IAI is turned off then campaigns generated from this template will indicate false. The real value will then be returned if IAI is ever enabled for the org in the future.
example: true
status:
type: string
description: The campaign's current status.
readOnly: true
enum:
- PENDING
- STAGED
- CANCELING
- ACTIVATING
- ACTIVE
- COMPLETING
- COMPLETED
- ERROR
- ARCHIVED
example: ACTIVE
correlatedStatus:
type: string
description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source).
enum:
- CORRELATED
- UNCORRELATED
example: CORRELATED
fullcampaign:
type: object
title: Campaign
allOf:
- type: object
title: Slim Campaign
required:
- name
- description
- type
properties:
id:
type: string
readOnly: true
description: Id of the campaign
example: 2c9079b270a266a60170a2779fcb0007
name:
description: 'The campaign name. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.'
type: string
example: Manager Campaign
description:
type: string
description: 'The campaign description. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.'
example: Everyone needs to be reviewed by their manager
deadline:
type: string
format: date-time
description: The campaign's completion deadline.
example: '2020-03-15T10:00:01.456Z'
type:
type: string
description: The type of campaign. Could be extended in the future.
enum:
- MANAGER
- SOURCE_OWNER
- SEARCH
- ROLE_COMPOSITION
example: MANAGER
emailNotificationEnabled:
type: boolean
description: Enables email notification for this campaign
example: false
autoRevokeAllowed:
type: boolean
description: Allows auto revoke for this campaign
example: false
recommendationsEnabled:
type: boolean
description: Enables IAI for this campaign. Accepts true even if the IAI product feature is off. If IAI is turned off then campaigns generated from this template will indicate false. The real value will then be returned if IAI is ever enabled for the org in the future.
example: true
status:
type: string
description: The campaign's current status.
readOnly: true
enum:
- PENDING
- STAGED
- CANCELING
- ACTIVATING
- ACTIVE
- COMPLETING
- COMPLETED
- ERROR
- ARCHIVED
example: ACTIVE
correlatedStatus:
type: string
description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source).
enum:
- CORRELATED
- UNCORRELATED
example: CORRELATED
- type: object
properties:
created:
type: string
readOnly: true
format: date-time
description: Created time of the campaign
example: '2020-03-03T22:15:13.611Z'
modified:
type: string
readOnly: true
format: date-time
description: Modified time of the campaign
example: '2020-03-03T22:20:12.674Z'
correlatedStatus:
description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source).
enum:
- CORRELATED
- UNCORRELATED
example: CORRELATED
filter:
type: object
description: Determines which items will be included in this campaign. The default campaign filter is used if this field is left blank.
properties:
id:
type: string
description: The ID of whatever type of filter is being used.
example: 0fbe863c063c4c88a35fd7f17e8a3df5
type:
type: string
description: Type of the filter
enum:
- CAMPAIGN_FILTER
- RULE
example: CAMPAIGN_FILTER
name:
type: string
description: Name of the filter
example: Test Filter
sunsetCommentsRequired:
type: boolean
description: Determines if comments on sunset date changes are required.
default: true
example: true
sourceOwnerCampaignInfo:
type: object
description: Must be set only if the campaign type is SOURCE_OWNER.
properties:
sourceIds:
type: array
description: The list of sources to be included in the campaign.
items:
type: string
example:
- 0fbe863c063c4c88a35fd7f17e8a3df5
searchCampaignInfo:
type: object
description: Must be set only if the campaign type is SEARCH.
properties:
type:
type: string
description: The type of search campaign represented.
enum:
- IDENTITY
- ACCESS
example: ACCESS
description:
type: string
description: 'Describes this search campaign. Intended for storing the query used, and possibly the number of identities selected/available.'
example: Search Campaign description
reviewer:
description: 'If specified, this identity or governance group will be the reviewer for all certifications in this campaign. The allowed DTO types are IDENTITY and GOVERNANCE_GROUP'
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
- type: object
query:
type: string
description: The scope for the campaign. The campaign will cover identities returned by the query and identities that have access items returned by the query. One of `query` or `identityIds` must be set.
example: Search Campaign query description
identityIds:
type: array
description: A direct list of identities to include in this campaign. One of `identityIds` or `query` must be set.
items:
type: string
maxItems: 1000
example:
- 0fbe863c063c4c88a35fd7f17e8a3df5
accessConstraints:
type: array
description: Further reduces the scope of the campaign by excluding identities (from `query` or `identityIds`) that do not have this access.
items:
type: object
properties:
type:
type: string
enum:
- ENTITLEMENT
- ACCESS_PROFILE
- ROLE
description: Type of Access
example: ENTITLEMENT
ids:
description: Must be set only if operator is SELECTED.
type: array
items:
type: string
example:
- 2c90ad2a70ace7d50170acf22ca90010
operator:
type: string
enum:
- ALL
- SELECTED
description: Used to determine whether the scope of the campaign should be reduced for selected ids or all.
example: SELECTED
required:
- type
- operator
maxItems: 1000
required:
- type
roleCompositionCampaignInfo:
type: object
description: Optional configuration options for role composition campaigns.
properties:
reviewer:
description: 'If specified, this identity or governance group will be the reviewer for all certifications in this campaign. The allowed DTO types are IDENTITY and GOVERNANCE_GROUP'
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
- type: object
roleIds:
type: array
description: 'Optional list of roles to include in this campaign. Only one of `roleIds` and `query` may be set; if neither are set, all roles are included.'
items:
type: string
example:
- 2c90ad2a70ace7d50170acf22ca90010
remediatorRef:
type: object
description: 'This determines who remediation tasks will be assigned to. Remediation tasks are created for each revoke decision on items in the campaign. The only legal remediator type is ''IDENTITY'', and the chosen identity must be a Role Admin or Org Admin.'
properties:
type:
type: string
enum:
- IDENTITY
description: Legal Remediator Type
example: IDENTITY
id:
type: string
description: The ID of the remediator.
example: 2c90ad2a70ace7d50170acf22ca90010
name:
type: string
description: The name of the remediator.
readOnly: true
example: Role Admin
required:
- type
- id
query:
type: string
description: 'Optional search query to scope this campaign to a set of roles. Only one of `roleIds` and `query` may be set; if neither are set, all roles are included.'
example: Search Query
description:
type: string
description: 'Describes this role composition campaign. Intended for storing the query used, and possibly the number of roles selected/available.'
example: Role Composition Description
required:
- remediatorRef
alerts:
type: array
description: A list of errors and warnings that have accumulated.
readOnly: true
items:
type: object
properties:
level:
type: string
enum:
- ERROR
- WARN
- INFO
description: Denotes the level of the message
example: ERROR
localizations:
type: array
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
totalCertifications:
type: integer
description: The total number of certifications in this campaign.
readOnly: true
example: 100
completedCertifications:
type: integer
description: The number of completed certifications in this campaign.
readOnly: true
example: 10
sourcesWithOrphanEntitlements:
type: array
description: A list of sources in the campaign that contain "orphan entitlements" (entitlements without a corresponding Managed Attribute). An empty list indicates the campaign has no orphan entitlements. Null indicates there may be unknown orphan entitlements in the campaign (the campaign was created before this feature was implemented).
readOnly: true
items:
type: object
properties:
id:
type: string
description: Id of the source
example: 2c90ad2a70ace7d50170acf22ca90010
type:
type: string
enum:
- SOURCE
description: Type
example: SOURCE
name:
type: string
description: Name of the source
example: Source with orphan entitlements
IdentityProfile:
allOf:
- type: object
required:
- name
properties:
id:
description: System-generated unique ID of the Object
type: string
example: id12345
readOnly: true
name:
description: Name of the Object
type: string
example: aName
created:
description: Creation date of the Object
type: string
format: date-time
readOnly: true
example: '2023-01-03T21:16:22.432Z'
modified:
description: Last modification date of the Object
type: string
format: date-time
readOnly: true
example: '2023-01-03T21:16:22.432Z'
- type: object
required:
- authoritativeSource
properties:
description:
type: string
nullable: true
description: The description of the Identity Profile.
example: My custom flat file profile
owner:
type: object
description: The owner of the Identity Profile.
nullable: true
properties:
type:
type: string
enum:
- IDENTITY
description: Type of the object to which this reference applies
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c9180835d191a86015d28455b4b232a
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
priority:
type: integer
format: int64
description: The priority for an Identity Profile.
example: 10
authoritativeSource:
type: object
properties:
type:
type: string
enum:
- SOURCE
description: Type of the object to which this reference applies
example: SOURCE
id:
type: string
description: ID of the object to which this reference applies
example: 2c9180835d191a86015d28455b4b232a
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: HR Active Directory
description: The authoritative source for this Identity Profile.
identityRefreshRequired:
type: boolean
default: false
description: True if an identity refresh is needed. Typically triggered when a change has been made on the source.
example: true
identityCount:
type: integer
description: The number of identities that belong to the Identity Profile.
format: int32
example: 8
identityAttributeConfig:
type: object
properties:
enabled:
type: boolean
description: If the profile or mapping is enabled
example: true
default: true
attributeTransforms:
type: array
items:
type: object
properties:
identityAttributeName:
type: string
description: Name of the identity attribute
example: email
transformDefinition:
description: The seaspray transformation definition
type: object
properties:
type:
type: string
description: The type of the transform definition.
example: accountAttribute
attributes:
type: object
nullable: true
additionalProperties: true
description: Arbitrary key-value pairs to store any metadata for the object
example:
attributeName: e-mail
sourceName: MySource
sourceId: 2c9180877a826e68017a8c0b03da1a53
identityExceptionReportReference:
type: object
nullable: true
properties:
taskResultId:
type: string
format: uuid
description: The id of the task result
example: 2c918086795cd09201795d5f7d7533df
reportName:
type: string
example: My annual report
description: The name of the report
hasTimeBasedAttr:
description: Indicates the value of requiresPeriodicRefresh attribute for the Identity Profile.
type: boolean
default: true
example: true
ManagedClient:
description: Managed Client
type: object
required:
- clientId
- clusterId
- description
- type
properties:
id:
description: ManagedClient ID
readOnly: true
type: string
example: aClientId
alertKey:
description: ManagedClient alert key
readOnly: true
type: string
example: anAlertKey
apiGatewayBaseUrl:
description: ManagedClient gateway base url
readOnly: true
type: string
example: 'https://denali-xxx.api.cloud.sailpoint.com'
ccId:
description: Previous CC ID to be used in data migration. (This field will be deleted after CC migration!)
type: integer
format: int64
example: 2248
clientId:
description: The client ID used in API management
type: string
example: aClientApiId
clusterId:
description: Cluster ID that the ManagedClient is linked to
type: string
example: aClusterId
cookbook:
description: VA cookbook
readOnly: true
type: string
example: va-cookbook-info
description:
description: ManagedClient description
type: string
example: A short description of the ManagedClient
ipAddress:
description: The public IP address of the ManagedClient
readOnly: true
type: string
example: 123.456.78.90
lastSeen:
description: When the ManagedClient was last seen by the server
readOnly: true
type: string
format: date-time
example: '2020-01-01T00:00:00.000000Z'
name:
description: ManagedClient name
type: string
example: aName
sinceLastSeen:
description: Milliseconds since the ManagedClient has polled the server
readOnly: true
type: string
example: 15000
status:
description: Status of the ManagedClient
readOnly: true
allOf:
- type: string
enum:
- NORMAL
- UNDEFINED
- NOT_CONFIGURED
- CONFIGURING
- WARNING
- ERROR
- FAILED
type:
description: 'Type of the ManagedClient (VA, CCG)'
type: string
example: VA
vaDownloadUrl:
description: ManagedClient VA download URL
readOnly: true
type: string
example: aUrl
vaVersion:
description: Version that the ManagedClient's VA is running
readOnly: true
type: string
example: va-megapod-useast1-610-1621372012
secret:
description: Client's apiKey
type: string
example: ef878e15eaa8c8d3e2fa52f41125e2a0eeadadc6a14f931a33ad3e1b62d56381
ManagedClientStatus:
description: Managed Client Status
type: object
required:
- body
- status
- type
- timestamp
properties:
body:
description: ManagedClientStatus body information
type: object
example:
alertKey: ''
id: '5678'
clusterId: '1234'
ccg_etag: ccg_etag123xyz456
ccg_pin: NONE
cookbook_etag: 20210420125956-20210511144538
hostname: megapod-useast1-secret-hostname.sailpoint.com
internal_ip: 127.0.0.1
lastSeen: '1620843964604'
sinceSeen: '14708'
sinceSeenMillis: '14708'
localDev: false
stacktrace: ''
state: null
status: NORMAL
uuid: null
product: idn
va_version: null
platform_version: '2'
os_version: 2345.3.1
os_type: flatcar
hypervisor: unknown
status:
description: status of the Managed Client
type: string
enum:
- NORMAL
- UNDEFINED
- NOT_CONFIGURED
- CONFIGURING
- WARNING
- ERROR
- FAILED
type:
description: type of the Managed Client
type: string
example: CCG
nullable: true
enum:
- CCG
- VA
- INTERNAL
- null
timestamp:
description: timestamp on the Client Status update
type: string
format: date-time
example: '2020-01-01T00:00:00.000000Z'
MessageCatalogDto:
type: object
properties:
locale:
type: string
description: The language in which the messages are returned
example: en_US
messages:
type: array
items:
type: object
properties:
key:
type: string
description: The key of the message
example: recommender-api.V2_WEIGHT_FEATURE_PRODUCT_INTERPRETATION_LOW
format:
type: string
description: The format of the message
example: '{0,,\"i18n hint: percentage\"}% of identities with the same {1,,\"i18n hint: name of category feature\"} have this access. This information had a low impact on the overall score.'
description: The list of messages with their keys and formats
PeerGroupMember:
type: object
properties:
id:
type: string
description: A unique identifier for the peer group member.
type:
type: string
description: The type of the peer group member.
peer_group_id:
type: string
description: The ID of the peer group.
attributes:
type: object
additionalProperties:
type: object
description: 'Arbitrary key-value pairs, belonging to the peer group member.'
RecommendationRequestDto:
type: object
properties:
requests:
type: array
items:
description: List of requests to retrieve recommendations
type: object
properties:
identityId:
type: string
description: The identity ID
example: 2c938083633d259901633d25c68c00fa
item:
type: object
properties:
id:
type: string
description: The ID of the access item for which to retrieve the recommendation
example: 2c938083633d259901633d2623ec0375
type:
type: string
example: ENTITLEMENT
description: The type of the access item.
enum:
- ENTITLEMENT
- ACCESS_PROFILE
- ROLE
excludeInterpretations:
type: boolean
description: Exclude interpretations in the response if "true". Return interpretations in the response if this attribute is not specified.
default: false
example: false
includeTranslationMessages:
type: boolean
description: 'When set to true, the calling system uses the translated messages for the specified language'
default: false
example: false
includeDebugInformation:
type: boolean
description: Returns the recommender calculations if set to true
default: false
example: true
prescribeMode:
type: boolean
description: 'When set to true, uses prescribedRulesRecommenderConfig to get identity attributes and peer group threshold instead of standard config.'
default: false
example: false
RecommendationResponseDto:
type: object
properties:
response:
type: array
items:
type: object
properties:
request:
type: object
properties:
identityId:
type: string
description: The identity ID
example: 2c938083633d259901633d25c68c00fa
item:
type: object
properties:
id:
type: string
description: The ID of the access item for which to retrieve the recommendation
example: 2c938083633d259901633d2623ec0375
type:
type: string
example: ENTITLEMENT
description: The type of the access item.
enum:
- ENTITLEMENT
- ACCESS_PROFILE
- ROLE
recommendation:
type: string
example: 'YES'
description: 'The recommendation - YES if the access is recommended, NO if not recommended, MAYBE if there is not enough information to make a recommendation, NOT_FOUND if the identity is not found in the system'
enum:
- 'YES'
- 'NO'
- MAYBE
- NOT_FOUND
interpretations:
type: array
items:
type: string
description: 'The list of interpretations explaining the recommendation. The array is empty if includeInterpretations is false or not present in the request. e.g. - [ "Not approved in the last 6 months." ]. Interpretations will be translated using the client''s locale as found in the Accept-Language header. If a translation for the client''s locale cannot be found, the US English translation will be returned.'
example:
- 75% of identities with the same department have this access. This information had a high impact on the overall score.
- 67% of identities with the same peer group have this access. This information had a low impact on the overall score.
- 42% of identities with the same location have this access. This information had a low impact on the overall score.
translationMessages:
type: array
example:
- key: recommender-api.V2_WEIGHT_FEATURE_PRODUCT_INTERPRETATION_HIGH
values:
- '75'
- department
items:
properties:
key:
type: string
description: The key of the translation message
example: recommender-api.V2_WEIGHT_FEATURE_PRODUCT_INTERPRETATION_HIGH
values:
type: array
description: The values corresponding to the translation messages
items:
type: string
example:
- '75'
- department
description: 'The list of translation messages, if they have been requested.'
recommenderCalculations:
description: The calculations performed behind the scenes that provide recommendations to the user.
properties:
identityId:
type: string
description: The ID of the identity
example: 2c91808457d8f3ab0157e3e62cb4213c
entitlementId:
type: string
description: The entitlement ID
example: 2c91809050db617d0150e0bf3215385e
recommendation:
type: string
description: The actual recommendation
example: 'YES'
overallWeightedScore:
type: number
description: The overall weighted score
featureWeightedScores:
type: object
description: The weighted score of each individual feature
additionalProperties:
type: number
threshold:
type: number
description: The configured value against which the overallWeightedScore is compared
identityAttributes:
type: object
description: The values for your configured features
additionalProperties:
type: object
properties:
value:
type: string
featureValues:
description: The feature details
type: object
properties:
feature:
type: string
description: The type of feature
example: department
numerator:
type: integer
format: int32
example: 14
description: The number of identities that have access to the feature
denominator:
type: integer
format: int32
example: 14
description: The number of identities with the corresponding feature
RemediationItems:
type: object
properties:
id:
type: string
description: The ID of the certification
example: 2c9180835d2e5168015d32f890ca1581
targetId:
type: string
description: The ID of the certification target
example: 2c9180835d2e5168015d32f890ca1581
targetName:
type: string
description: The name of the certification target
example: john.smith
targetDisplayName:
type: string
description: The display name of the certification target
example: emailAddress
applicationName:
type: string
description: The name of the application/source
example: Active Directory
attributeName:
type: string
description: The name of the attribute being certified
example: phoneNumber
attributeOperation:
type: string
description: The operation of the certification on the attribute
example: update
attributeValue:
type: string
description: The value of the attribute being certified
example: 512-555-1212
nativeIdentity:
type: string
description: The native identity of the target
example: jason.smith2
SearchAttributeConfig:
type: object
properties:
name:
type: string
description: Name of the new attribute
example: newMailAttribute
displayName:
type: string
description: The display name of the new attribute
example: New Mail Attribute
applicationAttributes:
type: object
description: Map of application IDs to their associated attributes.
example:
2c91808b79fd2422017a0b35d30f3968: employeeNumber
2c91808b79fd2422017a0b36008f396b: employeeNumber
WorkItems:
type: object
properties:
id:
type: string
description: ID of the work item
example: 2c9180835d2e5168015d32f890ca1581
requesterId:
type: string
description: ID of the requester
example: 2c9180835d2e5168015d32f890ca1581
requesterDisplayName:
type: string
description: The display name of the requester
example: John Smith
ownerId:
type: string
description: The ID of the owner
example: 2c9180835d2e5168015d32f890ca1581
ownerName:
type: string
description: The name of the owner
example: Jason Smith
created:
type: string
format: date-time
example: '2017-07-11T18:45:37.098Z'
modified:
type: string
format: date-time
example: '2018-06-25T20:22:28.104Z'
description:
type: string
description: The description of the work item
example: Create account on source 'AD'
state:
type: string
enum:
- FINISHED
- REJECTED
- RETURNED
- EXPIRED
- PENDING
- CANCELED
example: FINISHED
description: The state of a work item
type:
type: string
enum:
- UNKNOWN
- GENERIC
- CERTIFICATION
- REMEDIATION
- DELEGATION
- APPROVAL
- VIOLATIONREVIEW
- FORM
- POLICYVIOLATION
- CHALLENGE
- IMPACTANALYSIS
- SIGNOFF
- EVENT
- MANUALACTION
- TEST
example: GENERIC
description: The type of the work item
remediationItems:
type: object
properties:
id:
type: string
description: The ID of the certification
example: 2c9180835d2e5168015d32f890ca1581
targetId:
type: string
description: The ID of the certification target
example: 2c9180835d2e5168015d32f890ca1581
targetName:
type: string
description: The name of the certification target
example: john.smith
targetDisplayName:
type: string
description: The display name of the certification target
example: emailAddress
applicationName:
type: string
description: The name of the application/source
example: Active Directory
attributeName:
type: string
description: The name of the attribute being certified
example: phoneNumber
attributeOperation:
type: string
description: The operation of the certification on the attribute
example: update
attributeValue:
type: string
description: The value of the attribute being certified
example: 512-555-1212
nativeIdentity:
type: string
description: The native identity of the target
example: jason.smith2
approvalItems:
type: object
properties:
id:
type: string
description: ID of the approval item
example: 2c9180835d2e5168015d32f890ca1581
account:
type: string
description: The account referenced by the approval item
example: john.smith
application:
type: string
description: The name of the application/source
example: Active Directory
attributeName:
type: string
description: The name of the attribute
example: emailAddress
attributeOperation:
type: string
description: The operation of the attribute
example: update
attributeValue:
type: string
description: The value of the attribute
example: a@b.com
state:
type: string
enum:
- FINISHED
- REJECTED
- RETURNED
- EXPIRED
- PENDING
- CANCELED
example: FINISHED
description: The state of a work item
name:
type: string
description: The work item name
example: Account Create
completed:
type: string
format: date-time
example: '2018-10-19T13:49:37.385Z'
numItems:
type: integer
description: The number of items in the work item
example: 19
errors:
type: array
items:
type: string
example:
- The work item ID that was specified was not found.
WorkItemsCount:
type: object
properties:
count:
type: integer
description: The count of work items
example: 29
WorkItemsSummary:
type: object
properties:
open:
type: integer
description: The count of open work items
example: 29
completed:
type: integer
description: The count of completed work items
example: 1
total:
type: integer
description: The count of total work items
example: 30
Form:
type: object
properties:
id:
type: string
description: ID of the form
example: 2c9180835d2e5168015d32f890ca1581
name:
type: string
description: Name of the form
example: AccountSelection Form
title:
type: string
description: The form title
example: Account Selection for John.Doe
subtitle:
type: string
description: The form subtitle.
example: Please select from the following
targetUser:
type: string
description: The name of the user that should be shown this form
example: Jane.Doe
sections:
type: object
allOf:
- type: object
properties:
name:
type: string
description: Name of the FormItem
example: Field1
- type: object
properties:
label:
type: string
description: Label of the section
example: Section 1
formItems:
type: array
items:
type: object
description: List of FormItems. FormItems can be SectionDetails and/or FieldDetails
example: []
FormItem:
type: object
properties:
name:
type: string
description: Name of the FormItem
example: Field1
Section:
type: object
allOf:
- type: object
properties:
name:
type: string
description: Name of the FormItem
example: Field1
- type: object
properties:
label:
type: string
description: Label of the section
example: Section 1
formItems:
type: array
items:
type: object
description: List of FormItems. FormItems can be SectionDetails and/or FieldDetails
example: []
Field:
type: object
allOf:
- type: object
properties:
name:
type: string
description: Name of the FormItem
example: Field1
- type: object
properties:
displayName:
type: string
description: Display name of the field
example: Field 1
displayType:
type: string
description: Type of the field to display
example: checkbox
required:
type: boolean
description: True if the field is required
allowedValuesList:
type: array
items:
type: object
description: List of allowed values for the field
example:
- Val1Display: null
Val1Value: null
- Val2Display: null
Val2Value: null
value:
type: object
description: Value of the field
Trigger-Input-AccessRequestDynamicApprover:
title: Access Request Dynamic Approver
type: object
required:
- accessRequestId
- requestedFor
- requestedItems
- requestedBy
properties:
accessRequestId:
type: string
description: |
The unique ID of the access request object. Can be used with the [access request status endpoint](https://developer.sailpoint.com/idn/api/beta/list-access-request-status) to get the status of the request.
example: 4b4d982dddff4267ab12f0f1e72b5a6d
requestedFor:
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity for whom the access is requested.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
requestedItems:
description: The access items that are being requested.
type: array
items:
type: object
required:
- id
- name
- type
- operation
properties:
id:
type: string
description: The unique ID of the access item.
example: 2c91808b6ef1d43e016efba0ce470904
name:
type: string
description: Human friendly name of the access item.
example: Engineering Access
description:
nullable: true
type: string
description: Extended description of the access item.
example: Engineering Access
type:
enum:
- ACCESS_PROFILE
- ROLE
- ENTITLEMENT
description: The type of access item being requested.
example: ACCESS_PROFILE
operation:
enum:
- Add
- Remove
description: Grant or revoke the access item
example: Add
comment:
nullable: true
type: string
description: A comment from the requestor on why the access is needed.
example: William needs this access for his day to day job activities.
requestedBy:
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that initiated the access request.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
Trigger-Input-AccessRequestPostApproval:
title: Access Request Post Approval
type: object
required:
- accessRequestId
- requestedFor
- requestedItemsStatus
- requestedBy
properties:
accessRequestId:
type: string
description: The unique ID of the access request.
example: 2c91808b6ef1d43e016efba0ce470904
requestedFor:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity who the access request is for.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
requestedItemsStatus:
description: Details on the outcome of each access item.
type: array
items:
type: object
required:
- id
- name
- type
- operation
- approvalInfo
properties:
id:
type: string
description: The unique ID of the access item being requested.
example: 2c91808b6ef1d43e016efba0ce470904
name:
type: string
description: The human friendly name of the access item.
example: Engineering Access
description:
nullable: true
type: string
description: Detailed description of the access item.
example: Access to engineering database
type:
enum:
- ACCESS_PROFILE
- ROLE
- ENTITLEMENT
description: The type of access item.
example: ACCESS_PROFILE
operation:
enum:
- Add
- Remove
description: The action to perform on the access item.
example: Add
comment:
nullable: true
type: string
description: A comment from the identity requesting the access.
example: William needs this access to do his job.
clientMetadata:
description: Additional customer defined metadata about the access item.
nullable: true
type: object
additionalProperties: true
example:
applicationName: My application
approvalInfo:
description: A list of one or more approvers for the access request.
type: array
items:
type: object
required:
- approvalDecision
- approverName
- approver
properties:
approvalComment:
nullable: true
type: string
description: A comment left by the approver.
example: This access looks good. Approved.
approvalDecision:
enum:
- APPROVED
- DENIED
description: The final decision of the approver.
example: APPROVED
approverName:
type: string
description: The name of the approver
example: Stephen.Austin
approver:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity of the approver.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
requestedBy:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that initiated the access request.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
Trigger-Input-AccessRequestPreApproval:
title: Access Request Pre Approval
type: object
required:
- accessRequestId
- requestedFor
- requestedItems
- requestedBy
properties:
accessRequestId:
type: string
description: The unique ID of the access request.
example: 2c91808b6ef1d43e016efba0ce470904
requestedFor:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity who the access request is for.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
requestedItems:
description: Details of the access items being requested.
type: array
items:
type: object
required:
- id
- name
- type
- operation
properties:
id:
type: string
description: The unique ID of the access item being requested.
example: 2c91808b6ef1d43e016efba0ce470904
name:
type: string
description: The human friendly name of the access item.
example: Engineering Access
description:
nullable: true
type: string
description: Detailed description of the access item.
example: Access to engineering database
type:
enum:
- ACCESS_PROFILE
- ROLE
- ENTITLEMENT
description: The type of access item.
example: ACCESS_PROFILE
operation:
enum:
- Add
- Remove
description: The action to perform on the access item.
example: Add
comment:
nullable: true
type: string
description: A comment from the identity requesting the access.
example: William needs this access to do his job.
requestedBy:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that initiated the access request.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
Trigger-Input-AccountAggregationCompleted:
title: Account Aggregation Completed
type: object
required:
- source
- status
- started
- completed
- errors
- warnings
- stats
properties:
source:
required:
- type
- name
- id
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The source from which the accounts were aggregated.
properties:
type:
enum:
- SOURCE
description: The type of object that is referenced
example: SOURCE
status:
description: The overall status of the aggregation.
enum:
- Success
- Failed
- Terminated
example: Success
started:
type: string
format: date-time
description: The date and time when the account aggregation started.
example: '2020-06-29T22:01:50.474Z'
completed:
type: string
format: date-time
description: The date and time when the account aggregation finished.
example: '2020-06-29T22:02:04.090Z'
errors:
nullable: true
description: A list of errors that occurred during the aggregation.
type: array
items:
type: string
description: A descriptive error message.
example: Accounts unable to be aggregated.
warnings:
nullable: true
description: A list of warnings that occurred during the aggregation.
type: array
items:
type: string
description: A descriptive warning message.
example: Account Skipped
stats:
type: object
description: Overall statistics about the account aggregation.
required:
- scanned
- unchanged
- changed
- added
- removed
properties:
scanned:
type: integer
format: int32
minimum: 0
maximum: 2147483647
description: The number of accounts which were scanned / iterated over.
example: 200
unchanged:
type: integer
format: int32
minimum: 0
maximum: 2147483647
description: 'The number of accounts which existed before, but had no changes.'
example: 190
changed:
type: integer
format: int32
minimum: 0
maximum: 2147483647
description: 'The number of accounts which existed before, but had changes.'
example: 6
added:
type: integer
format: int32
minimum: 0
maximum: 2147483647
description: The number of accounts which are new - have not existed before.
example: 4
removed:
type: integer
minimum: 0
maximum: 2147483647
format: int32
description: 'The number of accounts which existed before, but no longer exist (thus getting removed).'
example: 3
Trigger-Input-AccountAttributesChanged:
title: Account Attributes Changed
type: object
required:
- identity
- source
- account
- changes
properties:
identity:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity whose account attributes changed.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
source:
required:
- id
- type
- name
type: object
description: The source that contains the account.
properties:
id:
description: ID of the object to which this reference applies
type: string
example: 4e4d982dddff4267ab12f0f1e72b5a6d
type:
type: string
enum:
- SOURCE
example: SOURCE
description: The type of object that is referenced
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: Corporate Active Directory
account:
type: object
description: Details of the account where the attributes changed.
required:
- id
- uuid
- name
- nativeIdentity
- type
properties:
id:
type: string
description: SailPoint generated unique identifier.
example: 52170a74-ca89-11ea-87d0-0242ac130003
uuid:
nullable: true
type: string
description: The source's unique identifier for the account. UUID is generated by the source system.
example: 1cb1f07d-3e5a-4431-becd-234fa4306108
name:
type: string
description: Name of the account.
example: john.doe
nativeIdentity:
type: string
description: Unique ID of the account on the source.
example: 'cn=john.doe,ou=users,dc=acme,dc=com'
type:
enum:
- ACCOUNT
description: The type of the account
example: ACCOUNT
changes:
type: array
description: A list of attributes that changed.
items:
type: object
required:
- attribute
- oldValue
- newValue
properties:
attribute:
type: string
description: The name of the attribute.
example: sn
oldValue:
description: The previous value of the attribute.
nullable: true
oneOf:
- type: string
- type: boolean
- type: array
items:
nullable: true
type: string
example: doe
newValue:
description: The new value of the attribute.
nullable: true
oneOf:
- type: string
- type: boolean
- type: array
items:
nullable: true
type: string
example: ryans
Trigger-Input-AccountCorrelated:
title: Account Correlated
type: object
required:
- identity
- source
- account
- attributes
properties:
identity:
required:
- type
- name
- id
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that the account correlated with.
properties:
type:
enum:
- IDENTITY
description: The type of object that is referenced
example: IDENTITY
source:
required:
- id
- type
- name
type: object
description: The source from which the account came.
properties:
id:
description: ID of the object to which this reference applies
type: string
example: 4e4d982dddff4267ab12f0f1e72b5a6d
type:
type: string
enum:
- SOURCE
example: SOURCE
description: The type of object that is referenced
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: Corporate Active Directory
account:
required:
- id
- name
- nativeIdentity
- type
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The account that was correlated.
properties:
type:
enum:
- ACCOUNT
description: The type of object that is referenced
example: ACCOUNT
nativeIdentity:
type: string
description: Unique ID of the account on the source.
example: 'cn=john.doe,ou=users,dc=acme,dc=com'
uuid:
nullable: true
type: string
description: The source's unique identifier for the account. UUID is generated by the source system.
example: 1cb1f07d-3e5a-4431-becd-234fa4306108
attributes:
type: object
description: The attributes associated with the account. Attributes are unique per source.
additionalProperties: true
example:
sn: doe
givenName: john
memberOf:
- 'cn=g1,ou=groups,dc=acme,dc=com'
- 'cn=g2,ou=groups,dc=acme,dc=com'
- 'cn=g3,ou=groups,dc=acme,dc=com'
entitlementCount:
type: integer
format: int32
description: The number of entitlements associated with this account.
example: 0
Trigger-Input-AccountsCollectedForAggregation:
title: Accounts Collected for Aggregation
type: object
required:
- source
- status
- started
- completed
- errors
- warnings
- stats
properties:
source:
required:
- id
- type
- name
type: object
description: Reference to the source that has been aggregated.
properties:
id:
description: ID of the object to which this reference applies
type: string
example: 4e4d982dddff4267ab12f0f1e72b5a6d
type:
type: string
enum:
- SOURCE
example: SOURCE
description: The type of object that is referenced
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: Corporate Active Directory
status:
description: The overall status of the collection.
enum:
- Success
- Failed
- Terminated
example: Success
started:
type: string
format: date-time
description: The date and time when the account collection started.
example: '2020-06-29T22:01:50.474Z'
completed:
type: string
format: date-time
description: The date and time when the account collection finished.
example: '2020-06-29T22:02:04.090Z'
errors:
nullable: true
description: A list of errors that occurred during the collection.
type: array
items:
type: string
description: A descriptive error message.
example: Unable to collect accounts for aggregation.
warnings:
nullable: true
description: A list of warnings that occurred during the collection.
type: array
items:
type: string
description: A descriptive warning message.
example: Account Skipped
stats:
type: object
description: Overall statistics about the account collection.
required:
- scanned
- unchanged
- changed
- added
- removed
properties:
scanned:
type: integer
format: int32
minimum: 0
maximum: 2147483647
description: The number of accounts which were scanned / iterated over.
example: 200
unchanged:
type: integer
format: int32
minimum: 0
maximum: 2147483647
description: 'The number of accounts which existed before, but had no changes.'
example: 190
changed:
type: integer
format: int32
minimum: 0
maximum: 2147483647
description: 'The number of accounts which existed before, but had changes.'
example: 6
added:
type: integer
format: int32
minimum: 0
maximum: 2147483647
description: The number of accounts that are new and did not exist before.
example: 4
removed:
type: integer
minimum: 0
maximum: 2147483647
format: int32
description: 'The number of accounts which existed before, but no longer exist (thus getting removed).'
example: 3
Trigger-Input-AccountUncorrelated:
title: Account Uncorrelated
type: object
required:
- identity
- source
- account
properties:
identity:
required:
- type
- name
- id
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that the account was uncorrelated from.
properties:
type:
enum:
- IDENTITY
description: The type of object that is referenced
example: IDENTITY
source:
required:
- type
- name
- id
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The source from which the account came.
properties:
type:
enum:
- SOURCE
description: The type of object that is referenced
example: SOURCE
account:
required:
- id
- name
- nativeIdentity
- type
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The account that was uncorrelated.
properties:
type:
enum:
- ACCOUNT
description: The type of object that is referenced
example: ACCOUNT
nativeIdentity:
type: string
description: Unique ID of the account on the source.
example: 'cn=john.doe,ou=users,dc=acme,dc=com'
uuid:
nullable: true
type: string
description: The source's unique identifier for the account. UUID is generated by the source system.
example: 1cb1f07d-3e5a-4431-becd-234fa4306108
entitlementCount:
type: integer
format: int32
description: The number of entitlements associated with this account.
example: 0
Trigger-Input-CampaignActivated:
title: Campaign Activated
type: object
required:
- campaign
properties:
campaign:
type: object
description: Details about the certification campaign that was activated.
required:
- id
- name
- description
- created
- deadline
- type
- campaignOwner
- status
properties:
id:
type: string
description: Unique ID for the campaign.
example: 2c91808576f886190176f88cac5a0010
name:
type: string
description: The human friendly name of the campaign.
example: Manager Access Campaign
description:
type: string
description: Extended description of the campaign.
example: Audit access for all employees.
created:
type: string
format: date-time
description: The date and time the campaign was created.
example: '2021-02-16T03:04:45.815Z'
modified:
nullable: true
type: string
format: date-time
description: The date and time the campaign was last modified.
example: '2021-02-16T03:06:45.815Z'
deadline:
type: string
format: date-time
description: The date and time the campaign is due.
example: '2021-03-16T03:04:45.815Z'
type:
description: The type of campaign.
enum:
- MANAGER
- SOURCE_OWNER
- SEARCH
- ROLE_COMPOSITION
example: MANAGER
campaignOwner:
type: object
description: Details of the identity that owns the campaign.
required:
- id
- displayName
- email
properties:
id:
type: string
description: The unique ID of the identity.
example: 37f080867702c1910177031320c40n27
displayName:
type: string
description: The human friendly name of the identity.
example: John Snow
email:
type: string
description: The primary email address of the identity.
example: john.snow@example.com
status:
enum:
- ACTIVE
description: The current status of the campaign.
example: ACTIVE
Trigger-Input-CampaignEnded:
title: Campaign Ended
type: object
required:
- campaign
properties:
campaign:
type: object
description: Details about the certification campaign that ended.
required:
- id
- name
- description
- created
- deadline
- type
- campaignOwner
- status
properties:
id:
type: string
description: Unique ID for the campaign.
example: 2c91808576f886190176f88cac5a0010
name:
type: string
description: The human friendly name of the campaign.
example: Manager Access Campaign
description:
type: string
description: Extended description of the campaign.
example: Audit access for all employees.
created:
type: string
format: date-time
description: The date and time the campaign was created.
example: '2021-02-16T03:04:45.815Z'
modified:
nullable: true
type: string
format: date-time
description: The date and time the campaign was last modified.
example: '2021-03-16T03:06:45.815Z'
deadline:
type: string
format: date-time
description: The date and time the campaign is due.
example: '2021-03-16T03:04:45.815Z'
type:
description: The type of campaign.
enum:
- MANAGER
- SOURCE_OWNER
- SEARCH
- ROLE_COMPOSITION
example: MANAGER
campaignOwner:
type: object
description: Details of the identity that owns the campaign.
required:
- id
- displayName
- email
properties:
id:
type: string
description: The unique ID of the identity.
example: 37f080867702c1910177031320c40n27
displayName:
type: string
description: The human friendly name of the identity.
example: John Snow
email:
type: string
description: The primary email address of the identity.
example: john.snow@example.com
status:
enum:
- COMPLETED
description: The current status of the campaign.
example: COMPLETED
Trigger-Input-CampaignGenerated:
title: Campaign Generated
type: object
required:
- campaign
properties:
campaign:
description: Details about the campaign that was generated.
type: object
required:
- id
- name
- description
- created
- type
- campaignOwner
- status
properties:
id:
type: string
description: The unique ID of the campaign.
example: 2c91808576f886190176f88cac5a0010
name:
type: string
description: Human friendly name of the campaign.
example: Manager Access Campaign
description:
type: string
description: Extended description of the campaign.
example: Audit access for all employees.
created:
type: string
format: date-time
description: The date and time the campaign was created.
example: '2021-02-16T03:04:45.815Z'
modified:
nullable: true
type: string
description: The date and time the campaign was last modified.
example: '2021-02-17T03:04:45.815Z'
deadline:
nullable: true
type: string
description: The date and time when the campaign must be finished by.
example: '2021-02-18T03:04:45.815Z'
type:
enum:
- MANAGER
- SOURCE_OWNER
- SEARCH
- ROLE_COMPOSITION
description: The type of campaign that was generated.
example: MANAGER
campaignOwner:
type: object
description: The identity that owns the campaign.
required:
- id
- displayName
- email
properties:
id:
type: string
description: The unique ID of the identity.
example: 37f080867702c1910177031320c40n27
displayName:
type: string
description: The display name of the identity.
example: John Snow
email:
type: string
description: The primary email address of the identity.
example: john.snow@example.com
status:
enum:
- STAGED
- ACTIVATING
- ACTIVE
description: The current status of the campaign.
example: STAGED
Trigger-Input-CertificationSignedOff:
title: Certification Signed Off
type: object
required:
- certification
properties:
certification:
description: The certification campaign that was signed off on.
required:
- id
- name
- created
allOf:
- type: object
required:
- campaignRef
- completed
- decisionsMade
- decisionsTotal
- due
- signed
- reviewer
- campaignOwner
- hasErrors
- phase
- entitiesCompleted
- entitiesTotal
properties:
campaignRef:
type: object
required:
- id
- name
- type
- campaignType
- description
properties:
id:
type: string
description: The unique ID of the campaign.
example: ef38f94347e94562b5bb8424a56397d8
name:
type: string
description: The name of the campaign.
example: Campaign Name
type:
type: string
enum:
- CAMPAIGN
description: The type of object that is being referenced.
example: CAMPAIGN
campaignType:
type: string
enum:
- MANAGER
- SOURCE_OWNER
- SEARCH
description: The type of the campaign.
example: MANAGER
description:
type: string
description: The description of the campaign set by the admin who created it.
nullable: true
example: A description of the campaign
phase:
type: string
description: |
The current phase of the campaign.
* `STAGED`: The campaign is waiting to be activated.
* `ACTIVE`: The campaign is active.
* `SIGNED`: The reviewer has signed off on the campaign, and it is considered complete.
enum:
- STAGED
- ACTIVE
- SIGNED
example: ACTIVE
due:
type: string
format: date-time
description: The due date of the certification.
example: '2018-10-19T13:49:37.385Z'
signed:
type: string
format: date-time
description: The date the reviewer signed off on the certification.
example: '2018-10-19T13:49:37.385Z'
reviewer:
description: A reference to the reviewer of the campaign.
type: object
required:
- type
- id
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
properties:
type:
description: The type of object that the reviewer is.
enum:
- IDENTITY
- GOVERNANCE_GROUP
example: IDENTITY
email:
type: string
nullable: true
description: The email of the reviewing identity. Only applicable to `IDENTITY`
example: reviewer@test.com
reassignment:
nullable: true
description: A reference to a reviewer that this campaign has been reassigned to.
type: object
properties:
from:
description: The previous certification
type: object
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
- type: object
properties:
reviewer:
description: Certification reviewer
type: object
required:
- type
- id
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
properties:
type:
description: The type of object that the reviewer is.
enum:
- IDENTITY
- GOVERNANCE_GROUP
example: IDENTITY
email:
type: string
nullable: true
description: The email of the reviewing identity. Only applicable to `IDENTITY`
example: reviewer@test.com
properties:
type:
description: The type of object that the reviewer is.
enum:
- CERTIFICATION
example: CERTIFICATION
correlatedStatus:
description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source).
enum:
- CORRELATED
- UNCORRELATED
example: CORRELATED
comment:
type: string
description: Comments from the previous reviewer.
example: Please review
hasErrors:
type: boolean
example: false
description: Indicates if the certification has any errors.
errorMessage:
type: string
nullable: true
example: The certification has an error
description: A message indicating what the error is.
completed:
type: boolean
description: Indicates if all certification decisions have been made.
example: false
decisionsMade:
type: integer
description: The number of approve/revoke/acknowledge decisions that have been made by the reviewer.
example: 20
format: int32
decisionsTotal:
type: integer
description: The total number of approve/revoke/acknowledge decisions for the certification.
example: 40
format: int32
entitiesCompleted:
type: integer
description: 'The number of entities (identities, access profiles, roles, etc.) for which all decisions have been made and are complete.'
example: 5
format: int32
entitiesTotal:
type: integer
format: int32
description: 'The total number of entities (identities, access profiles, roles, etc.) in the certification, both complete and incomplete.'
example: 10
properties:
id:
type: string
description: Unique ID of the certification.
example: 2c91808576f886190176f88caf0d0067
name:
type: string
description: The name of the certification.
example: Manager Access Review for Alice Baker
created:
type: string
format: date-time
description: The date and time the certification was created.
example: '2020-02-16T03:04:45.815Z'
modified:
nullable: true
type: string
format: date-time
description: The date and time the certification was last modified.
example: '2020-02-16T03:06:45.815Z'
Trigger-Input-IdentityAttributesChanged:
title: Identity Attributes Changed
type: object
required:
- identity
- changes
properties:
identity:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity whose attributes changed.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
changes:
description: A list of one or more identity attributes that changed on the identity.
type: array
items:
type: object
required:
- attribute
properties:
attribute:
type: string
description: The name of the identity attribute that changed.
example: department
oldValue:
description: The value of the identity attribute before it changed.
nullable: true
example: sales
oneOf:
- type: string
- type: boolean
- type: array
items:
type: string
- type: object
nullable: true
additionalProperties:
oneOf:
- type: string
- type: number
- type: integer
- type: boolean
newValue:
description: The value of the identity attribute after it changed.
example: marketing
oneOf:
- type: string
- type: boolean
- type: array
items:
type: string
- type: object
nullable: true
additionalProperties:
oneOf:
- type: string
- type: number
- type: integer
- type: boolean
Trigger-Input-IdentityCreated:
title: Identity Created
type: object
required:
- identity
- attributes
properties:
identity:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that was created.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
attributes:
type: object
description: The attributes assigned to the identity. Attributes are determined by the identity profile.
additionalProperties: true
example:
firstname: John
Trigger-Input-IdentityDeleted:
title: Identity Deleted
type: object
required:
- identity
- attributes
properties:
identity:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that was deleted.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
attributes:
type: object
description: The attributes assigned to the identity. Attributes are determined by the identity profile.
additionalProperties: true
example:
firstname: John
Trigger-Input-ProvisioningCompleted:
title: Provisioning Completed
type: object
required:
- trackingNumber
- sources
- recipient
- accountRequests
properties:
trackingNumber:
type: string
description: The reference number of the provisioning request. Useful for tracking status in the Account Activity search interface.
example: 4b4d982dddff4267ab12f0f1e72b5a6d
sources:
type: string
description: One or more sources that the provisioning transaction(s) were done against. Sources are comma separated.
example: 'Corp AD, Corp LDAP, Corp Salesforce'
action:
nullable: true
type: string
description: Origin of where the provisioning request came from.
example: IdentityRefresh
errors:
nullable: true
description: A list of any accumulated error messages that occurred during provisioning.
type: array
items:
type: string
example: Connector AD Failed
warnings:
nullable: true
description: A list of any accumulated warning messages that occurred during provisioning.
type: array
items:
type: string
example: Notification Skipped due to invalid email
recipient:
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: Reference to the identity who is the target of the provisioning request.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
requester:
nullable: true
required:
- id
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: Reference to the identity (if any) who submitted the provisioning request.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
accountRequests:
type: array
description: A list of provisioning instructions to perform on an account-by-account basis.
items:
type: object
required:
- source
- accountOperation
- provisioningResult
- provisioningTarget
properties:
source:
required:
- id
- type
- name
type: object
description: Reference to the source being provisioned against.
properties:
id:
description: ID of the object to which this reference applies
type: string
example: 4e4d982dddff4267ab12f0f1e72b5a6d
type:
type: string
enum:
- SOURCE
example: SOURCE
description: The type of object that is referenced
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: Corporate Active Directory
accountId:
type: string
description: The unique identifier of the account being provisioned.
example: 'CN=Chewy.Bacca,ou=hardcorefigter,ou=wookies,dc=starwars,dc=com'
accountOperation:
type: string
description: 'The provisioning operation; typically Create, Modify, Enable, Disable, Unlock, or Delete.'
example: Modify
provisioningResult:
description: 'The overall result of the provisioning transaction; this could be success, pending, failed, etc.'
enum:
- SUCCESS
- PENDING
- FAILED
example: SUCCESS
provisioningTarget:
type: string
description: 'The name of the provisioning channel selected; this could be the same as the source, or could be a Service Desk Integration Module (SDIM).'
example: Corp AD
ticketId:
nullable: true
type: string
description: 'A reference to a tracking number, if this is sent to a Service Desk Integration Module (SDIM).'
example: '72619262'
attributeRequests:
nullable: true
description: A list of attributes as part of the provisioning transaction.
type: array
items:
type: object
required:
- attributeName
- operation
properties:
attributeName:
type: string
description: The name of the attribute being provisioned.
example: memberOf
attributeValue:
nullable: true
type: string
description: The value of the attribute being provisioned.
example: 'CN=jedi,DC=starwars,DC=com'
operation:
enum:
- Add
- Set
- Remove
description: The operation to handle the attribute.
example: Add
Trigger-Input-SavedSearchComplete:
title: Saved Search Complete
type: object
required:
- fileName
- ownerEmail
- ownerName
- query
- searchName
- searchResults
- signedS3Url
properties:
fileName:
type: string
description: A name for the report file.
example: Modified.zip
ownerEmail:
type: string
description: The email address of the identity that owns the saved search.
example: test@sailpoint.com
ownerName:
type: string
description: The name of the identity that owns the saved search.
example: Cloud Support
query:
type: string
description: The search query that was used to generate the report.
example: 'modified:[now-7y/d TO now]'
searchName:
type: string
description: The name of the saved search.
example: Modified Activity
searchResults:
type: object
description: 'A preview of the search results for each object type. This includes a count as well as headers, and the first several rows of data, per object type.'
properties:
Account:
description: A table of accounts that match the search criteria.
nullable: true
type: object
required:
- count
- noun
- preview
properties:
count:
type: string
description: The number of rows in the table.
example: 3
noun:
type: string
description: The type of object represented in the table.
example: accounts
preview:
description: A sample of the data in the table.
type: array
items:
type: array
items:
type: string
example: Robert.Chase
example: []
Entitlement:
description: A table of entitlements that match the search criteria.
nullable: true
type: object
required:
- count
- noun
- preview
properties:
count:
type: string
description: The number of rows in the table.
example: 2
noun:
type: string
description: The type of object represented in the table.
example: entitlements
preview:
description: A sample of the data in the table.
type: array
items:
type: array
items:
type: string
example: Administrator
example: []
Identity:
description: A table of identities that match the search criteria.
nullable: true
type: object
required:
- count
- noun
- preview
properties:
count:
type: string
description: The number of rows in the table.
example: 2
noun:
type: string
description: The type of object represented in the table.
example: identities
preview:
description: A sample of the data in the table.
type: array
items:
type: array
items:
type: string
example: Carol Shelby
example: []
signedS3Url:
type: string
description: The Amazon S3 URL to download the report from.
example: 'https://sptcbu-org-data-useast1.s3.amazonaws.com/arsenal-john/reports/Events%20Export.2020-05-06%2018%2759%20GMT.3e580592-86e4-4953-8aea-49e6ef20a086.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20200506T185919Z&X-Amz-SignedHeaders=host&X-Amz-Expires=899&X-Amz-Credential=AKIAV5E54XOGTS4Q4L7A%2F20200506%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=2e732bb97a12a1fd8a215613e3c31fcdae8ba1fb6a25916843ab5b51d2ddefbc'
Trigger-Input-SourceAccountCreated:
type: object
required:
- id
- nativeIdentifier
- sourceId
- sourceName
- identityId
- identityName
- attributes
properties:
uuid:
type: string
description: Source unique identifier for the identity. UUID is generated by the source system.
example: b7264868-7201-415f-9118-b581d431c688
id:
type: string
description: SailPoint generated unique identifier.
example: ee769173319b41d19ccec35ba52f237b
nativeIdentifier:
type: string
description: Unique ID of the account on the source.
example: E009
sourceId:
type: string
description: The ID of the source.
example: 2c918082814e693601816e09471b29b6
sourceName:
type: string
description: The name of the source.
example: Active Directory
identityId:
type: string
description: The ID of the identity that is correlated with this account.
example: ee769173319b41d19ccec6c235423237b
identityName:
type: string
description: The name of the identity that is correlated with this account.
example: john.doe
attributes:
type: object
additionalProperties: true
description: The attributes of the account. The contents of attributes depend on the account schema for the source.
example:
firstname: John
lastname: Doe
email: john.doe@gmail.com
department: Sales
displayName: John Doe
created: '2020-04-27T16:48:33.597Z'
employeeNumber: E009
uid: E009
inactive: 'true'
phone: null
identificationNumber: E009
Trigger-Input-SourceAccountDeleted:
type: object
required:
- id
- nativeIdentifier
- sourceId
- sourceName
- identityId
- identityName
- attributes
properties:
uuid:
type: string
description: Source unique identifier for the identity. UUID is generated by the source system.
example: b7264868-7201-415f-9118-b581d431c688
id:
type: string
description: SailPoint generated unique identifier.
example: ee769173319b41d19ccec35ba52f237b
nativeIdentifier:
type: string
description: Unique ID of the account on the source.
example: E009
sourceId:
type: string
description: The ID of the source.
example: 2c918082814e693601816e09471b29b6
sourceName:
type: string
description: The name of the source.
example: Active Directory
identityId:
type: string
description: The ID of the identity that is correlated with this account.
example: ee769173319b41d19ccec6c235423237b
identityName:
type: string
description: The name of the identity that is correlated with this account.
example: john.doe
attributes:
type: object
additionalProperties: true
description: The attributes of the account. The contents of attributes depend on the account schema for the source.
example:
firstname: John
lastname: Doe
email: john.doe@gmail.com
department: Sales
displayName: John Doe
created: '2020-04-27T16:48:33.597Z'
employeeNumber: E009
uid: E009
inactive: 'true'
phone: null
identificationNumber: E009
Trigger-Input-SourceAccountUpdated:
type: object
required:
- id
- nativeIdentifier
- sourceId
- sourceName
- identityId
- identityName
- attributes
properties:
uuid:
type: string
description: Source unique identifier for the identity. UUID is generated by the source system.
example: b7264868-7201-415f-9118-b581d431c688
id:
type: string
description: SailPoint generated unique identifier.
example: ee769173319b41d19ccec35ba52f237b
nativeIdentifier:
type: string
description: Unique ID of the account on the source.
example: E009
sourceId:
type: string
description: The ID of the source.
example: 2c918082814e693601816e09471b29b6
sourceName:
type: string
description: The name of the source.
example: Active Directory
identityId:
type: string
description: The ID of the identity that is correlated with this account.
example: ee769173319b41d19ccec6c235423237b
identityName:
type: string
description: The name of the identity that is correlated with this account.
example: john.doe
attributes:
type: object
additionalProperties: true
description: The attributes of the account. The contents of attributes depend on the account schema for the source.
example:
firstname: John
lastname: Doe
email: john.doe@gmail.com
department: Sales
displayName: John Doe
created: '2020-04-27T16:48:33.597Z'
employeeNumber: E009
uid: E009
inactive: 'true'
phone: null
identificationNumber: E009
Trigger-Input-SourceCreated:
title: Source Created
type: object
required:
- id
- name
- type
- created
- connector
- actor
properties:
id:
type: string
description: The unique ID of the source.
example: 2c9180866166b5b0016167c32ef31a66
name:
type: string
description: Human friendly name of the source.
example: Test source
type:
type: string
description: The connection type.
example: DIRECT_CONNECT
created:
type: string
format: date-time
description: The date and time the source was created.
example: '2021-03-29T22:01:50.474Z'
connector:
type: string
description: The connector type used to connect to the source.
example: active-directory
actor:
required:
- id
- name
- type
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that created the source.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
Trigger-Input-SourceDeleted:
title: Source Deleted
type: object
required:
- id
- name
- type
- deleted
- connector
- actor
properties:
id:
type: string
description: The unique ID of the source.
example: 2c9180866166b5b0016167c32ef31a66
name:
type: string
description: Human friendly name of the source.
example: Test source
type:
type: string
description: The connection type.
example: DIRECT_CONNECT
deleted:
type: string
format: date-time
description: The date and time the source was deleted.
example: '2021-03-29T22:01:50.474Z'
connector:
type: string
description: The connector type used to connect to the source.
example: active-directory
actor:
required:
- id
- name
- type
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity that deleted the source.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
Trigger-Input-SourceUpdated:
title: Source Updated
type: object
required:
- id
- name
- type
- modified
- connector
- actor
properties:
id:
type: string
description: The unique ID of the source.
example: 2c9180866166b5b0016167c32ef31a66
name:
type: string
description: The user friendly name of the source.
example: Corporate Active Directory
type:
type: string
description: The connection type of the source.
example: DIRECT_CONNECT
modified:
type: string
format: date-time
description: The date and time the source was modified.
example: '2021-03-29T22:01:50.474Z'
connector:
type: string
description: The connector type used to connect to the source.
example: active-directory
actor:
required:
- type
- name
allOf:
- type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
description: The identity or system that performed the update.
properties:
type:
enum:
- IDENTITY
example: IDENTITY
description: The type of object that is referenced
Trigger-Input-VAClusterStatusChangeEvent:
title: VA Cluster Status Change Event
type: object
required:
- created
- type
- application
- healthCheckResult
- previousHealthCheckResult
properties:
created:
type: string
format: date-time
description: The date and time the status change occurred.
example: '2020-06-29T22:01:50.474Z'
type:
enum:
- SOURCE
- CLUSTER
description: The type of the object that initiated this event.
example: CLUSTER
application:
type: object
description: Details about the `CLUSTER` or `SOURCE` that initiated this event.
required:
- id
- name
- attributes
properties:
id:
type: string
description: The GUID of the application
example: 2c9180866166b5b0016167c32ef31a66
name:
type: string
description: The name of the application
example: Production VA Cluster
attributes:
type: object
description: Custom map of attributes for a source. This will only be populated if type is `SOURCE` and the source has a proxy.
additionalProperties: true
nullable: true
example: null
healthCheckResult:
type: object
description: The results of the most recent health check.
required:
- message
- resultType
- status
properties:
message:
type: string
description: Detailed message of the result of the health check.
example: Test Connection failed with exception. Error message - java.lang Exception
resultType:
type: string
description: The type of the health check result.
example: SOURCE_STATE_ERROR_CLUSTER
status:
enum:
- Succeeded
- Failed
description: The status of the health check.
example: Succeeded
previousHealthCheckResult:
type: object
description: The results of the last health check.
required:
- message
- resultType
- status
properties:
message:
type: string
description: Detailed message of the result of the health check.
example: Test Connection failed with exception. Error message - java.lang Exception
resultType:
type: string
description: The type of the health check result.
example: SOURCE_STATE_ERROR_CLUSTER
status:
enum:
- Succeeded
- Failed
description: The status of the health check.
example: Failed
Trigger-Output-AccessRequestDynamicApprover:
title: Access Request Dynamic Approver
type: object
nullable: true
required:
- id
- name
- type
properties:
id:
type: string
description: The unique ID of the identity to add to the approver list for the access request.
example: 2c91808b6ef1d43e016efba0ce470906
name:
type: string
description: The name of the identity to add to the approver list for the access request.
example: Adam Adams
type:
enum:
- IDENTITY
- GOVERNANCE_GROUP
description: The type of object being referenced.
example: IDENTITY
Trigger-Output-AccessRequestPreApproval:
title: Access Request Pre Approval
type: object
required:
- approved
- comment
- approver
properties:
approved:
type: boolean
description: Whether or not to approve the access request.
example: false
comment:
type: string
description: A comment about the decision to approve or deny the request.
example: 'This access should be denied, because this will cause an SOD violation.'
approver:
type: string
description: The name of the entity that approved or denied the request.
example: AcmeCorpExternalIntegration
paths:
/access-profiles:
get:
operationId: listAccessProfiles
tags:
- Access Profiles
summary: List Access Profiles
description: |-
This API returns a list of Access Profiles.
A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.
parameters:
- in: query
name: for-subadmin
schema:
type: string
description: |-
If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN or SOURCE_SUBADMIN Identity. The value of the parameter is either an Identity ID, or the special value **me**, which is shorthand for the calling Identity's ID.
A 400 Bad Request error is returned if the **for-subadmin** parameter is specified for an Identity that is not a subadmin.
example: 8c190e6787aa4ed9a90bd9d5344523fb
required: false
- in: query
name: limit
description: |-
Note that for this API the maximum value for limit is 50.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 50
schema:
type: integer
format: int32
minimum: 0
maximum: 50
default: 50
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: filters
schema:
type: string
description: |-
Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
Filtering is supported for the following fields and operators:
**id**: *eq, in*
**name**: *eq, sw*
**created, modified**: *gt, lt, ge, le*
**owner.id**: *eq, in*
**requestable**: *eq*
**source.id**: *eq, in*
example: name eq "SailPoint Support"
required: false
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
Sorting is supported for the following fields: **name, created, modified**
example: 'name,-modified'
required: false
- in: query
name: for-segment-ids
schema:
type: string
format: comma-separated
description: |-
If present and not empty, additionally filters Access Profiles to those which are assigned to the Segment(s) with the specified IDs.
If segmentation is currently unavailable, specifying this parameter results in an error.
example: '0b5c9f25-83c6-4762-9073-e38f7bb2ae26,2e8d8180-24bc-4d21-91c6-7affdb473b0d'
required: false
- in: query
name: include-unsegmented
schema:
type: boolean
default: true
description: 'Whether or not the response list should contain unsegmented Access Profiles. If *for-segment-ids* is absent or empty, specifying *include-unsegmented* as false results in an error.'
example: false
required: false
responses:
'200':
description: List of Access Profiles
content:
application/json:
schema:
type: array
items:
type: object
properties:
id:
type: string
description: The ID of the Access Profile
example: 2c91808a7190d06e01719938fcd20792
readOnly: true
name:
type: string
description: Name of the Access Profile
example: Employee-database-read-write
description:
type: string
nullable: true
description: Information about the Access Profile
example: Collection of entitlements to read/write the employee database
created:
type: string
description: Date the Access Profile was created
format: date-time
example: '2021-03-01T22:32:58.104Z'
readOnly: true
modified:
type: string
description: Date the Access Profile was last modified.
format: date-time
example: '2021-03-02T20:22:28.104Z'
readOnly: true
enabled:
type: boolean
description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.
example: true
owner:
description: Owner of the Access Profile
type: object
properties:
type:
description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.'
example: IDENTITY
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
id:
type: string
description: Identity id
example: 2c9180a46faadee4016fb4e018c20639
name:
type: string
description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.'
example: support
source:
type: object
properties:
id:
type: string
description: The ID of the Source with which the Access Profile is associated
example: 2c91809773dee3610173fdb0b6061ef4
type:
type: string
enum:
- SOURCE
description: 'The type of the Source, will always be SOURCE'
example: SOURCE
name:
type: string
description: The display name of the associated Source
example: ODS-AD-SOURCE
entitlements:
type: array
description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise it needs to contain at least one Entitlement.
items:
type: object
properties:
id:
type: string
description: The ID of the Entitlement
example: 2c91809773dee32014e13e122092014e
type:
type: string
enum:
- ENTITLEMENT
description: 'The type of the Entitlement, will always be ENTITLEMENT'
example: ENTITLEMENT
name:
type: string
description: The display name of the Entitlement
example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local'
requestable:
type: boolean
description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.'
example: true
accessRequestConfig:
nullable: true
description: Access request configuration for this object
type: object
properties:
commentsRequired:
type: boolean
description: Whether the requester of the containing object must provide comments justifying the request
example: true
denialCommentsRequired:
type: boolean
description: Whether an approver must provide comments when denying the request
example: true
approvalSchemes:
type: array
description: List describing the steps in approving the request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
revocationRequestConfig:
nullable: true
description: Revocation request configuration for this object.
type: object
properties:
approvalSchemes:
type: array
description: List describing the steps in approving the revocation request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
segments:
type: array
nullable: true
items:
type: string
description: 'List of IDs of segments, if any, to which this Access Profile is assigned.'
example:
- f7b1b8a3-5fed-4fd4-ad29-82014e137e19
- 29cb6c06-1da8-43ea-8be4-b3125f248f2a
provisioningCriteria:
description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.'
nullable: true
example:
operation: OR
children:
- operation: AND
children:
- attribute: dn
operation: CONTAINS
value: useast
- attribute: manager
operation: CONTAINS
value: Scott.Clark
- operation: AND
children:
- attribute: dn
operation: EQUALS
value: Gibson
- attribute: telephoneNumber
operation: CONTAINS
value: '512'
type: object
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
required:
- owner
- name
- source
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this end-point.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
security:
- oauth2:
- 'idn:access-profile:read'
- 'idn:access-profile:manage'
post:
operationId: createAccessProfile
tags:
- Access Profiles
summary: Create an Access Profile
description: |-
This API creates an Access Profile.
A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. In addition, a token with only ROLE_SUBADMIN or SOURCE_SUBADMIN authority must be associated with the Access Profile's Source.
The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing access profiles, however, any new access profiles as well as any updates to existing descriptions will be limited to 2000 characters.
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
id:
type: string
description: The ID of the Access Profile
example: 2c91808a7190d06e01719938fcd20792
readOnly: true
name:
type: string
description: Name of the Access Profile
example: Employee-database-read-write
description:
type: string
nullable: true
description: Information about the Access Profile
example: Collection of entitlements to read/write the employee database
created:
type: string
description: Date the Access Profile was created
format: date-time
example: '2021-03-01T22:32:58.104Z'
readOnly: true
modified:
type: string
description: Date the Access Profile was last modified.
format: date-time
example: '2021-03-02T20:22:28.104Z'
readOnly: true
enabled:
type: boolean
description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.
example: true
owner:
description: Owner of the Access Profile
type: object
properties:
type:
description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.'
example: IDENTITY
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
id:
type: string
description: Identity id
example: 2c9180a46faadee4016fb4e018c20639
name:
type: string
description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.'
example: support
source:
type: object
properties:
id:
type: string
description: The ID of the Source with which the Access Profile is associated
example: 2c91809773dee3610173fdb0b6061ef4
type:
type: string
enum:
- SOURCE
description: 'The type of the Source, will always be SOURCE'
example: SOURCE
name:
type: string
description: The display name of the associated Source
example: ODS-AD-SOURCE
entitlements:
type: array
description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement.
items:
type: object
properties:
id:
type: string
description: The ID of the Entitlement
example: 2c91809773dee32014e13e122092014e
type:
type: string
enum:
- ENTITLEMENT
description: 'The type of the Entitlement, will always be ENTITLEMENT'
example: ENTITLEMENT
name:
type: string
description: The display name of the Entitlement
example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local'
requestable:
type: boolean
description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.'
example: true
accessRequestConfig:
nullable: true
description: Access request configuration for this object
type: object
properties:
commentsRequired:
type: boolean
description: Whether the requester of the containing object must provide comments justifying the request
example: true
denialCommentsRequired:
type: boolean
description: Whether an approver must provide comments when denying the request
example: true
approvalSchemes:
type: array
description: List describing the steps in approving the request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
revocationRequestConfig:
nullable: true
description: Revocation request configuration for this object.
type: object
properties:
approvalSchemes:
type: array
description: List describing the steps in approving the revocation request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
segments:
type: array
nullable: true
items:
type: string
description: 'List of IDs of segments, if any, to which this Access Profile is assigned.'
example:
- f7b1b8a3-5fed-4fd4-ad29-82014e137e19
- 29cb6c06-1da8-43ea-8be4-b3125f248f2a
provisioningCriteria:
description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.'
nullable: true
example:
operation: OR
children:
- operation: AND
children:
- attribute: dn
operation: CONTAINS
value: useast
- attribute: manager
operation: CONTAINS
value: Scott.Clark
- operation: AND
children:
- attribute: dn
operation: EQUALS
value: Gibson
- attribute: telephoneNumber
operation: CONTAINS
value: '512'
type: object
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
required:
- owner
- name
- source
responses:
'201':
description: Access Profile created
content:
application/json:
schema:
type: object
properties:
id:
type: string
description: The ID of the Access Profile
example: 2c91808a7190d06e01719938fcd20792
readOnly: true
name:
type: string
description: Name of the Access Profile
example: Employee-database-read-write
description:
type: string
nullable: true
description: Information about the Access Profile
example: Collection of entitlements to read/write the employee database
created:
type: string
description: Date the Access Profile was created
format: date-time
example: '2021-03-01T22:32:58.104Z'
readOnly: true
modified:
type: string
description: Date the Access Profile was last modified.
format: date-time
example: '2021-03-02T20:22:28.104Z'
readOnly: true
enabled:
type: boolean
description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.
example: true
owner:
description: Owner of the Access Profile
type: object
properties:
type:
description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.'
example: IDENTITY
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
id:
type: string
description: Identity id
example: 2c9180a46faadee4016fb4e018c20639
name:
type: string
description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.'
example: support
source:
type: object
properties:
id:
type: string
description: The ID of the Source with which the Access Profile is associated
example: 2c91809773dee3610173fdb0b6061ef4
type:
type: string
enum:
- SOURCE
description: 'The type of the Source, will always be SOURCE'
example: SOURCE
name:
type: string
description: The display name of the associated Source
example: ODS-AD-SOURCE
entitlements:
type: array
description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement.
items:
type: object
properties:
id:
type: string
description: The ID of the Entitlement
example: 2c91809773dee32014e13e122092014e
type:
type: string
enum:
- ENTITLEMENT
description: 'The type of the Entitlement, will always be ENTITLEMENT'
example: ENTITLEMENT
name:
type: string
description: The display name of the Entitlement
example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local'
requestable:
type: boolean
description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.'
example: true
accessRequestConfig:
nullable: true
description: Access request configuration for this object
type: object
properties:
commentsRequired:
type: boolean
description: Whether the requester of the containing object must provide comments justifying the request
example: true
denialCommentsRequired:
type: boolean
description: Whether an approver must provide comments when denying the request
example: true
approvalSchemes:
type: array
description: List describing the steps in approving the request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
revocationRequestConfig:
nullable: true
description: Revocation request configuration for this object.
type: object
properties:
approvalSchemes:
type: array
description: List describing the steps in approving the revocation request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
segments:
type: array
nullable: true
items:
type: string
description: 'List of IDs of segments, if any, to which this Access Profile is assigned.'
example:
- f7b1b8a3-5fed-4fd4-ad29-82014e137e19
- 29cb6c06-1da8-43ea-8be4-b3125f248f2a
provisioningCriteria:
description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.'
nullable: true
example:
operation: OR
children:
- operation: AND
children:
- attribute: dn
operation: CONTAINS
value: useast
- attribute: manager
operation: CONTAINS
value: Scott.Clark
- operation: AND
children:
- attribute: dn
operation: EQUALS
value: Gibson
- attribute: telephoneNumber
operation: CONTAINS
value: '512'
type: object
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
required:
- owner
- name
- source
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
security:
- oauth2:
- 'idn:access-profile:manage'
'/access-profiles/{id}':
get:
operationId: getAccessProfile
tags:
- Access Profiles
summary: Get an Access Profile
description: |-
This API returns an Access Profile by its ID.
A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.
parameters:
- in: path
name: id
required: true
schema:
type: string
description: ID of the Access Profile
example: 2c9180837ca6693d017ca8d097500149
responses:
'200':
description: An AccessProfile
content:
application/json:
schema:
type: object
properties:
id:
type: string
description: The ID of the Access Profile
example: 2c91808a7190d06e01719938fcd20792
readOnly: true
name:
type: string
description: Name of the Access Profile
example: Employee-database-read-write
description:
type: string
nullable: true
description: Information about the Access Profile
example: Collection of entitlements to read/write the employee database
created:
type: string
description: Date the Access Profile was created
format: date-time
example: '2021-03-01T22:32:58.104Z'
readOnly: true
modified:
type: string
description: Date the Access Profile was last modified.
format: date-time
example: '2021-03-02T20:22:28.104Z'
readOnly: true
enabled:
type: boolean
description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.
example: true
owner:
description: Owner of the Access Profile
type: object
properties:
type:
description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.'
example: IDENTITY
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
id:
type: string
description: Identity id
example: 2c9180a46faadee4016fb4e018c20639
name:
type: string
description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.'
example: support
source:
type: object
properties:
id:
type: string
description: The ID of the Source with which the Access Profile is associated
example: 2c91809773dee3610173fdb0b6061ef4
type:
type: string
enum:
- SOURCE
description: 'The type of the Source, will always be SOURCE'
example: SOURCE
name:
type: string
description: The display name of the associated Source
example: ODS-AD-SOURCE
entitlements:
type: array
description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement.
items:
type: object
properties:
id:
type: string
description: The ID of the Entitlement
example: 2c91809773dee32014e13e122092014e
type:
type: string
enum:
- ENTITLEMENT
description: 'The type of the Entitlement, will always be ENTITLEMENT'
example: ENTITLEMENT
name:
type: string
description: The display name of the Entitlement
example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local'
requestable:
type: boolean
description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.'
example: true
accessRequestConfig:
nullable: true
description: Access request configuration for this object
type: object
properties:
commentsRequired:
type: boolean
description: Whether the requester of the containing object must provide comments justifying the request
example: true
denialCommentsRequired:
type: boolean
description: Whether an approver must provide comments when denying the request
example: true
approvalSchemes:
type: array
description: List describing the steps in approving the request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
revocationRequestConfig:
nullable: true
description: Revocation request configuration for this object.
type: object
properties:
approvalSchemes:
type: array
description: List describing the steps in approving the revocation request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
segments:
type: array
nullable: true
items:
type: string
description: 'List of IDs of segments, if any, to which this Access Profile is assigned.'
example:
- f7b1b8a3-5fed-4fd4-ad29-82014e137e19
- 29cb6c06-1da8-43ea-8be4-b3125f248f2a
provisioningCriteria:
description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.'
nullable: true
example:
operation: OR
children:
- operation: AND
children:
- attribute: dn
operation: CONTAINS
value: useast
- attribute: manager
operation: CONTAINS
value: Scott.Clark
- operation: AND
children:
- attribute: dn
operation: EQUALS
value: Gibson
- attribute: telephoneNumber
operation: CONTAINS
value: '512'
type: object
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
required:
- owner
- name
- source
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this end-point.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
security:
- oauth2:
- 'idn:access-profile:read'
- 'idn:access-profile:manage'
patch:
operationId: patchAccessProfile
tags:
- Access Profiles
summary: Patch a specified Access Profile
description: |-
This API updates an existing Access Profile. The following fields are patchable:
**name**, **description**, **enabled**, **owner**, **requestable**, **accessRequestConfig**, **revokeRequestConfig**, **segments**, **entitlements**, **provisioningCriteria**
A token with API, ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. In addition, a SOURCE_SUBADMIN may only use this API to patch Access Profiles which are associated with Sources they are able to administer.
> The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing access profiles; however, any new access profiles, as well as any updates to existing descriptions, will be limited to 2000 characters.
> You can only add or replace **entitlements** that exist on the source that the access profile is attached to. You can use the **list entitlements** endpoint with the **filters** query parameter to get a list of available entitlements on the access profile's source.
> Patching the value of the **requestable** field is only supported for customers enabled with the new Request Center. Otherwise, attempting to modify this field results in a 400 error.
parameters:
- name: id
in: path
description: ID of the Access Profile to patch
required: true
schema:
type: string
example: 2c91808a7813090a017814121919ecca
requestBody:
content:
application/json-patch+json:
schema:
type: array
items:
type: object
description: 'A JSONPatch Operation as defined by [RFC 6902 - JSON Patch](https://tools.ietf.org/html/rfc6902)'
required:
- op
- path
properties:
op:
type: string
description: The operation to be performed
enum:
- add
- remove
- replace
- move
- copy
- test
example: replace
path:
type: string
description: A string JSON Pointer representing the target path to an element to be affected by the operation
example: /description
value:
anyOf:
- type: string
- type: integer
- type: object
- type: array
items:
anyOf:
- type: string
- type: integer
- type: object
description: 'The value to be used for the operation, required for "add" and "replace" operations'
example: New description
examples:
Add Entitlements:
description: Add one or more entitlements to the end of the list
value:
- op: add
path: /entitlements
value:
- id: 2c9180857725c14301772a93bb77242d
type: ENTITLEMENT
name: AD User Group
Insert Entitlement:
description: Add an entitlement at the beginning of the entitlement list
value:
- op: add
path: /entitlements/0
value:
id: 2c9180857725c14301772a93bb77242d
type: ENTITLEMENT
name: AD User Group
Replace Entitlements:
description: Replace all entitlements with a new list of entitlements
value:
- op: replace
path: /entitlements
value:
- id: 2c9180857725c14301772a93bb77242d
type: ENTITLEMENT
name: AD User Group
Remove Entitlement:
description: Remove the first entitlement in the list
value:
- op: remove
path: /entitlements/0
required: true
responses:
'200':
description: Responds with the Access Profile as updated.
content:
application/json:
schema:
type: object
properties:
id:
type: string
description: The ID of the Access Profile
example: 2c91808a7190d06e01719938fcd20792
readOnly: true
name:
type: string
description: Name of the Access Profile
example: Employee-database-read-write
description:
type: string
nullable: true
description: Information about the Access Profile
example: Collection of entitlements to read/write the employee database
created:
type: string
description: Date the Access Profile was created
format: date-time
example: '2021-03-01T22:32:58.104Z'
readOnly: true
modified:
type: string
description: Date the Access Profile was last modified.
format: date-time
example: '2021-03-02T20:22:28.104Z'
readOnly: true
enabled:
type: boolean
description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.
example: true
owner:
description: Owner of the Access Profile
type: object
properties:
type:
description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.'
example: IDENTITY
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
id:
type: string
description: Identity id
example: 2c9180a46faadee4016fb4e018c20639
name:
type: string
description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.'
example: support
source:
type: object
properties:
id:
type: string
description: The ID of the Source with which the Access Profile is associated
example: 2c91809773dee3610173fdb0b6061ef4
type:
type: string
enum:
- SOURCE
description: 'The type of the Source, will always be SOURCE'
example: SOURCE
name:
type: string
description: The display name of the associated Source
example: ODS-AD-SOURCE
entitlements:
type: array
description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement.
items:
type: object
properties:
id:
type: string
description: The ID of the Entitlement
example: 2c91809773dee32014e13e122092014e
type:
type: string
enum:
- ENTITLEMENT
description: 'The type of the Entitlement, will always be ENTITLEMENT'
example: ENTITLEMENT
name:
type: string
description: The display name of the Entitlement
example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local'
requestable:
type: boolean
description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.'
example: true
accessRequestConfig:
nullable: true
description: Access request configuration for this object
type: object
properties:
commentsRequired:
type: boolean
description: Whether the requester of the containing object must provide comments justifying the request
example: true
denialCommentsRequired:
type: boolean
description: Whether an approver must provide comments when denying the request
example: true
approvalSchemes:
type: array
description: List describing the steps in approving the request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
revocationRequestConfig:
nullable: true
description: Revocation request configuration for this object.
type: object
properties:
approvalSchemes:
type: array
description: List describing the steps in approving the revocation request
items:
type: object
properties:
approverType:
type: string
enum:
- APP_OWNER
- OWNER
- SOURCE_OWNER
- MANAGER
- GOVERNANCE_GROUP
description: |-
Describes the individual or group that is responsible for an approval step. Values are as follows.
**APP_OWNER**: The owner of the Application
**OWNER**: Owner of the associated Access Profile or Role
**SOURCE_OWNER**: Owner of the Source associated with an Access Profile
**MANAGER**: Manager of the Identity making the request
**GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field
example: GOVERNANCE_GROUP
approverId:
type: string
nullable: true
description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP'
example: 46c79819-a69f-49a2-becb-12c971ae66c6
segments:
type: array
nullable: true
items:
type: string
description: 'List of IDs of segments, if any, to which this Access Profile is assigned.'
example:
- f7b1b8a3-5fed-4fd4-ad29-82014e137e19
- 29cb6c06-1da8-43ea-8be4-b3125f248f2a
provisioningCriteria:
description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.'
nullable: true
example:
operation: OR
children:
- operation: AND
children:
- attribute: dn
operation: CONTAINS
value: useast
- attribute: manager
operation: CONTAINS
value: Scott.Clark
- operation: AND
children:
- attribute: dn
operation: EQUALS
value: Gibson
- attribute: telephoneNumber
operation: CONTAINS
value: '512'
type: object
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
nullable: true
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
children:
type: array
items:
type: object
description: Defines matching criteria for an Account to be provisioned with a specific Access Profile
properties:
operation:
type: string
enum:
- EQUALS
- NOT_EQUALS
- CONTAINS
- HAS
- AND
- OR
description: Supported operations on ProvisioningCriteria
example: EQUALS
attribute:
type: string
description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.'
example: email
nullable: true
value:
type: string
description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.'
example: carlee.cert1c9f9b6fd@mailinator.com
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
nullable: true
description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.'
example: null
required:
- owner
- name
- source
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this end-point.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
security:
- oauth2:
- 'idn:access-profile:manage'
delete:
operationId: deleteAccessProfile
tags:
- Access Profiles
summary: Delete the specified Access Profile
description: |-
This API deletes an existing Access Profile.
The Access Profile must not be in use. If it is, a 400 error is returned.
A token with API, ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to invoke this API. In addition, a SOURCE_SUBADMIN token must be able to administer the Source associated with the Access Profile.
parameters:
- name: id
in: path
description: ID of the Access Profile to delete
required: true
schema:
type: string
example: 2c91808a7813090a017814121919ecca
responses:
'204':
description: No content - indicates the request was successful but there is no content to be returned in the response.
'400':
description: Returned when an access profile cannot be deleted as it's being used.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
400.2.1.0 Object in use by another:
description: Returned when an access profile cannot be deleted as it's being used
value:
detailCode: 400.2.1.0 Object in use by another
trackingId: c9c1033c55b84ebc9e93e926dcf8b8b3
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The "testAccessProfile" access profile can't be deleted because it's in use.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this end-point.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
security:
- oauth2:
- 'idn:access-profile:manage'
/access-profiles/bulk-delete:
post:
operationId: deleteAccessProfilesInBulk
summary: Delete Access Profile(s)
tags:
- Access Profiles
description: |-
This API initiates a bulk deletion of one or more Access Profiles.
By default, if any of the indicated Access Profiles are in use, no deletions will be performed and the **inUse** field of the response indicates the usages that must be removed first. If the request field **bestEffortOnly** is **true**, however, usages are reported in the **inUse** response field but all other indicated Access Profiles will be deleted.
A token with API, ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. In addition, a SOURCE_SUBADMIN may only use this API to delete Access Profiles which are associated with Sources they are able to administer.
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
accessProfileIds:
description: List of IDs of Access Profiles to be deleted.
type: array
items:
type: string
example:
- 2c9180847812e0b1017817051919ecca
- 2c9180887812e0b201781e129f151816
bestEffortOnly:
description: 'If **true**, silently skip over any of the specified Access Profiles if they cannot be deleted because they are in use. If **false**, no deletions will be attempted if any of the Access Profiles are in use.'
type: boolean
example: true
example:
bestEffortOnly: true
accessProfileIds:
- 2c91808876438bb2017668b91919ecca
- 2c91808876438ba801766e129f151816
responses:
'200':
description: 'Returned only if **bestEffortOnly** is **false**, and one or more Access Profiles are in use.'
content:
application/json:
schema:
type: object
properties:
taskId:
type: string
description: ID of the task which is executing the bulk deletion. This can be passed to the **/task-status** API to track status.
example: 2c9180867817ac4d017817c491119a20
pending:
type: array
description: List of IDs of Access Profiles which are pending deletion.
items:
type: string
example:
- 2c91808876438bbb017668c21919ecca
- 2c91808876438bb201766e129f151816
inUse:
type: array
description: List of usages of Access Profiles targeted for deletion.
items:
type: object
properties:
accessProfileId:
type: string
description: ID of the Access Profile that is in use
example: 2c91808876438bbb017668c21919ecca
usedBy:
type: array
description: List of references to objects which are using the indicated Access Profile
items:
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
example:
pending: []
inUse:
- accessProfileId: 2c91808876438ba801766e129f151816
usages:
- type: Role
id: 2c9180887643764201766e9f6e121518
'202':
description: Returned if at least one deletion will be performed.
content:
application/json:
schema:
type: object
properties:
taskId:
type: string
description: ID of the task which is executing the bulk deletion. This can be passed to the **/task-status** API to track status.
example: 2c9180867817ac4d017817c491119a20
pending:
type: array
description: List of IDs of Access Profiles which are pending deletion.
items:
type: string
example:
- 2c91808876438bbb017668c21919ecca
- 2c91808876438bb201766e129f151816
inUse:
type: array
description: List of usages of Access Profiles targeted for deletion.
items:
type: object
properties:
accessProfileId:
type: string
description: ID of the Access Profile that is in use
example: 2c91808876438bbb017668c21919ecca
usedBy:
type: array
description: List of references to objects which are using the indicated Access Profile
items:
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
example:
taskId: 2c91808a7813090a01781412a1119a20
pending:
- 2c91808a7813090a017813fe1919ecca
inUse:
- accessProfileId: 2c91808876438ba801766e129f151816
usages:
- type: Role
id: 2c9180887643764201766e9f6e121518
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this end-point.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
security:
- oauth2:
- 'idn:access-profile:manage'
'/access-profiles/{id}/entitlements':
get:
operationId: getAccessProfileEntitlements
tags:
- Access Profiles
summary: List Access Profile's Entitlements
description: |-
This API lists the Entitlements associated with a given Access Profile.
A token with API, ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to invoke this API. In addition, a token with SOURCE_SUBADMIN authority must have access to the Source associated with the given Access Profile.
parameters:
- name: id
in: path
description: ID of the containing Access Profile
required: true
schema:
type: string
example: 2c91808a7813090a017814121919ecca
- in: query
name: limit
description: |-
Max number of results to return.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 250
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: filters
schema:
type: string
description: |-
Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
Filtering is supported for the following Entitlement fields and operators:
**id**: *eq, in*
**name**: *eq, sw*
**attribute**: *eq, sw*
**value**: *eq, sw*
**created, modified**: *gt, lt, ge, le*
**owner.id**: *eq, in*
**source.id**: *eq, in*
example: attribute eq "memberOf"
required: false
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
Sorting is supported for the following fields: **name, attribute, value, created, modified**
example: 'name,-modified'
required: false
responses:
'200':
description: List of Entitlements
content:
application/json:
schema:
type: array
items:
type: object
properties:
id:
type: string
description: The entitlement id
example: 2c91808874ff91550175097daaec161c
name:
type: string
description: The entitlement name
example: LauncherTest2
attribute:
type: string
description: The entitlement attribute name
example: memberOf
value:
type: string
description: The value of the entitlement
example: 'CN=LauncherTest2,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local'
sourceSchemaObjectType:
type: string
description: The object type of the entitlement from the source schema
example: group
description:
type: string
description: The description of the entitlement
example: 'CN=LauncherTest2,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local'
privileged:
type: boolean
description: True if the entitlement is privileged
example: true
cloudGoverned:
type: boolean
description: True if the entitlement is cloud governed
example: true
created:
type: string
description: Time when the entitlement was created
format: date-time
example: '2020-10-08T18:33:52.029Z'
modified:
type: string
description: Time when the entitlement was last modified
format: date-time
example: '2020-10-08T18:33:52.029Z'
source:
type: object
properties:
id:
type: string
description: The source ID
example: 2c9180827ca885d7017ca8ce28a000eb
type:
type: string
description: 'The source type, will always be "SOURCE"'
example: SOURCE
name:
type: string
description: The source name
example: ODS-AD-Source
attributes:
type: object
description: A map of free-form key-value pairs from the source system
example:
fieldName: fieldValue
additionalProperties: true
segments:
type: array
items:
type: string
nullable: true
description: 'List of IDs of segments, if any, to which this Entitlement is assigned.'
example:
- f7b1b8a3-5fed-4fd4-ad29-82014e137e19
- 29cb6c06-1da8-43ea-8be4-b3125f248f2a
directPermissions:
type: array
items:
type: object
description: 'Simplified DTO for the Permission objects stored in SailPoint''s database. The data is aggregated from customer systems and is free-form, so its appearance can vary largely between different clients/customers.'
properties:
rights:
type: array
description: All the rights (e.g. actions) that this permission allows on the target
readOnly: true
items:
type: string
example: SELECT
target:
type: string
description: The target the permission would grant rights on.
readOnly: true
example: SYS.GV_$TRANSACTION
owner:
type: object
description: Simplified DTO for the owner object of the entitlement
properties:
id:
type: string
description: The owner id for the entitlement
example: 2a2fdacca5e345f18bf7970cfbb8fec2
name:
type: string
description: The owner name for the entitlement
example: identity 1
type:
type: string
enum:
- IDENTITY
description: The type of the owner. Initially only type IDENTITY is supported
example: IDENTITY
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this end-point.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
security:
- oauth2:
- 'idn:access-profile:read'
- 'idn:access-profile:manage'
/access-requests:
post:
operationId: createAccessRequest
security:
- oauth2:
- 'idn:access-request:create'
summary: Submit an Access Request
tags:
- Access Requests
description: |
This submits the access request into IdentityNow, where it will follow any IdentityNow approval processes.
Access requests are processed asynchronously by IdentityNow. A success response from this endpoint means the request
has been submitted to IDN and is queued for processing. Because this endpoint is asynchronous, it will not return an error
if you submit duplicate access requests in quick succession, or you submit an access request for access that is already in progress, approved, or rejected.
It is best practice to check for any existing access requests that reference the same access items before submitting a new access request. This can
be accomplished by using the [access request status](https://developer.sailpoint.com/idn/api/v3/list-access-request-status) or the [pending access request approvals](https://developer.sailpoint.com/idn/api/v3/list-pending-approvals) endpoints. You can also
use the [search API](https://developer.sailpoint.com/idn/api/v3/search) to check the existing access items that an identity has before submitting
an access request to ensure you are not requesting access that is already granted.
There are two types of access request:
__GRANT_ACCESS__
* Can be requested for multiple identities in a single request.
* Supports self request and request on behalf of other users. See the '/beta/access-request-config' endpoint for request configuration options.
* Allows any authenticated token (except API) to call this endpoint to request to grant access to themselves. Depending on the configuration, a user can request access for others.
* Roles, Access Profiles and Entitlements can be requested.
* When requesting entitlements, a maximum of 25 entitlements and 10 recipients is allowed in a request.
__REVOKE_ACCESS__
* Can only be requested for a single identity at a time.
* Does not support self request. Only a manager can request to revoke access for their directly managed employees.
* If removeDate is specified, then the access will be removed on that date and time only for Roles and Access Profiles. Entitlements are currently unsupported for removeDate.
* Roles, Access Profiles, and Entitlements can be requested for revocation.
* Revoke requests for entitlements are limited to 1 entitlement per access request currently.
* [Roles, Access Profiles] removeDate can be specified only if the access doesn't have a sunset date.
* Allows a manager to request to revoke access for direct employees. A token with ORG_ADMIN authority can also request to revoke access from anyone.
NOTE: There is no indication to the approver in the IdentityNow UI that the approval request is for a revoke action. Take this into consideration when calling this API.
A token with API authority cannot be used to call this endpoint.
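The GRANT_ACCESS and REVOKE_ACCESS rules above, together with the advice to check for existing requests, can be enforced client-side before the body is submitted. The following Python pre-flight check is an added example, not part of the IdentityNow specification or SailPoint code; `validate_access_request`, `caller_id` and the `pending` set of (identity ID, item ID) pairs are assumptions made for illustration.

```python
from datetime import datetime, timezone

ITEM_TYPES = {"ACCESS_PROFILE", "ROLE", "ENTITLEMENT"}
REQUEST_TYPES = {"GRANT_ACCESS", "REVOKE_ACCESS"}
MAX_GRANT_ENTITLEMENTS = 25   # documented limit when requesting entitlements
MAX_GRANT_RECIPIENTS = 10     # documented limit when requesting entitlements
MAX_REVOKE_ENTITLEMENTS = 1   # documented limit for revoke requests


def _parse_remove_date(value):
    """Parse a date-time string; return None if malformed or lacking an offset."""
    if not isinstance(value, str):
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else None


def validate_access_request(body, caller_id=None, pending=frozenset(), now=None):
    """Return a list of rule violations for a POST /access-requests body.

    caller_id: identity ID of the token's user (hypothetical parameter).
    pending:   (identity_id, item_id) pairs the caller has already collected
               from the status or pending-approvals endpoints (assumed shape).
    """
    now = now or datetime.now(timezone.utc)
    errors = []
    recipients = body.get("requestedFor") or []
    items = body.get("requestedItems") or []
    request_type = body.get("requestType", "GRANT_ACCESS")  # documented default

    if not recipients:
        errors.append("requestedFor is required and must not be empty")
    if not items:
        errors.append("requestedItems is required and must not be empty")
    if request_type not in REQUEST_TYPES:
        errors.append(f"unknown requestType {request_type!r}")

    entitlements = 0
    for i, item in enumerate(items):
        item = item if isinstance(item, dict) else {}
        item_type, item_id = item.get("type"), item.get("id")
        if not item_id or item_type not in ITEM_TYPES:
            errors.append(f"requestedItems[{i}]: id and a valid type are required")
            continue
        if item_type == "ENTITLEMENT":
            entitlements += 1
        if "removeDate" in item:
            when = _parse_remove_date(item["removeDate"])
            if item_type == "ENTITLEMENT":
                errors.append(f"requestedItems[{i}]: removeDate is unsupported for entitlements")
            elif when is None:
                errors.append(f"requestedItems[{i}]: removeDate is not a date-time with offset")
            elif when <= now:
                errors.append(f"requestedItems[{i}]: removeDate must be in the future")
        if request_type == "REVOKE_ACCESS" and not str(item.get("comment") or "").strip():
            errors.append(f"requestedItems[{i}]: comment is required for REVOKE_ACCESS")
        # The endpoint is asynchronous and will not reject duplicates itself.
        for identity in recipients:
            if (identity, item_id) in pending:
                errors.append(f"requestedItems[{i}]: request already exists for {identity}")

    if request_type == "REVOKE_ACCESS":
        if len(recipients) != 1:
            errors.append("REVOKE_ACCESS accepts exactly one identity in requestedFor")
        if caller_id is not None and caller_id in recipients:
            errors.append("REVOKE_ACCESS does not support self request")
        if entitlements > MAX_REVOKE_ENTITLEMENTS:
            errors.append("REVOKE_ACCESS is limited to 1 entitlement per request")
    elif request_type == "GRANT_ACCESS" and entitlements:
        if entitlements > MAX_GRANT_ENTITLEMENTS:
            errors.append("at most 25 entitlements per request")
        if len(recipients) > MAX_GRANT_RECIPIENTS:
            errors.append("at most 10 recipients when requesting entitlements")
    return errors
```

An empty list means the body satisfies the documented constraints; the server remains the authority on authorization and on whether a sunset date blocks removeDate.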
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
requestedFor:
description: 'A list of Identity IDs for whom the Access is requested. If it''s a Revoke request, there can only be one Identity ID.'
type: array
items:
type: string
example: 2c918084660f45d6016617daa9210584
requestType:
type: string
enum:
- GRANT_ACCESS
- REVOKE_ACCESS
description: Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field.
example: GRANT_ACCESS
requestedItems:
type: array
items:
type: object
properties:
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
- ENTITLEMENT
description: The type of the item being requested.
example: ACCESS_PROFILE
id:
type: string
description: 'ID of Role, Access Profile or Entitlement being requested.'
example: 2c9180835d2e5168015d32f890ca1581
comment:
type: string
description: |
Comment provided by requester.
* Comment is required when the request is of type Revoke Access.
example: Requesting access profile for John Doe
clientMetadata:
type: object
additionalProperties:
type: string
example:
requestedAppId: 2c91808f7892918f0178b78da4a305a1
requestedAppName: test-app
example:
requestedAppName: test-app
requestedAppId: 2c91808f7892918f0178b78da4a305a1
description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities and /access-request-status.
removeDate:
type: string
description: |
The date the role or access profile is no longer assigned to the specified identity.
* Specify a date in the future.
* The current SLA for the deprovisioning is 24 hours.
* This date can be modified to either extend or decrease the duration of access item assignments for the specified identity.
* Currently it is not supported for entitlements.
* If a sunset date is specified for the role or access profile, removeDate cannot be set. This rule doesn't apply to entitlements.
format: date-time
example: '2020-07-11T21:23:15.000Z'
required:
- id
- type
clientMetadata:
type: object
additionalProperties:
type: string
example:
requestedAppId: 2c91808f7892918f0178b78da4a305a1
requestedAppName: test-app
example:
requestedAppId: 2c91808f7892918f0178b78da4a305a1
requestedAppName: test-app
description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities.
required:
- requestedFor
- requestedItems
responses:
'202':
description: Accepted - Returned if the request was successfully accepted into the system.
content:
application/json:
schema:
type: object
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/access-requests/cancel:
post:
operationId: cancelAccessRequest
tags:
- Access Requests
summary: Cancel Access Request
description: |-
This API endpoint cancels a pending access request. An access request can be cancelled only if it has not passed the approval step.
Cancelling requires a token with ORG_ADMIN authority or the token of the user who originally submitted the access request.
requestBody:
required: true
content:
application/json:
schema:
type: object
description: Request body payload for cancel access request endpoint.
required:
- accountActivityId
- comment
properties:
accountActivityId:
type: string
description: ID of the account activity object corresponding to the access request.
example: 2c9180835d2e5168015d32f890ca1581
comment:
type: string
description: Reason for cancelling the pending access request.
example: I requested this role by mistake.
example:
accountActivityId: 2c91808568c529c60168cca6f90c1313
comment: I requested this role by mistake.
responses:
'202':
description: Accepted - Returned if the request was successfully accepted into the system.
content:
application/json:
schema:
type: object
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/access-requests/close:
post:
operationId: closeAccessRequest
tags:
- Access Requests
summary: Close Access Request
description: |
This endpoint closes access requests that are stuck in a pending state. It can be used throughout a request's lifecycle (even after the approval state, unlike Cancel Access Request). A token with ORG_ADMIN authority is required.
To find pending access requests via the UI, navigate to Search and use this query: status: Pending AND "Access Request". Use the Column Chooser to select "Tracking Number," and the Download button to export a CSV containing the Tracking Numbers.
To find pending access requests via the API, use List Account Activities.
Input the IDs from either source.
To track the status of endpoint requests, navigate to Search and use this query: name:"Close Identity Requests". Search will include "Close Identity Requests Started" audits when requests are initiated, and "Close Identity Requests Completed" audits when requests are completed. The completion audit will list the Identity Request IDs that finished in error.
This API triggers the Provisioning Action Completed event trigger for each access request that is closed.
requestBody:
required: true
content:
application/json:
schema:
type: object
description: Request body payload for close access requests endpoint.
required:
- accessRequestIds
properties:
accessRequestIds:
type: array
description: Access Request IDs for the requests to be closed. Accepts 1-500 Identity Request IDs per request.
items:
type: string
example:
- 2c90ad2a70ace7d50170acf22ca90010
message:
type: string
description: Reason for closing the access request. Displayed under Warnings in IdentityNow.
default: The IdentityNow Administrator manually closed this request.
example: The IdentityNow Administrator manually closed this request.
executionStatus:
type: string
enum:
- Terminated
- Completed
description: The request's provisioning status. Displayed as Stage in IdentityNow.
default: Terminated
example: Terminated
completionStatus:
type: string
enum:
- Success
- Incomplete
- Failure
description: The request's overall status. Displayed as Status in IdentityNow.
default: Failure
example: Failure
example:
accessRequestIds:
- 2c90ad2a70ace7d50170acf22ca90010
executionStatus: Terminated
completionStatus: Failure
message: The IdentityNow Administrator manually closed this request.
responses:
'202':
description: Accepted - Returned if the request was successfully accepted into the system.
content:
application/json:
schema:
type: object
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/access-request-config:
get:
operationId: getAccessRequestConfig
summary: Get Access Request Configuration
tags:
- Access Requests
description: This endpoint returns the current access-request configuration.
responses:
'200':
description: Access Request Configuration Details.
content:
application/json:
schema:
type: object
properties:
approvalsMustBeExternal:
type: boolean
description: 'If true, then approvals must be processed by an external system.'
example: true
autoApprovalEnabled:
type: boolean
description: 'If true and requester and reviewer are the same, then automatically approve the approval.'
example: true
requestOnBehalfOfConfig:
description: Request On Behalf Of Configuration.
type: object
properties:
allowRequestOnBehalfOfAnyoneByAnyone:
type: boolean
description: Whether anyone can request access for anyone.
example: true
allowRequestOnBehalfOfEmployeeByManager:
type: boolean
description: Whether a manager can request access for their direct reports.
example: true
approvalReminderAndEscalationConfig:
description: Approval Reminder and Escalation Configuration.
type: object
properties:
daysUntilEscalation:
type: integer
description: 'Number of days to wait before the first reminder. If no reminders are configured, then this is the number of days to wait before escalation.'
format: int32
example: 0
daysBetweenReminders:
type: integer
description: Number of days to wait between reminder notifications.
format: int32
example: 0
maxReminders:
type: integer
description: Maximum number of reminder notifications to send to the reviewer before approval escalation.
format: int32
example: 0
fallbackApproverRef:
type: object
nullable: true
properties:
type:
type: string
description: The type can only be IDENTITY. This is read-only.
example: IDENTITY
id:
type: string
description: Identity id.
example: 5168015d32f890ca15812c9180835d2e
name:
type: string
description: Human-readable display name of the identity. This is read-only.
example: Alison Ferguso
email:
type: string
description: Email address of the identity. This is read-only.
example: alison.ferguso@identitysoon.com
entitlementRequestConfig:
description: Entitlement Request Configuration.
type: object
properties:
allowEntitlementRequest:
type: boolean
description: Flag for allowing entitlement requests.
example: true
requestCommentsRequired:
type: boolean
description: Flag for requiring comments while submitting an entitlement request.
default: false
example: false
deniedCommentsRequired:
type: boolean
description: Flag for requiring comments while rejecting an entitlement request.
default: false
example: false
grantRequestApprovalSchemes:
type: string
description: |
Approval schemes for granting an entitlement request. This can be empty if no approval is needed.
Multiple schemes must be comma-separated. The valid schemes are "entitlementOwner", "sourceOwner", "manager" and "workgroup:{id}".
Multiple workgroups (governance groups) can be used.
default: sourceOwner
example: 'entitlementOwner, sourceOwner, manager, workgroup:2c918084660f45d6016617daa9210584'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
put:
operationId: updateAccessRequestConfig
summary: Update Access Request Configuration
tags:
- Access Requests
description: |-
This endpoint replaces the current access-request configuration.
A token with ORG_ADMIN authority is required to call this API.
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
approvalsMustBeExternal:
type: boolean
description: 'If true, then approvals must be processed by an external system.'
example: true
autoApprovalEnabled:
type: boolean
description: 'If true and the requester and reviewer are the same, then the approval is automatically approved.'
example: true
requestOnBehalfOfConfig:
description: Request On Behalf Of Configuration.
type: object
properties:
allowRequestOnBehalfOfAnyoneByAnyone:
type: boolean
description: Whether anyone can request access for anyone.
example: true
allowRequestOnBehalfOfEmployeeByManager:
type: boolean
description: Whether a manager can request access for their direct reports.
example: true
approvalReminderAndEscalationConfig:
description: Approval Reminder and Escalation Configuration.
type: object
properties:
daysUntilEscalation:
type: integer
description: 'Number of days to wait before the first reminder. If no reminders are configured, then this is the number of days to wait before escalation.'
format: int32
example: 0
daysBetweenReminders:
type: integer
description: Number of days to wait between reminder notifications.
format: int32
example: 0
maxReminders:
type: integer
description: Maximum number of reminder notifications to send to the reviewer before approval escalation.
format: int32
example: 0
fallbackApproverRef:
type: object
nullable: true
properties:
type:
type: string
description: The type can only be IDENTITY. This is read-only.
example: IDENTITY
id:
type: string
description: Identity id.
example: 5168015d32f890ca15812c9180835d2e
name:
type: string
description: Human-readable display name of the identity. This is read-only.
example: Alison Ferguso
email:
type: string
description: Email address of the identity. This is read-only.
example: alison.ferguso@identitysoon.com
entitlementRequestConfig:
description: Entitlement Request Configuration.
type: object
properties:
allowEntitlementRequest:
type: boolean
description: Flag for allowing entitlement requests.
example: true
requestCommentsRequired:
type: boolean
description: Flag for requiring comments while submitting an entitlement request.
default: false
example: false
deniedCommentsRequired:
type: boolean
description: Flag for requiring comments while rejecting an entitlement request.
default: false
example: false
grantRequestApprovalSchemes:
type: string
description: |
Approval schemes for granting an entitlement request. This can be empty if no approval is needed.
Multiple schemes must be comma-separated. The valid schemes are "entitlementOwner", "sourceOwner", "manager" and "workgroup:{id}".
Multiple workgroups (governance groups) can be used.
default: sourceOwner
example: 'entitlementOwner, sourceOwner, manager, workgroup:2c918084660f45d6016617daa9210584'
responses:
'200':
description: Access Request Configuration Details.
content:
application/json:
schema:
type: object
properties:
approvalsMustBeExternal:
type: boolean
description: 'If true, then approvals must be processed by an external system.'
example: true
autoApprovalEnabled:
type: boolean
description: 'If true and the requester and reviewer are the same, then the approval is automatically approved.'
example: true
requestOnBehalfOfConfig:
description: Request On Behalf Of Configuration.
type: object
properties:
allowRequestOnBehalfOfAnyoneByAnyone:
type: boolean
description: Whether anyone can request access for anyone.
example: true
allowRequestOnBehalfOfEmployeeByManager:
type: boolean
description: Whether a manager can request access for their direct reports.
example: true
approvalReminderAndEscalationConfig:
description: Approval Reminder and Escalation Configuration.
type: object
properties:
daysUntilEscalation:
type: integer
description: 'Number of days to wait before the first reminder. If no reminders are configured, then this is the number of days to wait before escalation.'
format: int32
example: 0
daysBetweenReminders:
type: integer
description: Number of days to wait between reminder notifications.
format: int32
example: 0
maxReminders:
type: integer
description: Maximum number of reminder notifications to send to the reviewer before approval escalation.
format: int32
example: 0
fallbackApproverRef:
type: object
nullable: true
properties:
type:
type: string
description: The type can only be IDENTITY. This is read-only.
example: IDENTITY
id:
type: string
description: Identity id.
example: 5168015d32f890ca15812c9180835d2e
name:
type: string
description: Human-readable display name of the identity. This is read-only.
example: Alison Ferguso
email:
type: string
description: Email address of the identity. This is read-only.
example: alison.ferguso@identitysoon.com
entitlementRequestConfig:
description: Entitlement Request Configuration.
type: object
properties:
allowEntitlementRequest:
type: boolean
description: Flag for allowing entitlement requests.
example: true
requestCommentsRequired:
type: boolean
description: Flag for requiring comments while submitting an entitlement request.
default: false
example: false
deniedCommentsRequired:
type: boolean
description: Flag for requiring comments while rejecting an entitlement request.
default: false
example: false
grantRequestApprovalSchemes:
type: string
description: |
Approval schemes for granting an entitlement request. This can be empty if no approval is needed.
Multiple schemes must be comma-separated. The valid schemes are "entitlementOwner", "sourceOwner", "manager" and "workgroup:{id}".
Multiple workgroups (governance groups) can be used.
default: sourceOwner
example: 'entitlementOwner, sourceOwner, manager, workgroup:2c918084660f45d6016617daa9210584'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/access-request-status:
get:
operationId: listAccessRequestStatus
tags:
- Access Requests
summary: Access Request Status
description: |-
The Access Request Status API returns a list of access request statuses based on the specified query parameters.
Any token with any authority can request their own status. A token with ORG_ADMIN authority is required to call this API to get a list of statuses for other users.
parameters:
- in: query
name: requested-for
schema:
type: string
example: 2c9180877b2b6ea4017b2c545f971429
description: Filter the results by the identity for which the requests were made. *me* indicates the current user. Mutually exclusive with *regarding-identity*.
required: false
- in: query
name: requested-by
schema:
type: string
example: 2c9180877b2b6ea4017b2c545f971429
description: Filter the results by the identity that made the requests. *me* indicates the current user. Mutually exclusive with *regarding-identity*.
required: false
- in: query
name: regarding-identity
schema:
type: string
example: 2c9180877b2b6ea4017b2c545f971429
description: Filter the results by the specified identity which is either the requester or target of the requests. *me* indicates the current user. Mutually exclusive with *requested-for* and *requested-by*.
required: false
- in: query
name: count
description: If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
required: false
schema:
type: boolean
default: false
example: false
- in: query
name: limit
description: Max number of results to return.
required: false
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
example: 100
- in: query
name: offset
description: Offset into the full result set. Usually specified with *limit* to paginate through the results. Defaults to 0 if not specified.
required: false
schema:
type: integer
format: int32
minimum: 0
example: 10
- in: query
name: filters
schema:
type: string
example: accountActivityItemId eq "2c918086771c86df0177401efcdf54c0"
description: |-
Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
Filtering is supported for the following fields and operators:
**accountActivityItemId**: *eq, in*
required: false
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
Sorting is supported for the following fields: **created, modified, accountActivityItemId**
example: created
required: false
responses:
'200':
description: List of requested item status.
content:
application/json:
schema:
type: array
items:
type: object
properties:
name:
type: string
description: Human-readable display name of the item being requested.
example: AccessProfile1
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
- ENTITLEMENT
description: Type of requested object.
example: ACCESS_PROFILE
cancelledRequestDetails:
nullable: true
type: object
properties:
comment:
type: string
description: Comment made by the owner when cancelling the associated request.
example: Nisl quis ipsum quam quisque condimentum nunc ut dolor nunc.
owner:
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
modified:
type: string
format: date-time
description: Date comment was added by the owner when cancelling the associated request
example: '2019-12-20T09:17:12.192Z'
description: Provides additional details for a request that has been cancelled.
errorMessages:
type: array
nullable: true
items:
type: array
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
description: 'List of lists of localized error messages, if any, encountered during the approval/provisioning process.'
state:
type: string
enum:
- EXECUTING
- REQUEST_COMPLETED
- CANCELLED
- TERMINATED
- PROVISIONING_VERIFICATION_PENDING
- REJECTED
- PROVISIONING_FAILED
- NOT_ALL_ITEMS_PROVISIONED
- ERROR
description: |-
Indicates the state of an access request:
* EXECUTING: The request is executing, which indicates the system is doing some processing.
* REQUEST_COMPLETED: Indicates the request has been completed.
* CANCELLED: The request was cancelled with no user input.
* TERMINATED: The request has been terminated before it was able to complete.
* PROVISIONING_VERIFICATION_PENDING: The request has finished any approval steps and provisioning is waiting to be verified.
* REJECTED: The request was rejected.
* PROVISIONING_FAILED: The request has failed to complete.
* NOT_ALL_ITEMS_PROVISIONED: One or more of the requested items failed to complete, but there were one or more successes.
* ERROR: An error occurred during request processing.
example: EXECUTING
approvalDetails:
type: array
items:
type: object
properties:
forwarded:
type: boolean
description: True if the request for this item was forwarded from one owner to another.
example: false
originalOwner:
description: 'Base identity/workgroup reference object representing the original owner, if forwarded.'
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
currentOwner:
description: Base reference of approver that will make decision.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
reviewedBy:
description: The identity who has reviewed the approval.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
modified:
type: string
format: date-time
description: Time at which item was modified.
example: '2019-08-23T18:52:57.398Z'
status:
type: string
enum:
- PENDING
- APPROVED
- REJECTED
- EXPIRED
- CANCELLED
- ARCHIVED
description: |-
Indicates the state of the request processing for this item:
* PENDING: The request for this item is awaiting processing.
* APPROVED: The request for this item has been approved.
* REJECTED: The request for this item was rejected.
* EXPIRED: The request for this item expired with no action taken.
* CANCELLED: The request for this item was cancelled with no user action.
* ARCHIVED: The request for this item has been archived after completion.
example: PENDING
scheme:
type: string
enum:
- APP_OWNER
- SOURCE_OWNER
- MANAGER
- ROLE_OWNER
- ACCESS_PROFILE_OWNER
- ENTITLEMENT_OWNER
- GOVERNANCE_GROUP
description: Describes the individual or group that is responsible for an approval step.
example: MANAGER
errorMessages:
type: array
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
description: 'If the request failed, includes any error messages that were generated.'
comment:
type: string
description: 'Comment, if any, provided by the approver.'
example: I approve this request
removeDate:
type: string
description: The date the role or access profile is no longer assigned to the specified identity.
format: date-time
example: '2020-07-11T00:00:00Z'
description: Approval details for each item.
manualWorkItemDetails:
type: array
nullable: true
items:
type: object
properties:
forwarded:
type: boolean
description: True if the request for this item was forwarded from one owner to another.
example: true
originalOwner:
description: 'Base identity/workgroup reference object representing the original owner, if forwarded.'
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
currentOwner:
description: Base reference of approver that will make decision.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
modified:
type: string
format: date-time
description: Time at which item was modified.
example: '2019-08-23T18:52:57.398Z'
status:
type: string
enum:
- PENDING
- APPROVED
- REJECTED
- EXPIRED
- CANCELLED
- ARCHIVED
description: |-
Indicates the state of the request processing for this item:
* PENDING: The request for this item is awaiting processing.
* APPROVED: The request for this item has been approved.
* REJECTED: The request for this item was rejected.
* EXPIRED: The request for this item expired with no action taken.
* CANCELLED: The request for this item was cancelled with no user action.
* ARCHIVED: The request for this item has been archived after completion.
example: PENDING
forwardHistory:
type: array
items:
type: object
properties:
oldApproverName:
type: string
description: Display name of approver from whom the approval was forwarded.
example: Frank Mir
newApproverName:
type: string
description: Display name of approver to whom the approval was forwarded.
example: Al Volta
comment:
type: string
nullable: true
description: Comment made while forwarding.
example: Forwarding from Frank to Al
modified:
type: string
format: date-time
description: Time at which approval was forwarded.
example: '2019-08-23T18:52:57.398Z'
forwarderName:
type: string
nullable: true
description: Display name of forwarder who forwarded the approval.
example: William Wilson
reassignmentType:
description: |-
The approval reassignment type.
* MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's.
* AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time.
* AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to [Setting Global Reminders and Escalation Policies](https://documentation.sailpoint.com/saas/help/requests/config_emails.html).
* SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to [Self-review Prevention](https://documentation.sailpoint.com/saas/help/users/work_reassignment.html#self-review-prevention) and [Preventing Self-approval](https://documentation.sailpoint.com/saas/help/requests/config_ap_roles.html#preventing-self-approval).
example: AUTOMATIC_REASSIGNMENT
type: string
enum:
- MANUAL_REASSIGNMENT
- AUTOMATIC_REASSIGNMENT
- AUTO_ESCALATION
- SELF_REVIEW_DELEGATION
description: The history of approval forward actions.
description: Manual work items created for provisioning the item.
accountActivityItemId:
type: string
description: Id of associated account activity item.
example: 2c9180926cbfbddd016cbfc7c3b10010
requestType:
type: string
enum:
- GRANT_ACCESS
- REVOKE_ACCESS
description: Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field.
example: GRANT_ACCESS
modified:
type: string
format: date-time
description: When the request was last modified.
example: '2019-08-23T18:52:59.162Z'
created:
type: string
format: date-time
description: When the request was created.
example: '2019-08-23T18:40:35.772Z'
requester:
description: The identity that requested the item.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
requestedFor:
description: The identity for whom the Access Request Status is requested.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
requesterComment:
nullable: true
description: The requester's comment.
type: object
properties:
comment:
type: string
description: Content of the comment
example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat
author:
type: object
properties:
type:
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
example: IDENTITY
id:
type: string
description: ID of the author
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the identity making the comment
example: Adam Kennedy
created:
type: string
format: date-time
description: Date and time comment was created
example: '2017-07-11T18:45:37.098Z'
sodViolationContext:
nullable: true
description: The details of the SOD violations for the associated approval.
type: object
properties:
state:
type: string
enum:
- SUCCESS
- ERROR
description: The status of SOD violation check
example: SUCCESS
uuid:
description: The id of the Violation check event
type: string
example: f73d16e9-a038-46c5-b217-1246e15fdbdd
violationCheckResult:
description: The inner object representing the completed SOD Violation check
type: object
properties:
message:
description: 'If the request failed, includes any error message that was generated.'
example:
- locale: en-US
localeOrigin: DEFAULT
text: An error has occurred during the SOD violation check
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
clientMetadata:
type: object
additionalProperties:
type: string
description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check.
example:
requestedAppName: test-app
requestedAppId: 2c91808f7892918f0178b78da4a305a1
violationContexts:
type: array
items:
description: The contextual information of the violated criteria
type: object
properties:
policy:
description: Reference to the Policy that is being violated.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
conflictingAccessCriteria:
type: object
description: The object that contains the left-hand and right-hand sides of the entitlements that were violated according to the policy.
properties:
leftCriteria:
type: object
properties:
criteriaList:
type: array
items:
description: Details of the Entitlement criteria
type: object
properties:
existing:
type: boolean
example: true
description: Whether the entitlement already belonged to the user.
type:
example: ENTITLEMENT
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
id:
type: string
description: Entitlement ID
example: 2c918085771e9d3301773b3cb66f6398
name:
type: string
description: Entitlement name
example: My HR Entitlement
rightCriteria:
type: object
properties:
criteriaList:
type: array
items:
description: Details of the Entitlement criteria
type: object
properties:
existing:
type: boolean
example: true
description: Whether the entitlement already belonged to the user.
type:
example: ENTITLEMENT
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
id:
type: string
description: Entitlement ID
example: 2c918085771e9d3301773b3cb66f6398
name:
type: string
description: Entitlement name
example: My HR Entitlement
violatedPolicies:
type: array
description: A list of the Policies that were violated
items:
description: Reference to the policy that was violated
example:
- type: SOD_POLICY
id: 69129440-422d-4a23-aadd-35c828d5bfda
name: HR Policy
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
provisioningDetails:
nullable: true
type: object
properties:
orderedSubPhaseReferences:
type: string
description: 'Ordered CSV of sub phase references to objects that contain more information about provisioning. For example, this can contain "manualWorkItemDetails" which indicate that there is further information in that object for this phase.'
example: manualWorkItemDetails
description: Provides additional details about provisioning for this request.
preApprovalTriggerDetails:
nullable: true
type: object
properties:
comment:
type: string
description: Comment left for the pre-approval decision
example: Access is Approved
reviewer:
type: string
description: The reviewer of the pre-approval decision
example: John Doe
decision:
type: string
enum:
- APPROVED
- REJECTED
description: The decision of the pre-approval trigger
example: APPROVED
description: Provides additional details about the pre-approval trigger for this request.
accessRequestPhases:
type: array
items:
type: object
properties:
started:
type: string
description: The time that this phase started.
format: date-time
example: '2020-07-11T00:00:00Z'
finished:
type: string
description: The time that this phase finished.
format: date-time
example: '2020-07-12T00:00:00Z'
name:
type: string
description: The name of this phase.
example: APPROVAL_PHASE
state:
type: string
enum:
- PENDING
- EXECUTING
- COMPLETED
- CANCELLED
description: The state of this phase.
example: COMPLETED
result:
type: string
enum:
- SUCCESSFUL
- FAILED
description: The result of this phase.
example: SUCCESSFUL
phaseReference:
type: string
description: 'A reference to another object on the RequestedItemStatus that contains more details about the phase. Note that for the Provisioning phase, this will be empty if there are no manual work items.'
example: approvalDetails
description: Provides additional details about this access request phase.
description: 'A list of Phases that the Access Request has gone through in order, to help determine the status of the request.'
description:
type: string
description: Description associated with the requested object.
example: This is the Engineering role that engineers are granted.
removeDate:
type: string
format: date-time
nullable: true
description: When the role access is scheduled for removal.
example: '2019-10-23T00:00:00.000Z'
cancelable:
type: boolean
description: True if the request can be canceled.
example: true
accessRequestId:
type: string
format: string
description: This is the account activity id.
example: 2b838de9-db9b-abcf-e646-d4f274ad4238
clientMetadata:
nullable: true
type: object
additionalProperties:
type: string
description: 'Arbitrary key-value pairs, if any were included in the corresponding access request'
example:
key1: value1
key2: value2
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/access-request-approvals/pending:
get:
operationId: listPendingApprovals
summary: Pending Access Request Approvals List
tags:
- Access Request Approvals
description: This endpoint returns a list of pending approvals. See "owner-id" query parameter below for authorization info.
parameters:
- in: query
name: owner-id
schema:
type: string
description: |-
If present, only pending approvals for the specified identity are returned.
* ORG_ADMIN users can call this with any identity ID value.
* ORG_ADMIN users can also fetch all the approvals in the org, when owner-id is not used.
* Non-ORG_ADMIN users can only specify *me* or pass their own identity ID value.
required: false
- in: query
name: limit
description: |-
Max number of results to return.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 250
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: filters
schema:
type: string
description: |-
Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
Filtering is supported for the following fields and operators:
**id**: *eq, in*
**requestedFor.id**: *eq, in*
**modified**: *gt, lt, ge, le*
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
Sorting is supported for the following fields: **created, modified**
responses:
'200':
description: List of Pending Approvals.
content:
application/json:
schema:
type: array
items:
type: object
properties:
id:
type: string
example: 2c9180835d2e5168015d32f890ca1581
description: The approval id.
name:
type: string
example: Pending approval name
description: The name of the approval.
created:
type: string
format: date-time
description: When the approval was created.
example: '2017-07-11T18:45:37.098Z'
modified:
type: string
format: date-time
description: When the approval was last modified.
example: '2018-07-25T20:22:28.104Z'
requestCreated:
type: string
format: date-time
description: When the access-request was created.
example: '2017-07-11T18:45:35.098Z'
requestType:
description: If the access-request was for granting or revoking access.
type: string
enum:
- GRANT_ACCESS
- REVOKE_ACCESS
example: GRANT_ACCESS
requester:
description: The identity that requested the item.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
requestedFor:
description: The identity for whom the item is requested.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
owner:
description: The owner or approver of the approval.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
requestedObject:
description: The requested access item.
type: object
properties:
id:
type: string
example: 2c938083633d259901633d25c68c00fa
description: Id of the object.
name:
type: string
example: Object Name
description: Name of the object.
description:
type: string
example: Object Description
description: Description of the object.
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
- ENTITLEMENT
description: Type of the object.
example: ROLE
requesterComment:
description: The requester's comment.
type: object
properties:
comment:
type: string
description: Content of the comment
example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat
author:
type: object
properties:
type:
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
example: IDENTITY
id:
type: string
description: ID of the author
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the identity making the comment
example: Adam Kennedy
created:
type: string
format: date-time
description: Date and time comment was created
example: '2017-07-11T18:45:37.098Z'
previousReviewersComments:
type: array
items:
type: object
properties:
comment:
type: string
description: Content of the comment
example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat
author:
type: object
properties:
type:
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
example: IDENTITY
id:
type: string
description: ID of the author
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the identity making the comment
example: Adam Kennedy
created:
type: string
format: date-time
description: Date and time comment was created
example: '2017-07-11T18:45:37.098Z'
description: The history of the previous reviewers' comments.
forwardHistory:
type: array
items:
type: object
properties:
oldApproverName:
type: string
description: Display name of approver from whom the approval was forwarded.
example: Frank Mir
newApproverName:
type: string
description: Display name of approver to whom the approval was forwarded.
example: Al Volta
comment:
type: string
nullable: true
description: Comment made while forwarding.
example: Forwarding from Frank to Al
modified:
type: string
format: date-time
description: Time at which approval was forwarded.
example: '2019-08-23T18:52:57.398Z'
forwarderName:
type: string
nullable: true
description: Display name of forwarder who forwarded the approval.
example: William Wilson
reassignmentType:
description: |-
The approval reassignment type.
* MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's.
* AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time.
* AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to [Setting Global Reminders and Escalation Policies](https://documentation.sailpoint.com/saas/help/requests/config_emails.html).
* SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to [Self-review Prevention](https://documentation.sailpoint.com/saas/help/users/work_reassignment.html#self-review-prevention) and [Preventing Self-approval](https://documentation.sailpoint.com/saas/help/requests/config_ap_roles.html#preventing-self-approval).
example: AUTOMATIC_REASSIGNMENT
type: string
enum:
- MANUAL_REASSIGNMENT
- AUTOMATIC_REASSIGNMENT
- AUTO_ESCALATION
- SELF_REVIEW_DELEGATION
description: The history of approval forward action.
commentRequiredWhenRejected:
type: boolean
example: true
description: 'When true, the rejector has to provide comments when rejecting.'
actionInProcess:
description: 'Action that is being performed on this approval and that the system has not finished performing yet.'
type: string
enum:
- APPROVED
- REJECTED
- FORWARDED
example: APPROVED
removeDate:
type: string
description: The date the role or access profile is no longer assigned to the specified identity.
format: date-time
example: '2020-07-11T00:00:00Z'
removeDateUpdateRequested:
type: boolean
example: true
description: 'If true, then the request is to change the remove date or sunset date.'
currentRemoveDate:
type: string
description: The remove date or sunset date that was assigned at the time of the request.
format: date-time
example: '2020-07-11T00:00:00Z'
sodViolationContext:
description: The details of the SOD violations for the associated approval.
type: object
properties:
state:
type: string
enum:
- SUCCESS
- ERROR
description: The status of SOD violation check
example: SUCCESS
uuid:
description: The id of the Violation check event
type: string
example: f73d16e9-a038-46c5-b217-1246e15fdbdd
violationCheckResult:
description: The inner object representing the completed SOD Violation check
type: object
properties:
message:
description: 'If the request failed, includes any error message that was generated.'
example:
- locale: en-US
localeOrigin: DEFAULT
text: An error has occurred during the SOD violation check
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
clientMetadata:
type: object
additionalProperties:
type: string
description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check.
example:
requestedAppName: test-app
requestedAppId: 2c91808f7892918f0178b78da4a305a1
violationContexts:
type: array
items:
description: The contextual information of the violated criteria
type: object
properties:
policy:
description: Reference to the Policy that is being violated.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
conflictingAccessCriteria:
type: object
description: The object that contains the left-hand and right-hand sides of the entitlements that were violated according to the policy.
properties:
leftCriteria:
type: object
properties:
criteriaList:
type: array
items:
description: Details of the Entitlement criteria
type: object
properties:
existing:
type: boolean
example: true
description: Whether the entitlement already belonged to the user.
type:
example: ENTITLEMENT
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
id:
type: string
description: Entitlement ID
example: 2c918085771e9d3301773b3cb66f6398
name:
type: string
description: Entitlement name
example: My HR Entitlement
rightCriteria:
type: object
properties:
criteriaList:
type: array
items:
description: Details of the Entitlement criteria
type: object
properties:
existing:
type: boolean
example: true
description: Whether the entitlement already belonged to the user.
type:
example: ENTITLEMENT
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
id:
type: string
description: Entitlement ID
example: 2c918085771e9d3301773b3cb66f6398
name:
type: string
description: Entitlement name
example: My HR Entitlement
violatedPolicies:
type: array
description: A list of the Policies that were violated
items:
description: Reference to the policy that was violated
example:
- type: SOD_POLICY
id: 69129440-422d-4a23-aadd-35c828d5bfda
name: HR Policy
type: object
properties:
id:
type: string
description: the application ID
example: ff8081814d977c21014da056804a0af3
name:
type: string
description: the application name
example: Github
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/access-request-approvals/completed:
get:
operationId: listCompletedApprovals
summary: Completed Access Request Approvals List
tags:
- Access Request Approvals
description: This endpoint returns a list of completed approvals. See the *owner-id* query parameter below for authorization info.
parameters:
- in: query
name: owner-id
schema:
type: string
description: |-
If present, the value returns only completed approvals for the specified identity.
* ORG_ADMIN users can call this with any identity ID value.
* ORG_ADMIN users can also fetch all the approvals in the org, when owner-id is not used.
* Non-ORG_ADMIN users can only specify *me* or pass their own identity ID value.
- in: query
name: limit
description: |-
Max number of results to return.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 250
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: filters
schema:
type: string
description: |-
Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
Filtering is supported for the following fields and operators:
**id**: *eq, in*
**requestedFor.id**: *eq, in*
**modified**: *gt, lt, ge, le*
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
Sorting is supported for the following fields: **created, modified**
responses:
'200':
description: List of Completed Approvals.
content:
application/json:
schema:
type: array
items:
type: object
properties:
id:
type: string
example: 2c938083633d259901633d25c68c00fa
description: The approval id.
name:
type: string
example: Approval Name
description: The name of the approval.
created:
type: string
format: date-time
description: When the approval was created.
example: '2017-07-11T18:45:37.098Z'
modified:
type: string
format: date-time
description: When the approval was last modified.
example: '2018-07-25T20:22:28.104Z'
requestCreated:
type: string
format: date-time
description: When the access-request was created.
example: '2017-07-11T18:45:35.098Z'
requestType:
description: If the access-request was for granting or revoking access.
type: string
enum:
- GRANT_ACCESS
- REVOKE_ACCESS
example: GRANT_ACCESS
requester:
description: The identity that requested the item.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
requestedFor:
description: The identity for whom the item is requested.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
reviewedBy:
description: The identity who has reviewed the approval.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
owner:
description: The owner or approver of the approval.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
requestedObject:
description: The requested access item.
type: object
properties:
id:
type: string
example: 2c938083633d259901633d25c68c00fa
description: Id of the object.
name:
type: string
example: Object Name
description: Name of the object.
description:
type: string
example: Object Description
description: Description of the object.
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
- ENTITLEMENT
description: Type of the object.
example: ROLE
requesterComment:
description: The requester's comment.
type: object
properties:
comment:
type: string
description: Content of the comment
example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat
author:
type: object
properties:
type:
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
example: IDENTITY
id:
type: string
description: ID of the author
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the identity making the comment
example: Adam Kennedy
created:
type: string
format: date-time
description: Date and time comment was created
example: '2017-07-11T18:45:37.098Z'
reviewerComment:
description: The approval's reviewer's comment.
type: object
properties:
comment:
type: string
description: Content of the comment
example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat
author:
type: object
properties:
type:
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
example: IDENTITY
id:
type: string
description: ID of the author
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the identity making the comment
example: Adam Kennedy
created:
type: string
format: date-time
description: Date and time comment was created
example: '2017-07-11T18:45:37.098Z'
previousReviewersComments:
type: array
items:
type: object
properties:
comment:
type: string
description: Content of the comment
example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat
author:
type: object
properties:
type:
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
example: IDENTITY
id:
type: string
description: ID of the author
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the identity making the comment
example: Adam Kennedy
created:
type: string
format: date-time
description: Date and time comment was created
example: '2017-07-11T18:45:37.098Z'
description: The history of the previous reviewers' comments.
forwardHistory:
type: array
items:
type: object
properties:
oldApproverName:
type: string
description: Display name of approver from whom the approval was forwarded.
example: Frank Mir
newApproverName:
type: string
description: Display name of approver to whom the approval was forwarded.
example: Al Volta
comment:
type: string
nullable: true
description: Comment made while forwarding.
example: Forwarding from Frank to Al
modified:
type: string
format: date-time
description: Time at which approval was forwarded.
example: '2019-08-23T18:52:57.398Z'
forwarderName:
type: string
nullable: true
description: Display name of forwarder who forwarded the approval.
example: William Wilson
reassignmentType:
description: |-
The approval reassignment type.
* MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's.
* AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time.
* AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to [Setting Global Reminders and Escalation Policies](https://documentation.sailpoint.com/saas/help/requests/config_emails.html).
* SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to [Self-review Prevention](https://documentation.sailpoint.com/saas/help/users/work_reassignment.html#self-review-prevention) and [Preventing Self-approval](https://documentation.sailpoint.com/saas/help/requests/config_ap_roles.html#preventing-self-approval).
example: AUTOMATIC_REASSIGNMENT
type: string
enum:
- MANUAL_REASSIGNMENT
- AUTOMATIC_REASSIGNMENT
- AUTO_ESCALATION
- SELF_REVIEW_DELEGATION
description: The history of approval forward action.
commentRequiredWhenRejected:
type: boolean
example: true
description: 'When true, the rejector has to provide comments when rejecting.'
state:
description: The final state of the approval
type: string
enum:
- APPROVED
- REJECTED
example: APPROVED
removeDate:
type: string
description: The date the role or access profile is no longer assigned to the specified identity.
format: date-time
example: '2020-07-11T00:00:00Z'
removeDateUpdateRequested:
type: boolean
example: true
description: 'If true, then the request was to change the remove date or sunset date.'
currentRemoveDate:
type: string
description: The remove date or sunset date that was assigned at the time of the request.
format: date-time
example: '2020-07-11T00:00:00Z'
sodViolationContext:
description: The details of the SOD violations for the associated approval.
type: object
properties:
state:
type: string
enum:
- SUCCESS
- ERROR
description: The status of SOD violation check
example: SUCCESS
uuid:
description: The id of the Violation check event
type: string
example: f73d16e9-a038-46c5-b217-1246e15fdbdd
violationCheckResult:
description: The inner object representing the completed SOD Violation check
type: object
properties:
message:
description: 'If the request failed, includes any error message that was generated.'
example:
- locale: en-US
localeOrigin: DEFAULT
text: An error has occurred during the SOD violation check
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
clientMetadata:
type: object
additionalProperties:
type: string
description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check.
example:
requestedAppName: test-app
requestedAppId: 2c91808f7892918f0178b78da4a305a1
violationContexts:
type: array
items:
description: The contextual information of the violated criteria
type: object
properties:
policy:
description: Reference to the Policy that is being violated.
type: object
properties:
type:
description: DTO type
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
example: IDENTITY
id:
type: string
description: ID of the object to which this reference applies
example: 2c91808568c529c60168cca6f90c1313
name:
type: string
description: Human-readable display name of the object to which this reference applies
example: William Wilson
conflictingAccessCriteria:
type: object
description: The object that contains the left-hand and right-hand sides of the entitlements that were violated according to the policy.
properties:
leftCriteria:
type: object
properties:
criteriaList:
type: array
items:
description: Details of the Entitlement criteria
type: object
properties:
existing:
type: boolean
example: true
description: Whether the entitlement already belonged to the user.
type:
example: ENTITLEMENT
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
id:
type: string
description: Entitlement ID
example: 2c918085771e9d3301773b3cb66f6398
name:
type: string
description: Entitlement name
example: My HR Entitlement
rightCriteria:
type: object
properties:
criteriaList:
type: array
items:
description: Details of the Entitlement criteria
type: object
properties:
existing:
type: boolean
example: true
description: Whether the entitlement already belonged to the user.
type:
example: ENTITLEMENT
type: string
enum:
- ACCOUNT_CORRELATION_CONFIG
- ACCESS_PROFILE
- ACCESS_REQUEST_APPROVAL
- ACCOUNT
- APPLICATION
- CAMPAIGN
- CAMPAIGN_FILTER
- CERTIFICATION
- CLUSTER
- CONNECTOR_SCHEMA
- ENTITLEMENT
- GOVERNANCE_GROUP
- IDENTITY
- IDENTITY_PROFILE
- IDENTITY_REQUEST
- LIFECYCLE_STATE
- PASSWORD_POLICY
- ROLE
- RULE
- SOD_POLICY
- SOURCE
- TAG_CATEGORY
- TASK_RESULT
- REPORT_RESULT
- SOD_VIOLATION
- ACCOUNT_ACTIVITY
description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
id:
type: string
description: Entitlement ID
example: 2c918085771e9d3301773b3cb66f6398
name:
type: string
description: Entitlement name
example: My HR Entitlement
violatedPolicies:
type: array
description: A list of the Policies that were violated
items:
description: Reference to the policy that was violated
example:
- type: SOD_POLICY
id: 69129440-422d-4a23-aadd-35c828d5bfda
name: HR Policy
type: object
properties:
id:
type: string
description: the application ID
example: ff8081814d977c21014da056804a0af3
name:
type: string
description: the application name
example: Github
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
'/access-request-approvals/{approvalId}/approve':
post:
operationId: approveAccessRequest
summary: Approves an access request approval.
tags:
- Access Request Approvals
description: This endpoint approves an access request approval. Only the owner of the approval and ORG_ADMIN users are allowed to perform this action.
parameters:
- in: path
name: approvalId
schema:
type: string
required: true
description: The id of the approval.
example: 2c91808b7294bea301729568c68c002e
requestBody:
description: Reviewer's comment.
required: false
content:
application/json:
schema:
type: object
properties:
comment:
type: string
responses:
'202':
description: Accepted - Returned if the request was successfully accepted into the system.
content:
application/json:
schema:
type: object
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
'/access-request-approvals/{approvalId}/reject':
post:
operationId: rejectAccessRequest
summary: Rejects an access request approval.
tags:
- Access Request Approvals
description: This endpoint rejects an access request approval. Only the owner of the approval and admin users are allowed to perform this action.
parameters:
- in: path
name: approvalId
schema:
type: string
required: true
description: The id of the approval.
example: 2c91808b7294bea301729568c68c002e
requestBody:
description: Reviewer's comment.
required: false
content:
application/json:
schema:
type: object
properties:
comment:
type: string
responses:
'202':
description: Accepted - Returned if the request was successfully accepted into the system.
content:
application/json:
schema:
type: object
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
'/access-request-approvals/{approvalId}/forward':
post:
operationId: forwardAccessRequest
summary: Forwards an access request approval to a new owner.
tags:
- Access Request Approvals
description: This endpoint forwards an access request approval. Only the owner of the approval and ORG_ADMIN users are allowed to perform this action.
parameters:
- in: path
name: approvalId
schema:
type: string
required: true
description: The id of the approval.
example: 2c91808b7294bea301729568c68c002e
requestBody:
description: Information about the forwarded approval.
required: true
content:
application/json:
schema:
type: object
required:
- newOwnerId
- comment
properties:
newOwnerId:
type: string
description: The ID of the new owner
minLength: 1
maxLength: 255
comment:
type: string
description: The comment provided by the forwarder
minLength: 1
maxLength: 255
responses:
'202':
description: Accepted - Returned if the request was successfully accepted into the system.
content:
application/json:
schema:
type: object
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/access-request-approvals/approval-summary:
get:
operationId: getAccessRequestApprovalSummary
summary: 'Get the number of pending, approved and rejected access request approvals'
tags:
- Access Request Approvals
description: 'This endpoint returns the number of pending, approved and rejected access request approvals. See the "owner-id" query parameter below for authorization info.'
parameters:
- in: query
name: owner-id
schema:
type: string
description: |-
The ID of the owner or approver identity of the approvals. If present, the approval summary for the specified identity is returned.
* ORG_ADMIN users can call this with any identity ID value.
* ORG_ADMIN users can also fetch all the approvals in the org when owner-id is not used.
* Non-ORG_ADMIN users can only specify *me* or pass their own identity ID value.
- in: query
name: from-date
schema:
type: string
description: |-
From date is the date and time from which the results will be shown. It should be in a valid ISO-8601 format.
example: from-date=2020-03-19T19:59:11Z
responses:
'200':
description: 'Number of pending, approved, rejected access request approvals.'
content:
application/json:
schema:
type: object
properties:
pending:
type: integer
description: The number of pending access request approvals.
approved:
type: integer
description: The number of approved access request approvals.
rejected:
type: integer
description: The number of rejected access request approvals.
'400':
description: Client Error - Returned if the query parameter is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/ai-access-request-recommendations:
get:
operationId: getAccessRequestRecommendations
tags:
- IAI Access Request Recommendations
summary: Identity Access Request Recommendations
description: This API returns the access request recommendations for the specified identity. The default identity is *me* which indicates the current user.
parameters:
- in: query
name: identity-id
description: Get access request recommendations for an identityId. *me* indicates the current user.
schema:
type: string
default: me
required: false
example: 2c91808570313110017040b06f344ec9
- in: query
name: limit
description: Max number of results to return.
required: false
schema:
type: integer
minimum: 0
maximum: 15
default: 15
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: include-translation-messages
description: If *true* it will populate a list of translation messages in the response.
schema:
type: boolean
default: false
required: false
example: false
- in: query
name: filters
schema:
type: string
description: |-
Filter recommendations using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
Filtering is supported for the following fields and operators:
**access.name**: *co*
**access.type**: *eq, in*
**access.description**: *co*
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
Sorting is supported for the following fields: **access.name, access.type**
By default the recommendations are sorted by highest confidence first.
responses:
'200':
description: List of access request recommendations for the identityId
content:
application/json:
schema:
type: array
items:
type: object
properties:
identityId:
type: string
format: UUID
description: Identity ID for the recommendation
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
name:
type: string
description: Name of the access item
example: Employee-database-read-write
description:
type: string
description: Description of the access item
example: This item grants an employee read and write access to the database
ignored:
type: boolean
example: true
description: Whether or not the identity has already chosen to ignore this recommendation.
requested:
type: boolean
example: true
description: Whether or not the identity has already chosen to request this recommendation.
viewed:
type: boolean
example: true
description: Whether or not the identity reportedly viewed this recommendation.
messages:
type: array
items:
type: object
properties:
interpretation:
type: string
description: Information about why the access item was recommended.
example: 95% of your peers have this access.
translationMessages:
description: The list of translation messages
type: array
example:
- key: recommender-api.V2_WEIGHT_FEATURE_PRODUCT_INTERPRETATION_HIGH
values:
- '75'
- department
items:
properties:
key:
type: string
description: The key of the translation message
example: recommender-api.V2_WEIGHT_FEATURE_PRODUCT_INTERPRETATION_HIGH
values:
type: array
description: The values corresponding to the translation messages
items:
type: string
example:
- '75'
- department
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/ai-access-request-recommendations/ignored-items:
post:
operationId: addAccessRequestRecommendationsIgnoredItem
tags:
- IAI Access Request Recommendations
summary: Notification of Ignored Access Request Recommendations
description: 'This API ignores a recommended access request item. Once an item is ignored, it will be marked as ignored=true if it is still a recommended item. The consumer can decide to hide ignored recommendations.'
requestBody:
description: The recommended access item to ignore for an identity.
required: true
content:
application/json:
schema:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
required:
- identityId
- access
responses:
'201':
description: Recommendation successfully stored as ignored.
content:
application/json:
schema:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
timestamp:
type: string
format: date-time
example: '2017-07-11T18:45:37.098Z'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
get:
operationId: getAccessRequestRecommendationsIgnoredItems
tags:
- IAI Access Request Recommendations
summary: List of Ignored Access Request Recommendations
description: This API returns the list of ignored access request recommendations.
parameters:
- in: query
name: limit
description: |-
Max number of results to return.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 250
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: filters
schema:
type: string
description: |-
Filter recommendations using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results).
Filtering is supported for the following fields and operators:
**access.id**: *eq, in*
**access.type**: *eq, in*
**identityId**: *eq, in*
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results).
Sorting is supported for the following fields: **access.id, access.type, identityId, timestamp**
responses:
'200':
description: Returns list of ignored access request recommendations.
content:
application/json:
schema:
type: array
items:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
timestamp:
type: string
format: date-time
example: '2017-07-11T18:45:37.098Z'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/ai-access-request-recommendations/requested-items:
post:
operationId: addAccessRequestRecommendationsRequestedItem
tags:
- IAI Access Request Recommendations
summary: Notification of Requested Access Request Recommendations
description: 'This API consumes a notification that a recommended access request item was requested. This API does not actually make the request; it is just a notification. This will help provide feedback in order to improve our recommendations.'
requestBody:
description: The recommended access item that was requested for an identity.
required: true
content:
application/json:
schema:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
required:
- identityId
- access
responses:
'201':
description: Notification successfully acknowledged.
content:
application/json:
schema:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
timestamp:
type: string
format: date-time
example: '2017-07-11T18:45:37.098Z'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
get:
operationId: getAccessRequestRecommendationsRequestedItems
tags:
- IAI Access Request Recommendations
summary: List of Requested Access Request Recommendations
description: This API returns a list of requested access request recommendations.
parameters:
- in: query
name: limit
description: |-
Max number of results to return.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 250
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: filters
schema:
type: string
description: |-
Filter recommendations using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results).
Filtering is supported for the following fields and operators:
**access.id**: *eq, in*
**access.type**: *eq, in*
**identityId**: *eq, in*
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results).
Sorting is supported for the following fields: **access.id, access.type, identityId, timestamp**
responses:
'200':
description: Returns the list of requested access request recommendations.
content:
application/json:
schema:
type: array
items:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
timestamp:
type: string
format: date-time
example: '2017-07-11T18:45:37.098Z'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/ai-access-request-recommendations/viewed-items:
post:
operationId: addAccessRequestRecommendationsViewedItem
tags:
- IAI Access Request Recommendations
summary: Notification of Viewed Access Request Recommendations
description: This API consumes a notification that a recommended access request item was viewed. Future recommendations with this item will be marked with viewed=true. This can be useful for the consumer to determine if there are any new/unviewed recommendations.
requestBody:
description: The recommended access that was viewed for an identity.
required: true
content:
application/json:
schema:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
required:
- identityId
- access
responses:
'201':
description: Recommendation successfully stored as viewed.
content:
application/json:
schema:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
timestamp:
type: string
format: date-time
example: '2017-07-11T18:45:37.098Z'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
get:
operationId: getAccessRequestRecommendationsViewedItems
tags:
- IAI Access Request Recommendations
summary: List of Viewed Access Request Recommendations
description: This API returns the list of viewed access request recommendations.
parameters:
- in: query
name: limit
description: |-
Max number of results to return.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 250
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: filters
schema:
type: string
description: |-
Filter recommendations using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
Filtering is supported for the following fields and operators:
**access.id**: *eq, in*
**access.type**: *eq, in*
**identityId**: *eq, in*
- in: query
name: sorters
schema:
type: string
format: comma-separated
description: |-
Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
Sorting is supported for the following fields: **access.id, access.type, identityId, timestamp**
responses:
'200':
description: Returns list of viewed access request recommendations.
content:
application/json:
schema:
type: array
items:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
timestamp:
type: string
format: date-time
example: '2017-07-11T18:45:37.098Z'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/ai-access-request-recommendations/viewed-items/bulk-create:
post:
operationId: addAccessRequestRecommendationsViewedItems
tags:
- IAI Access Request Recommendations
summary: Notification of Viewed Access Request Recommendations in Bulk
description: This API consumes a notification that a set of recommended access request items were viewed. Future recommendations with these items will be marked with viewed=true. This can be useful for the consumer to determine if there are any new/unviewed recommendations.
requestBody:
description: The recommended access items that were viewed for an identity.
required: true
content:
application/json:
schema:
type: array
items:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
required:
- identityId
- access
responses:
'201':
description: Recommendations successfully stored as viewed.
content:
application/json:
schema:
type: array
items:
type: object
properties:
identityId:
type: string
format: UUID
description: The identity ID taking the action.
example: 2c91808570313110017040b06f344ec9
access:
type: object
properties:
id:
type: string
format: UUID
description: ID of access item being recommended.
example: 2c9180835d2e5168015d32f890ca1581
type:
type: string
enum:
- ACCESS_PROFILE
- ROLE
description: The type of access item.
example: ACCESS_PROFILE
timestamp:
type: string
format: date-time
example: '2017-07-11T18:45:37.098Z'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
/accounts:
get:
operationId: listAccounts
tags:
- Accounts
summary: Accounts List
description: |-
This returns a list of accounts.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts:read'
- 'idn:accounts:manage'
parameters:
- in: query
name: detailLevel
schema:
type: string
enum:
- SLIM
- FULL
description: 'Determines whether a slim or an increased level of detail is provided for each account in the returned list. FULL is the default behavior.'
example: FULL
- in: query
name: limit
description: |-
Max number of results to return.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 250
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
- in: query
name: filters
schema:
type: string
example: identityId eq "2c9180858082150f0180893dbaf44201"
description: |-
Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
Filtering is supported for the following fields and operators:
**id**: *eq, in*
**identityId**: *eq*
**name**: *eq, in*
**nativeIdentity**: *eq, in*
**sourceId**: *eq, in*
**uncorrelated**: *eq*
responses:
'200':
description: List of account objects
content:
application/json:
schema:
type: array
items:
oneOf:
- type: object
title: Slim Account
allOf:
- type: object
required:
- name
properties:
id:
description: System-generated unique ID of the Object
type: string
example: id12345
readOnly: true
name:
description: Name of the Object
type: string
example: aName
created:
description: Creation date of the Object
type: string
format: date-time
readOnly: true
example: '2023-01-03T21:16:22.432Z'
modified:
description: Last modification date of the Object
type: string
format: date-time
readOnly: true
example: '2023-01-03T21:16:22.432Z'
- type: object
properties:
uuid:
type: string
format: uuid
description: Unique ID from the owning source
example: 2c9180857893f12901789445619b0366
nullable: true
nativeIdentity:
type: string
description: The native identifier of the account
example: brandin.gray
description:
type: string
description: The description for the account
example: Brandin Gray the CEO of Silly Inc.
nullable: true
disabled:
type: boolean
description: Whether the account is disabled
example: false
locked:
type: boolean
description: Whether the account is locked
example: false
manuallyCorrelated:
type: boolean
description: Whether the account was manually correlated
example: false
hasEntitlements:
type: boolean
description: Whether the account has any entitlements associated with it
example: true
sourceId:
type: string
description: The ID of the source to which this account belongs
example: 2c9180835d2e5168015d32f890ca1581
sourceName:
type: string
description: The name of the source
example: Large Source
identityId:
type: string
description: The ID of the identity to which this account is correlated, if it is correlated
example: 4b9163835d2e5168015d32f890ca5936
attributes:
type: object
description: A map containing attributes associated with the account
additionalProperties: true
example:
firstName: SailPoint
lastName: Support
displayName: SailPoint Support
- type: object
title: Full Account
allOf:
- type: object
title: Slim Account
allOf:
- type: object
required:
- name
properties:
id:
description: System-generated unique ID of the Object
type: string
example: id12345
readOnly: true
name:
description: Name of the Object
type: string
example: aName
created:
description: Creation date of the Object
type: string
format: date-time
readOnly: true
example: '2023-01-03T21:16:22.432Z'
modified:
description: Last modification date of the Object
type: string
format: date-time
readOnly: true
example: '2023-01-03T21:16:22.432Z'
- type: object
properties:
uuid:
type: string
format: uuid
description: Unique ID from the owning source
example: 2c9180857893f12901789445619b0366
nullable: true
nativeIdentity:
type: string
description: The native identifier of the account
example: brandin.gray
description:
type: string
description: The description for the account
example: Brandin Gray the CEO of Silly Inc.
nullable: true
disabled:
type: boolean
description: Whether the account is disabled
example: false
locked:
type: boolean
description: Whether the account is locked
example: false
manuallyCorrelated:
type: boolean
description: Whether the account was manually correlated
example: false
hasEntitlements:
type: boolean
description: Whether the account has any entitlements associated with it
example: true
sourceId:
type: string
description: The ID of the source to which this account belongs
example: 2c9180835d2e5168015d32f890ca1581
sourceName:
type: string
description: The name of the source
example: Large Source
identityId:
type: string
description: The ID of the identity to which this account is correlated, if it is correlated
example: 4b9163835d2e5168015d32f890ca5936
attributes:
type: object
description: A map containing attributes associated with the account
additionalProperties: true
example:
firstName: SailPoint
lastName: Support
displayName: SailPoint Support
- type: object
properties:
authoritative:
type: boolean
description: Whether this account belongs to an authoritative source
example: false
systemAccount:
type: boolean
description: Whether this account is for the IdentityNow source
example: false
uncorrelated:
type: boolean
description: True if this account is not correlated to an identity
example: false
features:
type: string
description: A string list containing the owning source's features
example: ENABLE
examples:
SlimAccounts:
description: List of slim accounts that would result with *detailLevel = SLIM*
value:
- attributes: null
created: '2021-09-28T02:15:44.644Z'
description: null
disabled: false
features: 'PROVISIONING, GROUP_PROVISIONING, SYNC_PROVISIONING, AUTHENTICATE'
hasEntitlements: true
id: 2c9180867c184ff6017c2a2fbf031667
identityId: 2c9180867c184ff6017c2a2fbf031666
locked: false
manuallyCorrelated: false
modified: '2021-09-28T02:16:12.207Z'
name: Geovanni.0a7cad6df
nativeIdentity: 'CN=Geovanni 0a7cad6df,OU=hpun,OU=org-data-service,DC=TestAutomationAD,DC=local'
sourceId: 2c91808b7c28b350017c2a2ec5790aa1
uuid: '{e4218fa4-da52-4bb0-aa41-d2dcc08a7ad8}'
FullAccounts:
description: List of full accounts that would result with *detailLevel = FULL* or when it is not specified
value:
- attributes: null
authoritative: true
created: '2021-09-28T02:15:44.644Z'
description: null
disabled: false
features: 'PROVISIONING, GROUP_PROVISIONING, SYNC_PROVISIONING, AUTHENTICATE'
hasEntitlements: true
id: 2c9180867c184ff6017c2a2fbf031667
identityId: 2c9180867c184ff6017c2a2fbf031666
locked: false
manuallyCorrelated: false
modified: '2021-09-28T02:16:12.207Z'
name: Geovanni.0a7cad6df
nativeIdentity: 'CN=Geovanni 0a7cad6df,OU=hpun,OU=org-data-service,DC=TestAutomationAD,DC=local'
sourceId: 2c91808b7c28b350017c2a2ec5790aa1
systemAccount: false
uncorrelated: false
uuid: '{e4218fa4-da52-4bb0-aa41-d2dcc08a7ad8}'
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
post:
operationId: createAccount
tags:
- Accounts
summary: Create Account
description: |-
This API submits an account creation task and returns the task ID.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts:manage'
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- attributes
properties:
attributes:
description: The schema attribute values for the account
type: object
example:
city: Austin
displayName: John Doe
userName: jdoe
sAMAccountName: jDoe
mail: john.doe@sailpoint.com
responses:
'202':
description: Async task details
content:
application/json:
schema:
description: Accounts async response containing details on started async process
required:
- id
type: object
properties:
id:
description: id of the task
type: string
example: 2c91808474683da6017468693c260195
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
'/accounts/{id}':
get:
operationId: getAccount
tags:
- Accounts
summary: Account Details
description: |-
This API returns the details for a single account based on the ID.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts:read'
- 'idn:accounts:manage'
parameters:
- in: path
name: id
schema:
type: string
required: true
description: The account ID
example: ef38f94347e94562b5bb8424a56397d8
responses:
'200':
description: An account object
content:
application/json:
schema:
allOf:
- type: object
required:
- name
properties:
id:
description: System-generated unique ID of the Object
type: string
example: id12345
readOnly: true
name:
description: Name of the Object
type: string
example: aName
created:
description: Creation date of the Object
type: string
format: date-time
readOnly: true
example: '2023-01-03T21:16:22.432Z'
modified:
description: Last modification date of the Object
type: string
format: date-time
readOnly: true
example: '2023-01-03T21:16:22.432Z'
- type: object
required:
- sourceId
- sourceName
- attributes
- authoritative
- disabled
- locked
- nativeIdentity
- systemAccount
- uncorrelated
- manuallyCorrelated
- hasEntitlements
properties:
sourceId:
type: string
example: 2c9180835d2e5168015d32f890ca1581
description: The unique ID of the source this account belongs to
sourceName:
type: string
example: Employees
description: The display name of the source this account belongs to
identityId:
type: string
example: 2c9180835d2e5168015d32f890ca1581
description: The unique ID of the identity this account is correlated to
attributes:
type: object
additionalProperties: true
description: The account attributes that are aggregated
example:
firstName: SailPoint
lastName: Support
displayName: SailPoint Support
authoritative:
type: boolean
description: Indicates if this account is from an authoritative source
example: false
description:
type: string
description: A description of the account
nullable: true
example: null
disabled:
type: boolean
description: Indicates if the account is currently disabled
example: false
locked:
type: boolean
description: Indicates if the account is currently locked
example: false
nativeIdentity:
type: string
description: The unique ID of the account generated by the source system
example: '552775'
systemAccount:
type: boolean
example: false
description: 'If true, this is a user account within IdentityNow. If false, this is an account from a source system.'
uncorrelated:
type: boolean
description: Indicates if this account is not correlated to an identity
example: false
uuid:
type: string
description: The unique ID of the account as determined by the account schema
example: slpt.support
nullable: true
manuallyCorrelated:
type: boolean
description: Indicates if the account has been manually correlated to an identity
example: false
hasEntitlements:
type: boolean
description: Indicates if the account has entitlements
example: true
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
patch:
operationId: updateAccount
tags:
- Accounts
summary: Update Account
description: |-
This updates account details.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts:manage'
parameters:
- in: path
name: id
schema:
type: string
required: true
description: The account ID
example: ef38f94347e94562b5bb8424a56397d8
requestBody:
required: true
description: 'A list of account update operations according to the [JSON Patch](https://tools.ietf.org/html/rfc6902) standard.'
content:
application/json-patch+json:
schema:
type: array
items:
type: object
example:
- op: replace
path: /identityId
value: 2c9180845d1edece015d27a975983e21
responses:
'202':
description: Accepted. Update request accepted and is in progress.
content:
application/json:
schema:
type: object
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
put:
operationId: putAccount
tags:
- Accounts
summary: Update Account
description: |-
This API submits an account update task and returns the task ID.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts:manage'
parameters:
- in: path
name: id
schema:
type: string
required: true
description: The account ID
example: ef38f94347e94562b5bb8424a56397d8
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- attributes
properties:
attributes:
description: The schema attribute values for the account
type: object
example:
city: Austin
displayName: John Doe
userName: jdoe
sAMAccountName: jDoe
mail: john.doe@sailpoint.com
responses:
'202':
description: Async task details
content:
application/json:
schema:
description: Accounts async response containing details on started async process
required:
- id
type: object
properties:
id:
description: id of the task
type: string
example: 2c91808474683da6017468693c260195
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - returned if the request URL refers to a resource or object that does not exist
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
delete:
operationId: deleteAccount
tags:
- Accounts
summary: Delete Account
description: |-
This API submits an account delete task and returns the task ID.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts:manage'
parameters:
- in: path
name: id
schema:
type: string
required: true
description: The account ID
example: ef38f94347e94562b5bb8424a56397d8
responses:
'202':
description: Async task details
content:
application/json:
schema:
description: Accounts async response containing details on started async process
required:
- id
type: object
properties:
id:
description: id of the task
type: string
example: 2c91808474683da6017468693c260195
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - returned if the request URL refers to a resource or object that does not exist
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
'/accounts/{id}/entitlements':
get:
operationId: getAccountEntitlements
tags:
- Accounts
summary: Account Entitlements
description: |-
This API returns entitlements of the account.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts:read'
parameters:
- in: path
name: id
schema:
type: string
required: true
description: The account id
example: ef38f94347e94562b5bb8424a56397d8
- in: query
name: offset
description: |-
Offset into the full result set. Usually specified with *limit* to paginate through the results.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 0
schema:
type: integer
format: int32
minimum: 0
default: 0
- in: query
name: limit
description: |-
Max number of results to return.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: 250
schema:
type: integer
format: int32
minimum: 0
maximum: 250
default: 250
- in: query
name: count
description: |-
If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used.
See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information.
required: false
example: true
schema:
type: boolean
default: false
responses:
'200':
description: An array of account entitlements
content:
application/json:
schema:
type: array
items:
type: object
properties:
id:
type: string
description: The entitlement id
example: 2c91808874ff91550175097daaec161c
name:
type: string
description: The entitlement name
example: LauncherTest2
attribute:
type: string
description: The entitlement attribute name
example: memberOf
value:
type: string
description: The value of the entitlement
example: 'CN=LauncherTest2,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local'
sourceSchemaObjectType:
type: string
description: The object type of the entitlement from the source schema
example: group
description:
type: string
description: The description of the entitlement
example: 'CN=LauncherTest2,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local'
privileged:
type: boolean
description: True if the entitlement is privileged
example: true
cloudGoverned:
type: boolean
description: True if the entitlement is cloud governed
example: true
created:
type: string
description: Time when the entitlement was created
format: date-time
example: '2020-10-08T18:33:52.029Z'
modified:
type: string
description: Time when the entitlement was last modified
format: date-time
example: '2020-10-08T18:33:52.029Z'
source:
type: object
properties:
id:
type: string
description: The source ID
example: 2c9180827ca885d7017ca8ce28a000eb
type:
type: string
description: 'The source type, which will always be "SOURCE"'
example: SOURCE
name:
type: string
description: The source name
example: ODS-AD-Source
attributes:
type: object
description: A map of free-form key-value pairs from the source system
example:
fieldName: fieldValue
additionalProperties: true
segments:
type: array
items:
type: string
nullable: true
description: 'List of IDs of segments, if any, to which this Entitlement is assigned.'
example:
- f7b1b8a3-5fed-4fd4-ad29-82014e137e19
- 29cb6c06-1da8-43ea-8be4-b3125f248f2a
directPermissions:
type: array
items:
type: object
description: 'Simplified DTO for the Permission objects stored in SailPoint''s database. The data is aggregated from customer systems and is free-form, so its appearance can vary widely between different clients/customers.'
properties:
rights:
type: array
description: All the rights (e.g. actions) that this permission allows on the target
readOnly: true
items:
type: string
example: SELECT
target:
type: string
description: The target the permission would grant rights on.
readOnly: true
example: SYS.GV_$TRANSACTION
owner:
type: object
description: Simplified DTO for the owner object of the entitlement
properties:
id:
type: string
description: The owner id for the entitlement
example: 2a2fdacca5e345f18bf7970cfbb8fec2
name:
type: string
description: The owner name for the entitlement
example: identity 1
type:
type: string
enum:
- IDENTITY
description: The type of the owner. Initially only type IDENTITY is supported
example: IDENTITY
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
'/accounts/{id}/reload':
post:
operationId: reloadAccount
tags:
- Accounts
summary: Reload Account
description: |-
This API asynchronously reloads the account directly from the connector and performs a one-time aggregation process.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts-state:manage'
parameters:
- in: path
name: id
schema:
type: string
required: true
description: The account id
example: ef38f94347e94562b5bb8424a56397d8
responses:
'202':
description: Async task details
content:
application/json:
schema:
description: Accounts async response containing details on started async process
required:
- id
type: object
properties:
id:
description: id of the task
type: string
example: 2c91808474683da6017468693c260195
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: An internal fault occurred.
'/accounts/{id}/enable':
post:
operationId: enableAccount
tags:
- Accounts
summary: Enable Account
description: |-
This API submits a task to enable the account and returns the task ID.
A token with ORG_ADMIN authority is required to call this API.
security:
- oauth2:
- 'idn:accounts-state:manage'
parameters:
- in: path
name: id
schema:
type: string
required: true
description: The account id
example: ef38f94347e94562b5bb8424a56397d8
requestBody:
required: true
content:
application/json:
schema:
description: Request used for account enable/disable
type: object
properties:
externalVerificationId:
description: 'If set, an external process validates that the user wants to proceed with this request.'
type: string
example: 3f9180835d2e5168015d32f890ca1581
forceProvisioning:
description: 'If set, provisioning updates the account attribute at the source. This option is used when the account is not synced to ensure the attribute is updated.'
type: boolean
example: false
responses:
'202':
description: Async task details
content:
application/json:
schema:
description: Accounts async response containing details on started async process
required:
- id
type: object
properties:
id:
description: id of the task
type: string
example: 2c91808474683da6017468693c260195
'400':
description: Client Error - Returned if the request body is invalid.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
'401':
description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.'
content:
application/json:
schema:
type: object
properties:
error:
description: A message describing the error
example: 'JWT validation failed: JWT is expired'
'403':
description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'403':
summary: An example of a 403 response object
value:
detailCode: 403 Forbidden
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server understood the request but refuses to authorize it.
'404':
description: Not Found - Returned if the request URL refers to a resource or object that does not exist.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'404':
summary: An example of a 404 response object
value:
detailCode: 404 Not found
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: en-US
localeOrigin: DEFAULT
text: The server did not find a current representation for the target resource.
'429':
description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
content:
application/json:
schema:
type: object
properties:
message:
description: A message describing the error
example: ' Rate Limit Exceeded '
'500':
description: Internal Server Error - Returned if there is an unexpected error.
content:
application/json:
schema:
type: object
properties:
detailCode:
type: string
description: Fine-grained error code providing more detail of the error.
example: 400.1 Bad Request Content
trackingId:
type: string
description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599
messages:
type: array
description: Generic localized reason for error
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
causes:
type: array
description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
items:
type: object
properties:
locale:
type: string
description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US
localeOrigin:
type: string
enum:
- DEFAULT
- REQUEST
description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT
text:
type: string
description: Actual text of the error message in the indicated locale.
example: The request was syntactically correct but its content is semantically invalid.
examples:
'500':
summary: An example of a 500 response object
value:
detailCode: 500.0 Internal Fault
trackingId: b21b1f7ce4da4d639f2c62a57171b427
messages:
- locale: e