Help Needed: Revoking a Requestable Role via Access Request API

Hi Community,

Has anyone successfully revoked a role via Access Request API? If so, could you share the correct request body or any pointers?

I’m trying to revoke a requestable role using the SailPoint IdentityNow Access Request API (https://sailpoint.api.identitynow.com/v3/access-requests). According to the documentation, roles, access profiles, and entitlements can be requested for revocation.

I have successfully revoked access profiles and entitlements using the API, but when I try the same for roles, it fails. The role was originally assigned via an access request.

Here’s the request body I’m using:

{
    "clientMetadata": {
        "requestedAppId": "d8311f59063643edaf13fd92bb387efb",
        "requestedAppName": "AD App - LitHold"
    },
    "requestType": "REVOKE_ACCESS",
    "requestedFor": [
        "{{$.loop.loopInput.identity.id}}"
    ],
    "requestedItems": [
        {
            "assignmentId": "30ba59ed162144cca49231a311d06cd0",
            "clientMetadata": {
                "requestedAppId": "d8311f59063643edaf13fd92bb387efb",
                "requestedAppName": "AD App - LitHold"
            },
            "comment": "Revoking ENTITLEMENT for {{$.loop.loopInput.identity.name}} with multiple AD accounts",
            "id": "aa01295cc1794c6e860b0fe515ac6f70",
            "nativeIdentity": "{{$.loop.loopInput.nativeIdentity}}",
            "type": "Role"
        }
    ]
}

And here’s the response I get:

{
    "detailCode": "400.1 Bad request content",
    "trackingId": "468f8b28032c45d9ae72f9ac79ab5583",
    "messages": [
        {
            "text": "The following access item(s) cannot be revoked from identity (\"f40b9ac158274b6a9dad06a531a0f319\"): e2e72619c74d443484411f125a6661cd."
        }
    ]
}

Also, does anyone know if roles assigned via an access request behave differently than roles assigned directly when it comes to revocation?

Thanks in advance!

Hi Ade,

Is there any role membership criteria specified on the role? Is it possible they also fit the role criteria?

Also can you confirm you are using client credentials that have Admin, Role Admin, or Role Sub-Admin user levels?

Thanks,

Liam

Hi @aomololu01,

How was the role granted to the user, via access request or based on criteria?

Hello!
Here is an example of the body:

{
    "requestedFor": [
        "3fe1cbd8706749cf8410fced03cd54ff"
    ],
    "requestType": "REVOKE_ACCESS",
    "requestedItems": [
        {
            "type": "ROLE",
            "id": "274ef0de8cde48d6b5cb24d5f8ee0883",
            "comment": "Request from API IdentityNow"
        }
    ]
}

As mentioned, if the role has criteria, it will be returned to the user.

No role membership criteria. The account being used has Admin ISC user level.

The role was granted via access request.

Is it possible to revoke a role if that role was used to provision the same Active Directory (AD) group membership across all AD accounts linked to the same identity?

Does the user have another role that also grants some of the groups granted by the role we are trying to revoke?

Yes. The user has another role that grants the same entitlement.

Hi @aomololu01,

Thank you for your question. I could spot a typo in your payload: type: Role in your payload should be ROLE instead. But if that was the issue you would have got a 400 series error with "invalid type" in the text.

I successfully replicated your error and found that the 400 error text you received is because of an invalid ID being provided, possibly the assignment ID.

You do not need to provide assignment ID, perhaps change your payload to hold only the required fields as per create-access-request | SailPoint Developer Community.

Good luck :slight_smile:
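The corrected shape described in this reply, as an added example that is not part of the thread or SailPoint's own tooling: a small Python helper that builds the minimal role-revoke body, flags the type casing and assignmentId problems noted above, and parses the 400 message into the identity and item IDs for logging (it assumes the rejected item IDs follow the colon as a comma-separated list).

```python
# Added example, not code from the thread or from SailPoint: build the minimal
# REVOKE_ACCESS body for a role (as in the working example above), flag the two
# problems the replies point at, and parse the 400 error message into IDs.
import re

VALID_ITEM_TYPES = {"ACCESS_PROFILE", "ROLE", "ENTITLEMENT"}
# Assumption: rejected item IDs follow the colon as a comma-separated list.
ERROR_RE = re.compile(r'cannot be revoked from identity \("([0-9a-f]+)"\): ([0-9a-f, ]+)\.')


def build_role_revoke_body(identity_id, role_id, comment, client_metadata=None):
    """Only the fields the working body uses: no assignmentId, no nativeIdentity."""
    body = {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [{"type": "ROLE", "id": role_id, "comment": comment}],
    }
    if client_metadata:
        body["clientMetadata"] = client_metadata
    return body


def check_body(body):
    """Return the problems a reviewer would flag before sending the request."""
    problems = []
    if body.get("requestType") != "REVOKE_ACCESS":
        problems.append("requestType must be REVOKE_ACCESS")
    for i, item in enumerate(body.get("requestedItems", [])):
        if item.get("type") not in VALID_ITEM_TYPES:
            problems.append(f"requestedItems[{i}].type {item.get('type')!r} should be upper-case, e.g. ROLE")
        if "assignmentId" in item:
            problems.append(f"requestedItems[{i}] sets assignmentId, which the working body omits")
    return problems


def parse_revoke_error(response):
    """Map a 'cannot be revoked' 400 response to {'identity': id, 'items': [ids]}."""
    for msg in response.get("messages", []):
        m = ERROR_RE.search(msg.get("text", ""))
        if m:
            return {"identity": m.group(1), "items": [x.strip() for x in m.group(2).split(",")]}
    return {}


# Constructed samples mirroring the failing item and the error response in the thread.
BROKEN_BODY = {"requestType": "REVOKE_ACCESS", "requestedFor": ["f40b9ac158274b6a9dad06a531a0f319"],
               "requestedItems": [{"type": "Role", "id": "aa01295cc1794c6e860b0fe515ac6f70",
                                   "assignmentId": "30ba59ed162144cca49231a311d06cd0"}]}
SAMPLE_ERROR = {"detailCode": "400.1 Bad request content", "messages": [{"text":
    'The following access item(s) cannot be revoked from identity '
    '("f40b9ac158274b6a9dad06a531a0f319"): e2e72619c74d443484411f125a6661cd.'}]}
```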

Hi Ade,

Look at your roles with IDs e2e72619c74d443484411f125a6661 and e2e72619c74d443484411f125a6661cd.

Are those roles requestable? Are users assigned those roles via request, or were they added to that role?

The roles are requestable.