Access-requests: clientMetadata

RTASB · October 25, 2023, 3:49am

Hi all,

The v3/access-requests api doco states the following about clientMetadata:
clientMetadata object

Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities.

property name* string

Has anyone used this successfully. Unfortunately what’s observed is that this information goes into the ether and is not retrievable anywhere, (assuming it’s set at the time of access request submission).

To that end, the request response is 202 implying the access request was successful and this can be confirmed with other endpoints but clientMetadata always shows up as either blank or null in these API endpoints (e.g. v3/search/accountactivities, access-request-approvals etc…)

Thanks

mcheek · October 25, 2023, 1:26pm

Yes, I use clientMetadata in my access requests, and while the data is not directly searchable in IdentityNow, I can leverage it in a PowerBI report.

Here’s an example API request body for an access request. I include the number and Id of the request, as well as the Id of the catalog item it came from, since we use multiple catalog items in our ServiceNow instance that send in access requests.

{
    "requestedFor": [
        "2c918088804308340180474a372d5773"
    ],
    "requestedItems": [
        {
            "type": "ACCESS_PROFILE",
            "id": "4bc441cc76704d81904a3d5266214c0c",
            "comment": "Created via ServiceNow Request Item RITM0121796 Requestor Comments: INEOS access to support data export."
        }
    ],
    "clientMetadata": {
        "catalogItem": "5eb5e1181bc7091062a9ececbc4bcbf9",
        "requestedItemId": "3a3c08564746f5104887861f536d4316",
        "requestedItemNumber": "RITM0121796"
    }
}

Here is the request in the /v3/access-request-status call, notice there is no clientMetadata there, but there is an attribute called “accessRequestId”. That is the Id of the associated Account Activity

{
    "name": "SecWV10TSA-INEOSProd",
    "type": "ACCESS_PROFILE",
    "cancelledRequestDetails": null,
    "errorMessages": null,
    "state": "REQUEST_COMPLETED",
    "approvalDetails": [],
    "manualWorkItemDetails": null,
    "accessRequestPhases": [
        {
            "started": "2023-10-24T21:13:59.391297Z",
            "finished": "2023-10-24T21:14:09.381300Z",
            "name": "SOD_PHASE",
            "result": null,
            "state": "COMPLETED",
            "phaseReference": "sodViolationContext"
        },
        {
            "started": "2023-10-24T21:14:09.718323Z",
            "finished": "2023-10-24T21:14:09.869180Z",
            "name": "APPROVAL_PHASE",
            "result": null,
            "state": "COMPLETED",
            "phaseReference": "approvalDetails"
        },
        {
            "started": "2023-10-24T21:14:10.009554Z",
            "finished": "2023-10-24T21:14:15.785302Z",
            "name": "PROVISIONING_PHASE",
            "result": "SUCCESSFUL",
            "state": "COMPLETED",
            "phaseReference": null
        }
    ],
    "accountActivityItemId": "9760258cb7ab4e56b0f4528787d4a747",
    "requestType": "GRANT_ACCESS",
    "modified": "2023-10-24T21:14:18.645Z",
    "created": "2023-10-24T21:13:59.054Z",
    "requester": {
        "type": "IDENTITY",
        "id": "2c918087802a65bd01803d456238178d",
        "name": "ServiceNow"
    },
    "requestedFor": {
        "type": "IDENTITY",
        "id": "2c918088804308340180474a372d5773",
        "name": "Megan F"
    },
    "requesterComment": {
        "comment": "Created via ServiceNow Request Item RITM0121796 Requestor Comments: INEOS access to support data export.",
        "author": {
            "type": "IDENTITY",
            "id": "2c918087802a65bd01803d456238178d",
            "name": "ServiceNow"
        },
        "created": "2023-10-24T21:13:59.054Z"
    },
    "sodViolationContext": {
        "state": "SUCCESS",
        "violationCheckResult": {
            "message": {
                "locale": "en-US",
                "localeOrigin": "DEFAULT",
                "text": ""
            },
            "violatedPolicies": [],
            "violationContexts": [],
            "clientMetadata": {
                "identityRequestItemId": "9760258cb7ab4e56b0f4528787d4a747",
                "identityRequestId": "ef46b9197c1c44ffbe7c6b8a9b32f7ea",
                "workflowCaseId": "c56a687da10f4b3ea35849c3168151b3"
            }
        },
        "uuid": "d66a22c9-5f82-47aa-b269-2608949702d2"
    },
    "provisioningDetails": null,
    "preApprovalTriggerDetails": null,
    "description": "Requested by Graham H - RITM0086418",
    "removeDate": null,
    "cancelable": false,
    "accessRequestId": "f21da68a5f38438ba7794a97ee7539bd",
    "clientMetadata": null
}

So, searching for the account activity using the Id from the access request, we get the following, notice the clientMetadata is there

{
    "completed": "2023-10-24T21:14:18.644Z",
    "completionStatus": "PENDING",
    "type": "appRequest",
    "requesterIdentitySummary": {
        "id": "2c918087802a65bd01803d456238178d",
        "name": "ServiceNow"
    },
    "targetIdentitySummary": {
        "id": "2c918088804308340180474a372d5773",
        "name": "Megan F"
    },
    "errors": null,
    "warnings": null,
    "items": [
        {
            "id": "03c899f1aba7474da9d3cf0eb5a6180a",
            "name": "03c899f1aba7474da9d3cf0eb5a6180a",
            "requested": "2023-10-24T21:14:10.291Z",
            "approvalStatus": "FINISHED",
            "provisioningStatus": "COMMITED",
            "requesterComment": {
                "commenterId": "2c918087802a65bd01803d456238178d",
                "commenterName": "ServiceNow",
                "body": "Created via ServiceNow Request Item RITM0121796 Requestor Comments: INEOS access to support data export.",
                "date": "2023-10-24T21:13:59.054Z"
            },
            "reviewerIdentitySummary": null,
            "reviewerComment": null,
            "operation": "ADD",
            "attribute": "memberOf",
            "value": "CN=secWV10TSA-INEOSProd,OU=Security Groups,OU=Users and Groups,DC=chkenergy,DC=net",
            "nativeIdentity": "CN=Megan F,OU=Contractors,OU=Users and Groups,DC=chkenergy,DC=net",
            "sourceId": "2c9180877fdb6945017fe0b9ed8e5fef",
            "accountRequestInfo": null,
            "clientMetadata": null,
            "removeDate": null
        },
        {
            "id": "9760258cb7ab4e56b0f4528787d4a747",
            "name": "9760258cb7ab4e56b0f4528787d4a747",
            "requested": "2023-10-24T21:13:59.052Z",
            "approvalStatus": "FINISHED",
            "provisioningStatus": "FINISHED",
            "requesterComment": {
                "commenterId": "2c918087802a65bd01803d456238178d",
                "commenterName": "ServiceNow",
                "body": "Created via ServiceNow Request Item RITM0121796 Requestor Comments: INEOS access to support data export.",
                "date": "2023-10-24T21:13:59.054Z"
            },
            "reviewerIdentitySummary": null,
            "reviewerComment": null,
            "operation": "ADD",
            "attribute": "detectedRoles",
            "value": "SecWV10TSA-INEOSProd [AccessProfile-1678286379446]",
            "nativeIdentity": "202879",
            "sourceId": "IdentityNow",
            "accountRequestInfo": {
                "requestedObjectId": "4bc441cc76704d81904a3d5266214c0c",
                "requestedObjectName": "SecWV10TSA-INEOSProd",
                "requestedObjectType": "ACCESS_PROFILE"
            },
            "clientMetadata": null,
            "removeDate": null
        }
    ],
    "executionStatus": "VERIFYING",
    "clientMetadata": {
        "requestedItemNumber": "RITM0121796",
        "requestedItemId": "3a3c08564746f5104887861f536d4316",
        "catalogItem": "5eb5e1181bc7091062a9ececbc4bcbf9"
    },
    "id": "f21da68a5f38438ba7794a97ee7539bd",
    "name": "f21da68a5f38438ba7794a97ee7539bd",
    "created": "2023-10-24T21:13:59.054Z",
    "modified": "2023-10-24T21:14:18.645Z"
}

And we’re able to bring it together in Power BI

RTASB · October 26, 2023, 12:07am

Thanks for taking the time Mark, this is extremely helpful. Bit of a headscratcher though as to why it shows up with one endpoint but won’t with the other.

Another funny thing I’ve noticed is that using the accessRequestId or even the accountActivityItemId returned in the access-request-status response will not result in anything when using the v3/search/accountactivities endpoint; but will happily work with v3/account-activities endpoint.

Good to know it’s at-least not vanishing into the ether

Edit: Have you by any chance been able to obtain and use that value in an IDN workflow?
Edit Edit: Looks like one way is to grab it from the provisioning completed event.The account activity id shows up as the trackingNumber within a provisioning event and we can then use that to get to the account activity and it’s clientMetadata

system · December 25, 2023, 12:07am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pass clientmetadata in access request into ITSM ticket ISC Discussion and Questions identity-security-cloud	2	170	April 28, 2024
clientMetadata for Access Requests and Service Catalog ISC Discussion and Questions identity-security-cloud	5	389	October 15, 2023
Access request (created via Service Catalog) tracking in IdentityNow ISC Discussion and Questions	5	1317	August 15, 2023
Reading client metadata inside provisioning plan ISC Discussion and Questions apis , identity-security-cloud , provisioning , jdbc-connector	6	318	May 3, 2024
Ability to pass json object in ClientMetadata of an access request API call ISC Discussion and Questions apis	4	351	July 19, 2023

Access-requests: clientMetadata

Related topics