Skip to main content

Patch a specified Access Profile

PATCH 

/access-profiles/:id

This API updates an existing Access Profile. The following fields are patchable:

name

description

enabled

owner

requestable

accessRequestConfig

revokeRequestConfig

segments

entitlements

provisioningCriteria

source (must be updated with entitlements belonging to new source in the same API call)

If you need to change the source of the access profile, you can do so only if you update the entitlements in the same API call. The new entitlements can only come from the target source that you want to change to. Look for the example "Replace Source" in the examples dropdown.

A user with SOURCE_SUBADMIN may only use this API to patch Access Profiles which are associated with Sources they are able to administer.

The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing access profiles, however, any new access profiles as well as any updates to existing descriptions will be limited to 2000 characters.

You can only add or replace entitlements that exist on the source that the access profile is attached to. You can use the list entitlements endpoint with the filters query parameter to get a list of available entitlements on the access profile's source.

Request

Path Parameters

    id stringrequired

    ID of the Access Profile to patch

Body

array

required

  • Array [

  • op stringrequired

    Possible values: [add, remove, replace, move, copy, test]

    The operation to be performed

    path stringrequired

    A string JSON Pointer representing the target path to an element to be affected by the operation

    value

    object

    The value to be used for the operation, required for "add" and "replace" operations

    oneOf

    string

  • ]

Responses

Responds with the Access Profile as updated.

Schema

    id string

    The ID of the Access Profile

    name stringrequired

    Name of the Access Profile

    description stringnullable

    Information about the Access Profile

    created date-time

    Date the Access Profile was created

    modified date-time

    Date the Access Profile was last modified.

    enabled boolean

    Default value: true

    Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.

    owner

    object

    required

    Owner of the Access Profile

    type string

    Possible values: [IDENTITY]

    Owner type. This field must be either left null or set to 'IDENTITY' on input, otherwise a 400 Bad Request error will result.

    id string

    Identity id

    name string

    Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner's display name, otherwise a 400 Bad Request error will result.

    source

    object

    required

    id string

    The ID of the Source with with which the Access Profile is associated

    type string

    Possible values: [SOURCE]

    The type of the Source, will always be SOURCE

    name string

    The display name of the associated Source

    entitlements

    object[]

    nullable

    A list of entitlements associated with the Access Profile. If enabled is false this is allowed to be empty otherwise it needs to contain at least one Entitlement.

  • Array [

  • type string

    Possible values: [ENTITLEMENT]

    Entitlement's DTO type.

    id string

    Entitlement's ID.

    name stringnullable

    Entitlement's display name.

  • ]

  • requestable boolean

    Default value: true

    Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value false in this field results in a 400 error.

    accessRequestConfig

    object

    nullable

    Access request configuration for this object

    commentsRequired booleannullable

    Whether the requester of the containing object must provide comments justifying the request

    denialCommentsRequired booleannullable

    Whether an approver must provide comments when denying the request

    approvalSchemes

    object[]

    nullable

    List describing the steps in approving the request

  • Array [

  • approverType string

    Possible values: [APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step. Values are as follows. APP_OWNER: The owner of the Application

    OWNER: Owner of the associated Access Profile or Role

    SOURCE_OWNER: Owner of the Source associated with an Access Profile

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

    approverId stringnullable

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

  • ]

  • revocationRequestConfig

    object

    nullable

    Revocation request configuration for this object.

    approvalSchemes

    object[]

    nullable

    List describing the steps in approving the revocation request

  • Array [

  • approverType string

    Possible values: [APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step. Values are as follows. APP_OWNER: The owner of the Application

    OWNER: Owner of the associated Access Profile or Role

    SOURCE_OWNER: Owner of the Source associated with an Access Profile

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

    approverId stringnullable

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

  • ]

  • segments string[]nullable

    List of IDs of segments, if any, to which this Access Profile is assigned.

    provisioningCriteria

    object

    nullable

    When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.

    operation ProvisioningCriteriaOperation (string)

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

    attribute stringnullable

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

    value stringnullable

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

    children

    object[]

    nullable

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • Array [

  • operation ProvisioningCriteriaOperation (string)

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

    attribute stringnullable

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

    value stringnullable

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

    children

    object[]

    nullable

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • Array [

  • operation ProvisioningCriteriaOperation (string)

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

    attribute stringnullable

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

    value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

    children stringnullable

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • ]

  • ]

Loading...