Cancel pending access request for non-existing access profile

Is there a way to cancel/close/delete a pending access request when the permission that was requested via it no longer exists?

Some time ago we were using only access profiles to grant access to users. When new functionality with requestable entitlements was implemented, we decided to switch some sources to requestable entitlements instead of access profiles.

Due to those changes, some access profiles no longer exist, but there are old access requests for those profiles that are pending approvals. We need to clean them as they are no longer valid.

I tried to use the API endpoint /beta/access-requests/cancel to reject them; unfortunately, the API call returns an error:

{
    "detailCode": "404 Not found",
    "trackingId": "01ee30fde1674409894db86396e62c76",
    "messages": [
        {
            "locale": "en-US",
            "localeOrigin": "DEFAULT",
            "text": "The server did not find a current representation for the target resource."
        }
    ],
    "causes": []
}

Is there any other API endpoint that can be used to close those ‘orphaned’ access requests?

Hello Tomasz,

You have the correct API, POST /beta/access-requests/cancel

Can you confirm you are using the correct id when attempting to call the cancel API?

Below is an example from one of our test tenants.

To get access request items POST to /beta/access-request-status/

[{
    "name": "Engineering Role",
    "type": "ROLE",
    "cancelledRequestDetails": null,
    "errorMessages": null,
    "state": "EXECUTING",
    "approvalDetails": [],
    "manualWorkItemDetails": null,
    "accessRequestPhases": [{
        "started": "2021-10-22T20:54:26.023988Z",
        "finished": null,
        "name": "SOD_PHASE",
        "result": null,
        "state": "EXECUTING",
        "phaseReference": "sodViolationContext"
    }],
    "accountActivityItemId": "2c9180867ca8f73a017ca9c88eb22537",
    "requestType": "GRANT_ACCESS",
    "modified": "2021-10-22T20:54:26.085Z",
    "created": "2021-10-22T20:54:25.721Z",
    "requester": {
        "type": "IDENTITY",
        "id": "ff80818155fe8c080155fe8d925b0316",
        "name": "SailPoint Services"
    },
    "requestedFor": {
        "type": "IDENTITY",
        "id": "2c9180906fedeebe01701e0aa5e4140c",
        "name": "Aaron.Nichols"
    },
    "requesterComment": null,
    "sodViolationContext": null,
    "provisioningDetails": null,
    "preApprovalTriggerDetails": null,
    "description": "Access granted to all Engineering staff.",
    "removeDate": null,
    "cancelable": true,
    "accessRequestId": "7d9f7bb38db84168ae24c8a03b8cb3cf"
},
...
]

To cancel the access request you will POST to /beta/access-requests/cancel where accessRequestId == accountActivityId

{
  "accountActivityId": "7d9f7bb38db84168ae24c8a03b8cb3cf",
  "comment": "Cancelling this access"
}

Hello Tyler,

I confirm.

This is one of the requests I want to cancel:

Details came from /beta/access-request-status/

 {
        "name": "eTMF:CPS Business Admin",
        "type": "ACCESS_PROFILE",
        "cancelledRequestDetails": null,
        "errorMessages": null,
        "state": "EXECUTING",
        "approvalDetails": [
            {
                "scheme": "GOVERNANCE_GROUP",
                "errorMessages": null,
                "comment": null,
                "removeDate": null,
                "forwarded": false,
                "forwardHistory": null,
                "originalOwner": {
                    "type": "GOVERNANCE_GROUP",
                    "id": "458fe9b7-a40f-434f-89d7-2d46a2b3ec32",
                    "name": "BPM approval for eTMF Business Admin Role"
                },
                "currentOwner": null,
                "modified": null,
                "status": "PENDING",
                "reviewedBy": null
            }
        ],
        "manualWorkItemDetails": null,
        "accessRequestPhases": null,
        "accountActivityItemId": "2c9180837941ad2b017942203b7667fa",
        "requestType": "GRANT_ACCESS",
        "modified": "2021-05-06T14:41:35.661Z",
        "created": "2021-05-06T14:41:19.257Z",
        "requester": {
            "type": "IDENTITY",
            "id": "2c91808873354f5201734cc4ca054e2f",
            "name": "Access Manager, Global {~Kaiseraugst}"
        },
        "requestedFor": {
            "type": "IDENTITY",
            "id": "2c918084778744b801778b10450302a2",
            "name": "AB DeVilliers"
        },
        "requesterComment": {
            "comment": "wrqr",
            "author": {
                "type": "IDENTITY",
                "id": "2c91808873354f5201734cc4ca054e2f",
                "name": "Access Manager, Global {~Kaiseraugst}"
            },
            "created": "2021-05-06T14:41:19.257Z"
        },
        "sodViolationContext": {
            "state": "SUCCESS",
            "violationCheckResult": {
                "message": {
                    "locale": "en-US",
                    "localeOrigin": "DEFAULT",
                    "text": ""
                },
                "violatedPolicies": [],
                "violationContexts": [],
                "clientMetadata": {
                    "identityRequestItemId": "2c9180837941ad2b017942203b7667fa",
                    "identityRequestId": "5ee652a277104977aa1219f47fa9a972",
                    "workflowCaseId": "2c9180837941ad2b01794220389e67f7"
                }
            },
            "uuid": "f5783e5a-8eab-4cf5-813f-9823f4f47e49"
        },
        "provisioningDetails": null,
        "preApprovalTriggerDetails": null,
        "description": null,
        "removeDate": "2021-05-27T18:30Z",
        "cancelable": true,
        "accessRequestId": "5ee652a277104977aa1219f47fa9a972"
    }

POST to {{api-url}}/beta/access-requests/cancel

With Body:

{
  "accountActivityId": "5ee652a277104977aa1219f47fa9a972",
  "comment": "Cancelling Request"
}

Results with:

{
    "detailCode": "404 Not found",
    "trackingId": "15892a3dfcbe490c97b65dc6fb8e0991",
    "messages": [
        {
            "locale": "en-US",
            "localeOrigin": "DEFAULT",
            "text": "The server did not find a current representation for the target resource."
        }
    ],
    "causes": []
}

Hi Tomasz,

Thank you for confirming the ID. This appears to be a bug in our system.

Can you submit a support ticket for this issue here: Contact Support-Compass

This way you will get updates as the bug is tracked and fixed.

Running into the same issue where I’m trying to cancel PENDING requests.

“/beta/access-request-status” does not seem to return the correct data. Also, how do you parse this result set to get only the PENDING ones?

Hi @tyler_mairose

“accountActivityId” does not get returned from “/beta/access-request-status/”

Is this the bug you were referring to? If so, is it still open? This looks like a major bug.

Hello Mario,

The bug I was referring to above was for the endpoint not working correctly, given the correct information needed for canceling a request.

The accountActivityId key is not returned in /beta/access-request-status/ as accountActivityId but rather as the key accessRequestId. So when you request to cancel the payload will be:

{
  "accountActivityId": "<accessRequestId from /beta/access-request-status>",
  "comment": "<The reason you are cancelling the request>"
}

As for only getting PENDING requests, I am looking into the best way to do this and will let you know when I have found a good solution.

Hello Tomasz,

Were you able to get a support ticket in for your issue with cancelling requests?

Thanks @tyler_mairose! That’s what I was seeing too: I used the “accessRequestId” and filtered on “executing”. Is that correct? Or do I need to filter on PENDING in the “approvalDetails” node?

{
    "name": "Mobility Pacific Northwest)",
    "type": "ACCESS_PROFILE",
    "cancelledRequestDetails": null,
    "errorMessages": null,
    "state": "EXECUTING",
    "approvalDetails": [
        {
            "scheme": "MANAGER",
            "errorMessages": null,
            "comment": null,
            "removeDate": null,
            "forwarded": false,
            "forwardHistory": null,
            "originalOwner": {
                "type": "IDENTITY",
                "id": "23423180867b7df2d1017b7e49fca806f5",
                "name": "John Doe"
            },
            "currentOwner": {
                "type": "IDENTITY",
                "id": "xxxxx9180867b7df2d1017xxxxx6f5",
                "name": "John Doe"
            },
            "modified": null,
            "status": "PENDING",
            "reviewedBy": null
        },
        {
            "scheme": "GOVERNANCE_GROUP",
            "errorMessages": null,
            "comment": null,
            "removeDate": null,
            "forwarded": false,
            "forwardHistory": null,
            "originalOwner": {
                "type": "GOVERNANCE_GROUP",
                "id": "a91sdkjsdff",
                "name": "OMG EPIC Role Approvers"
            },
            "currentOwner": null,
            "modified": null,
            "status": "PENDING",
            "reviewedBy": null
        }
    ],
    "manualWorkItemDetails": null,
    "accessRequestPhases": [
        {
            "started": "2021-12-07T15:24:29.557228Z",
            "finished": "2021-12-07T15:24:51.954180Z",
            "name": "SOD_PHASE",
            "result": null,
            "state": "COMPLETED",
            "phaseReference": "sodViolationContext"
        },
        {
            "started": "2021-12-07T15:24:53.027361Z",
            "finished": null,
            "name": "APPROVAL_PHASE",
            "result": null,
            "state": "EXECUTING",
            "phaseReference": "approvalDetails"
        }
    ],
    "accountActivityItemId": "342342e017d957f01c61abb",
    "requestType": "GRANT_ACCESS",
    "modified": "2021-12-07T15:24:54.269Z",
    "created": "2021-12-07T15:24:28.523Z",
    "requester": {
        "type": "IDENTITY",
        "id": "234239e017b7e4a129f0728",
        "name": "Jake Satison"
    },
    "requestedFor": {
        "type": "IDENTITY",
        "id": "werwerwe017b7e4a129f0728",
        "name": "Makenzie Satison"
    },
    "requesterComment": {
        "comment": "Train",
        "author": {
            "type": "IDENTITY",
            "id": "werwerwef29e017b7e4a129f0728",
            "name": "Jake Satison"
        },
        "created": "2021-12-07T15:24:28.523Z"
    },
    "sodViolationContext": {
        "state": "SUCCESS",
        "violationCheckResult": {
            "message": {
                "locale": "en-US",
                "localeOrigin": "DEFAULT",
                "text": ""
            },
            "violatedPolicies": [],
            "violationContexts": [],
            "clientMetadata": {
                "identityRequestItemId": "2387234h827d92b37e017d957f01c61abb",
                "identityRequestId": "56767827d92b37e017d957f01eb1abc",
                "workflowCaseId": "ffrter827d92b37e017d957eff431aba"
            }
        },
        "uuid": "erwerwer-4831-8d25-5ff11f6c465e"
    },
    "provisioningDetails": null,
    "preApprovalTriggerDetails": null,
    "description": "Training/Testing access in Mobility instance",
    "removeDate": null,
    "cancelable": true,
    "accessRequestId": "jdgf8934983fa44d4b2046c44c10a0db1"
}

@tyler_mairose, I’ve reported a bug as you advised, and since that time the ticket is still open, with consecutive updates from support that the “Engineering team is checking the issue”.

@tuliszet do you have a ticket number? You can direct message @tyler_mairose or myself and we’ll contact support to see what the hold up is.

Hello @mario_rod,

I would filter on the state. Below are all possible states of an access request. Depending on what your goal is, you may want to filter on more than just EXECUTING, for example if you have access requests in the system that are in an ERROR state and want to cancel those requests as well to clear them out of the system.

  • EXECUTING: The request is executing, which indicates the system is doing some processing.
  • REQUEST_COMPLETED: Indicates the request has been completed.
  • CANCELLED: The request was cancelled with no user input.
  • TERMINATED: The request has been terminated before it was able to complete.
  • PROVISIONING_VERIFICATION_PENDING: The request has finished any approval steps and provisioning is waiting to be verified.
  • REJECTED: The request was rejected.
  • PROVISIONING_FAILED: The request has failed to complete.
  • NOT_ALL_ITEMS_PROVISIONED: One or more of the requested items failed to complete, but there were one or more successes.
  • ERROR: An error occurred during request processing.

Another note, I would also check that the access request can be cancelled by looking at the cancelable field that is returned by the /beta/access-request-status endpoint.
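The filtering and ID mapping discussed in this thread, as an added example that is not part of any original post or of SailPoint's own code: it selects status items by state and the cancelable flag, optionally requires a PENDING entry in approvalDetails, and builds the cancel body with accessRequestId placed in accountActivityId. The function names and the sample items (with made-up ids) are assumptions; sending the bodies to /beta/access-requests/cancel is left to the caller.

```python
DEFAULT_STATES = frozenset({"EXECUTING", "ERROR"})  # states to clean up

def has_pending_approval(item):
    """True if any approvalDetails entry still has status PENDING."""
    approvals = item.get("approvalDetails") or []  # the field may be null
    return any(a.get("status") == "PENDING" for a in approvals)

def select_cancelable(items, states=DEFAULT_STATES, require_pending=False):
    """Keep items in a wanted state that the API itself marks cancelable."""
    selected = []
    for item in items:
        if item.get("state") not in states:
            continue
        if item.get("cancelable") is not True:
            continue
        if require_pending and not has_pending_approval(item):
            continue
        selected.append(item)
    return selected

def build_cancel_payload(item, comment):
    """Body for POST /beta/access-requests/cancel: accountActivityId carries
    the item's accessRequestId value, not its accountActivityItemId."""
    return {"accountActivityId": item["accessRequestId"], "comment": comment}

def plan_cancellations(items, comment, **filters):
    """Hypothetical helper: one cancel body per item that passes the filters."""
    return [build_cancel_payload(i, comment)
            for i in select_cancelable(items, **filters)]

# Constructed sample items (made-up ids), trimmed to the fields used above.
SAMPLE = [
    {"accessRequestId": "req-1", "accountActivityItemId": "item-1",
     "state": "EXECUTING", "cancelable": True,
     "approvalDetails": [{"status": "PENDING"}]},
    {"accessRequestId": "req-2", "accountActivityItemId": "item-2",
     "state": "REQUEST_COMPLETED", "cancelable": False, "approvalDetails": []},
    {"accessRequestId": "req-3", "accountActivityItemId": "item-3",
     "state": "ERROR", "cancelable": True, "approvalDetails": None},
    {"accessRequestId": "req-4", "accountActivityItemId": "item-4",
     "state": "EXECUTING", "cancelable": False,
     "approvalDetails": [{"status": "PENDING"}]},
]

if __name__ == "__main__":
    for body in plan_cancellations(SAMPLE, "Access profile no longer exists"):
        print(body)
```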

Thanks Tyler! Will do that and provide an update