Skip to main content

Get a Role

GET 
https://sailpoint.api.identitynow.com/beta/roles/:id

This API returns a Role by its ID. A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a token with ROLE_SUBADMIN authority may only call this API if all Access Profiles included in the Role are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.

Request

Path Parameters

    id stringrequired

    ID of the Role

    Example: 2c91808a7813090a017814121e121518

Responses

List of all Roles

Schema
    idstring

    The id of the Role. This field must be left null when creating an Role, otherwise a 400 Bad Request error will result.

    Example: 2c918086749d78830174a1a40e121518
    namestringrequired

    The human-readable display name of the Role

    Possible values: <= 128 characters

    Example: Role 2567
    createddate-time

    Date the Role was created

    Example: 2021-03-01T22:32:58.104Z
    modifieddate-time

    Date the Role was last modified.

    Example: 2021-03-02T20:22:28.104Z
    descriptionstringnullable

    A human-readable description of the Role

    Example: Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.
    owner objectrequired

    Owner of the object.

    typestring

    Owner type. This field must be either left null or set to 'IDENTITY' on input, otherwise a 400 Bad Request error will result.

    Possible values: [IDENTITY]

    Example: IDENTITY
    idstring

    Owner's identity ID.

    Example: 2c9180a46faadee4016fb4e018c20639
    namestring

    Owner's name. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner's display name, otherwise a 400 Bad Request error will result.

    Example: support
    accessProfiles object[]nullable
  • Array [
    • idstring

    ID of the Access Profile

    Example: ff808081751e6e129f1518161919ecca
    typestring

    Type of requested object. This field must be either left null or set to 'ACCESS_PROFILE' when creating an Access Profile, otherwise a 400 Bad Request error will result.

    Possible values: [ACCESS_PROFILE]

    Example: ACCESS_PROFILE
    namestring

    Human-readable display name of the Access Profile. This field is ignored on input.

    Example: Access Profile 2567
  • ]
    • entitlements object[]
  • Array [
    • typestring

    Entitlement's DTO type.

    Possible values: [ENTITLEMENT]

    Example: ENTITLEMENT
    idstring

    Entitlement's ID.

    Example: 2c91809773dee32014e13e122092014e
    namestringnullable

    Entitlement's display name.

    Example: CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local
  • ]
    • membership objectnullable

    When present, specifies that the Role is to be granted to Identities which either satisfy specific criteria or which are members of a given list of Identities.

    typestring

    This enum characterizes the type of a Role's membership selector. Only the following two are fully supported:

    STANDARD: Indicates that Role membership is defined in terms of a criteria expression

    IDENTITY_LIST: Indicates that Role membership is conferred on the specific identities listed

    Possible values: [STANDARD, IDENTITY_LIST]

    Example: IDENTITY_LIST
    criteria objectnullable

    Defines STANDARD type Role membership

    operationstring

    An operation

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, ENDS_WITH, AND, OR]

    Example: EQUALS
    key objectnullable

    Refers to a specific Identity attribute, Account attibute, or Entitlement used in Role membership criteria

    typestringrequired

    Indicates whether the associated criteria represents an expression on identity attributes, account attributes, or entitlements, respectively.

    Possible values: [IDENTITY, ACCOUNT, ENTITLEMENT]

    Example: ACCOUNT
    propertystringrequired

    The name of the attribute or entitlement to which the associated criteria applies.

    Example: attribute.email
    sourceIdstringnullable

    ID of the Source from which an account attribute or entitlement is drawn. Required if type is ACCOUNT or ENTITLEMENT

    Example: 2c9180867427f3a301745aec18211519
    stringValuestringnullable

    String value to test the Identity attribute, Account attribute, or Entitlement specified in the key w/r/t the specified operation. If this criteria is a leaf node, that is, if the operation is one of EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, or ENDS_WITH, this field is required. Otherwise, specifying it is an error.

    Example: carlee.cert1c9f9b6fd@mailinator.com
    children object[]nullable

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes. Additionally, AND nodes can only be children or OR nodes and vice-versa.

  • Array [
    • operationstring

    An operation

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, ENDS_WITH, AND, OR]

    Example: EQUALS
    key objectnullable

    Refers to a specific Identity attribute, Account attibute, or Entitlement used in Role membership criteria

    typestringrequired

    Indicates whether the associated criteria represents an expression on identity attributes, account attributes, or entitlements, respectively.

    Possible values: [IDENTITY, ACCOUNT, ENTITLEMENT]

    Example: ACCOUNT
    propertystringrequired

    The name of the attribute or entitlement to which the associated criteria applies.

    Example: attribute.email
    sourceIdstringnullable

    ID of the Source from which an account attribute or entitlement is drawn. Required if type is ACCOUNT or ENTITLEMENT

    Example: 2c9180867427f3a301745aec18211519
    stringValuestringnullable

    String value to test the Identity attribute, Account attribute, or Entitlement specified in the key w/r/t the specified operation. If this criteria is a leaf node, that is, if the operation is one of EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, or ENDS_WITH, this field is required. Otherwise, specifying it is an error.

    Example: carlee.cert1c9f9b6fd@mailinator.com
    children object[]nullable

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes. Additionally, AND nodes can only be children or OR nodes and vice-versa.

  • Array [
    • operationstring

    An operation

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, ENDS_WITH, AND, OR]

    Example: EQUALS
    key objectnullable

    Refers to a specific Identity attribute, Account attibute, or Entitlement used in Role membership criteria

    typestringrequired

    Indicates whether the associated criteria represents an expression on identity attributes, account attributes, or entitlements, respectively.

    Possible values: [IDENTITY, ACCOUNT, ENTITLEMENT]

    Example: ACCOUNT
    propertystringrequired

    The name of the attribute or entitlement to which the associated criteria applies.

    Example: attribute.email
    sourceIdstringnullable

    ID of the Source from which an account attribute or entitlement is drawn. Required if type is ACCOUNT or ENTITLEMENT

    Example: 2c9180867427f3a301745aec18211519
    stringValuestring

    String value to test the Identity attribute, Account attribute, or Entitlement specified in the key w/r/t the specified operation. If this criteria is a leaf node, that is, if the operation is one of EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, or ENDS_WITH, this field is required. Otherwise, specifying it is an error.

    Example: carlee.cert1c9f9b6fd@mailinator.com
  • ]
  • ]
    • identities object[]nullable

    Defines role membership as being exclusive to the specified Identities, when type is IDENTITY_LIST.

  • Array [
    • typestringnullable

    An enumeration of the types of DTOs supported within the IdentityNow infrastructure.

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, MACHINE_IDENTITY, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

    Example: IDENTITY
    idstring

    Identity id

    Example: 2c9180a46faadee4016fb4e018c20639
    namestringnullable

    Human-readable display name of the Identity.

    Example: Thomas Edison
    aliasNamestringnullable

    User name of the Identity

    Example: t.edison
  • ]
    • legacyMembershipInfo objectnullable

    This field is not directly modifiable and is generally expected to be null. In very rare instances, some Roles may have been created using membership selection criteria that are no longer fully supported. While these Roles will still work, they should be migrated to STANDARD or IDENTITY_LIST selection criteria. This field exists for informational purposes as an aid to such migration.

    property name*anynullable

    This field is not directly modifiable and is generally expected to be null. In very rare instances, some Roles may have been created using membership selection criteria that are no longer fully supported. While these Roles will still work, they should be migrated to STANDARD or IDENTITY_LIST selection criteria. This field exists for informational purposes as an aid to such migration.

    Example: {"type":"IDENTITY_LIST"}
    enabledboolean

    Whether the Role is enabled or not.

    Default value: false
    Example: true
    requestableboolean

    Whether the Role can be the target of access requests.

    Default value: false
    Example: true
    accessRequestConfig object
    commentsRequiredbooleannullable

    Whether the requester of the containing object must provide comments justifying the request

    Default value: false
    Example: true
    denialCommentsRequiredbooleannullable

    Whether an approver must provide comments when denying the request

    Default value: false
    Example: true
    reauthorizationRequiredbooleannullable

    Indicates whether reauthorization is required for the request.

    Default value: false
    Example: true
    approvalSchemes object[]

    List describing the steps in approving the request

  • Array [
    • approverTypestring

    Describes the individual or group that is responsible for an approval step. Values are as follows.

    OWNER: Owner of the associated Role

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

    Possible values: [OWNER, MANAGER, GOVERNANCE_GROUP]

    Example: GOVERNANCE_GROUP
    approverIdstringnullable

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

    Example: 46c79819-a69f-49a2-becb-12c971ae66c6
  • ]
    • revocationRequestConfig object
    commentsRequiredbooleannullable

    Whether the requester of the containing object must provide comments justifying the request

    Default value: false
    Example: false
    denialCommentsRequiredbooleannullable

    Whether an approver must provide comments when denying the request

    Default value: false
    Example: false
    approvalSchemes object[]

    List describing the steps in approving the revocation request

  • Array [
    • approverTypestring

    Describes the individual or group that is responsible for an approval step. Values are as follows.

    OWNER: Owner of the associated Role

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

    Possible values: [OWNER, MANAGER, GOVERNANCE_GROUP]

    Example: GOVERNANCE_GROUP
    approverIdstringnullable

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

    Example: 46c79819-a69f-49a2-becb-12c971ae66c6
  • ]
    • segmentsstring[]nullable

    List of IDs of segments, if any, to which this Role is assigned.

    Example: ["f7b1b8a3-5fed-4fd4-ad29-82014e137e19","29cb6c06-1da8-43ea-8be4-b3125f248f2a"]
    dimensionalbooleannullable

    Whether the Role is dimensional.

    Default value: false
    dimensionRefs object[]nullable

    List of references to dimensions to which this Role is assigned. This field is only relevant if the Role is dimensional.

  • Array [
    • typestring

    The type of the object to which this reference applies

    Possible values: [DIMENSION]

    Example: DIMENSION
    idstring

    ID of the object to which this reference applies

    Example: 2c91808568c529c60168cca6f90c1313
    namestring

    Human-readable display name of the object to which this reference applies

    Example: Role 2
  • ]
    • accessModelMetadata object
    attributes object[]nullable
  • Array [
    • keystring

    Technical name of the Attribute. This is unique and cannot be changed after creation.

    Example: iscPrivacy
    namestring

    The display name of the key.

    Example: Privacy
    multiselectboolean

    Indicates whether the attribute can have multiple values.

    Default value: false
    Example: false
    statusstring

    The status of the Attribute.

    Example: active
    typestring

    The type of the Attribute. This can be either "custom" or "governance".

    Example: governance
    objectTypesstring[]nullable

    An array of object types this attributes values can be applied to. Possible values are "all" or "entitlement". Value "all" means this attribute can be used with all object types that are supported.

    Example: ["entitlement"]
    descriptionstring

    The description of the Attribute.

    Example: Specifies the level of privacy associated with an access item.
    values object[]nullable
  • Array [
    • valuestring

    Technical name of the Attribute value. This is unique and cannot be changed after creation.

    Example: public
    namestring

    The display name of the Attribute value.

    Example: Public
    statusstring

    The status of the Attribute value.

    Example: active
  • ]
  • ]

Authorization: oauth2

type: Personal Access Token
scopes: idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read
user levels: ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN

View SDK Reference

package main

import (
  "context"
  "fmt"
  "os"
    "encoding/json"
    beta "github.com/sailpoint-oss/golang-sdk/v2/api_beta"
  sailpoint "github.com/sailpoint-oss/golang-sdk/v2"
)

func main() {
  id := `2c91808a7813090a017814121e121518` // string | ID of the Role # string | ID of the Role

  


 	configuration := sailpoint.NewDefaultConfiguration()
  apiClient := sailpoint.NewAPIClient(configuration)
  resp, r, err := apiClient.Beta.RolesAPI.GetRole(context.Background(), id).Execute()
  //resp, r, err := apiClient.Beta.RolesAPI.GetRole(context.Background(), id).Execute()
  if err != nil {
    fmt.Fprintf(os.Stderr, "Error when calling `RolesAPI.GetRole``: %v\n", err)
    fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
  }
  // response from `GetRole`: Role
  fmt.Fprintf(os.Stdout, "Response from `RolesAPI.GetRole`: %v\n", resp)
}
Request Collapse all
Base URL
https://sailpoint.api.identitynow.com/beta
Auth
Parameters
— pathrequired
ResponseClear

Click the Send API Request button above and see the response here!