openapi: 3.0.1
info:
  title: IdentityNow V3 API
  description: 'Use these APIs to interact with the IdentityNow platform to achieve repeatable, automated processes with greater scalability. We encourage you to join the SailPoint Developer Community forum at https://developer.sailpoint.com/discuss to connect with other developers using our APIs.'
  termsOfService: 'https://developer.sailpoint.com/discuss/tos'
  contact:
    name: Developer Relations
    url: 'https://developer.sailpoint.com/discuss/api-help'
  license:
    name: MIT
    url: 'https://opensource.org/licenses/MIT'
  version: 3.0.0
servers:
  - url: 'https://{tenant}.api.identitynow.com/v3'
    description: This is the production API server.
    variables:
      tenant:
        default: sailpoint
        description: 'This is the name of your tenant, typically your company''s name.'
tags:
  - name: Access Profiles
    description: |
      Use this API to implement and customize access profile functionality.
      With this functionality in place, administrators can create access profiles and configure them for use throughout IdentityNow, enabling users to get the access they need quickly and securely.

      Access profiles group entitlements, which represent access rights on sources.

      For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.

      An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.

      When users only need Active Directory employee access, they can request access to the 'Employees' entitlement.

      When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.

      Access profiles are the most important units of access in IdentityNow.
      IdentityNow uses access profiles in many features, including the following:

      - Provisioning: When you use the Provisioning Service, lifecycle states and roles both grant access to users in the form of access profiles.
      - Certifications: You can approve or revoke access profiles in certification campaigns, just like entitlements.
      - Access Requests: You can assign access profiles to applications, and when a user requests access to the app associated with an access profile and someone approves the request, access is granted to both the application and its associated access profile.
      - Roles: You can group one or more access profiles into a role to quickly assign access items based on an identity's role.

      In IdentityNow, administrators can use the Access drop-down menu and select Access Profiles to view, configure, and delete existing access profiles, as well as create new ones.
      Administrators can enable and disable an access profile, and they can also make the following configurations:

      - Manage Entitlements: Manage the profile's access by adding and removing entitlements.
      - Access Requests: Configure access profiles to be requestable and establish an approval process for any requests that the access profile be granted or revoked. Do not configure an access profile to be requestable without first establishing a secure access request approval process for the access profile.
      - Multiple Account Options: Define the logic IdentityNow uses to provision access to an identity with multiple accounts on the source.

      Refer to [Managing Access Profiles](https://documentation.sailpoint.com/saas/help/access/access-profiles.html) for more information about access profiles.
  - name: Access Request Approvals
    description: |
      Use this API to implement and customize access request approval functionality.
      With this functionality in place, administrators can delegate qualified users to review users' requests for access or managers' requests to revoke team members' access to applications, entitlements, or roles.
      This enables more qualified users to review access requests and the others to spend their time on other tasks.

      In IdentityNow, users can request access to applications, entitlements, and roles, and managers can request that team members' access be revoked.
      For applications and entitlements, administrators can set access profiles to require approval from the access profile owner, the application owner, the source owner, the requesting user's manager, or a governance group for access to be granted or revoked.
      For roles, administrators can also set roles to allow access requests and require approval from the role owner, the requesting user's manager, or a governance group for access to be granted or revoked.
      If the administrator designates a governance group as the required approver, any governance group member can approve the requests.

      When a user submits an access request, IdentityNow sends the first required approver in the queue an email notification, based on the access request configuration's approval and reminder escalation configuration.

      In Approvals in IdentityNow, required approvers can view pending access requests under the Requested tab and approve or deny them, or the approvers can reassign the requests to different reviewers for approval.
      If the required approver approves the request and is the only reviewer required, IdentityNow grants or revokes access, based on the request.
      If multiple reviewers are required, IdentityNow sends the request to the next reviewer in the queue, based on the access request configuration's approval reminder and escalation configuration.
      The required approver can then view any completed access requests under the Reviewed tab.

      Refer to [Access Requests](https://documentation.sailpoint.com/saas/help/requests/index.html) for more information about access request approvals.
  - name: Access Requests
    description: |
      Use this API to implement and customize access request functionality.
      With this functionality in place, users can request access to applications, entitlements, or roles, and managers can request that team members' access be revoked.
      This allows users to get access to the tools they need quickly and securely, and it allows managers to take away access to those tools.

      IdentityNow's Access Request service allows end users to request access that requires approval before it can be granted to users and enables qualified users to review those requests and approve or deny them.

      In the Request Center in IdentityNow, users can view available applications, roles, and entitlements and request access to them.
      If the requested tools require approval, the requests appear as 'Pending' under the My Requests tab until the required approver approves, rejects, or cancels them.

      Users can use My Requests to track and/or cancel the requests.

      In My Team on the IdentityNow Home, managers can submit requests to revoke their team members' access.
      They can use the My Requests tab under Request Center to track and/or cancel the requests.

      Refer to [Requesting Access](https://documentation.sailpoint.com/saas/user-help/requests/requesting_access.html) for more information about access requests.
  - name: Accounts
    description: |
      Use this API to implement and customize account functionality.
      With this functionality in place, administrators can manage users' access across sources in IdentityNow.

      In IdentityNow, an account refers to a user's account on a supported source.
      This typically includes a unique identifier for the user, a unique password, a set of permissions associated with the source and a set of attributes. IdentityNow loads accounts through the creation of sources in IdentityNow.
      Administrators can correlate users' identities with the users' accounts on the different sources they use.
      This allows IdentityNow to govern the access of identities and all their correlated accounts securely and cohesively.

      To view the accounts on a source and their correlated identities, administrators can use the Connections drop-down menu, select Sources, select the relevant source, and select its Account tab.

      To view and edit source account statuses for an identity in IdentityNow, administrators can use the Identities drop-down menu, select Identity List, select the relevant identity, and select its Accounts tab.
      Administrators can toggle an account's Actions to aggregate the account, enable/disable it, unlock it, or remove it from the identity.

      Accounts can have the following statuses:

      - Enabled: The account is enabled. The user can access it.
      - Disabled: The account is disabled, and the user cannot access it, but the identity is not disabled in IdentityNow. This can occur when an administrator disables the account or when the user's lifecycle state changes.
      - Locked: The account is locked. This may occur when someone has entered an incorrect password for the account too many times.
      - Pending: The account is currently updating. This status typically lasts seconds.

      Administrators can select the source account to view its attributes, entitlements, and the last time the account's password was changed.

      Refer to [Managing User Accounts](https://documentation.sailpoint.com/saas/help/common/users/user_access.html#managing-user-accounts) for more information about accounts.
  - name: Account Activities
    description: |
      Use this API to implement account activity tracking functionality.
      With this functionality in place, users can track source account activity in IdentityNow, which greatly improves traceability in the system.

      An account activity refers to a log of each action performed on a source account.
      This is useful for auditing the changes performed on an account throughout its life.
      In IdentityNow's Search, users can search for account activities and select the activity's row to get an overview of the activity's account action and view its progress, its involved sources, and its most basic metadata, such as the identity requesting the option and the recipient.

      Account activity includes most actions IdentityNow completes on source accounts. Users can search in IdentityNow for the following account action types:

      - Access Request: These include any access requests the source account is involved in.
      - Account Attribute Updates: These include updates to a single attribute on an account on a source.
      - Account State Update: These include locking or unlocking actions on an account on a source.
      - Certification: These include actions removing an entitlement from an account on a source as a result of the entitlement's revocation during a certification.
      - Cloud Automated `Lifecyclestate`: These include automated lifecycle state changes that result in a source account's correlated identity being assigned to a different lifecycle state.
        IdentityNow replaces the `Lifecyclestate` variable with the name of the lifecycle state it has moved the account's identity to.
      - Identity Attribute Update: These include updates to a source account's correlated identity attributes as the result of a provisioning action.
        When you update an identity attribute that also updates an identity's lifecycle state, the cloud automated `Lifecyclestate` event also displays.
        Account Activity does not include attribute updates that occur as a result of aggregation.
      - Identity Refresh: These include correlated identity refreshes that occur for an account on a source whenever the account's correlated identity profile gets a new role or updates.
        These also include refreshes that occur whenever IdentityNow assigns an application to the account's correlated identity based on the application's being assigned to All Users From Source or Specific Users From Source.
      - Lifecycle State Refresh: These include the actions that took place when a lifecycle state changed. This event only occurs after a cloud automated `Lifecyclestate` change or a lifecycle state change.
      - Lifecycle State Change: These include the account activities that result from an identity's manual assignment to a null lifecycle state.
      - Password Change: These include password changes on sources.

      Refer to [Account Activity](https://documentation.sailpoint.com/saas/help/search/index.html#account-activity) for more information about account activities.
  - name: Certification Campaigns
    description: |
      Use this API to implement certification campaign functionality.
      With this functionality in place, administrators can create, customize, and manage certification campaigns for their organizations' use.
      Certification campaigns provide IdentityNow (IDN) users with an interactive review process they can use to identify and verify access to systems.
      Campaigns help organizations reduce risk of inappropriate access and satisfy audit requirements.

      A certification refers to IDN's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
      These certifications serve as a way of showing that a user's access has been reviewed and approved.
      Multiple certifications by different reviewers are often required to approve a user's access.
      A set of multiple certifications is called a certification campaign.

      For example, an organization may use a Manager Certification campaign as a way of showing that a user's access has been reviewed and approved by multiple managers.
      Once this campaign has been completed, IDN would provision all the access the user needs, nothing more.

      IDN provides two simple campaign types, Manager and Source Owner campaigns, that you can create without using any search queries in IDN:

      - Manager Campaign: IDN provides this campaign type as a way to ensure that an identity's access is certified by their managers.
        You only need to provide a name and description to create one.
      - Source Owner Campaign: IDN provides this campaign type as a way to ensure that an identity's access to a source is certified by its source owners.
        You only need to provide a name and description to create one.
        You can specify the sources whose owners you want involved or just run it across all sources.

      For more information about these campaign types, refer to [Starting a Manager or Source Owner Campaign](https://documentation.sailpoint.com/saas/help/certs/starting_campaign.html).

      One useful way to create certification campaigns in IDN is to use a specific search and then run a campaign on the results returned by that search.
      This allows you to be much more specific about whom you are certifying in your campaigns and what access you are certifying in your campaigns.
      For example, you can search for all identities who are managed by "Amanda.Ross" and also have access to the "Accounting" role and then run a certification campaign based on that search to ensure that the returned identities are appropriately certified.

      You can use IDN search queries to create these types of campaigns:

      - Identities: Use this campaign type to review and revoke access items for specific identities.
        You can either build a search query and create a campaign certifying all identities returned by that query, or you can search for individual identities and add those identities to the certification campaign.
      - Access Items: Use this campaign type to review and revoke a set of roles, access profiles, or entitlements from the identities that have them.
        You can either build a search query and create a campaign certifying all access items returned by that query, or you can search for individual access items and add those items to the certification campaign.
      - Role Composition: Use this campaign type to review a role's composition, including its title, description, and membership criteria.
        You can either build a search query and create a campaign certifying all roles returned by that query, or you can search for individual roles and add those roles to the certification campaign.
      - Uncorrelated Accounts: Use this campaign type to certify source accounts that aren't linked to an authoritative identity in IDN.
        You can use this campaign type to view all the uncorrelated accounts for a source and certify them.

      For more information about search-based campaigns, refer to [Starting a Campaign from Search](https://documentation.sailpoint.com/saas/help/certs/starting_search_campaign.html).

      Once you have generated your campaign, it becomes available for preview.
      An administrator can review the campaign and make changes, or if it's ready and accurate, activate it.

      Once the campaign is active, organization administrators or certification administrators can designate other IDN users as certification reviewers.
      Those reviewers can view any of the certifications they either need to review (active) or have already reviewed (completed).

      When a certification campaign is in progress, certification reviewers see the listed active certifications whose involved identities they can review.
      Reviewers can then make decisions to grant or revoke access, as well as reassign the certification to another reviewer.
      If the reviewer chooses this option, they must provide a reason for reassignment in the form of a comment.

      Once a reviewer has made decisions on all the certification's involved access items, he or she must "Sign Off" to complete the review process.
      Doing so converts the certification into read-only status, preventing any further changes to the review decisions and deleting the work item (task) from the reviewer's list of work items.

      Once all the reviewers have signed off, the certification campaign either completes or, if any reviewers decided to revoke access for any of the involved identities, it moves into a remediation phase.
      In the remediation phase, identities' entitlements are altered to remove any entitlements marked for revocation.
      In this situation, the certification campaign completes once all the remediation requests are completed.

      The end of a certification campaign is determined by its deadline, its completion status, or by an administrator's decision.

      For more information about certifications and certification campaigns, refer to [Certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html).
  - name: Certifications
    description: |
      Use this API to implement certification functionality.
      With this functionality in place, administrators and designated certification reviewers can review users' access certifications and decide whether to approve access, revoke it, or reassign the review to another reviewer.
      Implementing certifications improves organizations' data security by reducing inappropriate access through a distributed review process and helping them satisfy audit and regulatory requirements.

      A certification refers to IdentityNow's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
      These serve as a way of showing that a user's access has been reviewed and approved.
      Multiple certifications by different reviewers are often required to approve a user's access.
      A set of multiple certifications is called a certification campaign.
      For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
      Once this certification has been completed, IdentityNow would provision all the access the user needs, nothing more.

      Organization administrators or certification administrators can designate other IdentityNow users as certification reviewers.
      Those reviewers can select the 'Certifications' tab to view any of the certifications they either need to review or have already reviewed under the 'Active' and 'Completed' tabs, respectively.

      When a certification campaign is in progress, certification reviewers will see certifications listed under 'Active,' where they can review the involved identities.
      Under the 'Decision' column on the right, next to each access item, reviewers can select the checkmark to approve access, select the 'X' to revoke access, or they can toggle the 'More Options' menu to reassign the certification to another reviewer and provide a reason for reassignment in the form of a comment.

      Once a reviewer has made decisions on all the certification's involved access items, he or she must select 'Sign Off' to complete the review process.
      Doing so converts the certification into read-only status, preventing any further changes to the review decisions and deleting the work item (task) from the reviewer's list of work items.

      Once all the reviewers have signed off, the certification campaign either completes or, if any reviewers decided to revoke access for any of the involved identities, it moves into a remediation phase.
      In the remediation phase, identities' entitlements are altered to remove any entitlements marked for revocation.
      In this situation, the certification campaign completes once all the remediation requests are completed.

      Refer to [Certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html) for more information about certifications.
  - name: Certification Summaries
    description: |
      Use this API to implement certification summary functionality.
      With this functionality in place, administrators and designated certification reviewers can review summaries of identity certification campaigns and draw conclusions about the campaigns' scope, security, and effectiveness.
      Implementing certification summary functionality improves organizations' ability to review their [certifications](https://documentation.sailpoint.com/saas/user-help/certifications.html) and helps them satisfy audit and regulatory requirements by enabling them to trace access changes and the decisions made in their review processes.

      A certification refers to IdentityNow's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access.
      These certifications serve as a way of showing that a user's access has been reviewed and approved.
      Multiple certifications by different reviewers are often required to approve a user's access.
      A set of multiple certifications is called a certification campaign.

      For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers.
      Once this certification has been completed, IdentityNow would provision all the access the user needs, nothing more.

      Certification summaries provide information about identity certification campaigns such as the identities involved, the number of decisions made, and the access changed.
      For example, an administrator or designated certification reviewer can examine the Manager Certification campaign to get an overview of how many entitlement decisions are made in that campaign as opposed to role decisions, which identities would be affected by changes to the campaign, and how those identities' access would be affected.
  - name: Lifecycle States
    description: |
      Use this API to implement and customize lifecycle state functionality.
      With this functionality in place, administrators can create and configure custom lifecycle states for use across their organizations, which is key to controlling which users have access, when they have access, and the access they have.

      A lifecycle state describes a user's status in a company. For example, two lifecycle states come by default with IdentityNow: 'Active' and 'Inactive.'
      When an active employee takes an extended leave of absence from a company, his or her lifecycle state may change to 'Inactive,' for security purposes.
      The inactive employee would lose access to all the applications, sources, and sensitive data during the leave of absence, but when the employee returns and becomes active again, all that access would be restored.
      This saves administrators the time that would otherwise be spent provisioning the employee's access to each individual tool, reviewing the employee's certification history, etc.

      Administrators can create a variety of custom lifecycle states. Refer to [Planning New Lifecycle States](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#planning-new-lifecycle-states) for some custom lifecycle state ideas.

      Administrators must define the criteria for being in each lifecycle state, and they must define how IdentityNow manages users' access to apps and sources for each lifecycle state.

      In IdentityNow, administrators can manage lifecycle states by going to Admin > Identities > Identity Profile, selecting the identity profile whose lifecycle states they want to manage, selecting the 'Provisioning' tab, and using the left panel to either select the lifecycle state they want to modify or create a new lifecycle state.

      In the 'Provisioning' tab, administrators can make the following access changes to an identity profile's lifecycle state:

      - Enable/disable the lifecycle state for the identity profile.
      - Enable/disable source accounts for the identity profile's lifecycle state.
      - Add existing access profiles to grant to the identity profiles in that lifecycle state.
      - Create a new access profile to grant to the identity profile in that lifecycle state.

      Access profiles granted in a previous lifecycle state are automatically revoked when the identity moves to a new lifecycle state.
      To maintain access across multiple lifecycle states, administrators must grant the access profiles in each lifecycle state.
      For example, if an administrator wants users with the 'HR Employee' identity profile to maintain their building access in both the 'Active' and 'Leave of Absence' lifecycle states, the administrator must grant the access profile for that building access to both lifecycle states.

      During scheduled refreshes, IdentityNow evaluates lifecycle states to determine whether their assigned identities have the access defined in the lifecycle states' access profiles.
      If the identities are missing access, IdentityNow provisions that access.

      Administrators can also use the 'Provisioning' tab to configure email notifications for IdentityNow to send whenever an identity with that identity profile has a lifecycle state change.
      Refer to [Configuring Lifecycle State Notifications](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#configuring-lifecycle-state-notifications) for more information on how to do so.

      An identity's lifecycle state can have four different statuses: the lifecycle state's status can be 'Active,' it can be 'Not Set,' it can be 'Not Valid,' or it 'Does Not Match Technical Name Case.'
      Refer to [Moving Identities into Lifecycle States](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html#moving-identities-into-lifecycle-states) for more information about these different lifecycle state statuses.

      Refer to [Setting Up Lifecycle States](https://documentation.sailpoint.com/saas/help/provisioning/lifecycle.html) for more information about lifecycle states.
  - name: Identity Profiles
    description: |
      Use this API to implement identity profile functionality.
      With this functionality in place, administrators can view identity profiles and their configurations.

      Identity profiles represent the configurations that can be applied to identities as a way of granting them a set of security and access, as well as defining the mappings between their identity attributes and their source attributes.

      In IdentityNow, administrators can use the Identities drop-down menu and select Identity Profiles to view the list of identity profiles.
      This list shows some details about each identity profile, along with its status.
      They can select an identity profile to view its settings, its mappings between identity attributes and correlating source account attributes, and its provisioning settings.

      Refer to [Creating Identity Profiles](https://documentation.sailpoint.com/saas/help/setup/identity_profiles.html) for more information about identity profiles.
  - name: Non-Employee Lifecycle Management
    description: |
      Use this API to implement non-employee lifecycle management functionality.
      With this functionality in place, administrators can create non-employee records and configure them for use in their organizations.
      This allows organizations to provide secure access to non-employees and control that access.

      The 'non-employee' term refers to any consultant, contractor, intern, or other user in an organization who is not a full-time permanent employee.
      Organizations can track non-employees' access and activity in IdentityNow by creating and maintaining non-employee sources.
      Organizations can have a maximum of 50 non-employee sources.

      By using SailPoint's Non-Employee Lifecycle Management functionality, you agree to the following:

      - SailPoint is not responsible for storing sensitive data.
        You may only add account attributes to non-employee identities that are necessary for business operations and are consistent with your contractual limitations on data that may be sent or stored in IdentityNow.
      - You are responsible for regularly downloading your list of non-employee accounts for all the sources you create and storing this list of accounts in a managed location to maintain an authoritative system of record and backup data for these accounts.

      To manage non-employees in IdentityNow, administrators must create a non-employee source and add accounts to the source.

      To create a non-employee source in IdentityNow, administrators must use the Admin panel to go to Connections > Sources.
      They must then specify 'Non-Employee' in the 'Source Type' field.
      Refer to [Creating a Non-Employee Source](https://documentation.sailpoint.com/saas/help/common/non-employee-mgmt.html#creating-a-non-employee-source) for more details about how to create non-employee sources.

      To add accounts to a non-employee source in IdentityNow, administrators can select the non-employee source and add the accounts.
      They can also use the 'Manage Non-Employees' widget on their user dashboards to reach the list of sources and then select the non-employee source they want to add the accounts to.

      Administrators can either add accounts individually or in bulk. Each non-employee source can have a maximum of 20,000 accounts.
      To add accounts in bulk, they must select the 'Bulk Upload' option and upload a CSV file.
      Refer to [Adding Accounts](https://documentation.sailpoint.com/saas/help/common/non-employee-mgmt.html#adding-accounts) for more details about how to add accounts to non-employee sources.

      Once administrators have created the non-employee source and added accounts to it, they can create identity profiles to generate identities for the non-employee accounts and manage the non-employee identities the same way they would any other identities.

      Refer to [Managing Non-Employee Sources and Accounts](https://documentation.sailpoint.com/saas/help/common/non-employee-mgmt.html) for more information about non-employee lifecycle management.
  - name: OAuth Clients
    description: |
      Use this API to implement OAuth client functionality.
      With this functionality in place, users with the appropriate security scopes can create and configure OAuth clients to use as a way to obtain authorization to use the IdentityNow REST API.

      Refer to [Authentication](https://developer.sailpoint.com/idn/api/authentication) for more information about OAuth and how it works with the IdentityNow REST API.
  - name: Password Configuration
    description: |
      Use this API to implement organization password configuration functionality.
      With this functionality in place, organization administrators can create organization-specific password configurations.

      These configurations include details like custom password instructions, as well as digit token length and duration.

      Refer to [Configuring User Authentication for Password Resets](https://documentation.sailpoint.com/saas/help/pwd/pwd_reset.html) for more information about organization password configuration functionality.
  - name: Password Management
    description: |
      Use this API to implement password management functionality.
      With this functionality in place, users can manage their identity passwords for all their applications.

      In IdentityNow, users can select their names in the upper right corner of the page and use the drop-down menu to select Password Manager.
Password Manager lists the user's identity's applications, possibly grouped to share passwords. Users can then select 'Change Password' to update their passwords. Grouping passwords allows users to update their passwords more broadly, rather than requiring them to update each password individually. Password Manager may list the applications and sources in the following groups: - Password Group: This refers to a group of applications that share a password. For example, a user can use the same password for Google Drive, Google Mail, and YouTube. Updating the password for the password group updates the password for all its included applications. - Multi-Application Source: This refers to a source with multiple applications that share a password. For example, a user can have a source, G Suite, that includes the Google Calendar, Google Drive, and Google Mail applications. Updating the password for the multi-application source updates the password for all its included applications. - Applications: These are applications that do not share passwords with other applications. An organization may require some authentication for users to update their passwords. Users may be required to answer security questions or use a third-party authenticator before they can confirm their updates. Refer to [Managing Passwords](https://documentation.sailpoint.com/saas/user-help/accounts/passwords.html) for more information about password management. - name: Password Dictionary description: | Use this API to implement password dictionary functionality. With this functionality in place, administrators can create password dictionaries to prevent users from using certain words or characters in their passwords. A password dictionary is a list of words or characters that users are prevented from including in their passwords. This can help protect users from themselves and force them to create passwords that are not easy to break. 
A password dictionary must meet the following requirements for the API to handle it correctly: - It must be in .txt format. - All characters must be UTF-8 characters. - Each line must contain a single word or character with no spaces or whitespace characters. - It must contain at least one line other than the locale string. - Each line must not exceed 128 characters. - The file must not exceed 2500 lines. Administrators should also consider the following when they create their dictionaries: - Lines starting with a # represent comments. - All words in the password dictionary are case-insensitive. For example, adding the word "password" to the dictionary also disallows the following: PASSWORD, Password, and PassWord. - The dictionary uses substring matching. For example, adding the word "spring" to the dictionary also disallows the following: Spring124, 345SprinG, and 8spring. Users can then select 'Change Password' to update their passwords. Administrators must do the following to create a password dictionary: - Create the text file that will contain the prohibited password values. - If the dictionary is not in English, they must add a locale string to the top line: locale:`languageCode`_`countryCode` The languageCode value refers to the language's 2-letter ISO 639-1 code. The countryCode value refers to the country's 2-letter ISO 3166-1 code. Refer to this list https://docs.oracle.com/cd/E13214_01/wli/docs92/xref/xqisocodes.html to see all the available ISO 639-1 language codes and ISO 3166-1 country codes. - Upload the .txt file to IdentityNow with [Update Password Dictionary](https://developer.sailpoint.com/idn/api/v3/update-password-dictionary). Uploading a new file always overwrites the previous dictionary file.
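The requirements above can be checked locally before a file is uploaded. The Python below is an added example, not part of the IdentityNow API or SailPoint's code; `validate_dictionary`, `blocked_by`, the exemption of `#` comment lines from the whitespace rule, the requirement of at least one word entry, and the accepted letter case of the locale string are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_LINES = 2500        # "The file must not exceed 2500 lines."
MAX_LINE_LENGTH = 128   # "Each line must not exceed 128 characters."
# Assumption: two letters each, in either case (the page gives only the shape).
LOCALE_LINE = re.compile(r"^locale:([A-Za-z]{2}_[A-Za-z]{2})$")


@dataclass
class DictionaryReport:
    locale: Optional[str] = None
    words: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_dictionary(filename: str, raw: bytes) -> DictionaryReport:
    """Check a candidate dictionary file against the documented requirements."""
    report = DictionaryReport()
    if not filename.lower().endswith(".txt"):
        report.errors.append("file must be in .txt format")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        report.errors.append(f"not valid UTF-8 (byte offset {exc.start})")
        return report

    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        report.errors.append(f"{len(lines)} lines, limit is {MAX_LINES}")

    for number, line in enumerate(lines, start=1):
        if len(line) > MAX_LINE_LENGTH:
            report.errors.append(f"line {number}: longer than {MAX_LINE_LENGTH} characters")
            continue
        # The locale string is only recognised on the top line.
        if number == 1 and line.startswith("locale:"):
            match = LOCALE_LINE.match(line)
            if match:
                report.locale = match.group(1)
            else:
                report.errors.append("line 1: locale must look like locale:en_US")
            continue
        # Assumption: comment lines may contain spaces and are not entries.
        if line.startswith("#"):
            continue
        if not line or any(ch.isspace() for ch in line):
            report.errors.append(f"line {number}: must be a single word with no whitespace")
            continue
        report.words.append(line)

    # Assumption: the "at least one line" rule means at least one word entry.
    if not report.words:
        report.errors.append("no entries besides the locale string or comments")
    return report


def blocked_by(password: str, words: List[str]) -> List[str]:
    """Return the entries that would reject this password.

    Mirrors the documented behaviour: case-insensitive substring matching.
    How the service folds case for non-ASCII text is not stated on the page;
    str.casefold() is used here as an approximation.
    """
    lowered = password.casefold()
    return [word for word in words if word.casefold() in lowered]


# Constructed sample file, not a real dictionary.
SAMPLE_DICTIONARY = (
    "locale:en_US\n"
    "# seasonal words and obvious choices\n"
    "spring\n"
    "password\n"
    "two words\n"
).encode("utf-8")

if __name__ == "__main__":
    result = validate_dictionary("blocked.txt", SAMPLE_DICTIONARY)
    print("locale:", result.locale)
    print("entries:", result.words)
    for problem in result.errors:
        print("error:", problem)
    for candidate in ("345SprinG", "PassWord", "Tr0ub4dor&3"):
        print(candidate, "->", blocked_by(candidate, result.words) or "allowed")
```

Because matching is by substring, short entries reject far more passwords than they appear to; running `blocked_by` over a set of acceptable test passwords before upload shows whether an entry is too broad.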
Administrators can then specify which password policies check new passwords against the password dictionary by doing the following: In the Admin panel, they can use the Password Mgmt dropdown menu to select Policies, select the policy, and select the 'Prevent use of words in this site's password dictionary' checkbox beside it. Refer to [Configuring Advanced Password Management Options](https://documentation.sailpoint.com/saas/help/pwd/adv_config.html) for more information about password dictionaries. - name: Password Sync Groups description: | Use this API to implement password sync group functionality. With this functionality in place, administrators can group sources into password sync groups so that all their applications share the same password. This allows users to update the password for all the applications in a sync group if they want, rather than updating each password individually. A password sync group is a group of applications that shares a password. Administrators create these groups by grouping the applications' sources. For example, an administrator can group the ActiveDirectory, GitHub, and G Suite sources together so that all those sources' applications can also be grouped to share a password. A user can then update his or her password for ActiveDirectory, GitHub, Gmail, Google Drive, and Google Calendar all at once, rather than updating each one individually. The following are required for administrators to create a password sync group in IdentityNow: - At least two direct connect sources connected to IdentityNow and configured for Password Management. - Each authentication source in a sync group must have at least one application. Refer to [Adding and Resetting Application Passwords](https://documentation.sailpoint.com/saas/help/pwd/adv_config.html#adding-and-resetting-application-passwords) for more information about adding applications to sources. - At least one password policy.
Refer to [Managing Password Policies](https://documentation.sailpoint.com/saas/help/pwd/policies.html) for more information about password policies. In the Admin panel in IdentityNow, administrators can use the Password Mgmt dropdown menu to select Sync Groups. To create a sync group, administrators must provide a name, choose a password policy to be enforced across the sources in the sync group, and select the sources to include in the sync group. Administrators can also delete sync groups in IdentityNow, but they should know the following before they do: - Passwords related to the associated sources will become independent, so changing one will not change the others anymore. - Passwords for the sources' connected applications will also become independent. - Password policies assigned to the sync group are then assigned directly to the associated sources. To change the password policy for a source, administrators must edit it directly. Once the password sync group has been created, users can update the password for the group in Password Manager. Refer to [Managing Password Sync Groups](https://documentation.sailpoint.com/saas/help/pwd/sync_grps.html) for more information about password sync groups. - name: Personal Access Tokens description: | Use this API to implement personal access token (PAT) functionality. With this functionality in place, users can use PATs as an alternative to passwords for authentication in IdentityNow. PATs embed user information into the client ID and secret. This replaces the API clients' need to store and provide a username and password to establish a connection, improving IdentityNow organizations' integration security. In IdentityNow, users can do the following to create and manage their PATs: Select the dropdown menu under their names, select Preferences, and then select Personal Access Tokens. They must then provide a description about the token's purpose. 
They can then select 'Create Token' at the bottom of the page to generate and view the Secret and Client ID. Refer to [Managing Personal Access Tokens](https://documentation.sailpoint.com/saas/help/common/generate_tokens.html) for more information about PATs. - name: Public Identities description: | Use this API in conjunction with [Public Identities Config](https://developer.sailpoint.com/idn/api/v3/public-identities-config) to enable non-administrators to view identities' publicly visible attributes. With this functionality in place, non-administrators can view identity attributes other than the default attributes (email, lifecycle state, and manager), depending on which identity attributes their organization administrators have made public. This can be helpful for access approvers, certification reviewers, managers viewing their direct reports' access, and source owners viewing their tasks. - name: Public Identities Config description: | Use this API to implement public identity configuration functionality. With this functionality in place, administrators can make up to 5 identity attributes publicly visible so other non-administrator users can see the relevant information they need to make decisions. This can be helpful for approvers making approvals, certification reviewers, managers viewing their direct reports' access, and source owners viewing their tasks. By default, non-administrators can select an identity and view the following attributes: email, lifecycle state, and manager. However, it may be helpful for a non-administrator reviewer to see other identity attributes like department, region, title, etc. Administrators can use this API to make those necessary identity attributes public to non-administrators.
For example, a non-administrator deciding whether to approve another identity's request for access to the Workday application, whose access may be restricted to members of the HR department, would want to know whether the identity is a member of the HR department. If an administrator has used [Update Public Identity Config](https://developer.sailpoint.com/idn/api/v3/update-public-identity-config) to make the "department" attribute public, the approver can see the department and make a decision without requesting any more information. - name: Requestable Objects description: | Use this API to implement requestable object functionality. With this functionality in place, administrators can determine which access items can be requested with the [Access Request APIs](https://developer.sailpoint.com/idn/api/v3/access-requests), along with their statuses. This can be helpful for administrators who are implementing and customizing access request functionality as a way of checking which items are requestable as they are created, assigned, and made available. - name: Roles description: | Use this API to implement and customize role functionality. With this functionality in place, administrators can create roles and configure them for use throughout IdentityNow. IdentityNow can use established criteria to automatically assign the roles to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks. Entitlements represent the most granular level of access in IdentityNow. Access profiles represent the next level and often group entitlements. Roles represent the broadest level of access and often group access profiles. For example, an Active Directory source in IdentityNow can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization. 
An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement. An administrator can then create an even broader set of access in the form of a role grouping the 'AD Developers' access profile with another profile, 'GitHub Developers,' grouping entitlements for the GitHub source. When users only need Active Directory employee access, they can request access to the 'Employees' entitlement. When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile. When users need both the 'AD Developers' access profile and the 'GitHub Developers' access profile, they can request access to the role grouping both. Roles often represent positions within organizations. For example, an organization's accountant can access all the tools the organization's accountants need with the 'Accountant' role. If the accountant switches to engineering, a qualified member of the organization can quickly revoke the accountant's 'Accountant' access and grant access to the 'Engineer' role instead, granting access to all the tools the organization's engineers need. In IdentityNow, administrators can use the Access drop-down menu and select Roles to view, configure, and delete existing roles, as well as create new ones. Administrators can enable and disable the role, and they can also make the following configurations: - Manage Access: Manage the role's access by adding or removing access profiles. - Define Assignment: Define the criteria IdentityNow uses to assign the role to identities. Use the first option, 'Standard Criteria,' to provide specific criteria for assignment like specific account attributes, entitlements, or identity attributes. Use the second, 'Identity List,' to specify the identities for assignment.
- Access Requests: Configure roles to be requestable and establish an approval process for any requests that the role be granted or revoked. Do not configure a role to be requestable without establishing a secure access request approval process for that role first. Refer to [Working with Roles](https://documentation.sailpoint.com/saas/help/provisioning/roles.html) for more information about roles. - name: Saved Search description: | Use this API to implement saved search functionality. With saved search functionality in place, users can save search queries and then view those saved searches, as well as rerun them. Search queries in IdentityNow can grow very long and specific, which can make reconstructing them difficult or tedious, so it can be especially helpful to save search queries. It also opens the possibility to configure IdentityNow to run the saved queries on a schedule, which is essential to detecting user information and access changes throughout an organization's tenant and across all its sources. Refer to [Scheduled Search](https://developer.sailpoint.com/idn/api/v3/scheduled-search) for more information about running saved searches on a schedule. In IdentityNow, users can save searches under a name, and then they can access that saved search and run it again when they want. Refer to [Managing Saved Searches](https://documentation.sailpoint.com/saas/help/search/saved-searches.html) for more information about saving searches and using them. - name: Scheduled Search description: | Use this API to implement scheduled search functionality. With scheduled search functionality in place, users can run saved search queries on their tenants on a schedule, and IdentityNow emails them the search results. Users can also share these search results with other users by email by adding those users as subscribers, or those users can subscribe themselves. One of the greatest benefits of saving searches is the ability to run those searches on a schedule. 
This is essential for organizations to constantly detect any changes to user information or access throughout their tenants and across all their sources. For example, the manager Amanda Ross can schedule a saved search "manager.name:amanda.ross AND attributes.location:austin" on a schedule to regularly stay aware of changes with the Austin employees reporting to her. IdentityNow emails her the search results when the search runs, so she can work on other tasks instead of actively running this search. In IdentityNow, scheduling a search involves a subscription. Users can create a subscription for a saved search and schedule it to run daily, weekly, or monthly (you can only use one schedule option at a time). The user can add other identities as subscribers so when the scheduled search runs, the subscribers and the user all receive emails. By default, subscriptions exclude detailed results from the emails, for security purposes. Including detailed results about user access in an email may expose sensitive information. However, the subscription creator can choose to include the information in the emails. By default, IdentityNow sends emails to the subscribers even when the searches do not return new results. However, the subscription creator can choose to suppress these empty emails. Users can also subscribe to saved searches that already have existing subscriptions so they receive emails when the searches run. A saved search can have up to 10 subscriptions configured at a time. The subscription creator can enable, disable, or delete the subscription. Refer to [Subscribing to Saved Searches](https://documentation.sailpoint.com/saas/help/search/saved-searches.html#subscribing-to-saved-searches) for more information about scheduling searches and subscribing to them. - name: Search description: | Use this API to implement search functionality. 
With search functionality in place, users can search their tenants for nearly any information from throughout their organizations. IdentityNow enables organizations to store user data from across all their connected sources and manage the users' access, so the ability to query and filter that data is essential. Its search goes through all those sources and finds the results quickly and specifically. The search query is flexible - it can be very broad or very narrow. The search only returns results for searchable objects it is filtering for. The following objects are searchable: identities, roles, access profiles, entitlements, events, and account activities. By default, no filter is applied, so a search for "Ad" returns both the identity "Adam.Archer" as well as the role "Administrator." Users can further narrow their results by using IdentityNow's specific syntax and punctuation to structure their queries. For example, the query "attributes.location:austin AND NOT manager.name:amanda.ross" returns all results associated with the Austin location, but it excludes those associated with the manager Amanda Ross. Refer to [Building a Search Query](https://documentation.sailpoint.com/saas/help/search/building-query.html) for more information about how to construct specific search queries. Refer to [Using Search](https://documentation.sailpoint.com/saas/help/search/index.html) for more information about IdentityNow's search and its different possibilities. The search feature uses Elasticsearch as a datastore and query engine. The power of Elasticsearch makes this feature suitable for ad-hoc reporting. However, data from the operational databases (ex. identities, roles, events, etc) has to be ingested into Elasticsearch. This ingestion process introduces a latency from when the operational data is created to when it is available in search. Depending on the system load, this can take a few seconds to a few minutes. Please keep this latency in mind when you use search. 
- name: Segments - name: Service Desk Integration description: | Use this API to build an integration between IdentityNow and a service desk ITSM (IT service management) solution. Once an administrator builds this integration between IdentityNow and a service desk, users can use IdentityNow to raise and track tickets that are synchronized between IdentityNow and the service desk. In IdentityNow, administrators can create a service desk integration (sometimes also called an SDIM, or Service Desk Integration Module) by going to Admin > Connections > Service Desk and selecting 'Create.' To create a Generic Service Desk integration, for example, administrators must provide the required information on the General Settings page, the Connectivity and Authentication information, Ticket Creation information, Status Mapping information, and Requester Source information on the Configure page. Refer to [Integrating SailPoint with Generic Service Desk](https://documentation.sailpoint.com/connectors/generic_sd/help/integrating_generic_service_desk/intro.html) for more information about the process of setting up a Generic Service Desk in IdentityNow. Administrators can create various service desk integrations, all with their own nuances. 
The following service desk integrations are available: - [Atlassian Cloud Jira Service Management](https://documentation.sailpoint.com/connectors/atlassian/jira_cloud/help/integrating_jira_cloud_sd/introduction.html) - [Atlassian Server Jira Service Management](https://documentation.sailpoint.com/connectors/atlassian/jira_server/help/integrating_jira_server_sd/introduction.html) - [BMC Helix ITSM Service Desk](https://documentation.sailpoint.com/connectors/bmc/helix_ITSM_sd/help/integrating_bmc_helix_itsm_sd/intro.html) - [BMC Helix Remedyforce Service Desk](https://documentation.sailpoint.com/connectors/bmc/helix_remedyforce_sd/help/integrating_bmc_helix_remedyforce_sd/intro.html) - [Generic Service Desk](https://documentation.sailpoint.com/connectors/generic_sd/help/integrating_generic_service_desk/intro.html) - [ServiceNow Service Desk](https://documentation.sailpoint.com/connectors/servicenow/sdim/help/integrating_servicenow_sdim/intro.html) - [Zendesk Service Desk](https://documentation.sailpoint.com/connectors/zendesk/help/integrating_zendesk_sd/introduction.html) - name: SOD Policy description: Operations for Creating & Executing SOD (Separation of Duties) policies - name: SOD Violations description: Operations for Predicting SOD (Separation of Duties) violations - name: Sources description: | Use this API to implement and customize source functionality. With source functionality in place, organizations can use IdentityNow to connect their various sources and user data sets and manage access across all those different sources in a secure, scalable way. [Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) refer to the IdentityNow representations for external applications, databases, and directory management systems that maintain their own sets of users, like Dropbox, GitHub, and Workday, for example.
Organizations may use hundreds, if not thousands, of different source systems, and any one employee within an organization likely has a different user record on each source, often with different permissions on many of those records. Connecting these sources to IdentityNow makes it possible to manage user access across them all. Then, if a new hire starts at an organization, IdentityNow can grant the new hire access to all the sources they need. If an employee moves to a new department and needs access to new sources but no longer needs access to others, IdentityNow can grant the necessary access and revoke the unnecessary access for all the employee's various sources. If an employee leaves the company, IdentityNow can revoke access to all the employee's various source accounts immediately. These are just a few examples of the many ways that source functionality makes identity governance easier, more efficient, and more secure. In IdentityNow, administrators can create, configure, manage, and edit sources, and they can designate other users as source admins to be able to do so. They can also designate users as source sub-admins, who can perform the same source actions but only on sources associated with their governance groups. Admins go to Connections > Sources to see a list of the existing source representations in their organizations. They can create new sources or select existing ones. To create a new source, the following must be specified: Source Name, Description, Source Owner, and Connection Type. Refer to [Configuring a Source](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html#configuring-a-source) for more information about the source configuration process. IdentityNow connects with its sources either by a direct communication with the source server (connection information specific to the source must be provided) or a flat file feed, a CSV file containing all the relevant information about the accounts to be loaded in.
Different sources use different connectors to share data with IdentityNow, and each connector's setup process is specific to that connector. SailPoint has built a number of connectors to come out of the box and connect to the most common sources, and SailPoint actively maintains these connectors. Refer to [IdentityNow Connectors](https://documentation.sailpoint.com/connectors/identitynow/landingpages/help/landingpages/identitynow_connectivity_landing.html) for more information about these SailPoint supported connectors. Refer to the following links for more information about two useful connectors: - [JDBC Connector](https://documentation.sailpoint.com/connectors/jdbc/help/integrating_jdbc/introduction.html): This customizable connector can directly connect to databases that support JDBC (Java Database Connectivity). - [Web Services Connector](https://documentation.sailpoint.com/connectors/webservices/help/integrating_webservices/introduction.html): This connector can directly connect to databases that support Web Services. Refer to [SaaS Connectivity](https://developer.sailpoint.com/idn/docs/saas-connectivity) for more information about SailPoint's new connectivity framework that makes it easy to build and manage custom connectors to SaaS sources. When admins select existing sources, they can view the following information about the source: - Associated connections (any associated identity profiles, apps, or references to the source in a transform). - Associated user accounts. These accounts are linked to their identities - this provides a more complete picture of each user's access across sources. - Associated entitlements (sets of access rights on sources). - Associated access profiles (groupings of entitlements). The user account data and the entitlements update with each data aggregation from the source.
Organizations generally run scheduled, automated data aggregations to ensure that their data is always in sync between their sources and their IdentityNow tenants so an access change on a source is detected quickly in IdentityNow. Admins can view a history of these aggregations, and they can also run manual imports. Refer to [Loading Account Data](https://documentation.sailpoint.com/saas/help/accounts/loading_data.html) for more information about manual and scheduled aggregations. Admins can also make changes to determine which user account data IdentityNow collects from the source and how it correlates that account data with identity data. To define which account attributes the source shares with IdentityNow, admins can edit the account schema on the source. Refer to [Managing Source Account Schemas](https://documentation.sailpoint.com/saas/help/accounts/schema.html) for more information about source account schemas and how to edit them. To define the mapping between the source account attributes and their correlating identity attributes, admins can edit the correlation configuration on the source. Refer to [Assigning Source Accounts to Identities](https://documentation.sailpoint.com/saas/help/accounts/correlation.html) for more information about this correlation process between source accounts and identities. Admins can also delete sources, but they must first ensure that the sources no longer have any active connections: the source must not be associated with any identity profile or any app, and it must not be referenced by any transform. Refer to [Deleting Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html#deleting-sources) for more information about deleting sources. Well-organized, mapped-out connections between sources and IdentityNow are essential to achieving comprehensive identity access governance across all the source systems organizations need.
Refer to [Managing Sources](https://documentation.sailpoint.com/saas/help/sources/managing_sources.html) for more information about all the different things admins can do with sources once they are connected. - name: Tagged Objects - name: Transforms description: | The purpose of this API is to expose functionality for the manipulation of Transform objects. Transforms are a form of configurable objects which define an easy way to manipulate attribute data without having to write code. These endpoints don't require API calls to other resources; the audit service is used to keep track of which users have made changes to the Transforms. Refer to [Transforms](https://developer.sailpoint.com/idn/docs/transforms) for more information about transforms. - name: Work Items description: | Use this API to implement work item functionality. With this functionality in place, users can manage their work items (tasks). Work items refer to the tasks users see in IdentityNow's Task Manager. They can see the pending work items they need to complete, as well as the work items they have already completed. Task Manager lists the work items along with the involved sources, identities, accounts, and the timestamp when the work item was created. For example, a user may see a pending 'Create an Account' work item for the identity Fred.Astaire in GitHub for Fred's GitHub account, fred-astaire-sp. Once the user completes the work item, the work item will be listed with his or her other completed work items. To complete work items, users can use their dashboards and select the 'My Tasks' widget. The widget will list any work items they need to complete, and they can select the work item from the list to review its details. When they complete the work item, they can select 'Mark Complete' to add it to their list of completed work items.
Refer to [Task Manager](https://documentation.sailpoint.com/saas/user-help/task_manager.html) for more information about work items, including the different types of work items users may need to complete. paths: /access-profiles: get: operationId: listAccessProfiles tags: - Access Profiles summary: List Access Profiles description: |- This API returns a list of Access Profiles. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. parameters: - in: query name: for-subadmin schema: type: string description: |- If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN or SOURCE_SUBADMIN Identity. The value of the parameter is either an Identity ID, or the special value **me**, which is shorthand for the calling Identity's ID. A 400 Bad Request error is returned if the **for-subadmin** parameter is specified for an Identity that is not a subadmin. example: 8c190e6787aa4ed9a90bd9d5344523fb required: false - in: query name: limit description: |- Note that for this API the maximum value for limit is 50. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 50 schema: type: integer format: int32 minimum: 0 maximum: 50 default: 50 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. 
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: true schema: type: boolean default: false - in: query name: filters schema: type: string description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **name**: *eq, sw* **created, modified**: *gt, lt, ge, le* **owner.id**: *eq, in* **requestable**: *eq* **source.id**: *eq, in* example: name eq "SailPoint Support" required: false - in: query name: sorters schema: type: string format: comma-separated description: |- Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **name, created, modified** example: 'name,-modified' required: false - in: query name: for-segment-ids schema: type: string format: comma-separated description: |- If present and not empty, additionally filters Access Profiles to those which are assigned to the Segment(s) with the specified IDs. If segmentation is currently unavailable, specifying this parameter results in an error. example: '0b5c9f25-83c6-4762-9073-e38f7bb2ae26,2e8d8180-24bc-4d21-91c6-7affdb473b0d' required: false - in: query name: include-unsegmented schema: type: boolean default: true description: 'Whether or not the response list should contain unsegmented Access Profiles. If *for-segment-ids* is absent or empty, specifying *include-unsegmented* as false results in an error.' 
example: false required: false responses: '200': description: List of Access Profiles content: application/json: schema: type: array items: type: object properties: id: type: string description: The ID of the Access Profile example: 2c91808a7190d06e01719938fcd20792 readOnly: true name: type: string description: Name of the Access Profile example: Employee-database-read-write description: type: string nullable: true description: Information about the Access Profile example: Collection of entitlements to read/write the employee database created: type: string description: Date the Access Profile was created format: date-time example: '2021-03-01T22:32:58.104Z' readOnly: true modified: type: string description: Date the Access Profile was last modified. format: date-time example: '2021-03-02T20:22:28.104Z' readOnly: true enabled: type: boolean description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement. example: true owner: description: Owner of the Access Profile type: object properties: type: description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.' example: IDENTITY type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY id: type: string description: Identity id example: 2c9180a46faadee4016fb4e018c20639 name: type: string description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.' 
example: support source: type: object properties: id: type: string description: The ID of the Source with which the Access Profile is associated example: 2c91809773dee3610173fdb0b6061ef4 type: type: string enum: - SOURCE description: 'The type of the Source, will always be SOURCE' example: SOURCE name: type: string description: The display name of the associated Source example: ODS-AD-SOURCE entitlements: type: array description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement. items: type: object properties: id: type: string description: The ID of the Entitlement example: 2c91809773dee32014e13e122092014e type: type: string enum: - ENTITLEMENT description: 'The type of the Entitlement, will always be ENTITLEMENT' example: ENTITLEMENT name: type: string description: The display name of the Entitlement example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local' requestable: type: boolean description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.' 
example: true accessRequestConfig: nullable: true description: Access request configuration for this object type: object properties: commentsRequired: type: boolean description: Whether the requester of the containing object must provide comments justifying the request example: true denialCommentsRequired: type: boolean description: Whether an approver must provide comments when denying the request example: true approvalSchemes: type: array description: List describing the steps in approving the request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. **APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 revocationRequestConfig: nullable: true description: Revocation request configuration for this object. type: object properties: approvalSchemes: type: array description: List describing the steps in approving the revocation request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. 
**APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 segments: type: array nullable: true items: type: string description: 'List of IDs of segments, if any, to which this Access Profile is assigned.' example: - f7b1b8a3-5fed-4fd4-ad29-82014e137e19 - 29cb6c06-1da8-43ea-8be4-b3125f248f2a provisioningCriteria: description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.' nullable: true example: operation: OR children: - operation: AND children: - attribute: dn operation: CONTAINS value: useast - attribute: manager operation: CONTAINS value: Scott.Clark - operation: AND children: - attribute: dn operation: EQUALS value: Gibson - attribute: telephoneNumber operation: CONTAINS value: '512' type: object properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. 
If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' 
example: carlee.cert1c9f9b6fd@mailinator.com nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null required: - owner - name - source '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
security: - oauth2: - 'idn:access-profile:read' post: operationId: createAccessProfile tags: - Access Profiles summary: Create an Access Profile description: |- This API creates an Access Profile. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. In addition, a token with only ROLE_SUBADMIN or SOURCE_SUBADMIN authority must be associated with the Access Profile's Source. The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing access profiles, however, any new access profiles as well as any updates to existing descriptions will be limited to 2000 characters. requestBody: required: true content: application/json: schema: type: object properties: id: type: string description: The ID of the Access Profile example: 2c91808a7190d06e01719938fcd20792 readOnly: true name: type: string description: Name of the Access Profile example: Employee-database-read-write description: type: string nullable: true description: Information about the Access Profile example: Collection of entitlements to read/write the employee database created: type: string description: Date the Access Profile was created format: date-time example: '2021-03-01T22:32:58.104Z' readOnly: true modified: type: string description: Date the Access Profile was last modified. format: date-time example: '2021-03-02T20:22:28.104Z' readOnly: true enabled: type: boolean description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement. example: true owner: description: Owner of the Access Profile type: object properties: type: description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.' 
example: IDENTITY type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY id: type: string description: Identity id example: 2c9180a46faadee4016fb4e018c20639 name: type: string description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.' example: support source: type: object properties: id: type: string description: The ID of the Source with which the Access Profile is associated example: 2c91809773dee3610173fdb0b6061ef4 type: type: string enum: - SOURCE description: 'The type of the Source, will always be SOURCE' example: SOURCE name: type: string description: The display name of the associated Source example: ODS-AD-SOURCE entitlements: type: array description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement. items: type: object properties: id: type: string description: The ID of the Entitlement example: 2c91809773dee32014e13e122092014e type: type: string enum: - ENTITLEMENT description: 'The type of the Entitlement, will always be ENTITLEMENT' example: ENTITLEMENT name: type: string description: The display name of the Entitlement example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local' requestable: type: boolean description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. 
Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.' example: true accessRequestConfig: nullable: true description: Access request configuration for this object type: object properties: commentsRequired: type: boolean description: Whether the requester of the containing object must provide comments justifying the request example: true denialCommentsRequired: type: boolean description: Whether an approver must provide comments when denying the request example: true approvalSchemes: type: array description: List describing the steps in approving the request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. **APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 revocationRequestConfig: nullable: true description: Revocation request configuration for this object. type: object properties: approvalSchemes: type: array description: List describing the steps in approving the revocation request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. 
**APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 segments: type: array nullable: true items: type: string description: 'List of IDs of segments, if any, to which this Access Profile is assigned.' example: - f7b1b8a3-5fed-4fd4-ad29-82014e137e19 - 29cb6c06-1da8-43ea-8be4-b3125f248f2a provisioningCriteria: description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.' nullable: true example: operation: OR children: - operation: AND children: - attribute: dn operation: CONTAINS value: useast - attribute: manager operation: CONTAINS value: Scott.Clark - operation: AND children: - attribute: dn operation: EQUALS value: Gibson - attribute: telephoneNumber operation: CONTAINS value: '512' type: object properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. 
If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' 
example: carlee.cert1c9f9b6fd@mailinator.com nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null required: - owner - name - source responses: '201': description: Access Profile created content: application/json: schema: type: object properties: id: type: string description: The ID of the Access Profile example: 2c91808a7190d06e01719938fcd20792 readOnly: true name: type: string description: Name of the Access Profile example: Employee-database-read-write description: type: string nullable: true description: Information about the Access Profile example: Collection of entitlements to read/write the employee database created: type: string description: Date the Access Profile was created format: date-time example: '2021-03-01T22:32:58.104Z' readOnly: true modified: type: string description: Date the Access Profile was last modified. format: date-time example: '2021-03-02T20:22:28.104Z' readOnly: true enabled: type: boolean description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement. example: true owner: description: Owner of the Access Profile type: object properties: type: description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.' 
example: IDENTITY type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY id: type: string description: Identity id example: 2c9180a46faadee4016fb4e018c20639 name: type: string description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.' example: support source: type: object properties: id: type: string description: The ID of the Source with which the Access Profile is associated example: 2c91809773dee3610173fdb0b6061ef4 type: type: string enum: - SOURCE description: 'The type of the Source, will always be SOURCE' example: SOURCE name: type: string description: The display name of the associated Source example: ODS-AD-SOURCE entitlements: type: array description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement. items: type: object properties: id: type: string description: The ID of the Entitlement example: 2c91809773dee32014e13e122092014e type: type: string enum: - ENTITLEMENT description: 'The type of the Entitlement, will always be ENTITLEMENT' example: ENTITLEMENT name: type: string description: The display name of the Entitlement example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local' requestable: type: boolean description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. 
Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.' example: true accessRequestConfig: nullable: true description: Access request configuration for this object type: object properties: commentsRequired: type: boolean description: Whether the requester of the containing object must provide comments justifying the request example: true denialCommentsRequired: type: boolean description: Whether an approver must provide comments when denying the request example: true approvalSchemes: type: array description: List describing the steps in approving the request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. **APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 revocationRequestConfig: nullable: true description: Revocation request configuration for this object. type: object properties: approvalSchemes: type: array description: List describing the steps in approving the revocation request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. 
**APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 segments: type: array nullable: true items: type: string description: 'List of IDs of segments, if any, to which this Access Profile is assigned.' example: - f7b1b8a3-5fed-4fd4-ad29-82014e137e19 - 29cb6c06-1da8-43ea-8be4-b3125f248f2a provisioningCriteria: description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.' nullable: true example: operation: OR children: - operation: AND children: - attribute: dn operation: CONTAINS value: useast - attribute: manager operation: CONTAINS value: Scott.Clark - operation: AND children: - attribute: dn operation: EQUALS value: Gibson - attribute: telephoneNumber operation: CONTAINS value: '512' type: object properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. 
If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' 
example: carlee.cert1c9f9b6fd@mailinator.com nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null required: - owner - name - source '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
security: - oauth2: - 'idn:access-profile:manage' '/access-profiles/{id}': get: operationId: getAccessProfile tags: - Access Profiles summary: Get an Access Profile description: |- This API returns an Access Profile by its ID. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. parameters: - in: path name: id required: true schema: type: string description: ID of the Access Profile example: 2c9180837ca6693d017ca8d097500149 responses: '200': description: An AccessProfile content: application/json: schema: type: object properties: id: type: string description: The ID of the Access Profile example: 2c91808a7190d06e01719938fcd20792 readOnly: true name: type: string description: Name of the Access Profile example: Employee-database-read-write description: type: string nullable: true description: Information about the Access Profile example: Collection of entitlements to read/write the employee database created: type: string description: Date the Access Profile was created format: date-time example: '2021-03-01T22:32:58.104Z' readOnly: true modified: type: string description: Date the Access Profile was last modified. format: date-time example: '2021-03-02T20:22:28.104Z' readOnly: true enabled: type: boolean description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement. example: true owner: description: Owner of the Access Profile type: object properties: type: description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.' 
example: IDENTITY type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY id: type: string description: Identity id example: 2c9180a46faadee4016fb4e018c20639 name: type: string description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.' example: support source: type: object properties: id: type: string description: The ID of the Source with which the Access Profile is associated example: 2c91809773dee3610173fdb0b6061ef4 type: type: string enum: - SOURCE description: 'The type of the Source, will always be SOURCE' example: SOURCE name: type: string description: The display name of the associated Source example: ODS-AD-SOURCE entitlements: type: array description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement. items: type: object properties: id: type: string description: The ID of the Entitlement example: 2c91809773dee32014e13e122092014e type: type: string enum: - ENTITLEMENT description: 'The type of the Entitlement, will always be ENTITLEMENT' example: ENTITLEMENT name: type: string description: The display name of the Entitlement example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local' requestable: type: boolean description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. 
Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.' example: true accessRequestConfig: nullable: true description: Access request configuration for this object type: object properties: commentsRequired: type: boolean description: Whether the requester of the containing object must provide comments justifying the request example: true denialCommentsRequired: type: boolean description: Whether an approver must provide comments when denying the request example: true approvalSchemes: type: array description: List describing the steps in approving the request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. **APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 revocationRequestConfig: nullable: true description: Revocation request configuration for this object. type: object properties: approvalSchemes: type: array description: List describing the steps in approving the revocation request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. 
**APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 segments: type: array nullable: true items: type: string description: 'List of IDs of segments, if any, to which this Access Profile is assigned.' example: - f7b1b8a3-5fed-4fd4-ad29-82014e137e19 - 29cb6c06-1da8-43ea-8be4-b3125f248f2a provisioningCriteria: description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.' nullable: true example: operation: OR children: - operation: AND children: - attribute: dn operation: CONTAINS value: useast - attribute: manager operation: CONTAINS value: Scott.Clark - operation: AND children: - attribute: dn operation: EQUALS value: Gibson - attribute: telephoneNumber operation: CONTAINS value: '512' type: object properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. 
If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' 
example: carlee.cert1c9f9b6fd@mailinator.com nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null required: - owner - name - source '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
security: - oauth2: - 'idn:access-profile:read' patch: operationId: patchAccessProfile tags: - Access Profiles summary: Patch a specified Access Profile description: |- This API updates an existing Access Profile. The following fields are patchable: **name**, **description**, **enabled**, **owner**, **requestable**, **accessRequestConfig**, **revokeRequestConfig**, **segments**, **entitlements**, **provisioningCriteria** A token with API, ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. In addition, a SOURCE_SUBADMIN may only use this API to patch Access Profiles which are associated with Sources they are able to administer. > The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing access profiles; however, any new access profiles, as well as any updates to existing descriptions, will be limited to 2000 characters. > You can only add or replace **entitlements** that exist on the source that the access profile is attached to. You can use the **list entitlements** endpoint with the **filters** query parameter to get a list of available entitlements on the access profile's source. > Patching the value of the **requestable** field is only supported for customers enabled with the new Request Center. Otherwise, attempting to modify this field results in a 400 error. 
parameters: - name: id in: path description: ID of the Access Profile to patch required: true schema: type: string example: 2c91808a7813090a017814121919ecca requestBody: content: application/json-patch+json: schema: type: array items: type: object description: 'A JSONPatch Operation as defined by [RFC 6902 - JSON Patch](https://tools.ietf.org/html/rfc6902)' required: - op - path properties: op: type: string description: The operation to be performed enum: - add - remove - replace - move - copy - test example: replace path: type: string description: A string JSON Pointer representing the target path to an element to be affected by the operation example: /description value: anyOf: - type: string - type: integer - type: object - type: array items: anyOf: - type: string - type: integer - type: object description: 'The value to be used for the operation, required for "add" and "replace" operations' example: New description examples: Add Entitlements: description: Add one or more entitlements to the end of the list value: - op: add path: /entitlements value: - id: 2c9180857725c14301772a93bb77242d type: ENTITLEMENT name: AD User Group Insert Entitlement: description: Add an entitlement at the beginning of the entitlement list value: - op: add path: /entitlements/0 value: id: 2c9180857725c14301772a93bb77242d type: ENTITLEMENT name: AD User Group Replace Entitlements: description: Replace all entitlements with a new list of entitlements value: - op: replace path: /entitlements value: - id: 2c9180857725c14301772a93bb77242d type: ENTITLEMENT name: AD User Group Remove Entitlement: description: Remove the first entitlement in the list value: - op: remove path: /entitlements/0 required: true responses: '200': description: Responds with the Access Profile as updated. 
content: application/json: schema: type: object properties: id: type: string description: The ID of the Access Profile example: 2c91808a7190d06e01719938fcd20792 readOnly: true name: type: string description: Name of the Access Profile example: Employee-database-read-write description: type: string nullable: true description: Information about the Access Profile example: Collection of entitlements to read/write the employee database created: type: string description: Date the Access Profile was created format: date-time example: '2021-03-01T22:32:58.104Z' readOnly: true modified: type: string description: Date the Access Profile was last modified. format: date-time example: '2021-03-02T20:22:28.104Z' readOnly: true enabled: type: boolean description: Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement. example: true owner: description: Owner of the Access Profile type: object properties: type: description: 'Owner type. This field must be either left null or set to ''IDENTITY'' on input, otherwise a 400 Bad Request error will result.' example: IDENTITY type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY id: type: string description: Identity id example: 2c9180a46faadee4016fb4e018c20639 name: type: string description: 'Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner''s display name, otherwise a 400 Bad Request error will result.' 
example: support source: type: object properties: id: type: string description: The ID of the Source with which the Access Profile is associated example: 2c91809773dee3610173fdb0b6061ef4 type: type: string enum: - SOURCE description: 'The type of the Source, will always be SOURCE' example: SOURCE name: type: string description: The display name of the associated Source example: ODS-AD-SOURCE entitlements: type: array description: A list of entitlements associated with the Access Profile. If enabled is false, this is allowed to be empty; otherwise, it needs to contain at least one Entitlement. items: type: object properties: id: type: string description: The ID of the Entitlement example: 2c91809773dee32014e13e122092014e type: type: string enum: - ENTITLEMENT description: 'The type of the Entitlement, will always be ENTITLEMENT' example: ENTITLEMENT name: type: string description: The display name of the Entitlement example: 'CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local' requestable: type: boolean description: 'Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value **false** in this field results in a 400 error.' 
example: true accessRequestConfig: nullable: true description: Access request configuration for this object type: object properties: commentsRequired: type: boolean description: Whether the requester of the containing object must provide comments justifying the request example: true denialCommentsRequired: type: boolean description: Whether an approver must provide comments when denying the request example: true approvalSchemes: type: array description: List describing the steps in approving the request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. **APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 revocationRequestConfig: nullable: true description: Revocation request configuration for this object. type: object properties: approvalSchemes: type: array description: List describing the steps in approving the revocation request items: type: object properties: approverType: type: string enum: - APP_OWNER - OWNER - SOURCE_OWNER - MANAGER - GOVERNANCE_GROUP description: |- Describes the individual or group that is responsible for an approval step. Values are as follows. 
**APP_OWNER**: The owner of the Application **OWNER**: Owner of the associated Access Profile or Role **SOURCE_OWNER**: Owner of the Source associated with an Access Profile **MANAGER**: Manager of the Identity making the request **GOVERNANCE_GROUP**: A Governance Group, the ID of which is specified by the **approverId** field example: GOVERNANCE_GROUP approverId: type: string nullable: true description: 'Id of the specific approver, used only when approverType is GOVERNANCE_GROUP' example: 46c79819-a69f-49a2-becb-12c971ae66c6 segments: type: array nullable: true items: type: string description: 'List of IDs of segments, if any, to which this Access Profile is assigned.' example: - f7b1b8a3-5fed-4fd4-ad29-82014e137e19 - 29cb6c06-1da8-43ea-8be4-b3125f248f2a provisioningCriteria: description: 'When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.' nullable: true example: operation: OR children: - operation: AND children: - attribute: dn operation: CONTAINS value: useast - attribute: manager operation: CONTAINS value: Scott.Clark - operation: AND children: - attribute: dn operation: EQUALS value: Gibson - attribute: telephoneNumber operation: CONTAINS value: '512' type: object properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. 
If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string nullable: true description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' example: carlee.cert1c9f9b6fd@mailinator.com children: type: array items: type: object description: Defines matching criteria for an Account to be provisioned with a specific Access Profile properties: operation: type: string enum: - EQUALS - NOT_EQUALS - CONTAINS - HAS - AND - OR description: Supported operations on ProvisioningCriteria example: EQUALS attribute: type: string description: 'Name of the Account attribute to be tested. If **operation** is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.' example: email nullable: true value: type: string description: 'String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.' 
example: carlee.cert1c9f9b6fd@mailinator.com nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null nullable: true description: 'Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.' example: null required: - owner - name - source '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
security: - oauth2: - 'idn:access-profile:manage' /access-profiles/bulk-delete: post: operationId: deleteAccessProfilesInBulk summary: Delete Access Profile(s) tags: - Access Profiles description: |- This API initiates a bulk deletion of one or more Access Profiles. By default, if any of the indicated Access Profiles are in use, no deletions will be performed and the **inUse** field of the response indicates the usages that must be removed first. If the request field **bestEffortOnly** is **true**, however, usages are reported in the **inUse** response field but all other indicated Access Profiles will be deleted. A token with API, ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. In addition, a SOURCE_SUBADMIN may only use this API to delete Access Profiles which are associated with Sources they are able to administer. requestBody: required: true content: application/json: schema: type: object properties: accessProfileIds: description: List of IDs of Access Profiles to be deleted. type: array items: type: string example: - 2c9180847812e0b1017817051919ecca - 2c9180887812e0b201781e129f151816 bestEffortOnly: description: 'If **true**, silently skip over any of the specified Access Profiles if they cannot be deleted because they are in use. If **false**, no deletions will be attempted if any of the Access Profiles are in use.' type: boolean example: true example: bestEffortOnly: true accessProfileIds: - 2c91808876438bb2017668b91919ecca - 2c91808876438ba801766e129f151816 responses: '200': description: 'Returned only if **bestEffortOnly** is **false**, and one or more Access Profiles are in use.' content: application/json: schema: type: object properties: taskId: type: string description: ID of the task which is executing the bulk deletion. This can be passed to the **/task-status** API to track status. example: 2c9180867817ac4d017817c491119a20 pending: type: array description: List of IDs of Access Profiles which are pending deletion. 
items: type: string example: - 2c91808876438bbb017668c21919ecca - 2c91808876438bb201766e129f151816 inUse: type: array description: List of usages of Access Profiles targeted for deletion. items: type: object properties: accessProfileId: type: string description: ID of the Access Profile that is in use example: 2c91808876438bbb017668c21919ecca usedBy: type: array description: List of references to objects which are using the indicated Access Profile items: type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson example: pending: [] inUse: - accessProfileId: 2c91808876438ba801766e129f151816 usages: - type: Role id: 2c9180887643764201766e9f6e121518 '202': description: Returned if at least one deletion will be performed. content: application/json: schema: type: object properties: taskId: type: string description: ID of the task which is executing the bulk deletion. This can be passed to the **/task-status** API to track status. example: 2c9180867817ac4d017817c491119a20 pending: type: array description: List of IDs of Access Profiles which are pending deletion. items: type: string example: - 2c91808876438bbb017668c21919ecca - 2c91808876438bb201766e129f151816 inUse: type: array description: List of usages of Access Profiles targeted for deletion. 
items: type: object properties: accessProfileId: type: string description: ID of the Access Profile that is in use example: 2c91808876438bbb017668c21919ecca usedBy: type: array description: List of references to objects which are using the indicated Access Profile items: type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson example: taskId: 2c91808a7813090a01781412a1119a20 pending: - 2c91808a7813090a017813fe1919ecca inUse: - accessProfileId: 2c91808876438ba801766e129f151816 usages: - type: Role id: 2c9180887643764201766e9f6e121518 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. 
The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. security: - oauth2: - 'idn:access-profile:manage' '/access-profiles/{id}/entitlements': get: operationId: getAccessProfileEntitlements tags: - Access Profiles summary: List Access Profile's Entitlements description: |- This API lists the Entitlements associated with a given Access Profile A token with API, ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to invoke this API. In addition, a token with SOURCE_SUBADMIN authority must have access to the Source associated with the given Access Profile parameters: - name: id in: path description: ID of the containing Access Profile required: true schema: type: string example: 2c91808a7813090a017814121919ecca - in: query name: limit description: |- Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 250 schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. 
Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: true schema: type: boolean default: false - in: query name: filters schema: type: string description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following Entitlement fields and operators: **id**: *eq, in* **name**: *eq, sw* **attribute**: *eq, sw* **value**: *eq, sw* **created, modified**: *gt, lt, ge, le* **owner.id**: *eq, in* **source.id**: *eq, in* example: attribute eq "memberOf" required: false - in: query name: sorters schema: type: string format: comma-separated description: |- Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **name, attribute, value, created, modified** example: 'name,-modified' required: false responses: '200': description: List of Entitlements content: application/json: schema: type: array items: type: object properties: id: type: string description: The entitlement id example: 2c91808874ff91550175097daaec161c name: type: string description: The entitlement name example: LauncherTest2 attribute: type: string description: The entitlement attribute name example: memberOf value: type: string description: The value of the entitlement example: 'CN=LauncherTest2,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local' sourceSchemaObjectType: type: string description: The object type of the entitlement from the source schema example: group description: type: string description: The 
description of the entitlement example: 'CN=LauncherTest2,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local' privileged: type: boolean description: True if the entitlement is privileged example: true cloudGoverned: type: boolean description: True if the entitlement is cloud governed example: true created: type: string description: Time when the entitlement was created format: date-time example: '2020-10-08T18:33:52.029Z' modified: type: string description: Time when the entitlement was last modified format: date-time example: '2020-10-08T18:33:52.029Z' source: type: object properties: id: type: string description: The source ID example: 2c9180827ca885d7017ca8ce28a000eb type: type: string description: 'The source type, will always be "SOURCE"' example: SOURCE name: type: string description: The source name example: ODS-AD-Source attributes: type: object description: A map of free-form key-value pairs from the source system example: fieldName: fieldValue additionalProperties: true segments: type: array items: type: string nullable: true description: 'List of IDs of segments, if any, to which this Entitlement is assigned.' example: - f7b1b8a3-5fed-4fd4-ad29-82014e137e19 - 29cb6c06-1da8-43ea-8be4-b3125f248f2a directPermissions: type: array items: type: object description: 'Simplified DTO for the Permission objects stored in SailPoint''s database. The data is aggregated from customer systems and is free-form, so its appearance can vary largely between different clients/customers.' properties: rights: type: array description: All the rights (e.g. actions) that this permission allows on the target readOnly: true items: type: string example: SELECT target: type: string description: The target the permission would grant rights on. readOnly: true example: SYS.GV_$TRANSACTION '400': description: Client Error - Returned if the request body is invalid. 
content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' 
content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. security: - oauth2: - 'idn:access-profile:read' /access-requests: post: operationId: createAccessRequest security: - oauth2: - 'idn:access-request:create' summary: Submit an Access Request tags: - Access Requests description: | This submits the access request into IdentityNow, where it will follow any IdentityNow approval processes. Access requests are processed asynchronously by IdentityNow. A success response from this endpoint means the request has been submitted to IDN and is queued for processing. Because this endpoint is asynchronous, it will not return an error if you submit duplicate access requests in quick succession, or you submit an access request for access that is already in progress, approved, or rejected. It is best practice to check for any existing access requests that reference the same access items before submitting a new access request. 
This can be accomplished by using the [access request status](https://developer.sailpoint.com/idn/api/v3/list-access-request-status) or the [pending access request approvals](https://developer.sailpoint.com/idn/api/v3/list-pending-approvals) endpoints. You can also use the [search API](https://developer.sailpoint.com/idn/api/v3/search) to check the existing access items that an identity has before submitting an access request to ensure you are not requesting access that is already granted. There are two types of access request: __GRANT_ACCESS__ * Can be requested for multiple identities in a single request. * Supports self request and request on behalf of other users, see the '/beta/access-request-config' endpoint for request configuration options. * Allows any authenticated token (except API) to call this endpoint to request to grant access to themselves. Depending on the configuration, a user can request access for others. * Roles, Access Profiles and Entitlements can be requested. * When requesting entitlements, a maximum of 25 entitlements and 10 recipients are allowed in a request. __REVOKE_ACCESS__ * Can only be requested for a single identity at a time. * Does not support self request. Only a manager can request to revoke access for their directly managed employees. * If removeDate is specified, then the access will be removed on that date and time only for Roles and Access Profiles. Entitlements are currently unsupported for removeDate. * Roles, Access Profiles, and Entitlements can be requested for revocation. * Revoke requests for entitlements are limited to 1 entitlement per access request currently. * [Roles, Access Profiles] removeDate can be specified only if the access doesn't have a sunset date. * Allows a manager to request to revoke access for direct employees. A token with ORG_ADMIN authority can also request to revoke access from anyone. NOTE: There is no indication to the approver in the IdentityNow UI that the approval request is for a revoke action.
Take this into consideration when calling this API. A token with API authority cannot be used to call this endpoint. requestBody: required: true content: application/json: schema: type: object properties: requestedFor: description: 'A list of Identity IDs for whom the Access is requested. If it''s a Revoke request, there can only be one Identity ID.' type: array items: type: string example: 2c918084660f45d6016617daa9210584 requestType: type: string enum: - GRANT_ACCESS - REVOKE_ACCESS description: Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field. example: GRANT_ACCESS requestedItems: type: array items: type: object properties: type: type: string enum: - ACCESS_PROFILE - ROLE - ENTITLEMENT description: The type of the item being requested. example: ACCESS_PROFILE id: type: string description: 'ID of Role, Access Profile or Entitlement being requested.' example: 2c9180835d2e5168015d32f890ca1581 comment: type: string description: | Comment provided by requester. * Comment is required when the request is of type Revoke Access. example: Requesting access profile for John Doe clientMetadata: type: object additionalProperties: type: string example: requestedAppId: 2c91808f7892918f0178b78da4a305a1 requestedAppName: test-app example: requestedAppName: test-app requestedAppId: 2c91808f7892918f0178b78da4a305a1 description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities and /access-request-status. removeDate: type: string description: | The date the role or access profile is no longer assigned to the specified identity. * Specify a date in the future. * The current SLA for the deprovisioning is 24 hours. * This date can be modified to either extend or decrease the duration of access item assignments for the specified identity. * Currently it is not supported for entitlements. 
* If a sunset date is specified for the role or access profile, removeDate cannot be established. This rule doesn't apply to entitlements. format: date-time example: '2020-07-11T21:23:15.000Z' required: - id - type clientMetadata: type: object additionalProperties: type: string example: requestedAppId: 2c91808f7892918f0178b78da4a305a1 requestedAppName: test-app example: requestedAppId: 2c91808f7892918f0178b78da4a305a1 requestedAppName: test-app description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities. required: - requestedFor - requestedItems responses: '202': description: Accepted - Returned if the request was successfully accepted into the system. content: application/json: schema: type: object '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid.
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. 
content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. /access-requests/cancel: post: operationId: cancelAccessRequest tags: - Access Requests summary: Cancel Access Request description: |- This API endpoint cancels a pending access request. An access request can be cancelled only if it has not passed the approval step. Any token with ORG_ADMIN authority or token of the user who originally requested the access request is required to cancel it. requestBody: required: true content: application/json: schema: type: object description: Request body payload for cancel access request endpoint. required: - accountActivityId - comment properties: accountActivityId: type: string description: ID of the account activity object corresponding to the access request. example: 2c9180835d2e5168015d32f890ca1581 comment: type: string description: Reason for cancelling the pending access request. example: I requested this role by mistake. example: accountActivityId: 2c91808568c529c60168cca6f90c1313 comment: I requested this role by mistake. responses: '202': description: Accepted - Returned if the request was successfully accepted into the system. content: application/json: schema: type: object '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. 
'404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. /access-request-config: get: operationId: getAccessRequestConfig summary: Get Access Request Configuration tags: - Access Requests description: This endpoint returns the current access-request configuration. responses: '200': description: Access Request Configuration Details. content: application/json: schema: type: object properties: approvalsMustBeExternal: type: boolean description: 'If true, then approvals must be processed by external system.' example: true autoApprovalEnabled: type: boolean description: 'If true and requester and reviewer are the same, then automatically approve the approval.' example: true requestOnBehalfOfConfig: description: Request On Behalf Of Configuration. type: object properties: allowRequestOnBehalfOfAnyoneByAnyone: type: boolean description: If anyone can request access for anyone. 
example: true allowRequestOnBehalfOfEmployeeByManager: type: boolean description: If a manager can request access for his/her direct reports. example: true approvalReminderAndEscalationConfig: description: Approval Reminder and Escalation Configuration. type: object properties: daysUntilEscalation: type: integer description: 'Number of days to wait before the first reminder. If no reminders are configured, then this is the number of days to wait before escalation.' format: int32 example: 0 daysBetweenReminders: type: integer description: Number of days to wait between reminder notifications. format: int32 example: 0 maxReminders: type: integer description: Maximum number of reminder notifications to send to the reviewer before approval escalation. format: int32 example: 0 fallbackApproverRef: type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only example: Alison Ferguso email: type: string description: Email address of identity. This is read-only example: alison.ferguso@identitysoon.com entitlementRequestConfig: description: Entitlement Request Configuration. type: object properties: allowEntitlementRequest: type: boolean description: Flag for allowing entitlement request. example: true requestCommentsRequired: type: boolean description: Flag for requiring comments while submitting an entitlement request. default: false example: false deniedCommentsRequired: type: boolean description: Flag for requiring comments while rejecting an entitlement request. default: false example: false grantRequestApprovalSchemes: type: string description: | Approval schemes for granting entitlement request. This can be empty if no approval is needed. Multiple schemes must be comma-separated.
The valid schemes are "entitlementOwner", "sourceOwner", "manager" and "workgroup:{id}". Multiple workgroups (governance groups) can be used. default: sourceOwner example: 'entitlementOwner, sourceOwner, manager, workgroup:2c918084660f45d6016617daa9210584' '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). 
Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.'
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. put: operationId: updateAccessRequestConfig summary: Update Access Request Configuration tags: - Access Requests description: |- This endpoint replaces the current access-request configuration. A token with ORG_ADMIN authority is required to call this API. requestBody: required: true content: application/json: schema: type: object properties: approvalsMustBeExternal: type: boolean description: 'If true, then approvals must be processed by external system.' 
example: true autoApprovalEnabled: type: boolean description: 'If true and the requester and reviewer are the same, then the approval is automatically approved.' example: true requestOnBehalfOfConfig: description: Request On Behalf Of Configuration. type: object properties: allowRequestOnBehalfOfAnyoneByAnyone: type: boolean description: Whether anyone can request access for anyone. example: true allowRequestOnBehalfOfEmployeeByManager: type: boolean description: Whether a manager can request access for their direct reports. example: true approvalReminderAndEscalationConfig: description: Approval Reminder and Escalation Configuration. type: object properties: daysUntilEscalation: type: integer description: 'Number of days to wait before the first reminder. If no reminders are configured, then this is the number of days to wait before escalation.' format: int32 example: 0 daysBetweenReminders: type: integer description: Number of days to wait between reminder notifications. format: int32 example: 0 maxReminders: type: integer description: Maximum number of reminder notifications to send to the reviewer before approval escalation. format: int32 example: 0 fallbackApproverRef: type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only. example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only. example: Alison Ferguso email: type: string description: Email address of identity. This is read-only. example: alison.ferguso@identitysoon.com entitlementRequestConfig: description: Entitlement Request Configuration. type: object properties: allowEntitlementRequest: type: boolean description: Flag for allowing entitlement request. example: true requestCommentsRequired: type: boolean description: Flag for requiring comments while submitting an entitlement request.
default: false example: false deniedCommentsRequired: type: boolean description: Flag for requiring comments while rejecting an entitlement request. default: false example: false grantRequestApprovalSchemes: type: string description: | Approval schemes for granting entitlement request. This can be empty if no approval is needed. Multiple schemes must be comma-separated. The valid schemes are "entitlementOwner", "sourceOwner", "manager" and "workgroup:{id}". Multiple workgroups (governance groups) can be used. default: sourceOwner example: 'entitlementOwner, sourceOwner, manager, workgroup:2c918084660f45d6016617daa9210584' responses: '200': description: Access Request Configuration Details. content: application/json: schema: type: object properties: approvalsMustBeExternal: type: boolean description: 'If true, then approvals must be processed by external system.' example: true autoApprovalEnabled: type: boolean description: 'If true and requester and reviewer are the same, then automatically approve the approval.' example: true requestOnBehalfOfConfig: description: Request On Behalf Of Configuration. type: object properties: allowRequestOnBehalfOfAnyoneByAnyone: type: boolean description: If anyone can request access for anyone. example: true allowRequestOnBehalfOfEmployeeByManager: type: boolean description: If a manager can request access for his/her direct reports. example: true approvalReminderAndEscalationConfig: description: Approval Reminder and Escalation Configuration. type: object properties: daysUntilEscalation: type: integer description: 'Number of days to wait before the first reminder. If no reminders are configured, then this is the number of days to wait before escalation.' format: int32 example: 0 daysBetweenReminders: type: integer description: Number of days to wait between reminder notifications. 
format: int32 example: 0 maxReminders: type: integer description: Maximum number of reminder notifications to send to the reviewer before approval escalation. format: int32 example: 0 fallbackApproverRef: type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only. example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only. example: Alison Ferguso email: type: string description: Email address of identity. This is read-only. example: alison.ferguso@identitysoon.com entitlementRequestConfig: description: Entitlement Request Configuration. type: object properties: allowEntitlementRequest: type: boolean description: Flag for allowing entitlement request. example: true requestCommentsRequired: type: boolean description: Flag for requiring comments while submitting an entitlement request. default: false example: false deniedCommentsRequired: type: boolean description: Flag for requiring comments while rejecting an entitlement request. default: false example: false grantRequestApprovalSchemes: type: string description: | Approval schemes for granting entitlement request. This can be empty if no approval is needed. Multiple schemes must be comma-separated. The valid schemes are "entitlementOwner", "sourceOwner", "manager" and "workgroup:{id}". Multiple workgroups (governance groups) can be used. default: sourceOwner example: 'entitlementOwner, sourceOwner, manager, workgroup:2c918084660f45d6016617daa9210584' '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error.
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.'
content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. /access-request-status: get: operationId: listAccessRequestStatus tags: - Access Requests summary: Access Request Status description: |- The Access Request Status API returns a list of access request statuses based on the specified query parameters. Any token with any authority can request their own status. A token with ORG_ADMIN authority is required to call this API to get a list of statuses for other users. parameters: - in: query name: requested-for schema: type: string example: 2c9180877b2b6ea4017b2c545f971429 description: Filter the results by the identity for which the requests were made. *me* indicates the current user. Mutually exclusive with *regarding-identity*. required: false - in: query name: requested-by schema: type: string example: 2c9180877b2b6ea4017b2c545f971429 description: Filter the results by the identity that made the requests. *me* indicates the current user. Mutually exclusive with *regarding-identity*. 
required: false - in: query name: regarding-identity schema: type: string example: 2c9180877b2b6ea4017b2c545f971429 description: Filter the results by the specified identity which is either the requester or target of the requests. *me* indicates the current user. Mutually exclusive with *requested-for* and *requested-by*. required: false - in: query name: count description: If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. required: false schema: type: boolean default: false example: false - in: query name: limit description: Max number of results to return. required: false schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 example: 100 - in: query name: offset description: Offset into the full result set. Usually specified with *limit* to paginate through the results. Defaults to 0 if not specified. required: false schema: type: integer format: int32 minimum: 0 example: 10 - in: query name: filters schema: type: string example: accountActivityItemId eq "2c918086771c86df0177401efcdf54c0" description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **accountActivityItemId**: *eq, in* required: false - in: query name: sorters schema: type: string format: comma-separated description: |- Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **created, modified, accountActivityItemId** example: created required: false responses: '200': description: List of requested item status. 
content: application/json: schema: type: array items: type: object properties: name: type: string description: Human-readable display name of the item being requested. example: AccessProfile1 type: type: string enum: - ACCESS_PROFILE - ROLE - ENTITLEMENT description: Type of requested object. example: ACCESS_PROFILE cancelledRequestDetails: nullable: true type: object properties: comment: type: string description: Comment made by the owner when cancelling the associated request. example: Nisl quis ipsum quam quisque condimentum nunc ut dolor nunc. owner: type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson modified: type: string format: date-time description: Date comment was added by the owner when cancelling the associated request example: '2019-12-20T09:17:12.192Z' description: Provides additional details for a request that has been cancelled. errorMessages: type: array nullable: true items: type: array items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. description: 'List of list of localized error messages, if any, encountered during the approval/provisioning process.' state: type: string enum: - EXECUTING - REQUEST_COMPLETED - CANCELLED - TERMINATED - PROVISIONING_VERIFICATION_PENDING - REJECTED - PROVISIONING_FAILED - NOT_ALL_ITEMS_PROVISIONED - ERROR description: |- Indicates the state of an access request: * EXECUTING: The request is executing, which indicates the system is doing some processing. * REQUEST_COMPLETED: Indicates the request has been completed. * CANCELLED: The request was cancelled with no user input. * TERMINATED: The request has been terminated before it was able to complete. * PROVISIONING_VERIFICATION_PENDING: The request has finished any approval steps and provisioning is waiting to be verified. * REJECTED: The request was rejected. * PROVISIONING_FAILED: The request has failed to complete. * NOT_ALL_ITEMS_PROVISIONED: One or more of the requested items failed to complete, but there were one or more successes. * ERROR: An error occurred during request processing. example: EXECUTING approvalDetails: type: array items: type: object properties: forwarded: type: boolean description: True if the request for this item was forwarded from one owner to another. example: false originalOwner: description: 'Base identity/workgroup reference object representing the original owner, if forwarded.' 
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson currentOwner: description: Base reference of approver that will make decision. type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson reviewedBy: description: The identity who has reviewed the approval. 
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson modified: type: string format: date-time description: Time at which item was modified. example: '2019-08-23T18:52:57.398Z' status: type: string enum: - PENDING - APPROVED - REJECTED - EXPIRED - CANCELLED - ARCHIVED description: |- Indicates the state of the request processing for this item: * PENDING: The request for this item is awaiting processing. * APPROVED: The request for this item has been approved. * REJECTED: The request for this item was rejected. * EXPIRED: The request for this item expired with no action taken. * CANCELLED: The request for this item was cancelled with no user action. * ARCHIVED: The request for this item has been archived after completion. example: PENDING scheme: type: string enum: - APP_OWNER - SOURCE_OWNER - MANAGER - ROLE_OWNER - ACCESS_PROFILE_OWNER - ENTITLEMENT_OWNER - GOVERNANCE_GROUP description: Describes the individual or group that is responsible for an approval step. example: MANAGER errorMessages: type: array items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. 
*DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. description: 'If the request failed, includes any error messages that were generated.' comment: type: string description: 'Comment, if any, provided by the approver.' example: I approve this request removeDate: type: string description: The date the role or access profile is no longer assigned to the specified identity. format: date-time example: '2020-07-11T00:00:00Z' description: Approval details for each item. manualWorkItemDetails: type: array nullable: true items: type: object properties: forwarded: type: boolean description: True if the request for this item was forwarded from one owner to another. example: true originalOwner: description: 'Base identity/workgroup reference object representing the original owner, if forwarded.' type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson currentOwner: description: Base reference of approver that will make decision. 
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson modified: type: string format: date-time description: Time at which item was modified. example: '2019-08-23T18:52:57.398Z' status: type: string enum: - PENDING - APPROVED - REJECTED - EXPIRED - CANCELLED - ARCHIVED description: |- Indicates the state of the request processing for this item: * PENDING: The request for this item is awaiting processing. * APPROVED: The request for this item has been approved. * REJECTED: The request for this item was rejected. * EXPIRED: The request for this item expired with no action taken. * CANCELLED: The request for this item was cancelled with no user action. * ARCHIVED: The request for this item has been archived after completion. example: PENDING forwardHistory: type: array items: type: object properties: oldApproverName: type: string description: Display name of approver from whom the approval was forwarded. example: Frank Mir newApproverName: type: string description: Display name of approver to whom the approval was forwarded. example: Al Volta comment: type: string nullable: true description: Comment made while forwarding. example: Forwarding from Frank to Al modified: type: string format: date-time description: Time at which approval was forwarded. 
example: '2019-08-23T18:52:57.398Z' forwarderName: type: string nullable: true description: Display name of forwarder who forwarded the approval. example: William Wilson reassignmentType: description: |- The approval reassignment type. * MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's. * AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time. * AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to [Setting Global Reminders and Escalation Policies](https://documentation.sailpoint.com/saas/help/requests/config_emails.html). * SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to [Self-review Prevention](https://documentation.sailpoint.com/saas/help/users/work_reassignment.html#self-review-prevention) and [Preventing Self-approval](https://documentation.sailpoint.com/saas/help/requests/config_ap_roles.html#preventing-self-approval). example: AUTOMATIC_REASSIGNMENT type: string enum: - MANUAL_REASSIGNMENT - AUTOMATIC_REASSIGNMENT - AUTO_ESCALATION - SELF_REVIEW_DELEGATION description: The history of approval forward action. description: Manual work items created for provisioning the item. 
accountActivityItemId: type: string description: Id of associated account activity item. example: 2c9180926cbfbddd016cbfc7c3b10010 requestType: type: string enum: - GRANT_ACCESS - REVOKE_ACCESS description: Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field. example: GRANT_ACCESS modified: type: string format: date-time description: When the request was last modified. example: '2019-08-23T18:52:59.162Z' created: type: string format: date-time description: When the request was created. example: '2019-08-23T18:40:35.772Z' requester: description: The identity that requested the item. type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson requestedFor: description: The identity for whom the Access Request Status is requested.
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson requesterComment: nullable: true description: The requester's comment. type: object properties: comment: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat author: type: object properties: type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. 
example: IDENTITY id: type: string description: ID of the author example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy created: type: string format: date-time description: Date and time comment was created example: '2017-07-11T18:45:37.098Z' sodViolationContext: nullable: true description: The details of the SOD violations for the associated approval. type: object properties: state: type: string enum: - SUCCESS - ERROR description: The status of SOD violation check example: SUCCESS uuid: description: The id of the Violation check event type: string example: f73d16e9-a038-46c5-b217-1246e15fdbdd violationCheckResult: description: The inner object representing the completed SOD Violation check type: object properties: message: description: 'If the request failed, includes any error message that was generated.' example: - locale: en-US localeOrigin: DEFAULT text: An error has occurred during the SOD violation check type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. clientMetadata: type: object additionalProperties: type: string description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check. 
example: requestedAppName: test-app requestedAppId: 2c91808f7892918f0178b78da4a305a1 violationContexts: type: array items: description: The contextual information of the violated criteria type: object properties: policy: description: Reference to the Policy that is being violated. type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson conflictingAccessCriteria: type: object description: The object which contains the left and right hand side of the entitlements that got violated according to the policy. properties: leftCriteria: type: object properties: criteriaList: type: array items: description: Details of the Entitlement criteria type: object properties: existing: type: boolean example: true description: If the entitlement already belonged to the user or not. 
type: example: ENTITLEMENT type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. id: type: string description: Entitlement ID example: 2c918085771e9d3301773b3cb66f6398 name: type: string description: Entitlement name example: My HR Entitlement rightCriteria: type: object properties: criteriaList: type: array items: description: Details of the Entitlement criteria type: object properties: existing: type: boolean example: true description: If the entitlement already belonged to the user or not. type: example: ENTITLEMENT type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. 
id: type: string description: Entitlement ID example: 2c918085771e9d3301773b3cb66f6398 name: type: string description: Entitlement name example: My HR Entitlement violatedPolicies: type: array description: A list of the Policies that were violated items: description: Reference to the policy that was violated example: - type: SOD_POLICY id: 69129440-422d-4a23-aadd-35c828d5bfda name: HR Policy type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson provisioningDetails: nullable: true type: object properties: orderedSubPhaseReferences: type: string description: 'Ordered CSV of sub phase references to objects that contain more information about provisioning. For example, this can contain "manualWorkItemDetails" which indicate that there is further information in that object for this phase.' example: manualWorkItemDetails description: Provides additional details about provisioning for this request. 
preApprovalTriggerDetails: nullable: true type: object properties: comment: type: string description: Comment left for the pre-approval decision example: Access is Approved reviewer: type: string description: The reviewer of the pre-approval decision example: John Doe decision: type: string enum: - APPROVED - REJECTED description: The decision of the pre-approval trigger example: APPROVED description: Provides additional details about the pre-approval trigger for this request. accessRequestPhases: type: array items: type: object properties: started: type: string description: The time that this phase started. format: date-time example: '2020-07-11T00:00:00Z' finished: type: string description: The time that this phase finished. format: date-time example: '2020-07-12T00:00:00Z' name: type: string description: The name of this phase. example: APPROVAL_PHASE state: type: string enum: - PENDING - EXECUTING - COMPLETED - CANCELLED description: The state of this phase. example: COMPLETED result: type: string enum: - SUCCESSFUL - FAILED description: The result of this phase. example: SUCCESSFUL phaseReference: type: string description: 'A reference to another object on the RequestedItemStatus that contains more details about the phase. Note that for the Provisioning phase, this will be empty if there are no manual work items.' example: approvalDetails description: Provides additional details about this access request phase. description: 'A list of Phases that the Access Request has gone through in order, to help determine the status of the request.' description: type: string description: Description associated with the requested object. example: This is the Engineering role that engineers are granted. removeDate: type: string format: date-time nullable: true description: When the role access is scheduled for removal. example: '2019-10-23T00:00:00.000Z' cancelable: type: boolean description: True if the request can be canceled.
example: true accessRequestId: type: string format: string description: This is the account activity id. example: 2b838de9-db9b-abcf-e646-d4f274ad4238 clientMetadata: nullable: true type: object additionalProperties: type: string description: 'Arbitrary key-value pairs, if any were included in the corresponding access request' example: key1: value1 key2: value2 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid.
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
/access-request-approvals/pending: get: operationId: listPendingApprovals summary: Pending Access Request Approvals List tags: - Access Request Approvals description: This endpoint returns a list of pending approvals. See "owner-id" query parameter below for authorization info. parameters: - in: query name: owner-id schema: type: string description: |- If present, the value returns only pending approvals for the specified identity. * ORG_ADMIN users can call this with any identity ID value. * ORG_ADMIN users can also fetch all the approvals in the org, when owner-id is not used. * Non-ORG_ADMIN users can only specify *me* or pass their own identity ID value. example: 2c91808568c529c60168cca6f90c1313 required: false - in: query name: limit description: |- Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 250 schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. 
required: false example: true schema: type: boolean default: false - in: query name: filters required: false schema: type: string description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **requestedFor.id**: *eq, in* **modified**: *gt, lt, ge, le* example: id eq "2c91808568c529c60168cca6f90c1313" - in: query name: sorters required: false schema: type: string format: comma-separated description: |- Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **created, modified** example: modified responses: '200': description: List of Pending Approvals. content: application/json: schema: type: array items: type: object properties: id: type: string description: The approval id. example: id12345 name: type: string description: The name of the approval. example: aName created: type: string format: date-time description: When the approval was created. example: '2017-07-11T18:45:37.098Z' modified: type: string format: date-time description: When the approval was modified last time. example: '2018-07-25T20:22:28.104Z' requestCreated: type: string format: date-time description: When the access-request was created. example: '2017-07-11T18:45:35.098Z' requestType: description: If the access-request was for granting or revoking access. type: string enum: - GRANT_ACCESS - REVOKE_ACCESS example: GRANT_ACCESS requester: description: The identity that requested the item. 
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson requestedFor: description: The identity for whom the item is requested. type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson owner: description: The owner or approver of the approval.
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson requestedObject: description: The requested access item. type: object properties: id: type: string description: Id of the object. example: 2c9180835d2e5168015d32f890ca1581 name: type: string description: Name of the object. example: Applied Research Access description: type: string description: Description of the object. example: 'Access to research information, lab results, and schematics' type: type: string enum: - ACCESS_PROFILE - ROLE - ENTITLEMENT description: Type of the object. example: ROLE requesterComment: description: The requester's comment. 
type: object properties: comment: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat author: type: object properties: type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. example: IDENTITY id: type: string description: ID of the author example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy created: type: string format: date-time description: Date and time comment was created example: '2017-07-11T18:45:37.098Z' previousReviewersComments: type: array items: type: object properties: comment: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat author: type: object properties: type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. 
example: IDENTITY id: type: string description: ID of the author example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy created: type: string format: date-time description: Date and time comment was created example: '2017-07-11T18:45:37.098Z' description: The history of the previous reviewers comments. forwardHistory: type: array items: type: object properties: oldApproverName: type: string description: Display name of approver from whom the approval was forwarded. example: Frank Mir newApproverName: type: string description: Display name of approver to whom the approval was forwarded. example: Al Volta comment: type: string nullable: true description: Comment made while forwarding. example: Forwarding from Frank to Al modified: type: string format: date-time description: Time at which approval was forwarded. example: '2019-08-23T18:52:57.398Z' forwarderName: type: string nullable: true description: Display name of forwarder who forwarded the approval. example: William Wilson reassignmentType: description: |- The approval reassignment type. * MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's. * AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time. * AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. 
For more information about escalation configuration, refer to [Setting Global Reminders and Escalation Policies](https://documentation.sailpoint.com/saas/help/requests/config_emails.html). * SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to [Self-review Prevention](https://documentation.sailpoint.com/saas/help/users/work_reassignment.html#self-review-prevention) and [Preventing Self-approval](https://documentation.sailpoint.com/saas/help/requests/config_ap_roles.html#preventing-self-approval). example: AUTOMATIC_REASSIGNMENT type: string enum: - MANUAL_REASSIGNMENT - AUTOMATIC_REASSIGNMENT - AUTO_ESCALATION - SELF_REVIEW_DELEGATION description: The history of approval forward action. commentRequiredWhenRejected: type: boolean description: 'When true, the rejector has to provide comments when rejecting.' example: true actionInProcess: description: 'Action that is being performed on this approval and that the system has not finished performing yet.' type: string enum: - APPROVED - REJECTED - FORWARDED example: APPROVED removeDate: type: string description: The date the role or access profile is no longer assigned to the specified identity. format: date-time example: '2020-07-11T00:00:00Z' removeDateUpdateRequested: type: boolean description: 'If true, then the request is to change the remove date or sunset date.' example: true currentRemoveDate: type: string description: The remove date or sunset date that was assigned at the time of the request. format: date-time example: '2020-07-11T00:00:00Z' sodViolationContext: description: The details of the SOD violations for the associated approval.
type: object properties: state: type: string enum: - SUCCESS - ERROR description: The status of SOD violation check example: SUCCESS uuid: description: The id of the Violation check event type: string example: f73d16e9-a038-46c5-b217-1246e15fdbdd violationCheckResult: description: The inner object representing the completed SOD Violation check type: object properties: message: description: 'If the request failed, includes any error message that was generated.' example: - locale: en-US localeOrigin: DEFAULT text: An error has occurred during the SOD violation check type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. clientMetadata: type: object additionalProperties: type: string description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check. example: requestedAppName: test-app requestedAppId: 2c91808f7892918f0178b78da4a305a1 violationContexts: type: array items: description: The contextual information of the violated criteria type: object properties: policy: description: Reference to the Policy that is being violated. 
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson conflictingAccessCriteria: type: object description: The object which contains the left and right hand side of the entitlements that got violated according to the policy. properties: leftCriteria: type: object properties: criteriaList: type: array items: description: Details of the Entitlement criteria type: object properties: existing: type: boolean example: true description: If the entitlement already belonged to the user or not. type: example: ENTITLEMENT type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. 
id: type: string description: Entitlement ID example: 2c918085771e9d3301773b3cb66f6398 name: type: string description: Entitlement name example: My HR Entitlement rightCriteria: type: object properties: criteriaList: type: array items: description: Details of the Entitlement criteria type: object properties: existing: type: boolean example: true description: If the entitlement already belonged to the user or not. type: example: ENTITLEMENT type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. id: type: string description: Entitlement ID example: 2c918085771e9d3301773b3cb66f6398 name: type: string description: Entitlement name example: My HR Entitlement violatedPolicies: type: array description: A list of the Policies that were violated items: description: Reference to the policy that was violated example: - type: SOD_POLICY id: 69129440-422d-4a23-aadd-35c828d5bfda name: HR Policy type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string 
description: Human-readable display name of the object to which this reference applies example: William Wilson '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. /access-request-approvals/completed: get: operationId: listCompletedApprovals summary: Completed Access Request Approvals List tags: - Access Request Approvals description: This endpoint returns list of completed approvals. See *owner-id* query parameter below for authorization info. parameters: - in: query name: owner-id required: false schema: type: string description: |- If present, the value returns only completed approvals for the specified identity. * ORG_ADMIN users can call this with any identity ID value. * ORG_ADMIN users can also fetch all the approvals in the org, when owner-id is not used. * Non-ORG_ADMIN users can only specify *me* or pass their own identity ID value. 
example: 2c91808568c529c60168cca6f90c1313 - in: query name: limit description: |- Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 250 schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. 
required: false example: true schema: type: boolean default: false - in: query name: filters required: false schema: type: string description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **requestedFor.id**: *eq, in* **modified**: *gt, lt, ge, le* example: id eq "2c91808568c529c60168cca6f90c1313" - in: query name: sorters required: false schema: type: string format: comma-separated description: |- Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **created, modified** example: modified responses: '200': description: List of Completed Approvals. content: application/json: schema: type: array items: type: object properties: id: type: string description: The approval id. example: id12345 name: type: string description: The name of the approval. example: aName created: type: string format: date-time description: When the approval was created. example: '2017-07-11T18:45:37.098Z' modified: type: string format: date-time description: When the approval was modified last time. example: '2018-07-25T20:22:28.104Z' requestCreated: type: string format: date-time description: When the access-request was created. example: '2017-07-11T18:45:35.098Z' requestType: description: If the access-request was for granting or revoking access. type: string enum: - GRANT_ACCESS - REVOKE_ACCESS example: GRANT_ACCESS requester: description: The identity that requested the item. 
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson requestedFor: description: The identity for whom the item is requested for. type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson reviewedBy: description: The identity who has reviewed the approval. 
type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson owner: description: The owner or approver of the approval. type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson requestedObject: description: The requested access item. type: object properties: id: type: string description: Id of the object. example: 2c9180835d2e5168015d32f890ca1581 name: type: string description: Name of the object. example: Applied Research Access description: type: string description: Description of the object. 
example: 'Access to research information, lab results, and schematics' type: type: string enum: - ACCESS_PROFILE - ROLE - ENTITLEMENT description: Type of the object. example: ROLE requesterComment: description: The requester's comment. type: object properties: comment: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat author: type: object properties: type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. example: IDENTITY id: type: string description: ID of the author example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy created: type: string format: date-time description: Date and time comment was created example: '2017-07-11T18:45:37.098Z' reviewerComment: allOf: - type: object properties: comment: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat author: type: object properties: type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the 
types of DTOs supported within the IdentityNow infrastructure. example: IDENTITY id: type: string description: ID of the author example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy created: type: string format: date-time description: Date and time comment was created example: '2017-07-11T18:45:37.098Z' description: The approval's reviewer's comment. nullable: true previousReviewersComments: type: array items: type: object properties: comment: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat author: type: object properties: type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. example: IDENTITY id: type: string description: ID of the author example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy created: type: string format: date-time description: Date and time comment was created example: '2017-07-11T18:45:37.098Z' description: The history of the previous reviewers comments. forwardHistory: type: array items: type: object properties: oldApproverName: type: string description: Display name of approver from whom the approval was forwarded. example: Frank Mir newApproverName: type: string description: Display name of approver to whom the approval was forwarded. 
example: Al Volta comment: type: string nullable: true description: Comment made while forwarding. example: Forwarding from Frank to Al modified: type: string format: date-time description: Time at which approval was forwarded. example: '2019-08-23T18:52:57.398Z' forwarderName: type: string nullable: true description: Display name of forwarder who forwarded the approval. example: William Wilson reassignmentType: description: |- The approval reassignment type. * MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's. * AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time. * AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to [Setting Global Reminders and Escalation Policies](https://documentation.sailpoint.com/saas/help/requests/config_emails.html). * SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to [Self-review Prevention](https://documentation.sailpoint.com/saas/help/users/work_reassignment.html#self-review-prevention) and [Preventing Self-approval](https://documentation.sailpoint.com/saas/help/requests/config_ap_roles.html#preventing-self-approval). 
example: AUTOMATIC_REASSIGNMENT type: string enum: - MANUAL_REASSIGNMENT - AUTOMATIC_REASSIGNMENT - AUTO_ESCALATION - SELF_REVIEW_DELEGATION description: The history of approval forward action. commentRequiredWhenRejected: type: boolean description: When true the rejector has to provide comments when rejecting example: true state: description: The final state of the approval type: string enum: - APPROVED - REJECTED example: APPROVED removeDate: type: string description: The date the role or access profile is no longer assigned to the specified identity. format: date-time example: '2020-07-11T00:00:00Z' nullable: true removeDateUpdateRequested: type: boolean description: 'If true, then the request was to change the remove date or sunset date.' example: true currentRemoveDate: type: string description: The remove date or sunset date that was assigned at the time of the request. format: date-time example: '2020-07-11T00:00:00Z' nullable: true sodViolationContext: description: The details of the SOD violations for the associated approval. type: object properties: state: type: string enum: - SUCCESS - ERROR description: The status of SOD violation check example: SUCCESS uuid: description: The id of the Violation check event type: string example: f73d16e9-a038-46c5-b217-1246e15fdbdd violationCheckResult: description: The inner object representing the completed SOD Violation check type: object properties: message: description: 'If the request failed, includes any error message that was generated.' example: - locale: en-US localeOrigin: DEFAULT text: An error has occurred during the SOD violation check type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. clientMetadata: type: object additionalProperties: type: string description: Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check. example: requestedAppName: test-app requestedAppId: 2c91808f7892918f0178b78da4a305a1 violationContexts: type: array items: description: The contextual information of the violated criteria type: object properties: policy: description: Reference to the Policy that is being violated. type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson conflictingAccessCriteria: type: object description: The object which contains the left and right hand side of the entitlements that got violated according to the policy. 
properties: leftCriteria: type: object properties: criteriaList: type: array items: description: Details of the Entitlement criteria type: object properties: existing: type: boolean example: true description: If the entitlement already belonged to the user or not. type: example: ENTITLEMENT type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. id: type: string description: Entitlement ID example: 2c918085771e9d3301773b3cb66f6398 name: type: string description: Entitlement name example: My HR Entitlement rightCriteria: type: object properties: criteriaList: type: array items: description: Details of the Entitlement criteria type: object properties: existing: type: boolean example: true description: If the entitlement already belonged to the user or not. type: example: ENTITLEMENT type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. 
id: type: string description: Entitlement ID example: 2c918085771e9d3301773b3cb66f6398 name: type: string description: Entitlement name example: My HR Entitlement violatedPolicies: type: array description: A list of the Policies that were violated items: description: Reference to the policy that was violated example: - type: SOD_POLICY id: 69129440-422d-4a23-aadd-35c828d5bfda name: HR Policy type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. 
The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/access-request-approvals/{approvalId}/approve': post: operationId: approveAccessRequest summary: Approves an access request approval. tags: - Access Request Approvals description: This endpoint approves an access request approval. Only the owner of the approval and ORG_ADMIN users are allowed to perform this action. parameters: - in: path name: approvalId schema: type: string required: true description: The id of the approval. example: 2c91808b7294bea301729568c68c002e requestBody: description: Reviewer's comment. required: false content: application/json: schema: type: object properties: comment: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat author: type: object properties: type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. 
example: IDENTITY id: type: string description: ID of the author example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy created: type: string format: date-time description: Date and time comment was created example: '2017-07-11T18:45:37.098Z' responses: '202': description: Accepted - Returned if the request was successfully accepted into the system. content: application/json: schema: type: object '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. 
content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/access-request-approvals/{approvalId}/reject': post: operationId: rejectAccessRequest summary: Rejects an access request approval. tags: - Access Request Approvals description: This endpoint rejects an access request approval. Only the owner of the approval and admin users are allowed to perform this action. parameters: - in: path name: approvalId schema: type: string required: true description: The id of the approval. example: 2c91808b7294bea301729568c68c002e requestBody: description: Reviewer's comment. required: false content: application/json: schema: type: object properties: comment: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat author: type: object properties: type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. example: IDENTITY id: type: string description: ID of the author example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy created: type: string format: date-time description: Date and time comment was created example: '2017-07-11T18:45:37.098Z' responses: '202': description: Accepted - Returned if the request was successfully accepted into the system. 
content: application/json: schema: type: object '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
'401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/access-request-approvals/{approvalId}/forward': post: operationId: forwardAccessRequest summary: Forwards an access request approval. 
tags: - Access Request Approvals description: This endpoint forwards an access request approval to a new owner. Only the owner of the approval and ORG_ADMIN users are allowed to perform this action. parameters: - in: path name: approvalId schema: type: string required: true description: The id of the approval. example: 2c91808b7294bea301729568c68c002e requestBody: description: Information about the forwarded approval. required: true content: application/json: schema: type: object required: - newOwnerId - comment properties: newOwnerId: type: string description: The ID of the new owner example: 2c91808568c529c60168cca6f90c1314 minLength: 1 maxLength: 255 comment: type: string description: The comment provided by the forwarder example: 2c91808568c529c60168cca6f90c1313 minLength: 1 maxLength: 255 responses: '202': description: Accepted - Returned if the request was successfully accepted into the system. content: application/json: schema: type: object '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. 
'429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. /access-request-approvals/approval-summary: get: operationId: getAccessRequestApprovalSummary summary: Get the number of access-requests-approvals tags: - Access Request Approvals description: 'This endpoint returns the number of pending, approved and rejected access request approvals. See "owner-id" query parameter below for authorization info.' parameters: - in: query name: owner-id schema: type: string description: |- The id of the owner or approver identity of the approvals. If present, the approval summary is returned for the specified identity. * ORG_ADMIN users can call this with any identity ID value. * ORG_ADMIN users can also fetch all the approvals in the org when owner-id is not used. * Non-ORG_ADMIN users can only specify *me* or pass their own identity ID value. example: 2c91808568c529c60168cca6f90c1313 required: false - in: query name: from-date schema: type: string description: From date is the date and time from which the results will be shown. It should be in a valid ISO-8601 format. example: 'from-date=2020-03-19T19:59:11Z' required: false responses: '200': description: 'Number of pending, approved, rejected access request approvals.' content: application/json: schema: type: object properties: pending: type: integer description: The number of pending access request approvals.
format: int32 example: 0 approved: type: integer description: The number of approved access requests approvals. format: int32 example: 0 rejected: type: integer description: The number of rejected access requests approvals. format: int32 example: 0 '400': description: Client Error - Returned if the query parameter is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). 
Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. /accounts: get: operationId: listAccounts tags: - Accounts summary: Accounts List description: |- This returns a list of accounts. A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts:read' parameters: - in: query name: limit description: |- Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. 
required: false example: 250 schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: true schema: type: boolean default: false - in: query name: filters schema: type: string example: identityId eq "2c9180858082150f0180893dbaf44201" description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **identityId**: *eq* **name**: *eq, in* **nativeIdentity**: *eq, in* **sourceId**: *eq, in* **uncorrelated**: *eq* required: false responses: '200': description: List of account objects content: application/json: schema: type: array items: allOf: - type: object required: - name properties: id: description: System-generated unique ID of the Object type: string example: id12345 readOnly: true name: description: Name of the Object type: string example: aName created: description: Creation date of the Object type: string example: '2015-05-28T14:07:17Z' format: date-time readOnly: true modified: description: Last 
modification date of the Object type: string example: '2015-05-28T14:07:17Z' format: date-time readOnly: true - type: object required: - sourceId - sourceName - attributes - authoritative - disabled - locked - nativeIdentity - systemAccount - uncorrelated - manuallyCorrelated - hasEntitlements properties: sourceId: type: string example: 2c9180835d2e5168015d32f890ca1581 description: The unique ID of the source this account belongs to sourceName: type: string example: Employees description: The display name of the source this account belongs to identityId: type: string example: 2c9180835d2e5168015d32f890ca1581 description: The unique ID of the identity this account is correlated to attributes: type: object additionalProperties: true description: The account attributes that are aggregated example: firstName: SailPoint lastName: Support displayName: SailPoint Support authoritative: type: boolean description: Indicates if this account is from an authoritative source example: false description: type: string description: A description of the account nullable: true example: null disabled: type: boolean description: Indicates if the account is currently disabled example: false locked: type: boolean description: Indicates if the account is currently locked example: false nativeIdentity: type: string description: The unique ID of the account generated by the source system example: '552775' systemAccount: type: boolean example: false description: 'If true, this is a user account within IdentityNow. If false, this is an account from a source system.' 
uncorrelated: type: boolean description: Indicates if this account is not correlated to an identity example: false uuid: type: string description: The unique ID of the account as determined by the account schema example: slpt.support nullable: true manuallyCorrelated: type: boolean description: Indicates if the account has been manually correlated to an identity example: false hasEntitlements: type: boolean description: Indicates if the account has entitlements example: true '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. post: operationId: createAccount tags: - Accounts summary: Create Account description: |- This API submits an account creation task and returns the task ID. 
A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts:manage' requestBody: required: true content: application/json: schema: type: object required: - attributes properties: attributes: description: The schema attribute values for the account type: object required: - sourceId properties: sourceId: type: string description: Target source to create an account example: 34bfcbe116c9407464af37acbaf7a4dc additionalProperties: type: string example: sourceId: 34bfcbe116c9407464af37acbaf7a4dc city: Austin displayName: John Doe userName: jdoe sAMAccountName: jDoe mail: john.doe@sailpoint.com responses: '202': description: Async task details content: application/json: schema: description: Accounts async response containing details on started async process required: - id type: object properties: id: description: id of the task type: string example: 2c91808474683da6017468693c260195 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. 
content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/accounts/{id}': get: operationId: getAccount tags: - Accounts summary: Account Details description: |- This API returns the details for a single account based on the ID. A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts:read' parameters: - in: path name: id schema: type: string required: true description: The account ID example: ef38f94347e94562b5bb8424a56397d8 responses: '200': description: An account object content: application/json: schema: allOf: - type: object required: - name properties: id: description: System-generated unique ID of the Object type: string example: id12345 readOnly: true name: description: Name of the Object type: string example: aName created: description: Creation date of the Object type: string example: '2015-05-28T14:07:17Z' format: date-time readOnly: true modified: description: Last modification date of the Object type: string example: '2015-05-28T14:07:17Z' format: date-time readOnly: true - type: object required: - sourceId - sourceName - attributes - authoritative - disabled - locked - nativeIdentity - systemAccount - uncorrelated - manuallyCorrelated - hasEntitlements properties: sourceId: type: string example: 2c9180835d2e5168015d32f890ca1581 description: The unique ID of the source this account belongs to sourceName: type: string example: Employees description: The display name of the source this account belongs to identityId: type: string example: 2c9180835d2e5168015d32f890ca1581 description: The unique ID of the identity this account is correlated to attributes: type: object additionalProperties: true description: The account attributes that are aggregated example: firstName: SailPoint lastName: Support displayName: SailPoint Support authoritative: 
type: boolean description: Indicates if this account is from an authoritative source example: false description: type: string description: A description of the account nullable: true example: null disabled: type: boolean description: Indicates if the account is currently disabled example: false locked: type: boolean description: Indicates if the account is currently locked example: false nativeIdentity: type: string description: The unique ID of the account generated by the source system example: '552775' systemAccount: type: boolean example: false description: 'If true, this is a user account within IdentityNow. If false, this is an account from a source system.' uncorrelated: type: boolean description: Indicates if this account is not correlated to an identity example: false uuid: type: string description: The unique ID of the account as determined by the account schema example: slpt.support nullable: true manuallyCorrelated: type: boolean description: Indicates if the account has been manually correlated to an identity example: false hasEntitlements: type: boolean description: Indicates if the account has entitlements example: true '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. 
'404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. patch: operationId: updateAccount tags: - Accounts summary: Update Account description: |- Use this API to modify the following fields: * `identityId` * `manuallyCorrelated` >**NOTE: All other fields cannot be modified.** The request must provide a JSONPatch payload. A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts:manage' parameters: - in: path name: id schema: type: string required: true description: The account ID example: ef38f94347e94562b5bb8424a56397d8 requestBody: required: true description: 'A list of account update operations according to the [JSON Patch](https://tools.ietf.org/html/rfc6902) standard.'
content: application/json-patch+json: schema: type: array items: type: object description: 'A JSONPatch Operation as defined by [RFC 6902 - JSON Patch](https://tools.ietf.org/html/rfc6902)' required: - op - path properties: op: type: string description: The operation to be performed enum: - add - remove - replace - move - copy - test example: replace path: type: string description: A string JSON Pointer representing the target path to an element to be affected by the operation example: /description value: anyOf: - type: string - type: integer - type: object - type: array items: anyOf: - type: string - type: integer - type: object description: 'The value to be used for the operation, required for "add" and "replace" operations' example: New description example: - op: replace path: /identityId value: 2c9180845d1edece015d27a975983e21 responses: '202': description: Accepted. Update request accepted and is in progress. content: application/json: schema: type: object '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. 
'429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. put: operationId: putAccount tags: - Accounts summary: Update Account description: |- This API submits an account update task and returns the task ID. A token with ORG_ADMIN authority is required to call this API. >**NOTE: The PUT Account API is designated only for Delimited File sources.** security: - oauth2: - 'idn:accounts:manage' parameters: - in: path name: id schema: type: string required: true description: The account ID example: ef38f94347e94562b5bb8424a56397d8 requestBody: required: true content: application/json: schema: type: object required: - attributes properties: attributes: description: The schema attribute values for the account type: object additionalProperties: true example: city: Austin displayName: John Doe userName: jdoe sAMAccountName: jDoe mail: john.doe@sailpoint.com responses: '202': description: Async task details content: application/json: schema: description: Accounts async response containing details on started async process required: - id type: object properties: id: description: id of the task type: string example: 2c91808474683da6017468693c260195 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' 
content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. delete: operationId: deleteAccount tags: - Accounts summary: Delete Account description: |- This API submits an account delete task and returns the task ID. This operation can only be used on Flat File Sources. Any attempt to execute this request on a source of any other type will result in an error response with a status code of 400. A token with ORG_ADMIN authority is required to call this API. 
security: - oauth2: - 'idn:accounts:manage' parameters: - in: path name: id schema: type: string required: true description: The account ID example: ef38f94347e94562b5bb8424a56397d8 responses: '202': description: Async task details content: application/json: schema: description: Accounts async response containing details on started async process required: - id type: object properties: id: description: id of the task type: string example: 2c91808474683da6017468693c260195 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. 
*DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). 
Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
'/accounts/{id}/entitlements': get: operationId: getAccountEntitlements tags: - Accounts summary: Account Entitlements description: |- This API returns entitlements of the account. A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts:read' parameters: - in: query name: limit description: |- Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 250 schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. 
required: false example: true schema: type: boolean default: false - in: path name: id schema: type: string required: true description: The account id example: ef38f94347e94562b5bb8424a56397d8 responses: '200': description: An array of account entitlements content: application/json: schema: type: array items: allOf: - type: object required: - name properties: id: description: System-generated unique ID of the Object type: string example: id12345 readOnly: true name: description: Name of the Object type: string example: aName created: description: Creation date of the Object type: string example: '2015-05-28T14:07:17Z' format: date-time readOnly: true modified: description: Last modification date of the Object type: string example: '2015-05-28T14:07:17Z' format: date-time readOnly: true - type: object description: Entitlement object that represents entitlement properties: attribute: description: Name of the entitlement attribute type: string example: authorizationType value: description: Raw value of the entitlement type: string example: 'CN=Users,dc=sailpoint,dc=com' description: description: Entitlement description type: string example: Active Directory DC attributes: description: Entitlement attributes type: object additionalProperties: true example: GroupType: Security sAMAccountName: Buyer sourceSchemaObjectType: description: Schema objectType on the given application that maps to an Account Group type: string example: group privileged: description: Determines if this Entitlement is privileged. type: boolean example: false cloudGoverned: description: Determines if this Entitlement is governed in the cloud. type: boolean example: false source: description: Reference to the source this entitlement belongs to. 
example: - type: SOURCE id: 2c9180835d191a86015d28455b4b232a name: HR Active Directory type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. 
'429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/accounts/{id}/reload': post: operationId: reloadAccount tags: - Accounts summary: Reload Account description: |- This API asynchronously reloads the account directly from the connector and performs a one-time aggregation process. A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts-state:manage' parameters: - in: path name: id schema: type: string required: true description: The account id example: ef38f94347e94562b5bb8424a56397d8 responses: '202': description: Async task details content: application/json: schema: description: Accounts async response containing details on started async process required: - id type: object properties: id: description: id of the task type: string example: 2c91808474683da6017468693c260195 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. 
'404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/accounts/{id}/enable': post: operationId: enableAccount tags: - Accounts summary: Enable Account description: |- This API submits a task to enable account and returns the task ID. A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts-state:manage' parameters: - in: path name: id schema: type: string required: true description: The account id example: ef38f94347e94562b5bb8424a56397d8 requestBody: required: true content: application/json: schema: description: Request used for account enable/disable type: object properties: externalVerificationId: description: 'If set, an external process validates that the user wants to proceed with this request.' type: string example: 3f9180835d2e5168015d32f890ca1581 forceProvisioning: description: 'If set, provisioning updates the account attribute at the source. This option is used when the account is not synced to ensure the attribute is updated. 
Providing ''true'' for an unlocked account will add and process ''Unlock'' operation by the workflow.' type: boolean example: false responses: '202': description: Async task details content: application/json: schema: description: Accounts async response containing details on started async process required: - id type: object properties: id: description: id of the task type: string example: 2c91808474683da6017468693c260195 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). 
Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
'/accounts/{id}/disable': post: operationId: disableAccount tags: - Accounts summary: Disable Account description: |- This API submits a task to disable the account and returns the task ID. A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts-state:manage' parameters: - in: path name: id schema: type: string required: true description: The account id example: ef38f94347e94562b5bb8424a56397d8 requestBody: required: true content: application/json: schema: description: Request used for account enable/disable type: object properties: externalVerificationId: description: 'If set, an external process validates that the user wants to proceed with this request.' type: string example: 3f9180835d2e5168015d32f890ca1581 forceProvisioning: description: 'If set, provisioning updates the account attribute at the source. This option is used when the account is not synced to ensure the attribute is updated. Providing ''true'' for an unlocked account will add and process ''Unlock'' operation by the workflow.' type: boolean example: false responses: '202': description: Async task details content: application/json: schema: description: Accounts async response containing details on started async process required: - id type: object properties: id: description: id of the task type: string example: 2c91808474683da6017468693c260195 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. 
'404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/accounts/{id}/unlock': post: operationId: unlockAccount tags: - Accounts summary: Unlock Account description: |- This API submits a task to unlock an account and returns the task ID. A token with ORG_ADMIN authority is required to call this API. security: - oauth2: - 'idn:accounts-state:manage' parameters: - in: path name: id schema: type: string required: true description: The account id example: ef38f94347e94562b5bb8424a56397d8 requestBody: required: true content: application/json: schema: description: Request used for account unlock type: object properties: externalVerificationId: description: 'If set, an external process validates that the user wants to proceed with this request.' type: string example: 3f9180835d2e5168015d32f890ca1581 unlockIDNAccount: description: 'If set, the IDN account is unlocked after the workflow completes.' 
type: boolean example: false forceProvisioning: description: 'If set, provisioning updates the account attribute at the source. This option is used when the account is not synced to ensure the attribute is updated.' type: boolean example: false responses: '202': description: Async task details content: application/json: schema: description: Accounts async response containing details on started async process required: - id type: object properties: id: description: id of the task type: string example: 2c91808474683da6017468693c260195 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. 
content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. /account-activities: get: operationId: listAccountActivities tags: - Account Activities summary: List Account Activities description: This gets a collection of account activities that satisfy the given query parameters. parameters: - in: query name: requested-for schema: type: string description: The identity that the activity was requested for. *me* indicates the current user. Mutually exclusive with *regarding-identity*. required: false example: 2c91808568c529c60168cca6f90c1313 - in: query name: requested-by schema: type: string description: The identity that requested the activity. *me* indicates the current user. Mutually exclusive with *regarding-identity*. required: false example: 2c91808568c529c60168cca6f90c1313 - in: query name: regarding-identity schema: type: string description: The specified identity will be either the requester or target of the account activity. *me* indicates the current user. Mutually exclusive with *requested-for* and *requested-by*. required: false example: 2c91808568c529c60168cca6f90c1313 - in: query name: limit description: |- Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 250 schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. 
required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: true schema: type: boolean default: false - in: query name: filters schema: type: string description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results). Filtering is supported for the following fields and operators: **type**: *eq, in* (See the `type` property in the response schema for possible values) **created**: *gt, lt, ge, le* **modified**: *gt, lt, ge, le* example: type eq "Identity Refresh" required: false - in: query name: sorters schema: type: string format: comma-separated description: |- Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **type, created, modified** example: created required: false responses: '200': description: List of account activities content: application/json: schema: type: array items: type: object properties: id: type: string description: Id of the account activity example: 2c9180835d2e5168015d32f890ca1581 name: type: string description: The name of the activity example: 2c9180835d2e5168015d32f890ca1581 created: description: When the activity was first created type: string format: date-time example: '2017-07-11T18:45:37.098Z' modified: description: When the 
activity was last modified type: string format: date-time example: '2018-06-25T20:22:28.104Z' nullable: true completed: description: When the activity was completed type: string format: date-time nullable: true example: '2018-10-19T13:49:37.385Z' completionStatus: nullable: true type: string description: The status after completion. enum: - SUCCESS - FAILURE - INCOMPLETE - PENDING example: SUCCESS type: nullable: true type: string example: appRequest description: | The type of action the activity performed. Please see the following list of types. This list may grow over time. - CloudAutomated - IdentityAttributeUpdate - appRequest - LifecycleStateChange - AccountStateUpdate - AccountAttributeUpdate - CloudPasswordRequest - Attribute Synchronization Refresh - Certification - Identity Refresh - Lifecycle Change Refresh [Learn more here](https://documentation.sailpoint.com/saas/help/search/searchable-fields.html#searching-account-activity-data). requesterIdentitySummary: type: object nullable: true properties: id: type: string description: ID of this identity summary example: ff80818155fe8c080155fe8d925b0316 name: type: string description: Human-readable display name of identity example: SailPoint Services identityId: type: string description: ID of the identity that this summary represents example: c15b9f5cca5a4e9599eaa0e64fa921bd completed: type: boolean description: Indicates if all access items for this summary have been decided on example: true targetIdentitySummary: type: object nullable: true properties: id: type: string description: ID of this identity summary example: ff80818155fe8c080155fe8d925b0316 name: type: string description: Human-readable display name of identity example: SailPoint Services identityId: type: string description: ID of the identity that this summary represents example: c15b9f5cca5a4e9599eaa0e64fa921bd completed: type: boolean description: Indicates if all access items for this summary have been decided on example: true errors: nullable: 
true description: 'A list of error messages, if any, that were encountered.' type: array items: type: string example: - 'sailpoint.connector.ConnectorException: java.lang.InterruptedException: Timeout waiting for response to message 0 from client 57a4ab97-ab3f-4aef-9fe2-0eaf15c73d26 after 60 seconds.' warnings: nullable: true description: 'A list of warning messages, if any, that were encountered.' type: array items: type: string example: - 'Some warning, another warning' items: type: array description: Individual actions performed as part of this account activity items: type: object properties: id: type: string description: Item id example: 48c545831b264409a81befcabb0e3c5a name: type: string description: Human-readable display name of item example: 48c545831b264409a81befcabb0e3c5a requested: type: string format: date-time description: Date and time item was requested example: '2017-07-11T18:45:37.098Z' approvalStatus: nullable: true type: string enum: - FINISHED - REJECTED - RETURNED - EXPIRED - PENDING - CANCELED example: FINISHED description: The state of a work item provisioningStatus: type: string enum: - PENDING - FINISHED - UNVERIFIABLE - COMMITED - FAILED - RETRY description: Provisioning state of an account activity item example: PENDING requesterComment: type: object nullable: true properties: commenterId: type: string description: Id of the identity making the comment example: 2c918084660f45d6016617daa9210584 commenterName: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy body: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat. 
date: type: string format: date-time description: Date and time comment was made example: '2017-07-11T18:45:37.098Z' reviewerIdentitySummary: type: object nullable: true properties: id: type: string description: ID of this identity summary example: ff80818155fe8c080155fe8d925b0316 name: type: string description: Human-readable display name of identity example: SailPoint Services identityId: type: string description: ID of the identity that this summary represents example: c15b9f5cca5a4e9599eaa0e64fa921bd completed: type: boolean description: Indicates if all access items for this summary have been decided on example: true reviewerComment: type: object nullable: true properties: commenterId: type: string description: Id of the identity making the comment example: 2c918084660f45d6016617daa9210584 commenterName: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy body: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat. 
date: type: string format: date-time description: Date and time comment was made example: '2017-07-11T18:45:37.098Z' operation: nullable: true type: string enum: - ADD - CREATE - MODIFY - DELETE - DISABLE - ENABLE - UNLOCK - LOCK - REMOVE description: Represents an operation in an account activity item example: ADD attribute: type: string description: Attribute to which account activity applies nullable: true example: detectedRoles value: type: string description: Value of attribute nullable: true example: 'Treasury Analyst [AccessProfile-1529010191212]' nativeIdentity: nullable: true type: string description: Native identity in the target system to which the account activity applies example: Sandie.Camero sourceId: type: string description: Id of Source to which account activity applies example: 2c91808363ef85290164000587130c0c accountRequestInfo: type: object nullable: true properties: requestedObjectId: type: string description: Id of requested object example: 2c91808563ef85690164001c31140c0c requestedObjectName: type: string description: Human-readable name of requested object example: Treasury Analyst requestedObjectType: type: string enum: - ACCESS_PROFILE - ROLE - ENTITLEMENT description: Enum representing the currently supported requestable object types. Additional values may be added in the future without notice. example: ACCESS_PROFILE description: 'If an account activity item is associated with an access request, captures details of that request.' clientMetadata: nullable: true type: object additionalProperties: type: string description: 'Arbitrary key-value pairs, if any were included in the corresponding access request item' example: customKey1: custom value 1 customKey2: custom value 2 removeDate: nullable: true type: string description: The date the role or access profile is no longer assigned to the specified identity. format: date-time example: '2020-07-11T00:00:00Z' executionStatus: type: string description: The current state of execution.
enum: - EXECUTING - VERIFYING - TERMINATED - COMPLETED example: COMPLETED clientMetadata: nullable: true type: object additionalProperties: type: string description: 'Arbitrary key-value pairs, if any were included in the corresponding access request' example: customKey1: custom value 1 customKey2: custom value 2 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
'/account-activities/{id}': get: operationId: getAccountActivity tags: - Account Activities summary: Get an Account Activity description: This gets a single account activity by its id. parameters: - in: path name: id schema: type: string required: true description: The account activity id example: ef38f94347e94562b5bb8424a56397d8 responses: '200': description: An account activity object content: application/json: schema: type: object properties: id: type: string description: Id of the account activity example: 2c9180835d2e5168015d32f890ca1581 name: type: string description: The name of the activity example: 2c9180835d2e5168015d32f890ca1581 created: description: When the activity was first created type: string format: date-time example: '2017-07-11T18:45:37.098Z' modified: description: When the activity was last modified type: string format: date-time example: '2018-06-25T20:22:28.104Z' nullable: true completed: description: When the activity was completed type: string format: date-time nullable: true example: '2018-10-19T13:49:37.385Z' completionStatus: nullable: true type: string description: The status after completion. enum: - SUCCESS - FAILURE - INCOMPLETE - PENDING example: SUCCESS type: nullable: true type: string example: appRequest description: | The type of action the activity performed. Please see the following list of types. This list may grow over time. - CloudAutomated - IdentityAttributeUpdate - appRequest - LifecycleStateChange - AccountStateUpdate - AccountAttributeUpdate - CloudPasswordRequest - Attribute Synchronization Refresh - Certification - Identity Refresh - Lifecycle Change Refresh [Learn more here](https://documentation.sailpoint.com/saas/help/search/searchable-fields.html#searching-account-activity-data). 
requesterIdentitySummary: type: object nullable: true properties: id: type: string description: ID of this identity summary example: ff80818155fe8c080155fe8d925b0316 name: type: string description: Human-readable display name of identity example: SailPoint Services identityId: type: string description: ID of the identity that this summary represents example: c15b9f5cca5a4e9599eaa0e64fa921bd completed: type: boolean description: Indicates if all access items for this summary have been decided on example: true targetIdentitySummary: type: object nullable: true properties: id: type: string description: ID of this identity summary example: ff80818155fe8c080155fe8d925b0316 name: type: string description: Human-readable display name of identity example: SailPoint Services identityId: type: string description: ID of the identity that this summary represents example: c15b9f5cca5a4e9599eaa0e64fa921bd completed: type: boolean description: Indicates if all access items for this summary have been decided on example: true errors: nullable: true description: 'A list of error messages, if any, that were encountered.' type: array items: type: string example: - 'sailpoint.connector.ConnectorException: java.lang.InterruptedException: Timeout waiting for response to message 0 from client 57a4ab97-ab3f-4aef-9fe2-0eaf15c73d26 after 60 seconds.' warnings: nullable: true description: 'A list of warning messages, if any, that were encountered.' 
type: array items: type: string example: - 'Some warning, another warning' items: type: array description: Individual actions performed as part of this account activity items: type: object properties: id: type: string description: Item id example: 48c545831b264409a81befcabb0e3c5a name: type: string description: Human-readable display name of item example: 48c545831b264409a81befcabb0e3c5a requested: type: string format: date-time description: Date and time item was requested example: '2017-07-11T18:45:37.098Z' approvalStatus: nullable: true type: string enum: - FINISHED - REJECTED - RETURNED - EXPIRED - PENDING - CANCELED example: FINISHED description: The state of a work item provisioningStatus: type: string enum: - PENDING - FINISHED - UNVERIFIABLE - COMMITED - FAILED - RETRY description: Provisioning state of an account activity item example: PENDING requesterComment: type: object nullable: true properties: commenterId: type: string description: Id of the identity making the comment example: 2c918084660f45d6016617daa9210584 commenterName: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy body: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat. 
date: type: string format: date-time description: Date and time comment was made example: '2017-07-11T18:45:37.098Z' reviewerIdentitySummary: type: object nullable: true properties: id: type: string description: ID of this identity summary example: ff80818155fe8c080155fe8d925b0316 name: type: string description: Human-readable display name of identity example: SailPoint Services identityId: type: string description: ID of the identity that this summary represents example: c15b9f5cca5a4e9599eaa0e64fa921bd completed: type: boolean description: Indicates if all access items for this summary have been decided on example: true reviewerComment: type: object nullable: true properties: commenterId: type: string description: Id of the identity making the comment example: 2c918084660f45d6016617daa9210584 commenterName: type: string description: Human-readable display name of the identity making the comment example: Adam Kennedy body: type: string description: Content of the comment example: Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat. 
date: type: string format: date-time description: Date and time comment was made example: '2017-07-11T18:45:37.098Z' operation: nullable: true type: string enum: - ADD - CREATE - MODIFY - DELETE - DISABLE - ENABLE - UNLOCK - LOCK - REMOVE description: Represents an operation in an account activity item example: ADD attribute: type: string description: Attribute to which account activity applies nullable: true example: detectedRoles value: type: string description: Value of attribute nullable: true example: 'Treasury Analyst [AccessProfile-1529010191212]' nativeIdentity: nullable: true type: string description: Native identity in the target system to which the account activity applies example: Sandie.Camero sourceId: type: string description: Id of Source to which account activity applies example: 2c91808363ef85290164000587130c0c accountRequestInfo: type: object nullable: true properties: requestedObjectId: type: string description: Id of requested object example: 2c91808563ef85690164001c31140c0c requestedObjectName: type: string description: Human-readable name of requested object example: Treasury Analyst requestedObjectType: type: string enum: - ACCESS_PROFILE - ROLE - ENTITLEMENT description: Enum representing the currently supported requestable object types. Additional values may be added in the future without notice. example: ACCESS_PROFILE description: 'If an account activity item is associated with an access request, captures details of that request.' clientMetadata: nullable: true type: object additionalProperties: type: string description: 'Arbitrary key-value pairs, if any were included in the corresponding access request item' example: customKey1: custom value 1 customKey2: custom value 2 removeDate: nullable: true type: string description: The date the role or access profile is no longer assigned to the specified identity. format: date-time example: '2020-07-11T00:00:00Z' executionStatus: type: string description: The current state of execution.
enum: - EXECUTING - VERIFYING - TERMINATED - COMPLETED example: COMPLETED clientMetadata: nullable: true type: object additionalProperties: type: string description: 'Arbitrary key-value pairs, if any were included in the corresponding access request' example: customKey1: custom value 1 customKey2: custom value 2 '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). 
Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. 
/campaigns: post: operationId: createCampaign tags: - Certification Campaigns summary: Create a campaign description: Creates a new Certification Campaign with the information provided in the request body. security: - oauth2: - 'idn:campaign:create' requestBody: required: true content: application/json: schema: type: object title: Campaign allOf: - type: object title: Slim Campaign required: - name - description - type properties: id: type: string readOnly: true description: Id of the campaign example: 2c9079b270a266a60170a2779fcb0007 name: description: 'The campaign name. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.' type: string example: Manager Campaign description: type: string description: 'The campaign description. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.' example: Everyone needs to be reviewed by their manager deadline: type: string format: date-time description: The campaign's completion deadline. example: '2020-03-15T10:00:01.456Z' type: type: string description: The type of campaign. Could be extended in the future. enum: - MANAGER - SOURCE_OWNER - SEARCH - ROLE_COMPOSITION example: MANAGER emailNotificationEnabled: type: boolean description: Enables email notification for this campaign default: false example: false autoRevokeAllowed: type: boolean description: Allows auto revoke for this campaign default: false example: false recommendationsEnabled: type: boolean description: Enables IAI for this campaign. Accepts true even if the IAI product feature is off. If IAI is turned off then campaigns generated from this template will indicate false. The real value will then be returned if IAI is ever enabled for the org in the future. default: false example: true status: type: string description: The campaign's current status. 
readOnly: true enum: - PENDING - STAGED - CANCELING - ACTIVATING - ACTIVE - COMPLETING - COMPLETED - ERROR - ARCHIVED example: ACTIVE correlatedStatus: type: string description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source). enum: - CORRELATED - UNCORRELATED example: CORRELATED - type: object properties: created: type: string readOnly: true format: date-time description: Created time of the campaign example: '2020-03-03T22:15:13.611Z' modified: type: string readOnly: true format: date-time description: Modified time of the campaign example: '2020-03-03T22:20:12.674Z' correlatedStatus: description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source). enum: - CORRELATED - UNCORRELATED example: CORRELATED filter: type: object description: Determines which items will be included in this campaign. The default campaign filter is used if this field is left blank. properties: id: type: string description: The ID of whatever type of filter is being used. example: 0fbe863c063c4c88a35fd7f17e8a3df5 type: type: string description: Type of the filter enum: - CAMPAIGN_FILTER - RULE example: CAMPAIGN_FILTER name: type: string description: Name of the filter example: Test Filter sunsetCommentsRequired: type: boolean description: Determines if comments on sunset date changes are required. default: true example: true sourceOwnerCampaignInfo: type: object description: Must be set only if the campaign type is SOURCE_OWNER. properties: sourceIds: type: array description: The list of sources to be included in the campaign. 
items: type: string example: - 0fbe863c063c4c88a35fd7f17e8a3df5 searchCampaignInfo: type: object description: Must be set only if the campaign type is SEARCH. properties: type: type: string description: The type of search campaign represented. enum: - IDENTITY - ACCESS example: ACCESS description: type: string description: 'Describes this search campaign. Intended for storing the query used, and possibly the number of identities selected/available.' example: Search Campaign description reviewer: description: 'If specified, this identity or governance group will be the reviewer for all certifications in this campaign. The allowed DTO types are IDENTITY and GOVERNANCE_GROUP' allOf: - type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson - type: object query: type: string description: The scope for the campaign. The campaign will cover identities returned by the query and identities that have access items returned by the query. One of `query` or `identityIds` must be set. example: Search Campaign query description identityIds: type: array description: A direct list of identities to include in this campaign. One of `identityIds` or `query` must be set. 
items: type: string maxItems: 1000 example: - 0fbe863c063c4c88a35fd7f17e8a3df5 accessConstraints: type: array description: Further reduces the scope of the campaign by excluding identities (from `query` or `identityIds`) that do not have this access. items: type: object properties: type: type: string enum: - ENTITLEMENT - ACCESS_PROFILE - ROLE description: Type of Access example: ENTITLEMENT ids: description: Must be set only if operator is SELECTED. type: array items: type: string example: - 2c90ad2a70ace7d50170acf22ca90010 operator: type: string enum: - ALL - SELECTED description: Used to determine whether the scope of the campaign should be reduced for selected ids or all. example: SELECTED required: - type - operator maxItems: 1000 required: - type roleCompositionCampaignInfo: type: object description: Optional configuration options for role composition campaigns. properties: reviewer: description: 'If specified, this identity or governance group will be the reviewer for all certifications in this campaign. The allowed DTO types are IDENTITY and GOVERNANCE_GROUP' allOf: - type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson - type: object roleIds: type: array description: 'Optional list of roles to include in this campaign. 
Only one of `roleIds` and `query` may be set; if neither are set, all roles are included.' items: type: string example: - 2c90ad2a70ace7d50170acf22ca90010 remediatorRef: type: object description: 'This determines who remediation tasks will be assigned to. Remediation tasks are created for each revoke decision on items in the campaign. The only legal remediator type is ''IDENTITY'', and the chosen identity must be a Role Admin or Org Admin.' properties: type: type: string enum: - IDENTITY description: Legal Remediator Type example: IDENTITY id: type: string description: The ID of the remediator. example: 2c90ad2a70ace7d50170acf22ca90010 name: type: string description: The name of the remediator. readOnly: true example: Role Admin required: - type - id query: type: string description: 'Optional search query to scope this campaign to a set of roles. Only one of `roleIds` and `query` may be set; if neither are set, all roles are included.' example: Search Query description: type: string description: 'Describes this role composition campaign. Intended for storing the query used, and possibly the number of roles selected/available.' example: Role Composition Description required: - remediatorRef alerts: type: array description: A list of errors and warnings that have accumulated. readOnly: true items: type: object properties: level: type: string enum: - ERROR - WARN - INFO description: Denotes the level of the message example: ERROR localizations: type: array items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. totalCertifications: type: integer description: The total number of certifications in this campaign. readOnly: true example: 100 completedCertifications: type: integer description: The number of completed certifications in this campaign. readOnly: true example: 10 sourcesWithOrphanEntitlements: type: array description: A list of sources in the campaign that contain "orphan entitlements" (entitlements without a corresponding Managed Attribute). An empty list indicates the campaign has no orphan entitlements. Null indicates there may be unknown orphan entitlements in the campaign (the campaign was created before this feature was implemented). readOnly: true items: type: object properties: id: type: string description: Id of the source example: 2c90ad2a70ace7d50170acf22ca90010 type: type: string enum: - SOURCE description: Type example: SOURCE name: type: string description: Name of the source example: Source with orphan entitlements examples: Manager: value: name: Manager Review description: A review of everyone's access by their manager. 
deadline: 2020-12-25T06:00:00.468Z type: MANAGER emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false filter: type: CAMPAIGN_FILTER id: 0c46fb26c6b20967a55517ee90d15b93 Search: value: name: Search Campaign description: Search Campaign deadline: 2020-12-25T06:00:00.468Z type: SEARCH emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false filter: type: CAMPAIGN_FILTER id: 0c46fb26c6b20967a55517ee90d15b93 searchCampaignInfo: type: ACCESS query: user Source Owner: value: name: Source Owner description: Source Owner Info deadline: 2020-12-25T06:00:00.468Z type: SOURCE_OWNER emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false filter: type: CAMPAIGN_FILTER id: 0c46fb26c6b20967a55517ee90d15b93 sourceOwnerCampaignInfo: sourceIds: - 612b31b1a0f04aaf83123bdb80e70db6 correlatedStatus: CORRELATED Role Composition: value: name: Role Composition Campaign description: A review done by a role owner. deadline: 2020-12-25T06:00:00.468Z type: ROLE_COMPOSITION emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false filter: type: CAMPAIGN_FILTER id: 0c46fb26c6b20967a55517ee90d15b93 roleCompositionCampaignInfo: remediatorRef: type: IDENTITY id: 7ec252acbd4245548bc25df22348cb75 name: SailPoint Support roleIds: - b15d609fc5c8434b865fe552315fda8f responses: '200': description: Indicates that the campaign requested was successfully created and returns its representation. content: application/json: schema: type: object title: Campaign allOf: - type: object title: Slim Campaign required: - name - description - type properties: id: type: string readOnly: true description: Id of the campaign example: 2c9079b270a266a60170a2779fcb0007 name: description: 'The campaign name. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.' 
type: string example: Manager Campaign description: type: string description: 'The campaign description. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.' example: Everyone needs to be reviewed by their manager deadline: type: string format: date-time description: The campaign's completion deadline. example: '2020-03-15T10:00:01.456Z' type: type: string description: The type of campaign. Could be extended in the future. enum: - MANAGER - SOURCE_OWNER - SEARCH - ROLE_COMPOSITION example: MANAGER emailNotificationEnabled: type: boolean description: Enables email notification for this campaign default: false example: false autoRevokeAllowed: type: boolean description: Allows auto revoke for this campaign default: false example: false recommendationsEnabled: type: boolean description: Enables IAI for this campaign. Accepts true even if the IAI product feature is off. If IAI is turned off then campaigns generated from this template will indicate false. The real value will then be returned if IAI is ever enabled for the org in the future. default: false example: true status: type: string description: The campaign's current status. readOnly: true enum: - PENDING - STAGED - CANCELING - ACTIVATING - ACTIVE - COMPLETING - COMPLETED - ERROR - ARCHIVED example: ACTIVE correlatedStatus: type: string description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source). 
enum: - CORRELATED - UNCORRELATED example: CORRELATED - type: object properties: created: type: string readOnly: true format: date-time description: Created time of the campaign example: '2020-03-03T22:15:13.611Z' modified: type: string readOnly: true format: date-time description: Modified time of the campaign example: '2020-03-03T22:20:12.674Z' correlatedStatus: description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source). enum: - CORRELATED - UNCORRELATED example: CORRELATED filter: type: object description: Determines which items will be included in this campaign. The default campaign filter is used if this field is left blank. properties: id: type: string description: The ID of whatever type of filter is being used. example: 0fbe863c063c4c88a35fd7f17e8a3df5 type: type: string description: Type of the filter enum: - CAMPAIGN_FILTER - RULE example: CAMPAIGN_FILTER name: type: string description: Name of the filter example: Test Filter sunsetCommentsRequired: type: boolean description: Determines if comments on sunset date changes are required. default: true example: true sourceOwnerCampaignInfo: type: object description: Must be set only if the campaign type is SOURCE_OWNER. properties: sourceIds: type: array description: The list of sources to be included in the campaign. items: type: string example: - 0fbe863c063c4c88a35fd7f17e8a3df5 searchCampaignInfo: type: object description: Must be set only if the campaign type is SEARCH. properties: type: type: string description: The type of search campaign represented. enum: - IDENTITY - ACCESS example: ACCESS description: type: string description: 'Describes this search campaign. Intended for storing the query used, and possibly the number of identities selected/available.' 
example: Search Campaign description reviewer: description: 'If specified, this identity or governance group will be the reviewer for all certifications in this campaign. The allowed DTO types are IDENTITY and GOVERNANCE_GROUP' allOf: - type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson - type: object query: type: string description: The scope for the campaign. The campaign will cover identities returned by the query and identities that have access items returned by the query. One of `query` or `identityIds` must be set. example: Search Campaign query description identityIds: type: array description: A direct list of identities to include in this campaign. One of `identityIds` or `query` must be set. items: type: string maxItems: 1000 example: - 0fbe863c063c4c88a35fd7f17e8a3df5 accessConstraints: type: array description: Further reduces the scope of the campaign by excluding identities (from `query` or `identityIds`) that do not have this access. items: type: object properties: type: type: string enum: - ENTITLEMENT - ACCESS_PROFILE - ROLE description: Type of Access example: ENTITLEMENT ids: description: Must be set only if operator is SELECTED. 
type: array items: type: string example: - 2c90ad2a70ace7d50170acf22ca90010 operator: type: string enum: - ALL - SELECTED description: Used to determine whether the scope of the campaign should be reduced for selected ids or all. example: SELECTED required: - type - operator maxItems: 1000 required: - type roleCompositionCampaignInfo: type: object description: Optional configuration options for role composition campaigns. properties: reviewer: description: 'If specified, this identity or governance group will be the reviewer for all certifications in this campaign. The allowed DTO types are IDENTITY and GOVERNANCE_GROUP' allOf: - type: object properties: type: description: DTO type type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: ID of the object to which this reference applies example: 2c91808568c529c60168cca6f90c1313 name: type: string description: Human-readable display name of the object to which this reference applies example: William Wilson - type: object roleIds: type: array description: 'Optional list of roles to include in this campaign. Only one of `roleIds` and `query` may be set; if neither are set, all roles are included.' items: type: string example: - 2c90ad2a70ace7d50170acf22ca90010 remediatorRef: type: object description: 'This determines who remediation tasks will be assigned to. Remediation tasks are created for each revoke decision on items in the campaign. The only legal remediator type is ''IDENTITY'', and the chosen identity must be a Role Admin or Org Admin.' 
properties: type: type: string enum: - IDENTITY description: Legal Remediator Type example: IDENTITY id: type: string description: The ID of the remediator. example: 2c90ad2a70ace7d50170acf22ca90010 name: type: string description: The name of the remediator. readOnly: true example: Role Admin required: - type - id query: type: string description: 'Optional search query to scope this campaign to a set of roles. Only one of `roleIds` and `query` may be set; if neither are set, all roles are included.' example: Search Query description: type: string description: 'Describes this role composition campaign. Intended for storing the query used, and possibly the number of roles selected/available.' example: Role Composition Description required: - remediatorRef alerts: type: array description: A list of errors and warnings that have accumulated. readOnly: true items: type: object properties: level: type: string enum: - ERROR - WARN - INFO description: Denotes the level of the message example: ERROR localizations: type: array items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. totalCertifications: type: integer description: The total number of certifications in this campaign. readOnly: true example: 100 completedCertifications: type: integer description: The number of completed certifications in this campaign. 
readOnly: true example: 10 sourcesWithOrphanEntitlements: type: array description: A list of sources in the campaign that contain "orphan entitlements" (entitlements without a corresponding Managed Attribute). An empty list indicates the campaign has no orphan entitlements. Null indicates there may be unknown orphan entitlements in the campaign (the campaign was created before this feature was implemented). readOnly: true items: type: object properties: id: type: string description: Id of the source example: 2c90ad2a70ace7d50170acf22ca90010 type: type: string enum: - SOURCE description: Type example: SOURCE name: type: string description: Name of the source example: Source with orphan entitlements examples: Manager: value: id: 5594f43b76804a6980ece5fdccf74be7 name: Manager Review description: A review of everyone's access by their manager. deadline: 2020-12-25T06:00:00.468Z type: MANAGER status: PENDING emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false created: 2022-08-02T20:21:18.421Z modified: null filter: type: CAMPAIGN_FILTER id: 0fbe863c063c4c88a35fd7f17e8a3df5 name: Test Manager Filter sunsetCommentsRequired: true sourceOwnerCampaignInfo: null searchCampaignInfo: null roleCompositionCampaignInfo: null alerts: null totalCertifications: 0 completedCertifications: 0 sourcesWithOrphanEntitlements: null Search: value: id: ec041831cb2147778b594feb9d8db44a name: Search Campaign description: Search Campaign deadline: 2020-12-25T06:00:00.468Z type: SEARCH status: PENDING emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false created: 2022-08-03T13:54:34.344Z modified: null filter: type: CAMPAIGN_FILTER id: 0fbe863c063c4c88a35fd7f17e8a3df5 name: Test Search Filter sunsetCommentsRequired: true sourceOwnerCampaignInfo: null searchCampaignInfo: type: ACCESS description: user reviewer: type: IDENTITY id: 7ec252acbd4245548bc25df22348cb75 name: null query: user identityIds: null accessConstraints: [] 
roleCompositionCampaignInfo: null alerts: null totalCertifications: 0 completedCertifications: 0 sourcesWithOrphanEntitlements: null Source Owner: value: id: fd7b76ba4ea042de8a9414aa12fc977a name: Source Owner description: Source Owner Info deadline: 2020-12-25T06:00:00.468Z type: SOURCE_OWNER status: PENDING emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false created: 2022-08-03T13:34:19.541Z modified: null filter: type: CAMPAIGN_FILTER id: 0fbe863c063c4c88a35fd7f17e8a3df5 name: Test Source Owner Filter sunsetCommentsRequired: true sourceOwnerCampaignInfo: null sourceIds: - 612b31b1a0f04aaf83123bdb80e70db6 searchCampaignInfo: null roleCompositionCampaignInfo: null alerts: null totalCertifications: 0 completedCertifications: 0 sourcesWithOrphanEntitlements: null correlatedStatus: CORRELATED Role Composition: value: id: 3b2e2e5821e84127b6d693d41c40623b name: Role Composition Campaign description: A review done by a role owner. deadline: 2020-12-25T06:00:00.468Z type: ROLE_COMPOSITION status: PENDING emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false created: 2022-08-02T20:30:46.083Z modified: null filter: type: CAMPAIGN_FILTER id: 0fbe863c063c4c88a35fd7f17e8a3df5 name: Test Role Composition Filter sunsetCommentsRequired: true sourceOwnerCampaignInfo: null searchCampaignInfo: null roleCompositionCampaignInfo: remediatorRef: type: IDENTITY id: 7ec252acbd4245548bc25df22348cb75 name: SailPoint Support reviewerId: null reviewer: null roleIds: - b15d609fc5c8434b865fe552315fda8f query: null description: null alerts: null totalCertifications: 0 completedCertifications: 0 sourcesWithOrphanEntitlements: null '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' 
content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/campaigns/{id}': get: operationId: getCampaign tags: - Certification Campaigns summary: Get a campaign description: 'Retrieves information for an existing campaign using the campaign''s ID. Authorized callers must be a reviewer for this campaign, an ORG_ADMIN, or a CERT_ADMIN.' security: - oauth2: [] parameters: - in: path name: id schema: type: string required: true description: The ID of the campaign to be retrieved example: 2c91808571bcfcf80171c23e4b4221fc responses: '200': description: A campaign object content: application/json: schema: type: object title: Slim Campaign required: - name - description - type properties: id: type: string readOnly: true description: Id of the campaign example: 2c9079b270a266a60170a2779fcb0007 name: description: 'The campaign name. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.' 
type: string example: Manager Campaign description: type: string description: 'The campaign description. If this object is part of a template, special formatting applies; see the `/campaign-templates/{id}/generate` endpoint documentation for details.' example: Everyone needs to be reviewed by their manager deadline: type: string format: date-time description: The campaign's completion deadline. example: '2020-03-15T10:00:01.456Z' type: type: string description: The type of campaign. Could be extended in the future. enum: - MANAGER - SOURCE_OWNER - SEARCH - ROLE_COMPOSITION example: MANAGER emailNotificationEnabled: type: boolean description: Enables email notification for this campaign default: false example: false autoRevokeAllowed: type: boolean description: Allows auto revoke for this campaign default: false example: false recommendationsEnabled: type: boolean description: Enables IAI for this campaign. Accepts true even if the IAI product feature is off. If IAI is turned off then campaigns generated from this template will indicate false. The real value will then be returned if IAI is ever enabled for the org in the future. default: false example: true status: type: string description: The campaign's current status. readOnly: true enum: - PENDING - STAGED - CANCELING - ACTIVATING - ACTIVE - COMPLETING - COMPLETED - ERROR - ARCHIVED example: ACTIVE correlatedStatus: type: string description: The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source). enum: - CORRELATED - UNCORRELATED example: CORRELATED examples: Manager: value: id: 2c918086719eec070171a7e3355a360a name: Manager Review description: A review of everyone's access by their manager. 
deadline: '2020-12-25T06:00:00.123Z' type: MANAGER status: ACTIVE emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false Search: value: id: 7e1a731e3fb845cfbe58112ba4673ee4 name: Search Campaign description: Search Campaign Info deadline: 2022-07-26T15:42:44.000Z type: SEARCH status: ACTIVE emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false Source Owner: value: id: 2c918086719eec070171a7e3355a412b name: AD Source Review description: A review of our AD source. deadline: '2020-12-25T06:00:00.123Z' type: SOURCE_OWNER status: STAGED emailNotificationEnabled: true autoRevokeAllowed: false recommendationsEnabled: false correlatedStatus: CORRELATED RoleComposition: value: id: 3b2e2e5821e84127b6d693d41c40623b name: Role Composition Campaign description: A review done by a role owner. deadline: 2020-12-25T06:00:00.468Z type: ROLE_COMPOSITION status: ACTIVE emailNotificationEnabled: false autoRevokeAllowed: false recommendationsEnabled: false '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. 
example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. 
'429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. /certifications: get: operationId: listIdentityCertifications tags: - Certifications summary: Identity Campaign Certifications by IDs description: 'This API returns a list of identity campaign certifications that satisfy the given query parameters. Any authenticated token can call this API, but only certifications you are authorized to review will be returned. This API does not support requests for certifications assigned to Governance Groups.' parameters: - in: query name: reviewer-identity schema: type: string example: me description: The ID of reviewer identity. *me* indicates the current user. required: false - in: query name: limit description: |- Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 250 schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. 
required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: true schema: type: boolean default: false - in: query name: filters required: false schema: type: string example: id eq "ef38f94347e94562b5bb8424a56397d8" description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **campaign.id**: *eq, in* **phase**: *eq* **completed**: *eq, ne* - in: query name: sorters required: false schema: type: string format: comma-separated example: 'name,due' description: |- Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **name, due, signed** responses: '200': description: List of identity campaign certifications content: application/json: schema: type: array items: type: object properties: id: example: 2c9180835d2e5168015d32f890ca1581 type: string description: id of the certification name: example: 'Source Owner Access Review for Employees [source]' type: string description: name of the certification campaign: type: object required: - id - name - type - campaignType - description properties: id: type: string description: The unique ID of the campaign. 
example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the campaign. example: Campaign Name type: type: string enum: - CAMPAIGN description: The type of object that is being referenced. example: CAMPAIGN campaignType: type: string enum: - MANAGER - SOURCE_OWNER - SEARCH description: The type of the campaign. example: MANAGER description: type: string description: The description of the campaign set by the admin who created it. nullable: true example: A description of the campaign completed: type: boolean description: Have all decisions been made? example: true identitiesCompleted: type: integer description: The number of identities for whom all decisions have been made and are complete. example: 5 format: int32 identitiesTotal: type: integer description: 'The total number of identities in the Certification, both complete and incomplete.' example: 10 format: int32 created: example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: created date modified: example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: modified date decisionsMade: type: integer description: The number of approve/revoke/acknowledge decisions that have been made. example: 20 format: int32 decisionsTotal: type: integer description: The total number of approve/revoke/acknowledge decisions. example: 40 format: int32 due: type: string format: date-time description: The due date of the certification. example: '2018-10-19T13:49:37.385Z' signed: type: string format: date-time nullable: true description: The date the reviewer signed off on the Certification. example: '2018-10-19T13:49:37.385Z' reviewer: type: object properties: id: type: string description: The id of the reviewer. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the reviewer. example: Reviewer Name email: type: string description: The email of the reviewing identity. 
example: reviewer@test.com type: type: string enum: - IDENTITY description: The type of the reviewing identity. example: IDENTITY created: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The created date of the reviewing identity. modified: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The modified date of the reviewing identity. reassignment: type: object nullable: true properties: from: type: object properties: id: type: string description: The id of the certification. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the certification. example: Certification Name type: type: string enum: - CERTIFICATION example: CERTIFICATION reviewer: type: object properties: id: type: string description: The id of the reviewer. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the reviewer. example: Reviewer Name email: type: string description: The email of the reviewing identity. example: reviewer@test.com type: type: string enum: - IDENTITY description: The type of the reviewing identity. example: IDENTITY created: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The created date of the reviewing identity. modified: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The modified date of the reviewing identity. comment: type: string description: The comment entered when the Certification was reassigned example: Reassigned for a reason hasErrors: description: Identifies if the certification has an error type: boolean example: false errorMessage: description: Description of the certification error nullable: true type: string example: The certification has an error phase: type: string description: | The current phase of the campaign. * `STAGED`: The campaign is waiting to be activated. * `ACTIVE`: The campaign is active. 
* `SIGNED`: The reviewer has signed off on the campaign, and it is considered complete. enum: - STAGED - ACTIVE - SIGNED example: ACTIVE '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. 
example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' 
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/certifications/{id}': get: operationId: getIdentityCertification tags: - Certifications summary: Identity Certification by ID description: This API returns a single identity campaign certification by its ID. A token with ORG_ADMIN or CERT_ADMIN authority is required to call this API. Reviewers for this certification can also call this API. This API does not support requests for certifications assigned to Governance Groups. 
parameters: - in: path name: id schema: type: string required: true description: The certification id example: ef38f94347e94562b5bb8424a56397d8 responses: '200': description: An identity campaign certification object content: application/json: schema: type: object properties: id: example: 2c9180835d2e5168015d32f890ca1581 type: string description: id of the certification name: example: 'Source Owner Access Review for Employees [source]' type: string description: name of the certification campaign: type: object required: - id - name - type - campaignType - description properties: id: type: string description: The unique ID of the campaign. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the campaign. example: Campaign Name type: type: string enum: - CAMPAIGN description: The type of object that is being referenced. example: CAMPAIGN campaignType: type: string enum: - MANAGER - SOURCE_OWNER - SEARCH description: The type of the campaign. example: MANAGER description: type: string description: The description of the campaign set by the admin who created it. nullable: true example: A description of the campaign completed: type: boolean description: Have all decisions been made? example: true identitiesCompleted: type: integer description: The number of identities for whom all decisions have been made and are complete. example: 5 format: int32 identitiesTotal: type: integer description: 'The total number of identities in the Certification, both complete and incomplete.' example: 10 format: int32 created: example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: created date modified: example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: modified date decisionsMade: type: integer description: The number of approve/revoke/acknowledge decisions that have been made. example: 20 format: int32 decisionsTotal: type: integer description: The total number of approve/revoke/acknowledge decisions. 
example: 40 format: int32 due: type: string format: date-time description: The due date of the certification. example: '2018-10-19T13:49:37.385Z' signed: type: string format: date-time nullable: true description: The date the reviewer signed off on the Certification. example: '2018-10-19T13:49:37.385Z' reviewer: type: object properties: id: type: string description: The id of the reviewer. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the reviewer. example: Reviewer Name email: type: string description: The email of the reviewing identity. example: reviewer@test.com type: type: string enum: - IDENTITY description: The type of the reviewing identity. example: IDENTITY created: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The created date of the reviewing identity. modified: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The modified date of the reviewing identity. reassignment: type: object nullable: true properties: from: type: object properties: id: type: string description: The id of the certification. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the certification. example: Certification Name type: type: string enum: - CERTIFICATION example: CERTIFICATION reviewer: type: object properties: id: type: string description: The id of the reviewer. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the reviewer. example: Reviewer Name email: type: string description: The email of the reviewing identity. example: reviewer@test.com type: type: string enum: - IDENTITY description: The type of the reviewing identity. example: IDENTITY created: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The created date of the reviewing identity. 
modified: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The modified date of the reviewing identity. comment: type: string description: The comment entered when the Certification was reassigned example: Reassigned for a reason hasErrors: description: Identifies if the certification has an error type: boolean example: false errorMessage: description: Description of the certification error nullable: true type: string example: The certification has an error phase: type: string description: | The current phase of the campaign. * `STAGED`: The campaign is waiting to be activated. * `ACTIVE`: The campaign is active. * `SIGNED`: The reviewer has signed off on the campaign, and it is considered complete. enum: - STAGED - ACTIVE - SIGNED example: ACTIVE '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as, doesn''t have access to this end-point.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. 
'429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/certifications/{id}/access-review-items': get: operationId: listIdentityAccessReviewItems tags: - Certifications summary: List of Access Review Items description: This API returns a list of access review items for an identity campaign certification. A token with ORG_ADMIN or CERT_ADMIN authority is required to call this API. Reviewers for this certification can also call this API. This API does not support requests for certifications assigned to Governance Groups. parameters: - in: path name: id schema: type: string required: true description: The identity campaign certification ID example: ef38f94347e94562b5bb8424a56397d8 - in: query name: limit description: |- Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: 250 schema: type: integer format: int32 minimum: 0 maximum: 250 default: 250 - in: query name: offset description: |- Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. 
required: false example: 0 schema: type: integer format: int32 minimum: 0 default: 0 - in: query name: count description: |- If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. required: false example: true schema: type: boolean default: false - in: query required: false name: filters schema: type: string description: |- Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **type / access.type**: *eq* **completed**: *eq, ne* **identitySummary.id**: *eq, in* **identitySummary.name**: *eq, sw* **access.id**: *eq, in* **access.name**: *eq, sw* **entitlement.sourceName**: *eq, sw* **accessProfile.sourceName**: *eq, sw* example: id eq "ef38f94347e94562b5bb8424a56397d8" - in: query name: sorters required: false schema: type: string format: comma-separated example: 'access.name,-accessProfile.sourceName' description: |- Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **identitySummary.name, access.name, access.type, entitlement.sourceName, accessProfile.sourceName** - in: query name: entitlements required: false schema: type: string example: identityEntitlement description: |- Filter results to view access review items that pertain to any of the specified comma-separated entitlement IDs. 
An error will occur if this param is used with **access-profiles** or **roles** as only one of these query params can be used at a time. - in: query name: access-profiles required: false schema: type: string example: accessProfile1 description: |- Filter results to view access review items that pertain to any of the specified comma-separated access-profile IDs. An error will occur if this param is used with **entitlements** or **roles** as only one of these query params can be used at a time. - in: query name: roles required: false schema: type: string example: userRole description: |- Filter results to view access review items that pertain to any of the specified comma-separated role IDs. An error will occur if this param is used with **entitlements** or **access-profiles** as only one of these query params can be used at a time. responses: '200': description: A list of access review items content: application/json: schema: type: array items: type: object properties: accessSummary: type: object description: An object holding the access that is being reviewed properties: access: type: object properties: type: description: The type of item being certified type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY example: IDENTITY id: type: string description: The ID of the item being certified example: 2c9180867160846801719932c5153fb7 name: type: string description: The name of the item being certified example: Entitlement for Company Database entitlement: type: object nullable: true properties: id: type: string description: The id for the entitlement example: 2c918085718230600171993742c63558 name: type:
string description: The name of the entitlement example: CN=entitlement.bbb7c650 description: nullable: true type: string description: Information about the entitlement example: Gives read/write access to the company database privileged: type: boolean example: false description: Indicates if the entitlement is a privileged entitlement owner: type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only example: Alison Ferguso email: type: string description: Email address of identity. This is read-only example: alison.ferguso@identitysoon.com attributeName: type: string description: The name of the attribute on the source example: memberOf attributeValue: type: string description: The value of the attribute on the source example: CN=entitlement.bbb7c650 sourceSchemaObjectType: type: string description: The schema object type on the source used to represent the entitlement and its attributes example: groups sourceName: type: string description: The name of the source for which this entitlement belongs example: ODS-AD-Source sourceType: type: string description: The type of the source for which the entitlement belongs example: Active Directory - Direct hasPermissions: type: boolean description: Indicates if the entitlement has permissions example: false isPermission: type: boolean description: Indicates if the entitlement is a representation of an account permission example: false revocable: type: boolean description: Indicates whether the entitlement can be revoked example: true cloudGoverned: type: boolean description: True if the entitlement is cloud governed example: false account: type: object nullable: true description: Information about the status of the entitlement properties: nativeIdentity: type: string 
description: The native identity for this account example: CN=Alison Ferguso disabled: type: boolean example: false description: Indicates whether this account is currently disabled locked: type: boolean example: false description: Indicates whether this account is currently locked type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the types of DTOs supported within the IdentityNow infrastructure. example: IDENTITY id: nullable: true type: string description: The id associated with the account example: 2c9180857182305e0171993737eb29e6 name: nullable: true type: string description: The account name example: Alison Ferguso created: nullable: true type: string format: date-time description: When the account was created example: '2020-04-20T20:11:05.067Z' modified: nullable: true type: string format: date-time description: When the account was last modified example: '2020-05-20T18:57:16.987Z' accessProfile: type: object properties: id: type: string description: The id of the Access Profile example: 2c91808a7190d06e01719938fcd20792 name: type: string description: Name of the Access Profile example: Employee-database-read-write description: type: string description: Information about the Access Profile example: Collection of entitlements to read/write the employee database privileged: type: boolean description: Indicates if the entitlement is a privileged entitlement example: false cloudGoverned: type: boolean description: True if the entitlement is cloud governed example: false endDate: nullable: true type: string format: date-time description: The date at which a 
user's access expires example: '2021-12-25T00:00:00.000Z' owner: description: Owner of the Access Profile type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only example: Alison Ferguso email: type: string description: Email address of identity. This is read-only example: alison.ferguso@identitysoon.com entitlements: type: array description: A list of entitlements associated with this Access Profile items: type: object nullable: true properties: id: type: string description: The id for the entitlement example: 2c918085718230600171993742c63558 name: type: string description: The name of the entitlement example: CN=entitlement.bbb7c650 description: nullable: true type: string description: Information about the entitlement example: Gives read/write access to the company database privileged: type: boolean example: false description: Indicates if the entitlement is a privileged entitlement owner: type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only example: Alison Ferguso email: type: string description: Email address of identity. 
This is read-only example: alison.ferguso@identitysoon.com attributeName: type: string description: The name of the attribute on the source example: memberOf attributeValue: type: string description: The value of the attribute on the source example: CN=entitlement.bbb7c650 sourceSchemaObjectType: type: string description: The schema object type on the source used to represent the entitlement and its attributes example: groups sourceName: type: string description: The name of the source for which this entitlement belongs example: ODS-AD-Source sourceType: type: string description: The type of the source for which the entitlement belongs example: Active Directory - Direct hasPermissions: type: boolean description: Indicates if the entitlement has permissions example: false isPermission: type: boolean description: Indicates if the entitlement is a representation of an account permission example: false revocable: type: boolean description: Indicates whether the entitlement can be revoked example: true cloudGoverned: type: boolean description: True if the entitlement is cloud governed example: false account: type: object nullable: true description: Information about the status of the entitlement properties: nativeIdentity: type: string description: The native identity for this account example: CN=Alison Ferguso disabled: type: boolean example: false description: Indicates whether this account is currently disabled locked: type: boolean example: false description: Indicates whether this account is currently locked type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the 
types of DTOs supported within the IdentityNow infrastructure. example: IDENTITY id: nullable: true type: string description: The id associated with the account example: 2c9180857182305e0171993737eb29e6 name: nullable: true type: string description: The account name example: Alison Ferguso created: nullable: true type: string format: date-time description: When the account was created example: '2020-04-20T20:11:05.067Z' modified: nullable: true type: string format: date-time description: When the account was last modified example: '2020-05-20T18:57:16.987Z' created: type: string description: Date the Access Profile was created. format: date-time example: '2021-01-01T22:32:58.104Z' modified: type: string description: Date the Access Profile was last modified. format: date-time example: '2021-02-01T22:32:58.104Z' role: type: object nullable: true properties: id: type: string description: The id for the Role example: 2c91808a7190d06e0171993907fd0794 name: type: string description: The name of the Role example: Accounting-Employees description: type: string description: Information about the Role example: Role for members of the accounting department with the necessary Access Profiles privileged: type: boolean description: Indicates if the entitlement is a privileged entitlement example: false owner: type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only example: Alison Ferguso email: type: string description: Email address of identity. This is read-only example: alison.ferguso@identitysoon.com revocable: type: boolean description: Indicates whether the Role can be revoked or requested example: false endDate: type: string format: date-time description: The date when a user's access expires. 
example: '2021-12-25T00:00:00.000Z' accessProfiles: type: array description: The list of Access Profiles associated with this Role items: type: object properties: id: type: string description: The id of the Access Profile example: 2c91808a7190d06e01719938fcd20792 name: type: string description: Name of the Access Profile example: Employee-database-read-write description: type: string description: Information about the Access Profile example: Collection of entitlements to read/write the employee database privileged: type: boolean description: Indicates if the entitlement is a privileged entitlement example: false cloudGoverned: type: boolean description: True if the entitlement is cloud governed example: false endDate: nullable: true type: string format: date-time description: The date at which a user's access expires example: '2021-12-25T00:00:00.000Z' owner: description: Owner of the Access Profile type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only example: Alison Ferguso email: type: string description: Email address of identity. 
This is read-only example: alison.ferguso@identitysoon.com entitlements: type: array description: A list of entitlements associated with this Access Profile items: type: object nullable: true properties: id: type: string description: The id for the entitlement example: 2c918085718230600171993742c63558 name: type: string description: The name of the entitlement example: CN=entitlement.bbb7c650 description: nullable: true type: string description: Information about the entitlement example: Gives read/write access to the company database privileged: type: boolean example: false description: Indicates if the entitlement is a privileged entitlement owner: type: object nullable: true properties: type: type: string description: The type can only be IDENTITY. This is read-only example: IDENTITY id: type: string description: Identity id. example: 5168015d32f890ca15812c9180835d2e name: type: string description: Human-readable display name of identity. This is read-only example: Alison Ferguso email: type: string description: Email address of identity. 
This is read-only example: alison.ferguso@identitysoon.com attributeName: type: string description: The name of the attribute on the source example: memberOf attributeValue: type: string description: The value of the attribute on the source example: CN=entitlement.bbb7c650 sourceSchemaObjectType: type: string description: The schema object type on the source used to represent the entitlement and its attributes example: groups sourceName: type: string description: The name of the source to which this entitlement belongs example: ODS-AD-Source sourceType: type: string description: The type of the source to which the entitlement belongs example: Active Directory - Direct hasPermissions: type: boolean description: Indicates if the entitlement has permissions example: false isPermission: type: boolean description: Indicates if the entitlement is a representation of an account permission example: false revocable: type: boolean description: Indicates whether the entitlement can be revoked example: true cloudGoverned: type: boolean description: True if the entitlement is cloud governed example: false account: type: object nullable: true description: Information about the status of the entitlement properties: nativeIdentity: type: string description: The native identity for this account example: CN=Alison Ferguso disabled: type: boolean example: false description: Indicates whether this account is currently disabled locked: type: boolean example: false description: Indicates whether this account is currently locked type: type: string enum: - ACCOUNT_CORRELATION_CONFIG - ACCESS_PROFILE - ACCESS_REQUEST_APPROVAL - ACCOUNT - APPLICATION - CAMPAIGN - CAMPAIGN_FILTER - CERTIFICATION - CLUSTER - CONNECTOR_SCHEMA - ENTITLEMENT - GOVERNANCE_GROUP - IDENTITY - IDENTITY_PROFILE - IDENTITY_REQUEST - LIFECYCLE_STATE - PASSWORD_POLICY - ROLE - RULE - SOD_POLICY - SOURCE - TAG_CATEGORY - TASK_RESULT - REPORT_RESULT - SOD_VIOLATION - ACCOUNT_ACTIVITY description: An enumeration of the
types of DTOs supported within the IdentityNow infrastructure. example: IDENTITY id: nullable: true type: string description: The id associated with the account example: 2c9180857182305e0171993737eb29e6 name: nullable: true type: string description: The account name example: Alison Ferguso created: nullable: true type: string format: date-time description: When the account was created example: '2020-04-20T20:11:05.067Z' modified: nullable: true type: string format: date-time description: When the account was last modified example: '2020-05-20T18:57:16.987Z' created: type: string description: Date the Access Profile was created. format: date-time example: '2021-01-01T22:32:58.104Z' modified: type: string description: Date the Access Profile was last modified. format: date-time example: '2021-02-01T22:32:58.104Z' identitySummary: type: object properties: id: type: string description: The ID of the identity summary example: 2c91808772a504f50172a9540e501ba7 name: type: string description: Name of the linked identity example: Alison Ferguso identityId: type: string description: The ID of the identity being certified example: 2c9180857182306001719937377a33de completed: type: boolean description: Indicates whether the review items for the linked identity's certification have been completed example: true id: type: string description: The review item's id example: ef38f94347e94562b5bb8424a56397d8 completed: type: boolean description: Whether the review item is complete example: false newAccess: type: boolean description: Indicates whether the review item is for new access to a source example: false decision: type: string description: The decision to approve or revoke the review item enum: - APPROVE - REVOKE example: APPROVE comments: nullable: true type: string description: Comments for this review item example: This user still needs access to this source '400': description: Client Error - Returned if the request body is invalid. 
content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' 
content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.'
example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' 
example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server did not find a current representation for the target resource. '429': description: Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. content: application/json: schema: type: object properties: message: description: A message describing the error example: ' Rate Limit Exceeded ' '500': description: Internal Server Error - Returned if there is an unexpected error. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. 
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '500': summary: An example of a 500 response object value: detailCode: 500.0 Internal Fault trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: An internal fault occurred. '/certifications/{id}/decide': post: operationId: makeIdentityDecision tags: - Certifications summary: Decide on a Certification Item description: The API makes a decision to approve or revoke one or more identity campaign certification items. A token with ORG_ADMIN or CERT_ADMIN authority is required to call this API. Reviewers for this certification can also call this API. This API does not support requests for certifications assigned to Governance Groups. 
parameters: - in: path name: id schema: type: string required: true description: The ID of the identity campaign certification on which to make decisions example: ef38f94347e94562b5bb8424a56397d8 requestBody: required: true description: A non-empty array of decisions to be made. content: application/json: schema: type: array items: type: object properties: id: type: string description: The id of the review decision example: ef38f94347e94562b5bb8424a56397d8 decision: type: string description: The decision to approve or revoke the review item enum: - APPROVE - REVOKE example: APPROVE proposedEndDate: type: string format: date-time example: '2017-07-11T18:45:37.098Z' description: The date at which a user's access should be taken away. Should only be set for `REVOKE` decisions. bulk: type: boolean description: Indicates whether decision should be marked as part of a larger bulk decision example: true recommendation: nullable: true type: object properties: recommendation: type: string description: The recommendation from IAI at the time of the decision. This field will be null if no recommendation was made. example: null nullable: true reasons: type: array items: type: string description: A list of reasons for the recommendation. example: - Reason 1 - Reason 2 timestamp: type: string format: date-time description: The time at which the recommendation was recorded. example: '2020-06-01T13:49:37.385Z' comments: type: string description: Comments recorded when the decision was made example: This user no longer needs access to this source required: - id - decision - bulk minItems: 1 maxItems: 250 example: - id: ef38f94347e94562b5bb8424a56396b5 decision: APPROVE bulk: true comments: This user still needs access to this source. - id: ef38f94347e94562b5bb8424a56397d8 decision: APPROVE bulk: true comments: This user still needs access to this source too. 
responses: '200': description: An identity campaign certification object content: application/json: schema: type: object properties: id: example: 2c9180835d2e5168015d32f890ca1581 type: string description: id of the certification name: example: 'Source Owner Access Review for Employees [source]' type: string description: name of the certification campaign: type: object required: - id - name - type - campaignType - description properties: id: type: string description: The unique ID of the campaign. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the campaign. example: Campaign Name type: type: string enum: - CAMPAIGN description: The type of object that is being referenced. example: CAMPAIGN campaignType: type: string enum: - MANAGER - SOURCE_OWNER - SEARCH description: The type of the campaign. example: MANAGER description: type: string description: The description of the campaign set by the admin who created it. nullable: true example: A description of the campaign completed: type: boolean description: Have all decisions been made? example: true identitiesCompleted: type: integer description: The number of identities for whom all decisions have been made and are complete. example: 5 format: int32 identitiesTotal: type: integer description: 'The total number of identities in the Certification, both complete and incomplete.' example: 10 format: int32 created: example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: created date modified: example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: modified date decisionsMade: type: integer description: The number of approve/revoke/acknowledge decisions that have been made. example: 20 format: int32 decisionsTotal: type: integer description: The total number of approve/revoke/acknowledge decisions. example: 40 format: int32 due: type: string format: date-time description: The due date of the certification. 
example: '2018-10-19T13:49:37.385Z' signed: type: string format: date-time nullable: true description: The date the reviewer signed off on the Certification. example: '2018-10-19T13:49:37.385Z' reviewer: type: object properties: id: type: string description: The id of the reviewer. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the reviewer. example: Reviewer Name email: type: string description: The email of the reviewing identity. example: reviewer@test.com type: type: string enum: - IDENTITY description: The type of the reviewing identity. example: IDENTITY created: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The created date of the reviewing identity. modified: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The modified date of the reviewing identity. reassignment: type: object nullable: true properties: from: type: object properties: id: type: string description: The id of the certification. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the certification. example: Certification Name type: type: string enum: - CERTIFICATION example: CERTIFICATION reviewer: type: object properties: id: type: string description: The id of the reviewer. example: ef38f94347e94562b5bb8424a56397d8 name: type: string description: The name of the reviewer. example: Reviewer Name email: type: string description: The email of the reviewing identity. example: reviewer@test.com type: type: string enum: - IDENTITY description: The type of the reviewing identity. example: IDENTITY created: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The created date of the reviewing identity. modified: nullable: true example: '2018-06-25T20:22:28.104Z' format: date-time type: string description: The modified date of the reviewing identity. 
comment: type: string description: The comment entered when the Certification was reassigned example: Reassigned for a reason hasErrors: description: Identifies if the certification has an error type: boolean example: false errorMessage: description: Description of the certification error nullable: true type: string example: The certification has an error phase: type: string description: | The current phase of the campaign. * `STAGED`: The campaign is waiting to be activated. * `ACTIVE`: The campaign is active. * `SIGNED`: The reviewer has signed off on the campaign, and it is considered complete. enum: - STAGED - ACTIVE - SIGNED example: ACTIVE '400': description: Client Error - Returned if the request body is invalid. content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. 
causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. '401': description: 'Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.' content: application/json: schema: type: object properties: error: description: A message describing the error example: 'JWT validation failed: JWT is expired' '403': description: 'Forbidden - Returned if the user you are running as doesn''t have access to this endpoint.' content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default.
*REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '403': summary: An example of a 403 response object value: detailCode: 403 Forbidden trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT text: The server understood the request but refuses to authorize it. '404': description: Not Found - returned if the request URL refers to a resource or object that does not exist content: application/json: schema: type: object properties: detailCode: type: string description: Fine-grained error code providing more detail of the error. example: 400.1 Bad Request Content trackingId: type: string description: Unique tracking id for the error. 
example: e7eab60924f64aa284175b9fa3309599 messages: type: array description: Generic localized reason for error items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. causes: type: array description: Plain-text descriptive reasons to provide additional detail to the text provided in the messages field items: type: object properties: locale: type: string description: 'The locale for the message text, a BCP 47 language tag.' example: en-US localeOrigin: type: string enum: - DEFAULT - REQUEST description: 'An indicator of how the locale was selected. *DEFAULT* means the locale is the system default. *REQUEST* means the locale was selected from the request context (i.e., best match based on the *Accept-Language* header). Additional values may be added in the future without notice.' example: DEFAULT text: type: string description: Actual text of the error message in the indicated locale. example: The request was syntactically correct but its content is semantically invalid. examples: '404': summary: An example of a 404 response object value: detailCode: 404 Not found trackingId: b21b1f7ce4da4d639f2c62a57171b427 messages: - locale: en-US localeOrigin: DEFAULT