Limiting External Access Requests - API Not working

My team and I are trying to implement access request restriction as per this document, Limiting External Access Requests.
We are looking at option number one, which is the API option. Basically we want to set "approvalsMustBeExternal": true. However, this doesn't seem to be working. We have tried using just the body in the doc as documented but still no luck. We have also tried doing a GET request on the access request config and passing the response of the GET request after updating the field, but still no luck.

The first error we got was:

```json
{
    "detailCode": "400.1 Bad request content",
    "trackingId": "",
    "messages": [
        {
            "locale": "en-US",
            "localeOrigin": "DEFAULT",
            "text": "The request was syntactically correct but its content is semantically invalid."
        },
        {
            "locale": "und",
            "localeOrigin": "REQUEST",
            "text": "The request was syntactically correct but its content is semantically invalid."
        }
    ],
    "causes": []
}
```

And the second error we got was:

```json
{
    "detailCode": "500.1 Downstream error",
    "trackingId": "",
    "messages": [
        {
            "locale": "en-US",
            "localeOrigin": "DEFAULT",
            "text": "A call from this server to another component has failed."
        },
        {
            "locale": "und",
            "localeOrigin": "REQUEST",
            "text": "A call from this server to another component has failed."
        }
    ],
    "causes": [
        {
            "locale": "en-US",
            "localeOrigin": "DEFAULT",
            "text": "Failed to update Configuration."
        }
    ]
}
```

I will be glad if someone can help out…Thanks

Hi @Otunba_skillz

Can you show the body and URL (mask sensitive data)?

For the URL, I tried both the BETA and V3.
The URL is https:xxxxx/access-request-config and as for the body, I have tried different ones, e.g.

```json
{
    "approvalsMustBeExternal": true,
    "autoApprovalEnabled": false,
    "reauthorizationEnabled": false,
    "requestOnBehalfOfConfig": {
        "allowRequestOnBehalfOfAnyoneByAnyone": true,
        "allowRequestOnBehalfOfEmployeeByManager": false,
        "allowRequestOnBehalfOfForMachineIdentity": true
    },
    "approvalReminderAndEscalationConfig": {
        "daysUntilEscalation": 0,
        "daysBetweenReminders": 0,
        "maxReminders": 0,
        "fallbackApproverRef": null
    },
    "entitlementRequestConfig": {
        "allowEntitlementRequest": true,
        "requestCommentsRequired": false,
        "deniedCommentsRequired": false,
        "grantRequestApprovalSchemes": null,
        "revokeRequestApprovalSchemes": null
    },
    "govGroupVisibilityEnabled": false,
    "fallbackAccessDurationInDays": null
}
```


I have also tried another body where I removed all the null values completely in the payload.

Also I have tried another body where I populated the null values with actual values from a user in my tenant, but still all resulted in an error. You can try this in your tenant and let me know if that endpoint works with any body you try it with pls

Hello @Otunba_skillz, can you try removing the below objects from the body? I don’t see these fields in the API documentation

Thanks Theja, I did that but still got an error. Did u try this on your end to see if it works? Pls find the body and response below:

@Otunba_skillz We set that a couple of years back in our tenant and it worked fine. I think below is the JSON that we used,

```json
{
    "approvalsMustBeExternal": true,
    "autoApprovalEnabled": true,
    "requestOnBehalfOfConfig": {
        "allowRequestOnBehalfOfAnyoneByAnyone": true,
        "allowRequestOnBehalfOfEmployeeByManager": true
    },
    "approvalReminderAndEscalationConfig": {},
    "entitlementRequestConfig": {}
}
```

Please try if this still works.

If you still want to pass the values based on the GET request, remove the entries that have the value as null and try it as well.

Hello Vidya,
I tried exactly what you posted and still got the below error. I can confirm my tenant is up and running and other APIs are working fine. Can u pls help verify by testing this in your sandbox tenant just so we verify the API endpoint is not broken.

Hello Theja,
I have tried this but still no luck. See my responses below in other user’s response

Hello Vidya,
I have tried this as well but no luck

@Otunba_skillz It seems SailPoint has added an additional dependency and hence the old one is not working. I will try to check in my non-prod env and see if it works.

All good… I’ll wait and see what you come back with

@Otunba_skillz Somehow in one of my new tenants, external approvals is already set to true. I am not sure who did it since many people use that common tenant.

But I tried to modify it with various versions of JSON, and I am also getting the same semantically incorrect error. I am trying to reach out to others to see if they have any details about it

Okk thanks. Hopefully something comes outta it

@Otunba_skillz I got this working with the help of my great colleague. Below is the way to enable it,

Change to V2026 API and set the headers as below,

and call the API and it is working

JSON used is below

```json
{
  "approvalsMustBeExternal": true,
  "reauthorizationEnabled": false,
  "requestOnBehalfOfConfig": {
    "allowRequestOnBehalfOfAnyoneByAnyone": true,
    "allowRequestOnBehalfOfEmployeeByManager": false,
    "allowRequestOnBehalfOfForMachineIdentity": true
  },
  "entitlementRequestConfig": {
    "allowEntitlementRequest": true,
    "requestCommentsRequired": false,
    "deniedCommentsRequired": false,
    "grantRequestApprovalSchemes": null,
    "revokeRequestApprovalSchemes": null
  },
  "govGroupVisibilityEnabled": false,
  "fallbackAccessDurationInDays": null
}
```

Please let me know if it worked for you. If so, I request you to mark this as the solution.

Below is the Python code for you to execute it. Modify the tenant, client ID and client secret at the start of the program

```python
import requests

# Set the necessary variables
tenant_id = ""
client_id = ""
client_secret = ""
base_url = f"https://{tenant_id}.api.identitynow.com"

# Get an access token using the client credentials grant
auth_url = f"{base_url}/oauth/token"
auth_data = {
    "grant_type": "client_credentials",
    "client_id": client_id,
    "client_secret": client_secret,
}
auth_response = requests.post(auth_url, data=auth_data, timeout=30)
print(auth_response)
auth_response.raise_for_status()

# Extract the access token from the response.
# It is a bearer credential, so it is not printed to the console.
access_token = auth_response.json()["access_token"]

# API call to update the access request configuration
url = f"{base_url}/v2026/access-request-config"
headers = {
    'Authorization': f'Bearer {access_token}',
    'Content-Type': 'application/json',
    'X-SailPoint-Experimental': 'true'
}

# Request body (named payload so it does not shadow the json module name)
payload = {
  "approvalsMustBeExternal": True,
  "reauthorizationEnabled": False,
  "requestOnBehalfOfConfig": {
    "allowRequestOnBehalfOfAnyoneByAnyone": True,
    "allowRequestOnBehalfOfEmployeeByManager": False,
    "allowRequestOnBehalfOfForMachineIdentity": True
  },
  "entitlementRequestConfig": {
    "allowEntitlementRequest": True,
    "requestCommentsRequired": False,
    "deniedCommentsRequired": False,
    "grantRequestApprovalSchemes": None,
    "revokeRequestApprovalSchemes": None
  },
  "govGroupVisibilityEnabled": False,
  "fallbackAccessDurationInDays": None
}

response = requests.put(url, headers=headers, json=payload, timeout=30)

if response.status_code == 200:
    data = response.json()
    print(f"Successfully completed the modification and response is {data}")
else:
    # Show the error body as well; it carries the detailCode and messages
    print(f"Access request config update failed with status code: {response.status_code}")
    print(response.text)
```

Hello Vidya,
thanks a lot for your response.
I tried it via Postman and got the following error. Attached is the headers, body and endpoint.

I was able to get it to work with this Python script you shared. Thanks a lot for this. Not sure why it didn’t work with Postman but only with the script

Hello Vidya,
I finally got it to work in Postman by changing the collection to V2025. So both the script and Postman work fine in our Dev Tenant. However, the same change is not working in our Production Tenant. Be it the Python script or the API collection, none of them is working for our Production Tenant. Below is the error message I am getting. Any help or thoughts will be appreciated

```json
{
    "detailCode": "404 Not found",
    "trackingId": "22xxxx37ef204ca98xxxxxx",
    "messages": [
        {
            "locale": "und",
            "localeOrigin": "REQUEST",
            "text": "The server did not find a current representation for the target resource."
        },
        {
            "locale": "en-US",
            "localeOrigin": "DEFAULT",
            "text": "The server did not find a current representation for the target resource."
        }
    ],
    "causes": []
}
```

HTTP 404, probably the URL is wrong?
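
The thread ends with the same update taking effect in one tenant and not in another. As an added example (not part of any post above and not SailPoint code), the following wraps the change in a read-modify-write that re-reads the configuration and reports whether approvalsMustBeExternal actually changed. `get_config` and `put_config` are hypothetical callables you would back with the GET and PUT on access-request-config; `FakeTenant` and `SAMPLE` are constructed stand-ins so the code runs offline.

```python
import copy

# Setting the thread is trying to enforce; every other key is carried over as-is.
REQUIRED = {"approvalsMustBeExternal": True}

def drift(expected, actual, path=""):
    """List dotted paths where `actual` does not match `expected` (recursive)."""
    problems = []
    for key, want in expected.items():
        here = f"{path}.{key}" if path else key
        got = actual.get(key) if isinstance(actual, dict) else None
        if isinstance(want, dict) and isinstance(got, dict):
            problems += drift(want, got, here)
        elif got != want:
            problems.append(f"{here}: expected {want!r}, got {got!r}")
    return problems

def enforce(get_config, put_config, required=REQUIRED):
    """Read-modify-write, then re-read so a change that did not stick is caught."""
    before = get_config()
    if not drift(required, before):
        return "already-compliant", []
    body = copy.deepcopy(before)
    body.update(required)  # top-level overlay; REQUIRED has no nested keys
    put_config(body)
    problems = drift(required, get_config())
    return ("updated" if not problems else "not-applied"), problems

class FakeTenant:
    """Constructed in-memory stand-in; accepts_put=False mimics a tenant where the PUT fails."""
    def __init__(self, config, accepts_put=True):
        self.config, self.accepts_put = config, accepts_put
    def get(self):
        return copy.deepcopy(self.config)
    def put(self, body):
        if self.accepts_put:
            self.config = copy.deepcopy(body)

# Constructed sample config, shaped like the JSON bodies posted in the thread.
SAMPLE = {
    "approvalsMustBeExternal": False,
    "reauthorizationEnabled": False,
    "requestOnBehalfOfConfig": {"allowRequestOnBehalfOfAnyoneByAnyone": True},
    "govGroupVisibilityEnabled": False,
}

if __name__ == "__main__":
    for name, ok in (("dev", True), ("prod", False)):
        tenant = FakeTenant(SAMPLE, accepts_put=ok)
        print(name, enforce(tenant.get, tenant.put))
```

Running the same check against each tenant after a change gives a per-tenant record of whether external approvals are really enforced, independent of the HTTP status the client happened to see.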