Create and validate access request through the API

Hello,

I am trying to create a script to do a bulk import of access profile for our users. For this, I am trying to create a script which creates access request, and just after the script is going to validate the access request.

I am currently facing an issue using the API. Each time I’m trying to create an access request, the API request is validated. But when I am going to the UI, I can see that my access request is in error with the following message : “An unexpected error occurred: Requested AppRole Id not found for Access Profile:”.

I am using the following API :

Submit an Access Request - Access Requests - Beta - API Reference

Here is the body of my API request :

{“requestedFor”: [“2c918084774f435c01774f83d5bf012c”], “requestType”: “GRANT_ACCESS”, “requestedItems”: [{“type”: “ACCESS_PROFILE”, “id”: “2c91808a775e1fc0017768e0c6450cd6”, “comment”: “Bulk access profile attribution script request”, “removeDate”: “2021-06-10T00:00:00.000Z”}]}

To get the access profile identity, I am using the following GET API call :

“https://” + IdentityNow_tenantID + “.api.identitynow.com/v2/access-profiles”

I tried manually to create a request with the same user and the same access profile with the UI (with the request center, requesting an application access), and it works perfectly, so the error is not coming from the user or the access profile.

Have any of you encountered this problem before?

Best regards

Hi masarsa,
I responded to your posting on the IdentityNow Forum - seems you still have the problem!
My next suggestion would be to pair back the access request to a minimum - remove the “removeDate” the “requestType” and the “comment” items from the request to see if it makes a difference.
Regards, Adrian

1 Like

Hello Adrian,

I did some test with the following request :

{
  "requestedFor": [
    "2c918084774f435c01774f83d5bf012c"
  ],
  "requestedItems": [
    {
      "type": "ACCESS_PROFILE",
      "id": "2c91808a775e1fc0017768e0c6450cd6",
      "comment": "string"
    }
  ]
}
{
  "requestedFor": [
    "2c918084774f435c01774f83d5bf012c"
  ],
  "requestType": "GRANT_ACCESS",
  "requestedItems": [
    {
      "type": "ACCESS_PROFILE",
      "id": "2c91808a775e1fc0017768e0c6450cd6",
      "comment": "string"
    }
  ]
}

The result is still the same error :

An unexpected error occurred: Requested AppRole Id not found for Access Profile: XXXXX

I also tried to delete the comment with the following request:

{
  "requestedFor": [
    "2c918084774f435c01774f83d5bf012c"
  ],
  "requestType": "GRANT_ACCESS",
  "requestedItems": [
    {
      "type": "ACCESS_PROFILE",
      "id": "2c91808a775e1fc0017768e0c6450cd6"
    }
  ]
}

But with this, I am getting the following error :

{
  "detailCode": "400.1.0 Required data missing or empty",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "Required field \"comment\" for object with id \"2c91808a775e1fc0017768e0c6450cd6\" was missing or empty."
    }
  ],
  "trackingId": "b6fa5e1ec7ce4ce0a7af089d71382760"
}

So I can imagine the comment is needed.

Best regards,

Alexandre

I see that you linked us to the beta endpoint for access requests. There is a production endpoint for access requests:

/v3/access-requests

Are you using the beta or production endpoint?

Hello Colin,

I can confirm you that I have done tests with both endpoints: v3 and Beta. The result is still the same.

Best regards,

Alexandre

Hi Alexandre,

Can you please provide the response you get when you make a call to:

GET /beta/access-request-config

Hello Adam,

You will find below the configuration regarding access request :

{
  "approvalReminderAndEscalationConfig": {
    "daysBetweenReminders": 3,
    "daysUntilEscalation": 100,
    "fallbackApproverRef": {
      "email": null,
      "id": "2c9180847667851001766a8f1782144b",
      "name": "XXXXXXXXXXXXX",
      "type": "IDENTITY"
    },
    "maxReminders": 15
  },
  "approvalsMustBeExternal": false,
  "autoApprovalEnabled": false,
  "requestOnBehalfOfConfig": {
    "allowRequestOnBehalfOfAnyoneByAnyone": false,
    "allowRequestOnBehalfOfEmployeeByManager": true
  }
}

I have also tried to change this configuration to have :

allowRequestOnBehalfOfAnyoneByAnyone": true

But it does not change anything…

Best regards,
Alexandre

Another followup - what does the ‘Access Request Approval Process’ look like for this Access Profile?

Bonjour Adam,

The access request approval process is the validation by the application manager.

Best regards.

Gotcha - out of curiosity does this request work successfully if you remove the approval requirement from the access profile?

Hello Adam,

Good idea, and when I am reproving the approval workflow (automatic validation), the request is working perfectly.

Do you know why it is not working with access profile used with approval workflows ?

Hey Mazarsa,

There’s a chance there might a bug at work here. It sounds like you have done the steps correctly but are not getting the intended result. You may wish to file a support ticket. Our Support Team will review the ticket and pass it along to Support Engineering to fix it if needed.

I hope this helps and I hope we can get this resolved for you quickly!

Hi Colin, to call this POST/ access-request API which is the kind of OAuth 2.0 you are using?
Is it “Grant Type - Authorization Code”?
Could you please help me with that?
Thanks in advance!

@Ritu_Raj

Which type of OAuth2 you use depends on your use case. If you are developing an application that users will be using, then you should use the Authorization Code grant type, which will require the user to sign in to their IDN account to retrieve their token. This is commonly used in web apps where users sign in.

If this is a script that is running in the background, then you can use a personal access token of an IDN admin to request access on behalf of other users.