This endpoint simulates provisioning a set of access items and then checks the result against a set of policies to determine whether granting those items would create new policy violations.

POST /CheckedPolicyViolations

Submits a set of access items to request and a set of policies to check once provisioning of those items has been simulated, to determine whether provisioning them would create policy violations. The request payload includes:

- An identity: the recipient of the access items in the simulation.
- A provisioning plan: the changes to be provisioned to that identity in the simulation.
- A list of policies: checked after the provisioning plan has been applied to the identity in the simulation, to determine whether the simulated access causes new policy violations.

Optionally, a list of attributes can be passed as query parameters to include in or exclude from the response. This setting applies only to top-level attributes as defined in the schema urn:ietf:params:scim:schemas:sailpoint:1.0:CheckedPolicyViolation.

Valid values:
- policies
- identity
- plan
- violations
- leftBundles
- rightBundles
Request

Query Parameters

- A list of attributes indicating which top-level attributes to include in the response.
- Password for authentication.
- Username for authentication.
- A list of attributes indicating which top-level attributes to exclude from the response.
- Not required for this endpoint, because the returned object is a new PolicyViolation rather than one returned from the persistence layer. This parameter is inherited from BaseSCIMResource and overrides the default id-based lookup with a name-based lookup when, for any reason, the artifact id is not present.
Body (application/json, required)
- identity: An identity for whom access is requested in the provisioning simulation.
- plan (object): A provisioning plan detailing the access to request in the simulation.
  - value (object)
    - accounts (object[])
      - op: The operation to perform on the provisioning.
      - instance: A particular instance to provision this access to.
      - application: The application that owns the access items in the request.
      - attributes (object[])
        - op: The operation to perform on the access item.
        - The type of access item to provision.
        - The name of the access item to provision.
- policies: A list of policies to check for new policy violations on the access provisioned by the simulation.
Responses

- 201: Returns a list of violations based on the simulated requested access (application/json).

Response schema

- identity: An identity for whom access was requested in the provisioning simulation.
- meta (object)
- violations (object[])
  - entitlements: An array of the entitlements used in the provisioning simulation.
  - policyName: The name of the policy that conflicted with the access items provisioned in the simulation, causing the policy violation.
  - policyType: The type of the policy that conflicted with the access items provisioned in the simulation, causing the policy violation(s).
  - description: The description of the policy violation(s) caused by the access provisioned in the simulation.
  - constraintName: The specific constraint in the policy that conflicted with the access items provisioned in the simulation.
  - leftBundles: The left set of entitlements defined in the policy constraint, checked against another set of entitlements for compliance.
  - rightBundles: The right set of entitlements defined in the policy constraint, checked against another set of entitlements for compliance.
- schemas: The SCIM schema for Checked Policy Violations.
- policies: The set of policies used to check for conflicting access in the provisioning simulation.
- plan (object): A provisioning plan detailing the access requested in the simulation.
  - value (object)
    - accounts (object[])
      - op: The operation performed on the access in the provisioning simulation.
      - instance: A particular instance to provision this access to.
      - application: The application that owns the access provisioned in the simulation.
      - attributes (object[])
        - op: The operation performed on the access in the provisioning simulation.
        - The type of provisioned access.
        - The name of the provisioned access items.
Example response (from schema):

```json
{
  "identity": {
    "identity": "Ryan.Russell"
  },
  "meta": {
    "resourceType": "CheckedPolicyViolation"
  },
  "violations": [
    {
      "entitlements": [
        "a2a",
        "a2b",
        "benefits"
      ],
      "policyName": "SOD Policy",
      "policyType": "SOD",
      "description": "Security design should not be combined with administrative permissions.",
      "constraintName": " IT SOD-117",
      "leftBundles": [
        "Security Architect - IT"
      ],
      "rightBundles": [
        "Unix Administrator - IT"
      ]
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:schemas:sailpoint:1.0:CheckedPolicyViolation"
  ],
  "policies": [
    "SOD Policy",
    "Entitlement Policy",
    "RandomPolicyNotExisting"
  ],
  "plan": {
    "value": {
      "accounts": [
        {
          "op": "Modify",
          "instance": "null",
          "application": "Active_Directory",
          "attributes": [
            {
              "op": "Add",
              "name": "groupmbr",
              "value": "UnixAdministration"
            }
          ]
        }
      ]
    },
    "type": "application/sailpoint.object.ProvisioningPlan+json"
  }
}
```
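As an added example (not SailPoint's code and not part of this reference page), the following Python client builds the request body the page documents, submits it, and turns the response into an approve/block decision for an access request. The base URL, the use of an HTTP Basic Authorization header, and the helper names are assumptions; the embedded sample response is the page's own example, and the interpretation caveats (a leading space in constraintName, a non-existent policy name echoed back) are drawn from that example.

```python
"""Client helper for the CheckedPolicyViolations simulation endpoint.

Added example, not SailPoint's code. Assumed (not stated on the page): the
base URL, that HTTP Basic auth is accepted, and that the response is JSON.
"""
import base64
import json
import urllib.request
from typing import Any, Dict, List, Optional

PLAN_TYPE = "application/sailpoint.object.ProvisioningPlan+json"  # from the page's example


def build_check_request(identity: str, application: str, attribute: str,
                        value: str, policies: List[str],
                        instance: Optional[str] = None) -> Dict[str, Any]:
    """Build the request body: one Modify on one account, adding one attribute value.

    Only the three members the page documents (identity, plan, policies) are sent.
    The page's example sends the string "null" for instance; pass that string to
    reproduce it exactly, or None to send a JSON null (assumption: also accepted).
    """
    return {
        "identity": {"identity": identity},
        "plan": {
            "value": {
                "accounts": [{
                    "op": "Modify",
                    "instance": instance,
                    "application": application,
                    "attributes": [{"op": "Add", "name": attribute, "value": value}],
                }]
            },
            "type": PLAN_TYPE,
        },
        "policies": list(policies),
    }


def post_check(base_url: str, username: str, password: str,
               body: Dict[str, Any], timeout: float = 30.0):
    """POST the body and return (status, parsed JSON). Network call: not exercised offline.

    The page lists username and password under query parameters; this helper sends
    them in an Authorization header instead (assumption: the server accepts Basic
    auth), because query strings are routinely written to proxy and access logs.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/CheckedPolicyViolations",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.load(resp)


def would_violate(response: Dict[str, Any]) -> bool:
    """True when the simulation reported at least one new violation."""
    return bool(response.get("violations"))


def summarize_violations(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Reduce each violation to the fields an approver acts on. constraintName is
    stripped because the page's example carries a leading space (" IT SOD-117")."""
    rows = []
    for v in response.get("violations") or []:
        rows.append({
            "policy": v.get("policyName"),
            "type": v.get("policyType"),
            "constraint": (v.get("constraintName") or "").strip(),
            "left": sorted(v.get("leftBundles") or []),
            "right": sorted(v.get("rightBundles") or []),
            "entitlements": sorted(v.get("entitlements") or []),
        })
    return rows


def policies_without_violations(response: Dict[str, Any]) -> List[str]:
    """Requested policies that produced no violation. The page's example echoes
    'RandomPolicyNotExisting' back unchanged, so a clean result does not by itself
    prove every named policy was evaluated: validate policy names against the
    policy inventory before treating 'no violations' as a pass."""
    flagged = {v.get("policyName") for v in response.get("violations") or []}
    return [p for p in response.get("policies") or [] if p not in flagged]


# The page's example response, embedded so the helpers run offline.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "identity": {"identity": "Ryan.Russell"},
    "meta": {"resourceType": "CheckedPolicyViolation"},
    "violations": [{
        "entitlements": ["a2a", "a2b", "benefits"],
        "policyName": "SOD Policy", "policyType": "SOD",
        "description": "Security design should not be combined with administrative permissions.",
        "constraintName": " IT SOD-117",
        "leftBundles": ["Security Architect - IT"],
        "rightBundles": ["Unix Administrator - IT"],
    }],
    "schemas": ["urn:ietf:params:scim:schemas:sailpoint:1.0:CheckedPolicyViolation"],
    "policies": ["SOD Policy", "Entitlement Policy", "RandomPolicyNotExisting"],
    "plan": {
        "value": {"accounts": [{
            "op": "Modify", "instance": "null", "application": "Active_Directory",
            "attributes": [{"op": "Add", "name": "groupmbr", "value": "UnixAdministration"}],
        }]},
        "type": PLAN_TYPE,
    },
}

if __name__ == "__main__":
    body = build_check_request("Ryan.Russell", "Active_Directory", "groupmbr",
                               "UnixAdministration", SAMPLE_RESPONSE["policies"],
                               instance="null")
    assert body["plan"] == SAMPLE_RESPONSE["plan"]  # matches the page's example plan
    for row in summarize_violations(SAMPLE_RESPONSE):
        print(row)
    print("decision:", "block" if would_violate(SAMPLE_RESPONSE) else "allow")
```

In a request-approval workflow the natural use is to call `build_check_request` with the exact plan that will later be provisioned, gate on `would_violate`, and attach `summarize_violations` to the approval record so the approver sees which constraint and which left/right bundle pair would conflict.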