List Access Profiles
GET/access-profiles
Use this API to get a list of access profiles. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.
Request
Query Parameters
If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN or SOURCE_SUBADMIN identity. The value of the parameter is either an identity ID, or the special value me, which is shorthand for the calling identity's ID.
A 400 Bad Request error is returned if the for-subadmin parameter is specified for an identity that is not a subadmin.
Possible values: <= 50
Default value: 50
Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.
Default value: 0
Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.
If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.
See V3 API Standard Collection Parameters for more information.
Filter results using the standard syntax described in V3 API Standard Collection Parameters
Filtering is supported for the following fields and operators:
id: eq, in
name: eq, sw
created: gt, lt, ge, le
modified: gt, lt, ge, le
owner.id: eq, in
requestable: eq
source.id: eq, in
Filtering is not supported for access profiles and entitlements that have the '+' symbol in their names.
Sort results using the standard syntax described in V3 API Standard Collection Parameters
Sorting is supported for the following fields: name, created, modified
If present and not empty, additionally filters access profiles to those which are assigned to the segment(s) with the specified IDs. If segmentation is currently unavailable, specifying this parameter results in an error.
Default value: true
Indicates whether the response list should contain unsegmented access profiles. If for-segment-ids is absent or empty, specifying include-unsegmented as false results in an error.
Responses
- 200
- 400
- 401
- 403
- 429
- 500
List of access profiles.
- application/json
- Schema
- Example (from schema)
Schema
Array [
Array [
]
Array [
]
Array [
]
Array [
Array [
]
]
]
The ID of the Access Profile
Name of the Access Profile
Information about the Access Profile
Date the Access Profile was created
Date the Access Profile was last modified.
Default value: true
Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.
owner
object
required
Owner of the Access Profile
Possible values: [IDENTITY
]
Owner type. This field must be either left null or set to 'IDENTITY' on input, otherwise a 400 Bad Request error will result.
Identity id
Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner's display name, otherwise a 400 Bad Request error will result.
source
object
required
The ID of the Source with with which the Access Profile is associated
Possible values: [SOURCE
]
The type of the Source, will always be SOURCE
The display name of the associated Source
entitlements
object[]
nullable
A list of entitlements associated with the Access Profile. If enabled is false this is allowed to be empty otherwise it needs to contain at least one Entitlement.
Possible values: [ENTITLEMENT
]
Entitlement's DTO type.
Entitlement's ID.
Entitlement's display name.
Default value: true
Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value false in this field results in a 400 error.
accessRequestConfig
object
nullable
Access request configuration for this object
Whether the requester of the containing object must provide comments justifying the request
Whether an approver must provide comments when denying the request
approvalSchemes
object[]
nullable
List describing the steps in approving the request
Possible values: [APP_OWNER
, OWNER
, SOURCE_OWNER
, MANAGER
, GOVERNANCE_GROUP
]
Describes the individual or group that is responsible for an approval step. Values are as follows. APP_OWNER: The owner of the Application
OWNER: Owner of the associated Access Profile or Role
SOURCE_OWNER: Owner of the Source associated with an Access Profile
MANAGER: Manager of the Identity making the request
GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field
Id of the specific approver, used only when approverType is GOVERNANCE_GROUP
revocationRequestConfig
object
nullable
Revocation request configuration for this object.
approvalSchemes
object[]
nullable
List describing the steps in approving the revocation request
Possible values: [APP_OWNER
, OWNER
, SOURCE_OWNER
, MANAGER
, GOVERNANCE_GROUP
]
Describes the individual or group that is responsible for an approval step. Values are as follows. APP_OWNER: The owner of the Application
OWNER: Owner of the associated Access Profile or Role
SOURCE_OWNER: Owner of the Source associated with an Access Profile
MANAGER: Manager of the Identity making the request
GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field
Id of the specific approver, used only when approverType is GOVERNANCE_GROUP
List of IDs of segments, if any, to which this Access Profile is assigned.
provisioningCriteria
object
nullable
When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.
Possible values: [EQUALS
, NOT_EQUALS
, CONTAINS
, HAS
, AND
, OR
]
Supported operations on ProvisioningCriteria
Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.
String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.
children
object[]
nullable
Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.
Possible values: [EQUALS
, NOT_EQUALS
, CONTAINS
, HAS
, AND
, OR
]
Supported operations on ProvisioningCriteria
Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.
String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.
children
object[]
nullable
Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.
Possible values: [EQUALS
, NOT_EQUALS
, CONTAINS
, HAS
, AND
, OR
]
Supported operations on ProvisioningCriteria
Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.
String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.
Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.
[
{
"id": "2c91808a7190d06e01719938fcd20792",
"name": "Employee-database-read-write",
"description": "Collection of entitlements to read/write the employee database",
"created": "2021-03-01T22:32:58.104Z",
"modified": "2021-03-02T20:22:28.104Z",
"enabled": true,
"owner": {
"type": "IDENTITY",
"id": "2c9180a46faadee4016fb4e018c20639",
"name": "support"
},
"source": {
"id": "2c91809773dee3610173fdb0b6061ef4",
"type": "SOURCE",
"name": "ODS-AD-SOURCE"
},
"entitlements": [
{
"type": "ENTITLEMENT",
"id": "2c91809773dee32014e13e122092014e",
"name": "CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local"
}
],
"requestable": true,
"accessRequestConfig": {
"commentsRequired": true,
"denialCommentsRequired": true,
"approvalSchemes": [
{
"approverType": "GOVERNANCE_GROUP",
"approverId": "46c79819-a69f-49a2-becb-12c971ae66c6"
}
]
},
"revocationRequestConfig": {
"approvalSchemes": [
{
"approverType": "GOVERNANCE_GROUP",
"approverId": "46c79819-a69f-49a2-becb-12c971ae66c6"
}
]
},
"segments": [
"f7b1b8a3-5fed-4fd4-ad29-82014e137e19",
"29cb6c06-1da8-43ea-8be4-b3125f248f2a"
],
"provisioningCriteria": {
"operation": "OR",
"children": [
{
"operation": "AND",
"children": [
{
"attribute": "dn",
"operation": "CONTAINS",
"value": "useast"
},
{
"attribute": "manager",
"operation": "CONTAINS",
"value": "Scott.Clark"
}
]
},
{
"operation": "AND",
"children": [
{
"attribute": "dn",
"operation": "EQUALS",
"value": "Gibson"
},
{
"attribute": "telephoneNumber",
"operation": "CONTAINS",
"value": "512"
}
]
}
]
}
}
]
Client Error - Returned if the request body is invalid.
- application/json
- Schema
- Example (from schema)
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"error": "JWT validation failed: JWT is expired"
}
Forbidden - Returned if the user you are running as, doesn't have access to this end-point.
- application/json
- Schema
- Example (from schema)
- 403
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 403 response object
{
"detailCode": "403 Forbidden",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The server understood the request but refuses to authorize it."
}
]
}
Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"message": " Rate Limit Exceeded "
}
Internal Server Error - Returned if there is an unexpected error.
- application/json
- Schema
- Example (from schema)
- 500
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 500 response object
{
"detailCode": "500.0 Internal Fault",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An internal fault occurred."
}
]
}