Access Request Status
GET/access-request-status
Use this API to return a list of access request statuses based on the specified query parameters. If an access request was made for access that an identity already has, the API ignores the access request. These ignored requests do not display in the list of access request statuses. Any user with any user level can get the status of their own access requests. A user with ORG_ADMIN is required to call this API to get a list of statuses for other users.
Request
Query Parameters
Filter the results by the identity the requests were made for. me indicates the current user. Mutually exclusive with regarding-identity.
Filter the results by the identity twho made the requests. me indicates the current user. Mutually exclusive with regarding-identity.
Filter the results by the specified identity who is either the requester or target of the requests. me indicates the current user. Mutually exclusive with requested-for and requested-by.
Filter the results by the specified identity who is the owner of the Identity Request Work Item. me indicates the current user.
If this is true, the X-Total-Count response header populates with the number of results that would be returned if limit and offset were ignored.
Possible values: <= 250
Default value: 250
Max number of results to return.
Offset into the full result set. Usually specified with limit to paginate through the results. Defaults to 0 if not specified.
Filter results using the standard syntax described in V3 API Standard Collection Parameters
Filtering is supported for the following fields and operators:
accountActivityItemId: eq, in, ge, gt, le, lt, ne, isnull, sw
Sort results using the standard syntax described in V3 API Standard Collection Parameters
Sorting is supported for the following fields: created, modified, accountActivityItemId, name
Responses
- 200
- 400
- 401
- 403
- 429
- 500
List of requested item statuses.
- application/json
- Schema
- Example (from schema)
Schema
Array [
- EXECUTING: The request is executing, which indicates the system is doing some processing.
- REQUEST_COMPLETED: Indicates the request has been completed.
- CANCELLED: The request was cancelled with no user input.
- TERMINATED: The request has been terminated before it was able to complete.
- PROVISIONING_VERIFICATION_PENDING: The request has finished any approval steps and provisioning is waiting to be verified.
- REJECTED: The request was rejected.
- PROVISIONING_FAILED: The request has failed to complete.
- NOT_ALL_ITEMS_PROVISIONED: One or more of the requested items failed to complete, but there were one or more successes.
- ERROR: An error occurred during request processing.
Array [
- PENDING: The request for this item is awaiting processing.
- APPROVED: The request for this item has been approved.
- REJECTED: The request for this item was rejected.
- EXPIRED: The request for this item expired with no action taken.
- CANCELLED: The request for this item was cancelled with no user action.
- ARCHIVED: The request for this item has been archived after completion.
Array [
]
]
Array [
- PENDING: The request for this item is awaiting processing.
- APPROVED: The request for this item has been approved.
- REJECTED: The request for this item was rejected.
- EXPIRED: The request for this item expired with no action taken.
- CANCELLED: The request for this item was cancelled with no user action.
- ARCHIVED: The request for this item has been archived after completion.
Array [
- MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's.
- AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time.
- AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to Setting Global Reminders and Escalation Policies.
- SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to Self-review Prevention and Preventing Self-approval.
]
]
Array [
Array [
]
Array [
]
]
Array [
]
Array [
]
]
Human-readable display name of the item being requested.
Possible values: [ACCESS_PROFILE
, ROLE
, ENTITLEMENT
, null
]
Type of requested object.
cancelledRequestDetails
object
Provides additional details for a request that has been cancelled.
Comment made by the owner when cancelling the associated request.
owner
object
Owner's identity.
Possible values: [IDENTITY
]
Owner's DTO type.
Owner's identity ID.
Owner's name.
Date comment was added by the owner when cancelling the associated request.
List of list of localized error messages, if any, encountered during the approval/provisioning process.
Possible values: [EXECUTING
, REQUEST_COMPLETED
, CANCELLED
, TERMINATED
, PROVISIONING_VERIFICATION_PENDING
, REJECTED
, PROVISIONING_FAILED
, NOT_ALL_ITEMS_PROVISIONED
, ERROR
]
Indicates the state of an access request:
approvalDetails
object[]
Approval details for each item.
True if the request for this item was forwarded from one owner to another.
originalOwner
object
Identity of orginal approval owner.
Possible values: [GOVERNANCE_GROUP
, IDENTITY
]
DTO type of original approval owner's identity.
ID of original approval owner's identity.
Display name of original approval owner.
currentOwner
object
Identity who reviewed the access item request.
Possible values: [IDENTITY
]
DTO type of identity who reviewed the access item request.
ID of identity who reviewed the access item request.
Human-readable display name of identity who reviewed the access item request.
Time at which item was modified.
Possible values: [PENDING
, APPROVED
, REJECTED
, EXPIRED
, CANCELLED
, ARCHIVED
]
Indicates the state of the request processing for this item:
Possible values: [APP_OWNER
, SOURCE_OWNER
, MANAGER
, ROLE_OWNER
, ACCESS_PROFILE_OWNER
, ENTITLEMENT_OWNER
, GOVERNANCE_GROUP
]
Describes the individual or group that is responsible for an approval step.
errorMessages
object[]
nullable
If the request failed, includes any error messages that were generated.
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
Comment, if any, provided by the approver.
The date the role or access profile or entitlement is no longer assigned to the specified identity.
manualWorkItemDetails
object[]
nullable
Manual work items created for provisioning the item.
True if the request for this item was forwarded from one owner to another.
originalOwner
object
nullable
Identity of original work item owner, if the work item has been forwarded.
Possible values: [GOVERNANCE_GROUP
, IDENTITY
]
DTO type of original work item owner's identity.
ID of original work item owner's identity.
Display name of original work item owner.
currentOwner
object
nullable
Identity of current work item owner.
Possible values: [GOVERNANCE_GROUP
, IDENTITY
]
DTO type of current work item owner's identity.
ID of current work item owner's identity.
Display name of current work item owner.
Time at which item was modified.
Possible values: [PENDING
, APPROVED
, REJECTED
, EXPIRED
, CANCELLED
, ARCHIVED
]
Indicates the state of the request processing for this item:
forwardHistory
object[]
nullable
The history of approval forward action.
Display name of approver from whom the approval was forwarded.
Display name of approver to whom the approval was forwarded.
Comment made while forwarding.
Time at which approval was forwarded.
Display name of forwarder who forwarded the approval.
Possible values: [MANUAL_REASSIGNMENT
, AUTOMATIC_REASSIGNMENT
, AUTO_ESCALATION
, SELF_REVIEW_DELEGATION
]
The approval reassignment type.
Id of associated account activity item.
Possible values: [GRANT_ACCESS
, REVOKE_ACCESS
, null
]
Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field.
When the request was last modified.
When the request was created.
requester
object
Access item requester's identity.
Possible values: [IDENTITY
]
Access item requester's DTO type.
Access item requester's identity ID.
Access item owner's human-readable display name.
requestedFor
object
Identity access was requested for.
Possible values: [IDENTITY
]
Type of the object to which this reference applies
ID of the object to which this reference applies
Human-readable display name of the object to which this reference applies
requesterComment
object
The requester's comment.
Comment content.
Date and time comment was created.
author
object
Author of the comment
Possible values: [IDENTITY
]
The type of object
The unique ID of the object
The display name of the object
sodViolationContext
object
An object referencing a completed SOD violation check
Possible values: [SUCCESS
, ERROR
, null
]
The status of SOD violation check
The id of the Violation check event
violationCheckResult
object
The inner object representing the completed SOD Violation check
message
object
If the request failed, this includes any error message that was generated.
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
clientMetadata
object
nullable
Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check.
violationContexts
object[]
nullable
policy
object
SOD policy.
Possible values: [SOD_POLICY
]
SOD policy DTO type.
SOD policy ID.
SOD policy display name.
conflictingAccessCriteria
object
The object which contains the left and right hand side of the entitlements that got violated according to the policy.
leftCriteria
object
criteriaList
object[]
If the entitlement already belonged to the user or not.
Possible values: [ACCOUNT_CORRELATION_CONFIG
, ACCESS_PROFILE
, ACCESS_REQUEST_APPROVAL
, ACCOUNT
, APPLICATION
, CAMPAIGN
, CAMPAIGN_FILTER
, CERTIFICATION
, CLUSTER
, CONNECTOR_SCHEMA
, ENTITLEMENT
, GOVERNANCE_GROUP
, IDENTITY
, IDENTITY_PROFILE
, IDENTITY_REQUEST
, LIFECYCLE_STATE
, PASSWORD_POLICY
, ROLE
, RULE
, SOD_POLICY
, SOURCE
, TAG
, TAG_CATEGORY
, TASK_RESULT
, REPORT_RESULT
, SOD_VIOLATION
, ACCOUNT_ACTIVITY
, WORKGROUP
]
An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
Entitlement ID
Entitlement name
rightCriteria
object
criteriaList
object[]
If the entitlement already belonged to the user or not.
Possible values: [ACCOUNT_CORRELATION_CONFIG
, ACCESS_PROFILE
, ACCESS_REQUEST_APPROVAL
, ACCOUNT
, APPLICATION
, CAMPAIGN
, CAMPAIGN_FILTER
, CERTIFICATION
, CLUSTER
, CONNECTOR_SCHEMA
, ENTITLEMENT
, GOVERNANCE_GROUP
, IDENTITY
, IDENTITY_PROFILE
, IDENTITY_REQUEST
, LIFECYCLE_STATE
, PASSWORD_POLICY
, ROLE
, RULE
, SOD_POLICY
, SOURCE
, TAG
, TAG_CATEGORY
, TASK_RESULT
, REPORT_RESULT
, SOD_VIOLATION
, ACCOUNT_ACTIVITY
, WORKGROUP
]
An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
Entitlement ID
Entitlement name
violatedPolicies
object[]
nullable
A list of the SOD policies that were violated.
Possible values: [SOD_POLICY
]
SOD policy DTO type.
SOD policy ID.
SOD policy display name.
provisioningDetails
object
Provides additional details about provisioning for this request.
Ordered CSV of sub phase references to objects that contain more information about provisioning. For example, this can contain "manualWorkItemDetails" which indicate that there is further information in that object for this phase.
preApprovalTriggerDetails
object
Provides additional details about the pre-approval trigger for this request.
Comment left for the pre-approval decision
The reviewer of the pre-approval decision
Possible values: [APPROVED
, REJECTED
]
The decision of the pre-approval trigger
accessRequestPhases
object[]
nullable
A list of Phases that the Access Request has gone through in order, to help determine the status of the request.
The time that this phase started.
The time that this phase finished.
The name of this phase.
Possible values: [PENDING
, EXECUTING
, COMPLETED
, CANCELLED
, NOT_EXECUTED
]
The state of this phase.
Possible values: [SUCCESSFUL
, FAILED
, null
]
The state of this phase.
A reference to another object on the RequestedItemStatus that contains more details about the phase. Note that for the Provisioning phase, this will be empty if there are no manual work items.
Description associated to the requested object.
When the role access is scheduled for removal.
True if the request can be canceled.
This is the account activity id.
clientMetadata
object
nullable
Arbitrary key-value pairs, if any were included in the corresponding access request
[
{
"name": "AccessProfile1",
"type": "ACCESS_PROFILE",
"cancelledRequestDetails": {
"comment": "This request must be cancelled.",
"owner": {
"type": "IDENTITY",
"id": "2c9180a46faadee4016fb4e018c20639",
"name": "Support"
},
"modified": "2019-12-20T09:17:12.192Z"
},
"errorMessages": [
[
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
],
"state": "EXECUTING",
"approvalDetails": [
{
"forwarded": false,
"originalOwner": {
"type": "IDENTITY",
"id": "2c7180a46faadee4016fb4e018c20642",
"name": "Michael Michaels"
},
"currentOwner": {
"type": "IDENTITY",
"id": "2c3780a46faadee4016fb4e018c20652",
"name": "Allen Albertson"
},
"modified": "2019-08-23T18:52:57.398Z",
"status": "PENDING",
"scheme": "MANAGER",
"errorMessages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"comment": "I approve this request",
"removeDate": "2020-07-11T00:00:00Z"
}
],
"manualWorkItemDetails": [
{
"forwarded": true,
"originalOwner": {
"type": "IDENTITY",
"id": "2c7180a46faadee4016fb4e018c20642",
"name": "Michael Michaels"
},
"currentOwner": {
"type": "IDENTITY",
"id": "2c3780a46faadee4016fb4e018c20652",
"name": "Allen Albertson"
},
"modified": "2019-08-23T18:52:57.398Z",
"status": "PENDING",
"forwardHistory": [
{
"oldApproverName": "Frank Mir",
"newApproverName": "Al Volta",
"comment": "Forwarding from Frank to Al",
"modified": "2019-08-23T18:52:57.398Z",
"forwarderName": "William Wilson",
"reassignmentType": "AUTOMATIC_REASSIGNMENT"
}
]
}
],
"accountActivityItemId": "2c9180926cbfbddd016cbfc7c3b10010",
"requestType": "GRANT_ACCESS",
"modified": "2019-08-23T18:52:59.162Z",
"created": "2019-08-23T18:40:35.772Z",
"requester": {
"type": "IDENTITY",
"id": "2c7180a46faadee4016fb4e018c20648",
"name": "William Wilson"
},
"requestedFor": {
"type": "IDENTITY",
"id": "2c9180835d191a86015d28455b4b232a",
"name": "William Wilson"
},
"requesterComment": {
"comment": "This is a comment.",
"created": "2017-07-11T18:45:37.098Z",
"author": {
"type": "IDENTITY",
"id": "2c9180847e25f377017e2ae8cae4650b",
"name": "john.doe"
}
},
"sodViolationContext": {
"state": "SUCCESS",
"uuid": "f73d16e9-a038-46c5-b217-1246e15fdbdd",
"violationCheckResult": {
"message": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An error has occurred during the SOD violation check"
}
],
"clientMetadata": {
"requestedAppName": "test-app",
"requestedAppId": "2c91808f7892918f0178b78da4a305a1"
},
"violationContexts": [
{
"policy": {
"type": "SOD_POLICY",
"id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"name": "Business SOD Policy"
},
"conflictingAccessCriteria": {
"leftCriteria": {
"criteriaList": [
{
"existing": true,
"type": "ENTITLEMENT",
"id": "2c918085771e9d3301773b3cb66f6398",
"name": "My HR Entitlement"
}
]
},
"rightCriteria": {
"criteriaList": [
{
"existing": true,
"type": "ENTITLEMENT",
"id": "2c918085771e9d3301773b3cb66f6398",
"name": "My HR Entitlement"
}
]
}
}
}
],
"violatedPolicies": [
{
"type": "SOD_POLICY",
"id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"name": "Business SOD Policy"
}
]
}
},
"provisioningDetails": {
"orderedSubPhaseReferences": "manualWorkItemDetails"
},
"preApprovalTriggerDetails": {
"comment": "Access is Approved",
"reviewer": "John Doe",
"decision": "APPROVED"
},
"accessRequestPhases": [
{
"started": "2020-07-11T00:00:00Z",
"finished": "2020-07-12T00:00:00Z",
"name": "APPROVAL_PHASE",
"state": "COMPLETED",
"result": "SUCCESSFUL",
"phaseReference": "approvalDetails"
}
],
"description": "This is the Engineering role that engineers are granted.",
"removeDate": "2019-10-23T00:00:00.000Z",
"cancelable": true,
"accessRequestId": "2b838de9-db9b-abcf-e646-d4f274ad4238",
"clientMetadata": {
"key1": "value1",
"key2": "value2"
}
}
]
Client Error - Returned if the request body is invalid.
- application/json
- Schema
- Example (from schema)
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"error": "JWT validation failed: JWT is expired"
}
Forbidden - Returned if the user you are running as, doesn't have access to this end-point.
- application/json
- Schema
- Example (from schema)
- 403
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 403 response object
{
"detailCode": "403 Forbidden",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The server understood the request but refuses to authorize it."
}
]
}
Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"message": " Rate Limit Exceeded "
}
Internal Server Error - Returned if there is an unexpected error.
- application/json
- Schema
- Example (from schema)
- 500
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 500 response object
{
"detailCode": "500.0 Internal Fault",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An internal fault occurred."
}
]
}