Patch a specified Role
PATCH/roles/:id
This API updates an existing role using JSON Patch syntax. The following fields are patchable:
- name
- description
- enabled
- owner
- accessProfiles
- membership
- requestable
- accessRequestConfig
- revokeRequestConfig
- segments
- accessModelMetadata
A user with ROLE_SUBADMIN authority may only call this API if all access profiles included in the role are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.
The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing roles, however, any new roles as well as any updates to existing descriptions will be limited to 2000 characters.
When you use this API to modify a role's membership identities, you can only modify up to a limit of 500 membership identities at a time.
Request
Path Parameters
ID of the Role to patch
- application/json-patch+json
Body
array
required
Array [
- string
- boolean
- integer
- object
- array
Array [
- MOD1
- MOD2
- MOD3
]
]
Possible values: [add
, remove
, replace
, move
, copy
, test
]
The operation to be performed
A string JSON Pointer representing the target path to an element to be affected by the operation
value
object
The value to be used for the operation, required for "add" and "replace" operations
oneOf
string
boolean
integer
object
anyOf
string
integer
object
Responses
- 200
- 400
- 401
- 403
- 429
- 500
Responds with the Role as updated.
- application/json
- Schema
- Example (from schema)
Schema
Array [
]
Array [
]
Array [
Array [
]
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
Array [
]
]
The id of the Role. This field must be left null when creating an Role, otherwise a 400 Bad Request error will result.
Possible values: <= 128 characters
The human-readable display name of the Role
Date the Role was created
Date the Role was last modified.
A human-readable description of the Role
owner
object
required
The owner of this object.
Possible values: [IDENTITY
]
Owner type. This field must be either left null or set to 'IDENTITY' on input, otherwise a 400 Bad Request error will result.
Identity id
Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner's display name, otherwise a 400 Bad Request error will result.
accessProfiles
object[]
nullable
ID of the Access Profile
Possible values: [ACCESS_PROFILE
]
Type of requested object. This field must be either left null or set to 'ACCESS_PROFILE' when creating an Access Profile, otherwise a 400 Bad Request error will result.
Human-readable display name of the Access Profile. This field is ignored on input.
entitlements
object[]
Possible values: [ENTITLEMENT
]
Entitlement's DTO type.
Entitlement's ID.
Entitlement's display name.
membership
object
nullable
When present, specifies that the Role is to be granted to Identities which either satisfy specific criteria or which are members of a given list of Identities.
Possible values: [STANDARD
, IDENTITY_LIST
]
This enum characterizes the type of a Role's membership selector. Only the following two are fully supported:
STANDARD: Indicates that Role membership is defined in terms of a criteria expression
IDENTITY_LIST: Indicates that Role membership is conferred on the specific identities listed
criteria
object
nullable
Defines STANDARD type Role membership
Possible values: [EQUALS
, NOT_EQUALS
, CONTAINS
, STARTS_WITH
, ENDS_WITH
, AND
, OR
]
An operation
key
object
nullable
Refers to a specific Identity attribute, Account attibute, or Entitlement used in Role membership criteria
Possible values: [IDENTITY
, ACCOUNT
, ENTITLEMENT
]
Indicates whether the associated criteria represents an expression on identity attributes, account attributes, or entitlements, respectively.
The name of the attribute or entitlement to which the associated criteria applies.
ID of the Source from which an account attribute or entitlement is drawn. Required if type is ACCOUNT or ENTITLEMENT
String value to test the Identity attribute, Account attribute, or Entitlement specified in the key w/r/t the specified operation. If this criteria is a leaf node, that is, if the operation is one of EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, or ENDS_WITH, this field is required. Otherwise, specifying it is an error.
children
object[]
nullable
Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes. Additionally, AND nodes can only be children or OR nodes and vice-versa.
Possible values: [EQUALS
, NOT_EQUALS
, CONTAINS
, STARTS_WITH
, ENDS_WITH
, AND
, OR
]
An operation
key
object
nullable
Refers to a specific Identity attribute, Account attibute, or Entitlement used in Role membership criteria
Possible values: [IDENTITY
, ACCOUNT
, ENTITLEMENT
]
Indicates whether the associated criteria represents an expression on identity attributes, account attributes, or entitlements, respectively.
The name of the attribute or entitlement to which the associated criteria applies.
ID of the Source from which an account attribute or entitlement is drawn. Required if type is ACCOUNT or ENTITLEMENT
String value to test the Identity attribute, Account attribute, or Entitlement specified in the key w/r/t the specified operation. If this criteria is a leaf node, that is, if the operation is one of EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, or ENDS_WITH, this field is required. Otherwise, specifying it is an error.
children
object[]
nullable
Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes. Additionally, AND nodes can only be children or OR nodes and vice-versa.
Possible values: [EQUALS
, NOT_EQUALS
, CONTAINS
, STARTS_WITH
, ENDS_WITH
, AND
, OR
]
An operation
key
object
nullable
Refers to a specific Identity attribute, Account attibute, or Entitlement used in Role membership criteria
Possible values: [IDENTITY
, ACCOUNT
, ENTITLEMENT
]
Indicates whether the associated criteria represents an expression on identity attributes, account attributes, or entitlements, respectively.
The name of the attribute or entitlement to which the associated criteria applies.
ID of the Source from which an account attribute or entitlement is drawn. Required if type is ACCOUNT or ENTITLEMENT
String value to test the Identity attribute, Account attribute, or Entitlement specified in the key w/r/t the specified operation. If this criteria is a leaf node, that is, if the operation is one of EQUALS, NOT_EQUALS, CONTAINS, STARTS_WITH, or ENDS_WITH, this field is required. Otherwise, specifying it is an error.
identities
object[]
nullable
Defines role membership as being exclusive to the specified Identities, when type is IDENTITY_LIST.
Possible values: [ACCOUNT_CORRELATION_CONFIG
, ACCESS_PROFILE
, ACCESS_REQUEST_APPROVAL
, ACCOUNT
, APPLICATION
, CAMPAIGN
, CAMPAIGN_FILTER
, CERTIFICATION
, CLUSTER
, CONNECTOR_SCHEMA
, ENTITLEMENT
, GOVERNANCE_GROUP
, IDENTITY
, IDENTITY_PROFILE
, IDENTITY_REQUEST
, MACHINE_IDENTITY
, LIFECYCLE_STATE
, PASSWORD_POLICY
, ROLE
, RULE
, SOD_POLICY
, SOURCE
, TAG
, TAG_CATEGORY
, TASK_RESULT
, REPORT_RESULT
, SOD_VIOLATION
, ACCOUNT_ACTIVITY
, WORKGROUP
]
An enumeration of the types of DTOs supported within the IdentityNow infrastructure.
Identity id
Human-readable display name of the Identity.
User name of the Identity
legacyMembershipInfo
object
nullable
This field is not directly modifiable and is generally expected to be null. In very rare instances, some Roles may have been created using membership selection criteria that are no longer fully supported. While these Roles will still work, they should be migrated to STANDARD or IDENTITY_LIST selection criteria. This field exists for informational purposes as an aid to such migration.
This field is not directly modifiable and is generally expected to be null. In very rare instances, some Roles may have been created using membership selection criteria that are no longer fully supported. While these Roles will still work, they should be migrated to STANDARD or IDENTITY_LIST selection criteria. This field exists for informational purposes as an aid to such migration.
Whether the Role is enabled or not.
Whether the Role can be the target of access requests.
accessRequestConfig
object
nullable
Access request configuration for this object
Whether the requester of the containing object must provide comments justifying the request
Whether an approver must provide comments when denying the request
approvalSchemes
object[]
List describing the steps in approving the request
Possible values: [OWNER
, MANAGER
, GOVERNANCE_GROUP
]
Describes the individual or group that is responsible for an approval step. Values are as follows.
OWNER: Owner of the associated Role
MANAGER: Manager of the Identity making the request
GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field
Id of the specific approver, used only when approverType is GOVERNANCE_GROUP
revocationRequestConfig
object
nullable
Revocation request configuration for this object.
Whether the requester of the containing object must provide comments justifying the request
Whether an approver must provide comments when denying the request
approvalSchemes
object[]
List describing the steps in approving the revocation request
Possible values: [OWNER
, MANAGER
, GOVERNANCE_GROUP
]
Describes the individual or group that is responsible for an approval step. Values are as follows.
OWNER: Owner of the associated Role
MANAGER: Manager of the Identity making the request
GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field
Id of the specific approver, used only when approverType is GOVERNANCE_GROUP
List of IDs of segments, if any, to which this Role is assigned.
Whether the Role is dimensional.
dimensionRefs
object[]
nullable
List of references to dimensions to which this Role is assigned. This field is only relevant if the Role is dimensional.
Possible values: [DIMENSION
]
The type of the object to which this reference applies
ID of the object to which this reference applies
Human-readable display name of the object to which this reference applies
accessModelMetadata
object
attributes
object[]
nullable
Technical name of the Attribute. This is unique and cannot be changed after creation.
The display name of the key.
Indicates whether the attribute can have multiple values.
The status of the Attribute.
The type of the Attribute. This can be either "custom" or "governance".
An array of object types this attributes values can be applied to. Possible values are "all" or "entitlement". Value "all" means this attribute can be used with all object types that are supported.
The description of the Attribute.
values
object[]
nullable
Technical name of the Attribute value. This is unique and cannot be changed after creation.
The display name of the Attribute value.
The status of the Attribute value.
{
"id": "2c918086749d78830174a1a40e121518",
"name": "Role 2567",
"created": "2021-03-01T22:32:58.104Z",
"modified": "2021-03-02T20:22:28.104Z",
"description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
"owner": {
"type": "IDENTITY",
"id": "2c9180a46faadee4016fb4e018c20639",
"name": "support"
},
"accessProfiles": [
{
"id": "ff808081751e6e129f1518161919ecca",
"type": "ACCESS_PROFILE",
"name": "Access Profile 2567"
}
],
"entitlements": [
{
"type": "ENTITLEMENT",
"id": "2c91809773dee32014e13e122092014e",
"name": "CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local"
}
],
"membership": {
"type": "IDENTITY_LIST",
"criteria": {
"operation": "EQUALS",
"key": {
"type": "ACCOUNT",
"property": "attribute.email",
"sourceId": "2c9180867427f3a301745aec18211519"
},
"stringValue": "[email protected]",
"children": [
{
"operation": "EQUALS",
"key": {
"type": "ACCOUNT",
"property": "attribute.email",
"sourceId": "2c9180867427f3a301745aec18211519"
},
"stringValue": "[email protected]",
"children": [
{
"operation": "EQUALS",
"key": {
"type": "ACCOUNT",
"property": "attribute.email",
"sourceId": "2c9180867427f3a301745aec18211519"
},
"stringValue": "[email protected]"
}
]
}
]
},
"identities": [
{
"type": "IDENTITY",
"id": "2c9180a46faadee4016fb4e018c20639",
"name": "Thomas Edison",
"aliasName": "t.edison"
}
]
},
"legacyMembershipInfo": {
"type": "IDENTITY_LIST"
},
"enabled": true,
"requestable": true,
"accessRequestConfig": {
"commentsRequired": true,
"denialCommentsRequired": true,
"approvalSchemes": [
{
"approverType": "GOVERNANCE_GROUP",
"approverId": "46c79819-a69f-49a2-becb-12c971ae66c6"
}
]
},
"revocationRequestConfig": {
"commentsRequired": false,
"denialCommentsRequired": false,
"approvalSchemes": [
{
"approverType": "GOVERNANCE_GROUP",
"approverId": "46c79819-a69f-49a2-becb-12c971ae66c6"
}
]
},
"segments": [
"f7b1b8a3-5fed-4fd4-ad29-82014e137e19",
"29cb6c06-1da8-43ea-8be4-b3125f248f2a"
],
"dimensional": false,
"dimensionRefs": [
{
"type": "DIMENSION",
"id": "2c91808568c529c60168cca6f90c1313",
"name": "Role 2"
}
],
"accessModelMetadata": [
{
"key": "iscFederalClassifications",
"name": "Federal Classifications",
"multiselect": true,
"status": "active",
"type": "governance",
"objectTypes": [
"general"
],
"description": "Classification used by government organizations to specify the level of confidentiality for an access item.",
"values": [
{
"value": "secret",
"name": "Secret",
"status": "active"
}
]
}
]
}
Client Error - Returned if the request body is invalid.
- application/json
- Schema
- Example (from schema)
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"error": "JWT validation failed: JWT is expired"
}
Forbidden - Returned if the user you are running as, doesn't have access to this end-point.
- application/json
- Schema
- Example (from schema)
- 403
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 403 response object
{
"detailCode": "403 Forbidden",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The server understood the request but refuses to authorize it."
}
]
}
Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"message": " Rate Limit Exceeded "
}
Internal Server Error - Returned if there is an unexpected error.
- application/json
- Schema
- Example (from schema)
- 500
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT
, REQUEST
, null
]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 500 response object
{
"detailCode": "500.0 Internal Fault",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An internal fault occurred."
}
]
}