Pending Access Request Approvals List
GET/access-request-approvals/pending
This endpoint returns a list of pending approvals. See "owner-id" query parameter below for authorization info.
Request
Query Parameters
- ORG_ADMIN users can call this with any identity ID value.
- ORG_ADMIN users can also fetch all the approvals in the org, when owner-id is not used.
- Non-ORG_ADMIN users can only specify me or pass their own identity ID value.
If present, the value returns only pending approvals for the specified identity.
Possible values: <= 250
Default value: 250
Max number of results to return. See V3 API Standard Collection Parameters for more information.
Default value: 0
Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.
If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.
See V3 API Standard Collection Parameters for more information.
Filter results using the standard syntax described in V3 API Standard Collection Parameters
Filtering is supported for the following fields and operators:
id: eq, in
requestedFor.id: eq, in
modified: gt, lt, ge, le, eq, in
Sort results using the standard syntax described in V3 API Standard Collection Parameters
Sorting is supported for the following fields: created, modified
Responses
- 200
- 401
- 403
- 429
- 500
List of Pending Approvals.
- application/json
- Schema
- Example (from schema)
Schema
Array [
Array [
]
Array [
]
Array [
- MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's.
- AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time.
- AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to Setting Global Reminders and Escalation Policies.
- SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to Self-review Prevention and Preventing Self-approval.
]
Array [
Array [
]
Array [
]
]
Array [
]
]
The approval id.
The name of the approval.
When the approval was created.
When the approval was modified last time.
When the access-request was created.
Possible values: [GRANT_ACCESS
, REVOKE_ACCESS
, null
]
Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field.
requester
object
Access item requester's identity.
Possible values: [IDENTITY
]
Access item requester's DTO type.
Access item requester's identity ID.
Access item owner's human-readable display name.
requestedFor
object[]
Possible values: >= 1
, <= 10
Identities access was requested for.
Possible values: [IDENTITY
]
DTO type of identity the access item is requested for.
ID of identity the access item is requested for.
Human-readable display name of identity the access item is requested for.
owner
object
Access item owner's identity.
Possible values: [IDENTITY
]
Access item owner's DTO type.
Access item owner's identity ID.
Access item owner's human-readable display name.
requestedObject
object
The requested access item.
Id of the object.
Name of the object.
Description of the object.
Possible values: [ACCESS_PROFILE
, ROLE
, ENTITLEMENT
]
Type of the object.
requesterComment
object
The requester's comment.
Comment content.
Date and time comment was created.
author
object
Author of the comment
Possible values: [IDENTITY
]
The type of object
The unique ID of the object
The display name of the object
previousReviewersComments
object[]
The history of the previous reviewers comments.
Comment content.
Date and time comment was created.
author
object
Author of the comment
Possible values: [IDENTITY
]
The type of object
The unique ID of the object
The display name of the object
forwardHistory
object[]
The history of approval forward action.
Display name of approver from whom the approval was forwarded.
Display name of approver to whom the approval was forwarded.
Comment made while forwarding.
Time at which approval was forwarded.
Display name of forwarder who forwarded the approval.
Possible values: [MANUAL_REASSIGNMENT
, AUTOMATIC_REASSIGNMENT
, AUTO_ESCALATION
, SELF_REVIEW_DELEGATION
]
The approval reassignment type.
When true the rejector has to provide comments when rejecting
Possible values: [APPROVED
, REJECTED
, FORWARDED
]
Action that is performed on this approval, and system has not finished performing that action yet.
The date the role or access profile or entitlement is no longer assigned to the specified identity.
If true, then the request is to change the remove date or sunset date.
The remove date or sunset date that was assigned at the time of the request.
sodViolationContext
object
nullable
The details of the SOD violations for the associated approval.
Possible values: [SUCCESS
, ERROR
]
The status of SOD violation check
The id of the Violation check event
violationCheckResult
object
The inner object representing the completed SOD Violation check
message
object
If the request failed, includes any error message that was generated.
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
clientMetadata
object
Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check.
violationContexts
object[]
policy
object
SOD policy.
Possible values: [SOD_POLICY
]
SOD policy DTO type.
SOD policy ID.
SOD policy display name.
conflictingAccessCriteria
object
The object which contains the left and right hand side of the entitlements that got violated according to the policy.
leftCriteria
object
criteriaList
object[]
If the entitlement already belonged to the user or not.
Possible values: [ACCOUNT_CORRELATION_CONFIG
, ACCESS_PROFILE
, ACCESS_REQUEST_APPROVAL
, ACCOUNT
, APPLICATION
, CAMPAIGN
, CAMPAIGN_FILTER
, CERTIFICATION
, CLUSTER
, CONNECTOR_SCHEMA
, ENTITLEMENT
, GOVERNANCE_GROUP
, IDENTITY
, IDENTITY_PROFILE
, IDENTITY_REQUEST
, MACHINE_IDENTITY
, LIFECYCLE_STATE
, PASSWORD_POLICY
, ROLE
, RULE
, SOD_POLICY
, SOURCE
, TAG
, TAG_CATEGORY
, TASK_RESULT
, REPORT_RESULT
, SOD_VIOLATION
, ACCOUNT_ACTIVITY
, WORKGROUP
]
An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
Entitlement ID
Entitlement name
rightCriteria
object
criteriaList
object[]
If the entitlement already belonged to the user or not.
Possible values: [ACCOUNT_CORRELATION_CONFIG
, ACCESS_PROFILE
, ACCESS_REQUEST_APPROVAL
, ACCOUNT
, APPLICATION
, CAMPAIGN
, CAMPAIGN_FILTER
, CERTIFICATION
, CLUSTER
, CONNECTOR_SCHEMA
, ENTITLEMENT
, GOVERNANCE_GROUP
, IDENTITY
, IDENTITY_PROFILE
, IDENTITY_REQUEST
, MACHINE_IDENTITY
, LIFECYCLE_STATE
, PASSWORD_POLICY
, ROLE
, RULE
, SOD_POLICY
, SOURCE
, TAG
, TAG_CATEGORY
, TASK_RESULT
, REPORT_RESULT
, SOD_VIOLATION
, ACCOUNT_ACTIVITY
, WORKGROUP
]
An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
Entitlement ID
Entitlement name
violatedPolicies
object[]
A list of the Policies that were violated.
Possible values: [SOD_POLICY
]
SOD policy DTO type.
SOD policy ID.
SOD policy display name.
[
{
"id": "2c9180835d2e5168015d32f890ca1581",
"name": "Pending approval name",
"created": "2017-07-11T18:45:37.098Z",
"modified": "2018-07-25T20:22:28.104Z",
"requestCreated": "2017-07-11T18:45:35.098Z",
"requestType": "GRANT_ACCESS",
"requester": {
"type": "IDENTITY",
"id": "2c7180a46faadee4016fb4e018c20648",
"name": "William Wilson"
},
"requestedFor": [
{
"type": "IDENTITY",
"id": "2c4180a46faadee4016fb4e018c20626",
"name": "Robert Robinson"
}
],
"owner": {
"type": "IDENTITY",
"id": "2c9180a46faadee4016fb4e018c20639",
"name": "Support"
},
"requestedObject": {
"id": "2c938083633d259901633d25c68c00fa",
"name": "Object Name",
"description": "Object Description",
"type": "ROLE"
},
"requesterComment": {
"comment": "This is a comment.",
"created": "2017-07-11T18:45:37.098Z",
"author": {
"type": "IDENTITY",
"id": "2c9180847e25f377017e2ae8cae4650b",
"name": "john.doe"
}
},
"previousReviewersComments": [
{
"comment": "This is a comment.",
"created": "2017-07-11T18:45:37.098Z",
"author": {
"type": "IDENTITY",
"id": "2c9180847e25f377017e2ae8cae4650b",
"name": "john.doe"
}
}
],
"forwardHistory": [
{
"oldApproverName": "Frank Mir",
"newApproverName": "Al Volta",
"comment": "Forwarding from Frank to Al",
"modified": "2019-08-23T18:52:57.398Z",
"forwarderName": "William Wilson",
"reassignmentType": "AUTOMATIC_REASSIGNMENT"
}
],
"commentRequiredWhenRejected": true,
"actionInProcess": "APPROVED",
"removeDate": "2020-07-11T00:00:00Z",
"removeDateUpdateRequested": true,
"currentRemoveDate": "2020-07-11T00:00:00Z",
"sodViolationContext": {
"state": "SUCCESS",
"uuid": "f73d16e9-a038-46c5-b217-1246e15fdbdd",
"violationCheckResult": {
"message": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An error has occurred during the SOD violation check"
}
],
"clientMetadata": {
"requestedAppName": "test-app",
"requestedAppId": "2c91808f7892918f0178b78da4a305a1"
},
"violationContexts": [
{
"policy": {
"type": "SOD_POLICY",
"id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"name": "Business SOD Policy"
},
"conflictingAccessCriteria": {
"leftCriteria": {
"criteriaList": [
{
"existing": true,
"type": "ENTITLEMENT",
"id": "2c918085771e9d3301773b3cb66f6398",
"name": "My HR Entitlement"
}
]
},
"rightCriteria": {
"criteriaList": [
{
"existing": true,
"type": "ENTITLEMENT",
"id": "2c918085771e9d3301773b3cb66f6398",
"name": "My HR Entitlement"
}
]
}
}
}
],
"violatedPolicies": [
{
"type": "SOD_POLICY",
"id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"name": "Business SOD Policy"
}
]
}
}
}
]
Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"error": "JWT validation failed: JWT is expired"
}
Forbidden - Returned if the user you are running as, doesn't have access to this end-point.
- application/json
- Schema
- Example (from schema)
- 403
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 403 response object
{
"detailCode": "403 Forbidden",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The server understood the request but refuses to authorize it."
}
]
}
Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"message": " Rate Limit Exceeded "
}
Internal Server Error - Returned if there is an unexpected error.
- application/json
- Schema
- Example (from schema)
- 500
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 500 response object
{
"detailCode": "500.0 Internal Fault",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An internal fault occurred."
}
]
}