Create and validate access request through the API

Hello,

I am trying to create a script to do a bulk import of access profiles for our users. For this, I am writing a script that creates an access request, and just after that the script is going to validate the access request.

I am currently facing an issue using the API. Each time I try to create an access request, the API request is validated. But when I go to the UI, I can see that my access request is in error with the following message: “An unexpected error occurred: Requested AppRole Id not found for Access Profile:”.

I am using the following API:

https://api.sailpoint.com/api_reference/beta/access-requests/createaccessrequest

Here is the body of my API request:

{
  "requestedFor": [
    "2c918084774f435c01774f83d5bf012c"
  ],
  "requestType": "GRANT_ACCESS",
  "requestedItems": [
    {
      "type": "ACCESS_PROFILE",
      "id": "2c91808a775e1fc0017768e0c6450cd6",
      "comment": "Bulk access profile attribution script request",
      "removeDate": "2021-06-10T00:00:00.000Z"
    }
  ]
}

To get the access profile identity, I am using the following GET API call:

"https://" + IdentityNow_tenantID + ".api.identitynow.com/v2/access-profiles"

I tried to manually create a request with the same user and the same access profile from the UI (in the Request Center, requesting application access), and it works perfectly, so the error is not coming from the user or the access profile.

Have any of you encountered this problem before?

Best regards

Hi masarsa,
I responded to your posting on the IdentityNow Forum; it seems you still have the problem!
My next suggestion would be to pare back the access request to a minimum: remove the “removeDate”, the “requestType” and the “comment” items from the request to see if it makes a difference.
Regards, Adrian


Hello Adrian,

I did some tests with the following requests:

{
  "requestedFor": [
    "2c918084774f435c01774f83d5bf012c"
  ],
  "requestedItems": [
    {
      "type": "ACCESS_PROFILE",
      "id": "2c91808a775e1fc0017768e0c6450cd6",
      "comment": "string"
    }
  ]
}

{
  "requestedFor": [
    "2c918084774f435c01774f83d5bf012c"
  ],
  "requestType": "GRANT_ACCESS",
  "requestedItems": [
    {
      "type": "ACCESS_PROFILE",
      "id": "2c91808a775e1fc0017768e0c6450cd6",
      "comment": "string"
    }
  ]
}

The result is still the same error:

An unexpected error occurred: Requested AppRole Id not found for Access Profile: XXXXX

I also tried to remove the comment with the following request:

{
  "requestedFor": [
    "2c918084774f435c01774f83d5bf012c"
  ],
  "requestType": "GRANT_ACCESS",
  "requestedItems": [
    {
      "type": "ACCESS_PROFILE",
      "id": "2c91808a775e1fc0017768e0c6450cd6"
    }
  ]
}

But with this, I get the following error:

{
  "detailCode": "400.1.0 Required data missing or empty",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "Required field \"comment\" for object with id \"2c91808a775e1fc0017768e0c6450cd6\" was missing or empty."
    }
  ],
  "trackingId": "b6fa5e1ec7ce4ce0a7af089d71382760"
}

So I can imagine the comment is needed.

Best regards,

Alexandre

I see that you linked us to the beta endpoint for access requests. There is a production endpoint for access requests:

/v3/access-requests

Are you using the beta or production endpoint?

Hello Colin,

I can confirm that I have done tests with both endpoints, v3 and beta. The result is still the same.

Best regards,

Alexandre

Hi Alexandre,

Can you please provide the response you get when you make a call to:

GET /beta/access-request-config

Hello Adam,

You will find below the configuration regarding access requests:

{
  "approvalReminderAndEscalationConfig": {
    "daysBetweenReminders": 3,
    "daysUntilEscalation": 100,
    "fallbackApproverRef": {
      "email": null,
      "id": "2c9180847667851001766a8f1782144b",
      "name": "XXXXXXXXXXXXX",
      "type": "IDENTITY"
    },
    "maxReminders": 15
  },
  "approvalsMustBeExternal": false,
  "autoApprovalEnabled": false,
  "requestOnBehalfOfConfig": {
    "allowRequestOnBehalfOfAnyoneByAnyone": false,
    "allowRequestOnBehalfOfEmployeeByManager": true
  }
}

I have also tried to change this configuration to have:

"allowRequestOnBehalfOfAnyoneByAnyone": true

But it does not change anything…

Best regards,
Alexandre

Another followup - what does the ‘Access Request Approval Process’ look like for this Access Profile?

Hello Adam,

The access request approval process is the validation by the application manager.

Best regards.

Gotcha - out of curiosity does this request work successfully if you remove the approval requirement from the access profile?

Hello Adam,

Good idea: when I remove the approval workflow (automatic validation), the request is working perfectly.

Do you know why it is not working with access profiles used with approval workflows?

Hey Mazarsa,

There’s a chance there might be a bug at work here. It sounds like you have done the steps correctly but are not getting the intended result. You may wish to file a support ticket. Our Support Team will review the ticket and pass it along to Support Engineering to fix it if needed.

I hope this helps and I hope we can get this resolved for you quickly!

Hi Colin, to call this POST /access-requests API, which kind of OAuth 2.0 grant are you using?
Is it “Grant Type - Authorization Code”?
Could you please help me with that?
Thanks in advance!

@Ritu_Raj

Which type of OAuth2 you use depends on your use case. If you are developing an application that users will be using, then you should use the Authorization Code grant type, which will require the user to sign in to their IDN account to retrieve their token. This is commonly used in web apps where users sign in.

If this is a script that is running in the background, then you can use a personal access token of an IDN admin to request access on behalf of other users.

@colin_mckibben is there an example of how to request “on behalf” of someone using the REST API [create-access-request | SailPoint Developer Community]? In the documentation, I don’t see the key to use for the “on-behalf” feature.

Hi Shail,

You will add one or more identity IDs to the requestedFor parameter in the body to request on behalf of someone.

Hey @colin_mckibben, I realize I should re-phrase the question.

Can the API set a different “requestedBy” using an IDN admin token? I am good on the “requestedFor” piece. I want to check if there is any way the IDN audit shows the real end user as the requester rather than the IDN admin whose token is being used.

The API will use the API token details of the caller to determine the requester. You can’t set this directly in the API. However, you could use the clientMetadata object in the body to create a custom attribute to track who the real requester is. For example:

POST https://{tenant}.api.identitynow.com/v3/access-requests

{
  "requestedFor": [
    "2c918084660f45d6016617daa9210584"
  ],
  "requestType": "GRANT_ACCESS",
  "requestedItems": [
    {
      "type": "ACCESS_PROFILE",
      "id": "2c9180835d2e5168015d32f890ca1581",
      "comment": "Requesting access profile for John Doe",
      "clientMetadata": {
        "requestedAppName": "test-app",
        "requestedAppId": "2c91808f7892918f0178b78da4a305a1"
      },
      "removeDate": "2020-07-11T21:23:15.000Z"
    }
  ],
  "clientMetadata": {
    "requesterId": "3c918084660f45d6016617daa9210585",
    "requesterName": "John Doe"
  }
}

When you go to look up the status of the request using the account activities endpoint, you can find your custom attributes in the clientMetadata property in the response body.
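As an added example, and not code from this thread or from SailPoint: a small Python client that puts the pieces discussed above together. It builds a bulk GRANT_ACCESS body for access profiles with the mandatory per-item comment (checked locally before the call, since the API answers 400.1.0 without it), records the real human requester in clientMetadata because requestedBy is always the owner of the token, and parses the error body into a structured exception that keeps the trackingId for a support ticket. It authenticates with an admin personal access token through the client_credentials grant. The /oauth/token endpoint and the 202-with-empty-body success response are assumptions, not taken from the thread; the tenant name, client credentials and the mock server responses are constructed so the demo runs offline.

```python
"""Bulk access-profile grants via the IdentityNow v3 access-request API.
Added example, not code from the thread or from SailPoint. Assumed (not in the
thread): the /oauth/token client_credentials endpoint for a personal access token
and a 202 with empty body on success. Body shape, clientMetadata and the 400.1.0
error shape are as posted in the thread."""
import io, json, urllib.error, urllib.parse, urllib.request
from dataclasses import dataclass

V3_ACCESS_REQUESTS = "/v3/access-requests"  # endpoint named in the thread
OAUTH_TOKEN = "/oauth/token"                # assumption, not from the thread

@dataclass(eq=False)
class AccessRequestError(Exception):
    status: int
    detail_code: str
    messages: list
    tracking_id: str  # quote this in a support ticket

def parse_error(status, raw):
    """Map an IdentityNow JSON error body (detailCode/messages/trackingId) onto AccessRequestError."""
    body = json.loads(raw) if raw else {}
    return AccessRequestError(status, body.get("detailCode", "unknown"),
                              [m.get("text", "") for m in body.get("messages", [])], body.get("trackingId", ""))

def has_comment(comment):
    """The API rejects an item with an empty comment (400.1.0), so check before spending the call."""
    return bool(comment and comment.strip())

def build_access_request(requested_for, access_profile_ids, comment, requester, remove_date=None):
    """Build the POST body. requestedBy is always the token owner, so the real human
    requester is recorded in clientMetadata for the audit trail."""
    if not has_comment(comment):
        raise ValueError('"comment" is required for every requested item')
    extra = {"removeDate": remove_date} if remove_date else {}
    items = [{"type": "ACCESS_PROFILE", "id": ap_id, "comment": comment, **extra} for ap_id in access_profile_ids]
    return {"requestedFor": list(requested_for), "requestType": "GRANT_ACCESS", "requestedItems": items,
            "clientMetadata": {"requesterId": requester["id"], "requesterName": requester["name"]}}

class IdnClient:
    def __init__(self, tenant, token, opener=urllib.request.urlopen):
        self.base, self.token, self.opener = f"https://{tenant}.api.identitynow.com", token, opener

    @classmethod
    def from_client_credentials(cls, tenant, client_id, client_secret, opener=urllib.request.urlopen):
        """Exchange PAT id/secret for a bearer token; the secret travels in the form body, not the URL."""
        form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                       "client_secret": client_secret}).encode()
        req = urllib.request.Request(f"https://{tenant}.api.identitynow.com{OAUTH_TOKEN}", data=form,
                                     method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"})
        with opener(req) as resp:
            return cls(tenant, json.loads(resp.read())["access_token"], opener)

    def create_access_request(self, body):
        """POST the request; raise AccessRequestError carrying the parsed detailCode on HTTP errors."""
        req = urllib.request.Request(f"{self.base}{V3_ACCESS_REQUESTS}", data=json.dumps(body).encode(),
                                     method="POST", headers={"Authorization": f"Bearer {self.token}",
                                                             "Content-Type": "application/json"})
        try:
            with self.opener(req) as resp:
                raw = resp.read()
                return {"status": resp.status, "body": json.loads(raw) if raw else None}
        except urllib.error.HTTPError as err:
            raise parse_error(err.code, err.read()) from err

class _FakeResponse:  # constructed stand-in for a urllib response so the demo runs offline
    def __init__(self, status, payload=b""):
        self.status, self._payload = status, payload
    def read(self):
        return self._payload
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False

def fake_opener(req):
    """Constructed mock tenant: issues a token, answers 202 to valid bodies and
    reproduces the 400.1.0 'comment missing' error quoted in the thread."""
    if req.full_url.endswith(OAUTH_TOKEN):
        return _FakeResponse(200, b'{"access_token": "demo-token"}')
    for item in json.loads(req.data)["requestedItems"]:
        if not has_comment(item.get("comment")):
            err = {"detailCode": "400.1.0 Required data missing or empty", "trackingId": "constructed-id",
                   "messages": [{"locale": "en-US", "localeOrigin": "DEFAULT",
                                 "text": f'Required field "comment" for object with id "{item["id"]}" was missing or empty.'}]}
            raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", {}, io.BytesIO(json.dumps(err).encode()))
    return _FakeResponse(202)

def demo(opener=fake_opener):
    """Submit one valid request, then the same body with its comment removed."""
    client = IdnClient.from_client_credentials("acme", "client-id", "client-secret", opener=opener)
    human = {"id": "3c918084660f45d6016617daa9210585", "name": "John Doe"}  # ids taken from the thread
    body = build_access_request(["2c918084774f435c01774f83d5bf012c"], ["2c91808a775e1fc0017768e0c6450cd6"],
                                "Bulk access profile attribution script request", human,
                                remove_date="2021-06-10T00:00:00.000Z")
    accepted = client.create_access_request(body)
    broken = json.loads(json.dumps(body))
    del broken["requestedItems"][0]["comment"]
    failure = None
    try:
        client.create_access_request(broken)
    except AccessRequestError as exc:
        failure = exc
    return client, accepted, failure
```

Against a real tenant, pass no `opener` (urllib's default is used) and the PAT's client id and secret from a secrets store rather than literals; the one thing the mock cannot reproduce is the "Requested AppRole Id not found" failure discussed above, which only surfaces later in the UI after the API has already accepted the request.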