Disable Access Profile Requests
Overview
In Identity Security Cloud, access profiles are groups of entitlements, which represent access rights on sources. By default, all access profiles are marked as requestable. This means that an organization's users can submit access requests for the access profiles in the Identity Security Cloud Request Center, where all access profiles are listed.
You can disable requests for access profiles to prevent users from gaining inappropriate or undesired access. In the UI, you can edit the individual access profile to disable requests for the access profile. You can also use the PATCH Access Profile endpoint to mark the individual access profile as non-requestable.
You may have many access profiles that you want to disable requests for, and you don't want one to get overlooked and then inappropriately accessed. There are three different processes you can use to ensure that you have disabled requests for all access profiles that aren't currently associated with applications configured for access requests. Read this guide to learn how to perform these processes.
Disable requests for individual access profiles with the UI
Follow these steps to use the Identity Security Cloud UI to individually disable requests for all access profiles that aren't currently associated with applications:
- Identify the access profiles that are associated with applications configured for access requests. Create a list of these associated access profiles.
- Go to Admin > Applications and open each application you use for access requests. These applications have both 'Visible in the Request Center' and 'Allow Access Requests' marked on the 'Configuration' tab.
- Go to the application's 'Access' tab and capture the names of each application's associated access profiles, recording them in your list of access profiles.
- Edit each access profile that is not in your list to disable access requests.
- Go to Admin > Access > Access Profiles to view a list of all access profiles.
- For each access profile that isn't in your list of those associated with applications configured for access requests, select 'Edit', go to the 'Access Requests' tab, and disable 'Allow Access Requests'. Then save your changes.
Once you have performed this process, all the access profiles that aren't currently associated with applications will no longer be requestable.
Disable requests for individual access profiles with the API
Follow these steps to use two API endpoints to individually disable access requests for all access profiles that aren't currently associated with applications:
- Use the Search endpoint to identify the access profiles that are not associated with applications configured for access requests. Sending the following query will return a list of these unassociated access profiles.
- Provide this request body. It will return all access profiles that have a null or empty
appslist.
{
"queryDsl": {
"bool": {
"must_not": [
{
"nested": {
"path": "apps",
"query": {
"exists": {
"field": "apps"
}
}
}
}
]
}
},
"queryType": "DSL",
"indices": [
"accessprofiles"
],
"sort": [
"name"
]
}
- The response body will include all the details of each unassociated access profile. Extract the
idfor each access profile returned.
- Use the PATCH Access Profile endpoint and provide the unassociated access profile's
idto update the specified access profile'srequestablefield.
- Provide this request body. It will use the
replaceoperation to update the value in the specified access profile'srequestablepath tofalse.
[
{
"op": "replace",
"path": "/requestable",
"value": "false"
}
]
- After a successful PATCH update, the response body will include all the specified access profile's details, including the updated
falsevalue in therequestablepath.
Once you have performed this process for each of the unassociated access profiles returned in your search, all the access profiles that aren't associated with applications will no longer be requestable.
Bulk disable requests for access profiles with the API
Follow these steps to use two API endpoints to bulk disable access requests for all access profiles that aren't currently associated with applications:
- Use the Search endpoint to identify the access profiles that are not associated with applications configured for access requests. Sending the following query will return a list of these unassociated access profiles.
- Provide this request body. It will return all access profiles that have a null or empty
appslist.
{
"queryDsl": {
"bool": {
"must_not": [
{
"nested": {
"path": "apps",
"query": {
"exists": {
"field": "apps"
}
}
}
}
]
}
},
"queryType": "DSL",
"indices": [
"accessprofiles"
],
"sort": [
"name"
]
}
- The response body will include all the details of each unassociated access profile. Extract the
idfor each access profile returned.
- Use the Update Requestability for Access Profiles endpoint and provide every unassociated access profile's
id, along with the updated values for theirrequestablefields.
- Provide this request body. It can bulk update all the access profiles you specify - you just need to specify each access profile's
idand therequestablevalue you want for the access profile.
[
{
"id": "813b1e19281645278f9c9f665ea911c9",
"requestable": "false"
},
{
"id": "c80bd9a30d42468f9a3646f39cdd7c74",
"requestable": "false"
}
]
- After a successful update, the response body will include the
idand newrequestablevalues for all the updated access profiles, along with confirmations that they were successfully updated.
Once you have performed this process for all the unassociated access profiles returned in your search, all the access profiles that aren't associated with applications will no longer be requestable.