Skip to main content

Access Request Status

GET 
/access-request-status

Use this API to return a list of access request statuses based on the specified query parameters. If an access request was made for access that an identity already has, the API ignores the access request. These ignored requests do not display in the list of access request statuses. Any user with any user level can get the status of their own access requests. A user with ORG_ADMIN is required to call this API to get a list of statuses for other users.

Request

Query Parameters

    requested-for string

    Filter the results by the identity the requests were made for. me indicates the current user. Mutually exclusive with regarding-identity.

    Example: 2c9180877b2b6ea4017b2c545f971429
    requested-by string

    Filter the results by the identity twho made the requests. me indicates the current user. Mutually exclusive with regarding-identity.

    Example: 2c9180877b2b6ea4017b2c545f971429
    regarding-identity string

    Filter the results by the specified identity who is either the requester or target of the requests. me indicates the current user. Mutually exclusive with requested-for and requested-by.

    Example: 2c9180877b2b6ea4017b2c545f971429
    assigned-to string

    Filter the results by the specified identity who is the owner of the Identity Request Work Item. me indicates the current user.

    Example: 2c9180877b2b6ea4017b2c545f971429
    count boolean

    If this is true, the X-Total-Count response header populates with the number of results that would be returned if limit and offset were ignored.

    Example: false
    limit int32

    Possible values: <= 250

    Default value: 250

    Max number of results to return.

    Example: 100
    offset int32

    Offset into the full result set. Usually specified with limit to paginate through the results. Defaults to 0 if not specified.

    Example: 10
    filters string

    Filter results using the standard syntax described in V3 API Standard Collection Parameters

    Filtering is supported for the following fields and operators:

    accountActivityItemId: eq, in, ge, gt, le, lt, ne, isnull, sw

    Example: accountActivityItemId eq "2c918086771c86df0177401efcdf54c0"
    sorters comma-separated

    Sort results using the standard syntax described in V3 API Standard Collection Parameters

    Sorting is supported for the following fields: created, modified, accountActivityItemId, name

    Example: created

Responses

List of requested item statuses.

Schema

  • Array [

    • name stringnullable

    Human-readable display name of the item being requested.

    type stringnullable

    Possible values: [ACCESS_PROFILE, ROLE, ENTITLEMENT, null]

    Type of requested object.

    cancelledRequestDetails

    object

    Provides additional details for a request that has been cancelled.

    comment string

    Comment made by the owner when cancelling the associated request.

    owner

    object

    Owner's identity.

    type string

    Possible values: [IDENTITY]

    Owner's DTO type.

    id string

    Owner's identity ID.

    name string

    Owner's name.

    modified date-time

    Date comment was added by the owner when cancelling the associated request.

    errorMessages array[]nullable

    List of list of localized error messages, if any, encountered during the approval/provisioning process.

    state RequestedItemStatusRequestState (string)

    Possible values: [EXECUTING, REQUEST_COMPLETED, CANCELLED, TERMINATED, PROVISIONING_VERIFICATION_PENDING, REJECTED, PROVISIONING_FAILED, NOT_ALL_ITEMS_PROVISIONED, ERROR]

    Indicates the state of an access request:

    • EXECUTING: The request is executing, which indicates the system is doing some processing.
    • REQUEST_COMPLETED: Indicates the request has been completed.
    • CANCELLED: The request was cancelled with no user input.
    • TERMINATED: The request has been terminated before it was able to complete.
    • PROVISIONING_VERIFICATION_PENDING: The request has finished any approval steps and provisioning is waiting to be verified.
    • REJECTED: The request was rejected.
    • PROVISIONING_FAILED: The request has failed to complete.
    • NOT_ALL_ITEMS_PROVISIONED: One or more of the requested items failed to complete, but there were one or more successes.
    • ERROR: An error occurred during request processing.

    approvalDetails

    object[]

    Approval details for each item.

  • Array [

    • forwarded boolean

    True if the request for this item was forwarded from one owner to another.

    originalOwner

    object

    Identity of orginal approval owner.

    type string

    Possible values: [GOVERNANCE_GROUP, IDENTITY]

    DTO type of original approval owner's identity.

    id string

    ID of original approval owner's identity.

    name string

    Display name of original approval owner.

    currentOwner

    object

    Identity who reviewed the access item request.

    type string

    Possible values: [IDENTITY]

    DTO type of identity who reviewed the access item request.

    id string

    ID of identity who reviewed the access item request.

    name string

    Human-readable display name of identity who reviewed the access item request.

    modified date-timenullable

    Time at which item was modified.

    status ManualWorkItemState (string)

    Possible values: [PENDING, APPROVED, REJECTED, EXPIRED, CANCELLED, ARCHIVED]

    Indicates the state of the request processing for this item:

    • PENDING: The request for this item is awaiting processing.
    • APPROVED: The request for this item has been approved.
    • REJECTED: The request for this item was rejected.
    • EXPIRED: The request for this item expired with no action taken.
    • CANCELLED: The request for this item was cancelled with no user action.
    • ARCHIVED: The request for this item has been archived after completion.
    scheme ApprovalScheme (string)

    Possible values: [APP_OWNER, SOURCE_OWNER, MANAGER, ROLE_OWNER, ACCESS_PROFILE_OWNER, ENTITLEMENT_OWNER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step.

    errorMessages

    object[]

    nullable

    If the request failed, includes any error messages that were generated.

  • Array [

    • locale stringnullable

    The locale for the message text, a BCP 47 language tag.

    localeOrigin LocaleOrigin (string)nullable

    Possible values: [DEFAULT, REQUEST, null]

    An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

    text string

    Actual text of the error message in the indicated locale.

  • ]

    • comment stringnullable

    Comment, if any, provided by the approver.

    removeDate date-timenullable

    The date the role or access profile or entitlement is no longer assigned to the specified identity.

  • ]

    • manualWorkItemDetails

    object[]

    nullable

    Manual work items created for provisioning the item.

  • Array [

    • forwarded boolean

    True if the request for this item was forwarded from one owner to another.

    originalOwner

    object

    nullable

    Identity of original work item owner, if the work item has been forwarded.

    type string

    Possible values: [GOVERNANCE_GROUP, IDENTITY]

    DTO type of original work item owner's identity.

    id string

    ID of original work item owner's identity.

    name string

    Display name of original work item owner.

    currentOwner

    object

    nullable

    Identity of current work item owner.

    type string

    Possible values: [GOVERNANCE_GROUP, IDENTITY]

    DTO type of current work item owner's identity.

    id string

    ID of current work item owner's identity.

    name string

    Display name of current work item owner.

    modified date-time

    Time at which item was modified.

    status ManualWorkItemState (string)

    Possible values: [PENDING, APPROVED, REJECTED, EXPIRED, CANCELLED, ARCHIVED]

    Indicates the state of the request processing for this item:

    • PENDING: The request for this item is awaiting processing.
    • APPROVED: The request for this item has been approved.
    • REJECTED: The request for this item was rejected.
    • EXPIRED: The request for this item expired with no action taken.
    • CANCELLED: The request for this item was cancelled with no user action.
    • ARCHIVED: The request for this item has been archived after completion.

    forwardHistory

    object[]

    nullable

    The history of approval forward action.

  • Array [

    • oldApproverName string

    Display name of approver from whom the approval was forwarded.

    newApproverName string

    Display name of approver to whom the approval was forwarded.

    comment stringnullable

    Comment made while forwarding.

    modified date-time

    Time at which approval was forwarded.

    forwarderName stringnullable

    Display name of forwarder who forwarded the approval.

    reassignmentType ReassignmentType (string)

    Possible values: [MANUAL_REASSIGNMENT, AUTOMATIC_REASSIGNMENT, AUTO_ESCALATION, SELF_REVIEW_DELEGATION]

    The approval reassignment type.

    • MANUAL_REASSIGNMENT: An approval with this reassignment type has been specifically reassigned by the approval task's owner, from their queue to someone else's.
    • AUTOMATIC_REASSIGNMENT: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to that approver's reassignment configuration. The approver's reassignment configuration may be set up to automatically reassign approval tasks for a defined (or possibly open-ended) period of time.
    • AUTO_ESCALATION: An approval with this reassignment type has been automatically reassigned from another approver's queue, according to the request's escalation configuration. For more information about escalation configuration, refer to Setting Global Reminders and Escalation Policies.
    • SELF_REVIEW_DELEGATION: An approval with this reassignment type has been automatically reassigned by the system to prevent self-review. This helps prevent situations like a requester being tasked with approving their own request. For more information about preventing self-review, refer to Self-review Prevention and Preventing Self-approval.

  • ]

  • ]

    • accountActivityItemId string

    Id of associated account activity item.

    requestType AccessRequestType (string)nullable

    Possible values: [GRANT_ACCESS, REVOKE_ACCESS, null]

    Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field.

    modified date-timenullable

    When the request was last modified.

    created date-time

    When the request was created.

    requester

    object

    Access item requester's identity.

    type string

    Possible values: [IDENTITY]

    Access item requester's DTO type.

    id string

    Access item requester's identity ID.

    name string

    Access item owner's human-readable display name.

    requestedFor

    object

    Identity access was requested for.

    type string

    Possible values: [IDENTITY]

    Type of the object to which this reference applies

    id string

    ID of the object to which this reference applies

    name string

    Human-readable display name of the object to which this reference applies

    requesterComment

    object

    The requester's comment.

    comment stringnullable

    Comment content.

    created date-time

    Date and time comment was created.

    author

    object

    Author of the comment

    type string

    Possible values: [IDENTITY]

    The type of object

    id string

    The unique ID of the object

    name string

    The display name of the object

    sodViolationContext

    object

    An object referencing a completed SOD violation check

    state stringnullable

    Possible values: [SUCCESS, ERROR, null]

    The status of SOD violation check

    uuid stringnullable

    The id of the Violation check event

    violationCheckResult

    object

    The inner object representing the completed SOD Violation check

    message

    object

    If the request failed, this includes any error message that was generated.

    locale stringnullable

    The locale for the message text, a BCP 47 language tag.

    localeOrigin LocaleOrigin (string)nullable

    Possible values: [DEFAULT, REQUEST, null]

    An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

    text string

    Actual text of the error message in the indicated locale.

    clientMetadata

    object

    nullable

    Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on completion of the violation check.

    property name* string

    violationContexts

    object[]

    nullable

  • Array [

    • policy

    object

    SOD policy.

    type string

    Possible values: [SOD_POLICY]

    SOD policy DTO type.

    id string

    SOD policy ID.

    name string

    SOD policy display name.

    conflictingAccessCriteria

    object

    The object which contains the left and right hand side of the entitlements that got violated according to the policy.

    leftCriteria

    object

    criteriaList

    object[]

  • Array [

    • existing boolean

    If the entitlement already belonged to the user or not.

    type DtoType (string)

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

    An enumeration of the types of DTOs supported within the IdentityNow infrastructure.

    id string

    Entitlement ID

    name string

    Entitlement name

  • ]

    • rightCriteria

    object

    criteriaList

    object[]

  • Array [

    • existing boolean

    If the entitlement already belonged to the user or not.

    type DtoType (string)

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

    An enumeration of the types of DTOs supported within the IdentityNow infrastructure.

    id string

    Entitlement ID

    name string

    Entitlement name

  • ]

  • ]

    • violatedPolicies

    object[]

    nullable

    A list of the SOD policies that were violated.

  • Array [

    • type string

    Possible values: [SOD_POLICY]

    SOD policy DTO type.

    id string

    SOD policy ID.

    name string

    SOD policy display name.

  • ]

    • provisioningDetails

    object

    Provides additional details about provisioning for this request.

    orderedSubPhaseReferences string

    Ordered CSV of sub phase references to objects that contain more information about provisioning. For example, this can contain "manualWorkItemDetails" which indicate that there is further information in that object for this phase.

    preApprovalTriggerDetails

    object

    Provides additional details about the pre-approval trigger for this request.

    comment string

    Comment left for the pre-approval decision

    reviewer string

    The reviewer of the pre-approval decision

    decision string

    Possible values: [APPROVED, REJECTED]

    The decision of the pre-approval trigger

    accessRequestPhases

    object[]

    nullable

    A list of Phases that the Access Request has gone through in order, to help determine the status of the request.

  • Array [

    • started date-time

    The time that this phase started.

    finished date-timenullable

    The time that this phase finished.

    name string

    The name of this phase.

    state string

    Possible values: [PENDING, EXECUTING, COMPLETED, CANCELLED, NOT_EXECUTED]

    The state of this phase.

    result stringnullable

    Possible values: [SUCCESSFUL, FAILED, null]

    The state of this phase.

    phaseReference stringnullable

    A reference to another object on the RequestedItemStatus that contains more details about the phase. Note that for the Provisioning phase, this will be empty if there are no manual work items.

  • ]

    • description stringnullable

    Description associated to the requested object.

    removeDate date-timenullable

    When the role access is scheduled for removal.

    cancelable boolean

    True if the request can be canceled.

    accessRequestId string

    This is the account activity id.

    clientMetadata

    object

    nullable

    Arbitrary key-value pairs, if any were included in the corresponding access request

    property name* string

  • ]

Loading...