Access Request Status
GET/access-request-status
The Access Request Status API returns a list of access request statuses based on the specified query parameters. Any token with any authority can request their own status. A token with ORG_ADMIN authority is required to call this API to get a list of statuses for other users.
Request
Query Parameters
Filter the results by the identity for which the requests were made. me indicates the current user. Mutually exclusive with regarding-identity.
Filter the results by the identity that made the requests. me indicates the current user. Mutually exclusive with regarding-identity.
Filter the results by the specified identity which is either the requester or target of the requests. me indicates the current user. Mutually exclusive with requested-for and requested-by.
Filter the results by the specified identity which is the owner of the Identity Request Work Item. me indicates the current user.
If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.
Possible values: <= 250
Default value: 250
Max number of results to return.
Offset into the full result set. Usually specified with limit to paginate through the results. Defaults to 0 if not specified.
Filter results using the standard syntax described in V3 API Standard Collection Parameters
Filtering is supported for the following fields and operators:
accountActivityItemId: eq, in, ge, gt, le, lt, ne, isnull, sw
Sort results using the standard syntax described in V3 API Standard Collection Parameters
Sorting is supported for the following fields: created, modified, accountActivityItemId, name
Responses
- 200
- 400
- 401
- 403
- 429
- 500
List of requested item status.
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- EXECUTING: The request is executing, which indicates the system is doing some processing.
- REQUEST_COMPLETED: Indicates the request has been completed.
- CANCELLED: The request was cancelled with no user input.
- TERMINATED: The request has been terminated before it was able to complete.
- PROVISIONING_VERIFICATION_PENDING: The request has finished any approval steps and provisioning is waiting to be verified.
- REJECTED: The request was rejected.
- PROVISIONING_FAILED: The request has failed to complete.
- NOT_ALL_ITEMS_PROVISIONED: One or more of the requested items failed to complete, but there were one or more successes.
- ERROR: An error occurred during request processing.
- Array [
- PENDING: The request for this item is awaiting processing.
- APPROVED: The request for this item has been approved.
- REJECTED: The request for this item was rejected.
- EXPIRED: The request for this item expired with no action taken.
- CANCELLED: The request for this item was cancelled with no user action.
- ARCHIVED: The request for this item has been archived after completion.
- Array [
- ]
- ]
- Array [
- PENDING: The request for this item is awaiting processing.
- APPROVED: The request for this item has been approved.
- REJECTED: The request for this item was rejected.
- EXPIRED: The request for this item expired with no action taken.
- CANCELLED: The request for this item was cancelled with no user action.
- ARCHIVED: The request for this item has been archived after completion.
- Array [
- MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's.
- AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time.
- AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to Setting Global Reminders and Escalation Policies.
- SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to Self-review Prevention and Preventing Self-approval.
- ]
- ]
- Array [
- ]
- Array [
- Array [
- ]
- Array [
- ]
- ]
- Array [
- ]
- Array [
- ]
- ]
Human-readable display name of the item being requested.
Possible values: [ACCESS_PROFILE
, ROLE
, ENTITLEMENT
, null
]
Type of requested object.
cancelledRequestDetails object
Provides additional details for a request that has been cancelled.
Comment made by the owner when cancelling the associated request.
owner object
Owner's identity.
Possible values: [IDENTITY
]
Owner's DTO type.
Owner's identity ID.
Owner's name.
Date comment was added by the owner when cancelling the associated request.
List of list of localized error messages, if any, encountered during the approval/provisioning process.
Possible values: [EXECUTING
, REQUEST_COMPLETED
, CANCELLED
, TERMINATED
, PROVISIONING_VERIFICATION_PENDING
, REJECTED
, PROVISIONING_FAILED
, NOT_ALL_ITEMS_PROVISIONED
, ERROR
]
Indicates the state of an access request:
approvalDetails object[]
Approval details for each item.
Default value: false
True if the request for this item was forwarded from one owner to another.
originalOwner object
Identity of orginal approval owner.
Possible values: [GOVERNANCE_GROUP
, IDENTITY
]
DTO type of original approval owner's identity.
ID of original approval owner's identity.
Display name of original approval owner.
currentOwner object
Identity who reviewed the access item request.
Possible values: [IDENTITY
]
DTO type of identity who reviewed the access item request.
ID of identity who reviewed the access item request.
Human-readable display name of identity who reviewed the access item request.
Time at which item was modified.
Possible values: [PENDING
, APPROVED
, REJECTED
, EXPIRED
, CANCELLED
, ARCHIVED
]
Indicates the state of the request processing for this item:
Possible values: [APP_OWNER
, SOURCE_OWNER
, MANAGER
, ROLE_OWNER
, ACCESS_PROFILE_OWNER
, ENTITLEMENT_OWNER
, GOVERNANCE_GROUP
]
Describes the individual or group that is responsible for an approval step.
errorMessages object[]nullable
If the request failed, includes any error messages that were generated.
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
Comment, if any, provided by the approver.
The date the role or access profile is no longer assigned to the specified identity.
manualWorkItemDetails object[]nullable
Manual work items created for provisioning the item.
Default value: false
True if the request for this item was forwarded from one owner to another.
originalOwner objectnullable
Identity of original work item owner, if the work item has been forwarded.
Possible values: [GOVERNANCE_GROUP
, IDENTITY
]
DTO type of original work item owner's identity.
ID of original work item owner's identity.
Display name of original work item owner.
currentOwner objectnullable
Identity of current work item owner.
Possible values: [GOVERNANCE_GROUP
, IDENTITY
]
DTO type of current work item owner's identity.
ID of current work item owner's identity.
Display name of current work item owner.
Time at which item was modified.
Possible values: [PENDING
, APPROVED
, REJECTED
, EXPIRED
, CANCELLED
, ARCHIVED
]
Indicates the state of the request processing for this item:
forwardHistory object[]nullable
The history of approval forward action.
Display name of approver from whom the approval was forwarded.
Display name of approver to whom the approval was forwarded.
Comment made while forwarding.
Time at which approval was forwarded.
Display name of forwarder who forwarded the approval.
Possible values: [MANUAL_REASSIGNMENT
, AUTOMATIC_REASSIGNMENT
, AUTO_ESCALATION
, SELF_REVIEW_DELEGATION
]
The approval reassignment type.
Id of associated account activity item.
Possible values: [GRANT_ACCESS
, REVOKE_ACCESS
, null
]
Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field.
When the request was last modified.
When the request was created.
requester object
Access item requester's identity.
Possible values: [IDENTITY
]
Access item requester's DTO type.
Access item requester's identity ID.
Access item owner's human-readable display name.
requestedFor object[]
Possible values: >= 1
, <= 10
Identities access was requested for.
Possible values: [IDENTITY
]
DTO type of identity the access item is requested for.
ID of identity the access item is requested for.
Human-readable display name of identity the access item is requested for.
requesterComment object
The requester's comment.
Comment content.
Date and time comment was created.
author object
Author of the comment
Possible values: [IDENTITY
]
The type of object
The unique ID of the object
The display name of the object
sodViolationContext object
An object referencing a completed SOD violation check
Possible values: [SUCCESS
, ERROR
, null
]
The status of SOD violation check
The id of the Violation check event
violationCheckResult object
The inner object representing the completed SOD Violation check
message object
If the request failed, this includes any error message that was generated.
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
clientMetadata objectnullable
Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check.
violationContexts object[]nullable
policy object
SOD policy.
Possible values: [SOD_POLICY
]
SOD policy DTO type.
SOD policy ID.
SOD policy display name.
conflictingAccessCriteria object
The object which contains the left and right hand side of the entitlements that got violated according to the policy.
leftCriteria object
criteriaList object[]
Default value: false
If the entitlement already belonged to the user or not.
Possible values: [ACCOUNT_CORRELATION_CONFIG
, ACCESS_PROFILE
, ACCESS_REQUEST_APPROVAL
, ACCOUNT
, APPLICATION
, CAMPAIGN
, CAMPAIGN_FILTER
, CERTIFICATION
, CLUSTER
, CONNECTOR_SCHEMA
, ENTITLEMENT
, GOVERNANCE_GROUP
, IDENTITY
, IDENTITY_PROFILE
, IDENTITY_REQUEST
, LIFECYCLE_STATE
, PASSWORD_POLICY
, ROLE
, RULE
, SOD_POLICY
, SOURCE
, TAG
, TAG_CATEGORY
, TASK_RESULT
, REPORT_RESULT
, SOD_VIOLATION
, ACCOUNT_ACTIVITY
, WORKGROUP
]
An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
Entitlement ID
Entitlement name
rightCriteria object
criteriaList object[]
Default value: false
If the entitlement already belonged to the user or not.
Possible values: [ACCOUNT_CORRELATION_CONFIG
, ACCESS_PROFILE
, ACCESS_REQUEST_APPROVAL
, ACCOUNT
, APPLICATION
, CAMPAIGN
, CAMPAIGN_FILTER
, CERTIFICATION
, CLUSTER
, CONNECTOR_SCHEMA
, ENTITLEMENT
, GOVERNANCE_GROUP
, IDENTITY
, IDENTITY_PROFILE
, IDENTITY_REQUEST
, LIFECYCLE_STATE
, PASSWORD_POLICY
, ROLE
, RULE
, SOD_POLICY
, SOURCE
, TAG
, TAG_CATEGORY
, TASK_RESULT
, REPORT_RESULT
, SOD_VIOLATION
, ACCOUNT_ACTIVITY
, WORKGROUP
]
An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
Entitlement ID
Entitlement name
violatedPolicies object[]nullable
A list of the SOD policies that were violated.
Possible values: [SOD_POLICY
]
SOD policy DTO type.
SOD policy ID.
SOD policy display name.
provisioningDetails object
Provides additional details about provisioning for this request.
Ordered CSV of sub phase references to objects that contain more information about provisioning. For example, this can contain "manualWorkItemDetails" which indicate that there is further information in that object for this phase.
preApprovalTriggerDetails object
Provides additional details about the pre-approval trigger for this request.
Comment left for the pre-approval decision
The reviewer of the pre-approval decision
Possible values: [APPROVED
, REJECTED
]
The decision of the pre-approval trigger
accessRequestPhases object[]nullable
A list of Phases that the Access Request has gone through in order, to help determine the status of the request.
The time that this phase started.
The time that this phase finished.
The name of this phase.
Possible values: [PENDING
, EXECUTING
, COMPLETED
, CANCELLED
, NOT_EXECUTED
]
The state of this phase.
Possible values: [SUCCESSFUL
, FAILED
, null
]
The state of this phase.
A reference to another object on the RequestedItemStatus that contains more details about the phase. Note that for the Provisioning phase, this will be empty if there are no manual work items.
Description associated to the requested object.
When the role access is scheduled for removal.
Default value: false
True if the request can be canceled.
This is the account activity id.
clientMetadata objectnullable
Arbitrary key-value pairs, if any were included in the corresponding access request
[
{
"name": "AccessProfile1",
"type": "ACCESS_PROFILE",
"cancelledRequestDetails": {
"comment": "This request must be cancelled.",
"owner": {
"type": "IDENTITY",
"id": "2c9180a46faadee4016fb4e018c20639",
"name": "Support"
},
"modified": "2019-12-20T09:17:12.192Z"
},
"errorMessages": [
[
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
],
"state": "EXECUTING",
"approvalDetails": [
{
"forwarded": false,
"originalOwner": {
"type": "IDENTITY",
"id": "2c7180a46faadee4016fb4e018c20642",
"name": "Michael Michaels"
},
"currentOwner": {
"type": "IDENTITY",
"id": "2c3780a46faadee4016fb4e018c20652",
"name": "Allen Albertson"
},
"modified": "2019-08-23T18:52:57.398Z",
"status": "PENDING",
"scheme": "MANAGER",
"errorMessages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"comment": "I approve this request",
"removeDate": "2020-07-11T00:00:00Z"
}
],
"manualWorkItemDetails": [
{
"forwarded": true,
"originalOwner": {
"type": "IDENTITY",
"id": "2c7180a46faadee4016fb4e018c20642",
"name": "Michael Michaels"
},
"currentOwner": {
"type": "IDENTITY",
"id": "2c3780a46faadee4016fb4e018c20652",
"name": "Allen Albertson"
},
"modified": "2019-08-23T18:52:57.398Z",
"status": "PENDING",
"forwardHistory": [
{
"oldApproverName": "Frank Mir",
"newApproverName": "Al Volta",
"comment": "Forwarding from Frank to Al",
"modified": "2019-08-23T18:52:57.398Z",
"forwarderName": "William Wilson",
"reassignmentType": "AUTOMATIC_REASSIGNMENT"
}
]
}
],
"accountActivityItemId": "2c9180926cbfbddd016cbfc7c3b10010",
"requestType": "GRANT_ACCESS",
"modified": "2019-08-23T18:52:59.162Z",
"created": "2019-08-23T18:40:35.772Z",
"requester": {
"type": "IDENTITY",
"id": "2c7180a46faadee4016fb4e018c20648",
"name": "William Wilson"
},
"requestedFor": [
{
"type": "IDENTITY",
"id": "2c4180a46faadee4016fb4e018c20626",
"name": "Robert Robinson"
}
],
"requesterComment": {
"comment": "This is a comment.",
"created": "2017-07-11T18:45:37.098Z",
"author": {
"type": "IDENTITY",
"id": "2c9180847e25f377017e2ae8cae4650b",
"name": "john.doe"
}
},
"sodViolationContext": {
"state": "SUCCESS",
"uuid": "f73d16e9-a038-46c5-b217-1246e15fdbdd",
"violationCheckResult": {
"message": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An error has occurred during the SOD violation check"
}
],
"clientMetadata": {
"requestedAppName": "test-app",
"requestedAppId": "2c91808f7892918f0178b78da4a305a1"
},
"violationContexts": [
{
"policy": {
"type": "SOD_POLICY",
"id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"name": "Business SOD Policy"
},
"conflictingAccessCriteria": {
"leftCriteria": {
"criteriaList": [
{
"existing": true,
"type": "ENTITLEMENT",
"id": "2c918085771e9d3301773b3cb66f6398",
"name": "My HR Entitlement"
}
]
},
"rightCriteria": {
"criteriaList": [
{
"existing": true,
"type": "ENTITLEMENT",
"id": "2c918085771e9d3301773b3cb66f6398",
"name": "My HR Entitlement"
}
]
}
}
}
],
"violatedPolicies": [
{
"type": "SOD_POLICY",
"id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"name": "Business SOD Policy"
}
]
}
},
"provisioningDetails": {
"orderedSubPhaseReferences": "manualWorkItemDetails"
},
"preApprovalTriggerDetails": {
"comment": "Access is Approved",
"reviewer": "John Doe",
"decision": "APPROVED"
},
"accessRequestPhases": [
{
"started": "2020-07-11T00:00:00Z",
"finished": "2020-07-12T00:00:00Z",
"name": "APPROVAL_PHASE",
"state": "COMPLETED",
"result": "SUCCESSFUL",
"phaseReference": "approvalDetails"
}
],
"description": "This is the Engineering role that engineers are granted.",
"removeDate": "2019-10-23T00:00:00.000Z",
"cancelable": true,
"accessRequestId": "2b838de9-db9b-abcf-e646-d4f274ad4238",
"clientMetadata": {
"key1": "value1",
"key2": "value2"
}
}
]
Client Error - Returned if the request body is invalid.
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
- Array [
- ]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"error": "JWT validation failed: JWT is expired"
}
Forbidden - Returned if the user you are running as, doesn't have access to this end-point.
- application/json
- Schema
- Example (from schema)
- 403
Schema
- Array [
- ]
- Array [
- ]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 403 response object
{
"detailCode": "403 Forbidden",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The server understood the request but refuses to authorize it."
}
]
}
Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"message": " Rate Limit Exceeded "
}
Internal Server Error - Returned if there is an unexpected error.
- application/json
- Schema
- Example (from schema)
- 500
Schema
- Array [
- ]
- Array [
- ]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 500 response object
{
"detailCode": "500.0 Internal Fault",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An internal fault occurred."
}
]
}