Skip to main content

List of Access Review Items

GET 

/certifications/:id/access-review-items

This API returns a list of access review items for an identity campaign certification. A token with ORG_ADMIN or CERT_ADMIN authority is required to call this API. Reviewers for this certification can also call this API. This API does not support requests for certifications assigned to Governance Groups.

Request

Path Parameters

    id stringrequired

    The identity campaign certification ID

    Example: ef38f94347e94562b5bb8424a56397d8

Query Parameters

    limit int32

    Possible values: <= 250

    Default value: 250

    Max number of results to return. See V3 API Standard Collection Parameters for more information.

    Example: 250
    offset int32

    Default value: 0

    Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

    Example: 0
    count boolean

    If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

    Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

    See V3 API Standard Collection Parameters for more information.

    Example: true
    filters string

    Filter results using the standard syntax described in V3 API Standard Collection Parameters

    Filtering is supported for the following fields and operators:

    id: eq, in

    type: eq

    access.type: eq

    completed: eq, ne

    identitySummary.id: eq, in

    identitySummary.name: eq, sw

    access.id: eq, in

    access.name: eq, sw

    entitlement.sourceName: eq, sw

    accessProfile.sourceName: eq, sw

    Example: id eq "ef38f94347e94562b5bb8424a56397d8"
    sorters comma-separated

    Sort results using the standard syntax described in V3 API Standard Collection Parameters

    Sorting is supported for the following fields: identitySummary.name, access.name, access.type, entitlement.sourceName, accessProfile.sourceName

    Example: access.name,-accessProfile.sourceName
    entitlements string

    Filter results to view access review items that pertain to any of the specified comma-separated entitlement IDs.

    An error will occur if this param is used with access-profiles or roles as only one of these query params can be used at a time.

    Example: identityEntitlement
    access-profiles string

    Filter results to view access review items that pertain to any of the specified comma-separated access-profle IDs.

    An error will occur if this param is used with entitlements or roles as only one of these query params can be used at a time.

    Example: accessProfile1
    roles string

    Filter results to view access review items that pertain to any of the specified comma-separated role IDs.

    An error will occur if this param is used with entitlements or access-profiles as only one of these query params can be used at a time.

    Example: userRole

Responses

A list of access review items

Schema

  • Array [

  • accessSummary

    object

    An object holding the access that is being reviewed

    access

    object

    type DtoType (string)

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

    The type of item being certified

    id string

    The ID of the item being certified

    name string

    The name of the item being certified

    entitlement

    object

    nullable

    id string

    The id for the entitlement

    name string

    The name of the entitlement

    description stringnullable

    Information about the entitlement

    privileged boolean

    Indicates if the entitlement is a privileged entitlement

    owner

    object

    nullable

    type string

    The type can only be IDENTITY. This is read-only.

    id string

    Identity ID.

    name string

    Identity's human-readable display name. This is read-only.

    email string

    Identity's email address. This is read-only.

    attributeName string

    The name of the attribute on the source

    attributeValue string

    The value of the attribute on the source

    sourceSchemaObjectType string

    The schema object type on the source used to represent the entitlement and its attributes

    sourceName string

    The name of the source for which this entitlement belongs

    sourceType string

    The type of the source for which the entitlement belongs

    sourceId string

    The ID of the source for which the entitlement belongs

    hasPermissions boolean

    Indicates if the entitlement has permissions

    isPermission boolean

    Indicates if the entitlement is a representation of an account permission

    revocable boolean

    Indicates whether the entitlement can be revoked

    cloudGoverned boolean

    True if the entitlement is cloud governed

    containsDataAccess boolean

    True if the entitlement has DAS data

    dataAccess

    object

    nullable

    DAS data for the entitlement

    policies

    object[]

    List of classification policies that apply to resources the entitlement \ groups has access to

  • Array [

  • value string

    Value of the policy

  • ]

  • categories

    object[]

    List of classification categories that apply to resources the entitlement \ groups has access to

  • Array [

  • value string

    Value of the category

    matchCount integer

    Number of matched for each category

  • ]

  • impactScore

    object

    value string

    Impact Score for this data

    account

    object

    nullable

    Information about the status of the entitlement

    nativeIdentity string

    The native identity for this account

    disabled boolean

    Indicates whether this account is currently disabled

    locked boolean

    Indicates whether this account is currently locked

    type DtoType (string)

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

    An enumeration of the types of DTOs supported within the IdentityNow infrastructure.

    id stringnullable

    The id associated with the account

    name stringnullable

    The account name

    created date-timenullable

    When the account was created

    modified date-timenullable

    When the account was last modified

    activityInsights

    object

    Insights into account activity

    accountID string

    UUID of the account

    usageDays int32

    Possible values: <= 90

    The number of days of activity

    usageDaysState string

    Possible values: [COMPLETE, UNKNOWN]

    Status indicating if the activity is complete or unknown

    accessProfile

    object

    id string

    The id of the Access Profile

    name string

    Name of the Access Profile

    description string

    Information about the Access Profile

    privileged boolean

    Indicates if the entitlement is a privileged entitlement

    cloudGoverned boolean

    True if the entitlement is cloud governed

    endDate date-timenullable

    The date at which a user's access expires

    owner

    object

    nullable

    Owner of the Access Profile

    type string

    The type can only be IDENTITY. This is read-only.

    id string

    Identity ID.

    name string

    Identity's human-readable display name. This is read-only.

    email string

    Identity's email address. This is read-only.

    entitlements

    object[]

    A list of entitlements associated with this Access Profile

  • Array [

  • id string

    The id for the entitlement

    name string

    The name of the entitlement

    description stringnullable

    Information about the entitlement

    privileged boolean

    Indicates if the entitlement is a privileged entitlement

    owner

    object

    nullable

    type string

    The type can only be IDENTITY. This is read-only.

    id string

    Identity ID.

    name string

    Identity's human-readable display name. This is read-only.

    email string

    Identity's email address. This is read-only.

    attributeName string

    The name of the attribute on the source

    attributeValue string

    The value of the attribute on the source

    sourceSchemaObjectType string

    The schema object type on the source used to represent the entitlement and its attributes

    sourceName string

    The name of the source for which this entitlement belongs

    sourceType string

    The type of the source for which the entitlement belongs

    sourceId string

    The ID of the source for which the entitlement belongs

    hasPermissions boolean

    Indicates if the entitlement has permissions

    isPermission boolean

    Indicates if the entitlement is a representation of an account permission

    revocable boolean

    Indicates whether the entitlement can be revoked

    cloudGoverned boolean

    True if the entitlement is cloud governed

    containsDataAccess boolean

    True if the entitlement has DAS data

    dataAccess

    object

    nullable

    DAS data for the entitlement

    policies

    object[]

    List of classification policies that apply to resources the entitlement \ groups has access to

  • Array [

  • value string

    Value of the policy

  • ]

  • categories

    object[]

    List of classification categories that apply to resources the entitlement \ groups has access to

  • Array [

  • value string

    Value of the category

    matchCount integer

    Number of matched for each category

  • ]

  • impactScore

    object

    value string

    Impact Score for this data

    account

    object

    nullable

    Information about the status of the entitlement

    nativeIdentity string

    The native identity for this account

    disabled boolean

    Indicates whether this account is currently disabled

    locked boolean

    Indicates whether this account is currently locked

    type DtoType (string)

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

    An enumeration of the types of DTOs supported within the IdentityNow infrastructure.

    id stringnullable

    The id associated with the account

    name stringnullable

    The account name

    created date-timenullable

    When the account was created

    modified date-timenullable

    When the account was last modified

    activityInsights

    object

    Insights into account activity

    accountID string

    UUID of the account

    usageDays int32

    Possible values: <= 90

    The number of days of activity

    usageDaysState string

    Possible values: [COMPLETE, UNKNOWN]

    Status indicating if the activity is complete or unknown

  • ]

  • created date-time

    Date the Access Profile was created.

    modified date-time

    Date the Access Profile was last modified.

    role

    object

    nullable

    id string

    The id for the Role

    name string

    The name of the Role

    description string

    Information about the Role

    privileged boolean

    Indicates if the entitlement is a privileged entitlement

    owner

    object

    nullable

    type string

    The type can only be IDENTITY. This is read-only.

    id string

    Identity ID.

    name string

    Identity's human-readable display name. This is read-only.

    email string

    Identity's email address. This is read-only.

    revocable boolean

    Indicates whether the Role can be revoked or requested

    endDate date-time

    The date when a user's access expires.

    accessProfiles

    object[]

    The list of Access Profiles associated with this Role

  • Array [

  • id string

    The id of the Access Profile

    name string

    Name of the Access Profile

    description string

    Information about the Access Profile

    privileged boolean

    Indicates if the entitlement is a privileged entitlement

    cloudGoverned boolean

    True if the entitlement is cloud governed

    endDate date-timenullable

    The date at which a user's access expires

    owner

    object

    nullable

    Owner of the Access Profile

    type string

    The type can only be IDENTITY. This is read-only.

    id string

    Identity ID.

    name string

    Identity's human-readable display name. This is read-only.

    email string

    Identity's email address. This is read-only.

    entitlements

    object[]

    A list of entitlements associated with this Access Profile

  • Array [

  • id string

    The id for the entitlement

    name string

    The name of the entitlement

    description stringnullable

    Information about the entitlement

    privileged boolean

    Indicates if the entitlement is a privileged entitlement

    owner

    object

    nullable

    type string

    The type can only be IDENTITY. This is read-only.

    id string

    Identity ID.

    name string

    Identity's human-readable display name. This is read-only.

    email string

    Identity's email address. This is read-only.

    attributeName string

    The name of the attribute on the source

    attributeValue string

    The value of the attribute on the source

    sourceSchemaObjectType string

    The schema object type on the source used to represent the entitlement and its attributes

    sourceName string

    The name of the source for which this entitlement belongs

    sourceType string

    The type of the source for which the entitlement belongs

    sourceId string

    The ID of the source for which the entitlement belongs

    hasPermissions boolean

    Indicates if the entitlement has permissions

    isPermission boolean

    Indicates if the entitlement is a representation of an account permission

    revocable boolean

    Indicates whether the entitlement can be revoked

    cloudGoverned boolean

    True if the entitlement is cloud governed

    containsDataAccess boolean

    True if the entitlement has DAS data

    dataAccess

    object

    nullable

    DAS data for the entitlement

    policies

    object[]

    List of classification policies that apply to resources the entitlement \ groups has access to

  • Array [

  • value string

    Value of the policy

  • ]

  • categories

    object[]

    List of classification categories that apply to resources the entitlement \ groups has access to

  • Array [

  • value string

    Value of the category

    matchCount integer

    Number of matched for each category

  • ]

  • impactScore

    object

    value string

    Impact Score for this data

    account

    object

    nullable

    Information about the status of the entitlement

    nativeIdentity string

    The native identity for this account

    disabled boolean

    Indicates whether this account is currently disabled

    locked boolean

    Indicates whether this account is currently locked

    type DtoType (string)

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

    An enumeration of the types of DTOs supported within the IdentityNow infrastructure.

    id stringnullable

    The id associated with the account

    name stringnullable

    The account name

    created date-timenullable

    When the account was created

    modified date-timenullable

    When the account was last modified

    activityInsights

    object

    Insights into account activity

    accountID string

    UUID of the account

    usageDays int32

    Possible values: <= 90

    The number of days of activity

    usageDaysState string

    Possible values: [COMPLETE, UNKNOWN]

    Status indicating if the activity is complete or unknown

  • ]

  • created date-time

    Date the Access Profile was created.

    modified date-time

    Date the Access Profile was last modified.

  • ]

  • entitlements

    object[]

    The list of entitlements associated with this Role

  • Array [

  • id string

    The id for the entitlement

    name string

    The name of the entitlement

    description stringnullable

    Information about the entitlement

    privileged boolean

    Indicates if the entitlement is a privileged entitlement

    owner

    object

    nullable

    type string

    The type can only be IDENTITY. This is read-only.

    id string

    Identity ID.

    name string

    Identity's human-readable display name. This is read-only.

    email string

    Identity's email address. This is read-only.

    attributeName string

    The name of the attribute on the source

    attributeValue string

    The value of the attribute on the source

    sourceSchemaObjectType string

    The schema object type on the source used to represent the entitlement and its attributes

    sourceName string

    The name of the source for which this entitlement belongs

    sourceType string

    The type of the source for which the entitlement belongs

    sourceId string

    The ID of the source for which the entitlement belongs

    hasPermissions boolean

    Indicates if the entitlement has permissions

    isPermission boolean

    Indicates if the entitlement is a representation of an account permission

    revocable boolean

    Indicates whether the entitlement can be revoked

    cloudGoverned boolean

    True if the entitlement is cloud governed

    containsDataAccess boolean

    True if the entitlement has DAS data

    dataAccess

    object

    nullable

    DAS data for the entitlement

    policies

    object[]

    List of classification policies that apply to resources the entitlement \ groups has access to

  • Array [

  • value string

    Value of the policy

  • ]

  • categories

    object[]

    List of classification categories that apply to resources the entitlement \ groups has access to

  • Array [

  • value string

    Value of the category

    matchCount integer

    Number of matched for each category

  • ]

  • impactScore

    object

    value string

    Impact Score for this data

    account

    object

    nullable

    Information about the status of the entitlement

    nativeIdentity string

    The native identity for this account

    disabled boolean

    Indicates whether this account is currently disabled

    locked boolean

    Indicates whether this account is currently locked

    type DtoType (string)

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

    An enumeration of the types of DTOs supported within the IdentityNow infrastructure.

    id stringnullable

    The id associated with the account

    name stringnullable

    The account name

    created date-timenullable

    When the account was created

    modified date-timenullable

    When the account was last modified

    activityInsights

    object

    Insights into account activity

    accountID string

    UUID of the account

    usageDays int32

    Possible values: <= 90

    The number of days of activity

    usageDaysState string

    Possible values: [COMPLETE, UNKNOWN]

    Status indicating if the activity is complete or unknown

  • ]

  • identitySummary

    object

    id string

    The ID of the identity summary

    name string

    Name of the linked identity

    identityId string

    The ID of the identity being certified

    completed boolean

    Indicates whether the review items for the linked identity's certification have been completed

    id string

    The review item's id

    completed boolean

    Whether the review item is complete

    newAccess boolean

    Indicates whether the review item is for new access to a source

    decision CertificationDecision (string)

    Possible values: [APPROVE, REVOKE]

    The decision to approve or revoke the review item

    comments stringnullable

    Comments for this review item

  • ]

Loading...