Use this API to implement and manage "separation of duties" (SOD) policies.
With SOD policy functionality in place, administrators can organize the access in their tenants to prevent individuals from gaining conflicting or excessive access.
"Separation of duties" refers to the concept that people shouldn't have conflicting sets of access - all their access should be configured in a way that protects your organization's assets and data.
For example, people who record monetary transactions shouldn't be able to issue payment for those transactions.
Any changes to major system configurations should be approved by someone other than the person requesting the change.
Organizations can use "separation of duties" (SOD) policies to enforce and track their internal security rules throughout their tenants.
These SOD policies limit each user's involvement in important processes and protects the organization from individuals gaining excessive access.
To create SOD policies in Identity Security Cloud, administrators use 'Search' and then access 'Policies'.
To create a policy, they must configure two lists of access items. Each access item can only be added to one of the two lists.
They can search for the entitlements they want to add to these access lists.
>Note: You can have a maximum of 500 policies of any type (including general policies) in your organization. In each access-based SOD policy, you can have a maximum of 50 entitlements in each access list.
Once a SOD policy is in place, if an identity has access items on both lists, a SOD violation will trigger.
These violations are included in SOD violation reports that other users will see in emails at regular intervals if they're subscribed to the SOD policy.
The other users can then better help to enforce these SOD policies.
To create a subscription to a SOD policy in Identity Security Cloud, administrators use 'Search' and then access 'Layers'.
They can create a subscription to the policy and schedule it to run at a regular interval.
Refer to Managing Policies for more information about SOD policies.
Refer to Subscribe to a SOD Policy for more information about SOD policy subscriptions.
All URIs are relative to https://sailpoint.api.identitynow.com/v3
create-sod-policy
This creates both General and Conflicting Access Based policy, with a limit of 50 entitlements for each (left & right) criteria for Conflicting Access Based SOD policy.
Requires role of ORG_ADMIN.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Body | SodPolicy | SodPolicy | True | |
Return type
SodPolicy
Responses
| Code | Description | Data Type |
|---|
| 201 | SOD policy created | SodPolicy |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: application/json
- Accept: application/json
Example
$SodPolicy = @"{
"conflictingAccessCriteria" : {
"leftCriteria" : {
"name" : "money-in",
"criteriaList" : [ {
"type" : "ENTITLEMENT",
"id" : "2c9180866166b5b0016167c32ef31a66",
"name" : "Administrator"
}, {
"type" : "ENTITLEMENT",
"id" : "2c9180866166b5b0016167c32ef31a67",
"name" : "Administrator"
} ]
},
"rightCriteria" : {
"name" : "money-in",
"criteriaList" : [ {
"type" : "ENTITLEMENT",
"id" : "2c9180866166b5b0016167c32ef31a66",
"name" : "Administrator"
}, {
"type" : "ENTITLEMENT",
"id" : "2c9180866166b5b0016167c32ef31a67",
"name" : "Administrator"
} ]
}
},
"ownerRef" : {
"name" : "Support",
"id" : "2c9180a46faadee4016fb4e018c20639",
"type" : "IDENTITY"
},
"created" : "2020-01-01T00:00:00Z",
"scheduled" : true,
"creatorId" : "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"modifierId" : "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"description" : "This policy ensures compliance of xyz",
"violationOwnerAssignmentConfig" : {
"assignmentRule" : "MANAGER",
"ownerRef" : {
"name" : "Support",
"id" : "2c9180a46faadee4016fb4e018c20639",
"type" : "IDENTITY"
}
},
"correctionAdvice" : "Based on the role of the employee, managers should remove access that is not required for their job function.",
"type" : "GENERAL",
"tags" : [ "TAG1", "TAG2" ],
"name" : "policy-xyz",
"modified" : "2020-01-01T00:00:00Z",
"policyQuery" : "@access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdg) AND @access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdf)",
"compensatingControls" : "Have a manager review the transaction decisions for their \"out of compliance\" employee",
"id" : "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"state" : "ENFORCED",
"externalPolicyReference" : "XYZ policy"
}"@
try {
$Result = ConvertFrom-JsonToSodPolicy -Json $SodPolicy
New-SodPolicy -SodPolicy $Result
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling New-SodPolicy"
Write-Host $_.ErrorDetails
}
[Back to top]
delete-sod-policy
This deletes a specified SOD policy.
Requires role of ORG_ADMIN.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The ID of the SOD Policy to delete. |
| Query | Logical | Boolean | (optional) (default to $true) | Indicates whether this is a soft delete (logical true) or a hard delete. Soft delete marks the policy as deleted and just save it with this status. It could be fully deleted or recovered further. Hard delete vise versa permanently delete SOD request during this call. |
Return type
(empty response body)
Responses
| Code | Description | Data Type |
|---|
| 204 | No content. | |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
$Logical = $true
try {
Remove-SodPolicy -Id $Id
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Remove-SodPolicy"
Write-Host $_.ErrorDetails
}
[Back to top]
delete-sod-policy-schedule
This deletes schedule for a specified SOD policy by ID.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The ID of the SOD policy the schedule must be deleted for. |
Return type
(empty response body)
Responses
| Code | Description | Data Type |
|---|
| 204 | No content response. | |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
try {
Remove-SodPolicySchedule -Id $Id
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Remove-SodPolicySchedule"
Write-Host $_.ErrorDetails
}
[Back to top]
get-custom-violation-report
This allows to download a specified named violation report for a given report reference.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | ReportResultId | String | True | The ID of the report reference to download. |
| Path | FileName | String | True | Custom Name for the file. |
Return type
System.IO.FileInfo
Responses
| Code | Description | Data Type |
|---|
| 200 | Returns the zip file with given custom name that contains the violation report file. | System.IO.FileInfo |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/zip, application/json
Example
$ReportResultId = "ef38f94347e94562b5bb8424a56397d8"
$FileName = "custom-name"
try {
Get-CustomViolationReport -ReportResultId $ReportResultId -FileName $FileName
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-CustomViolationReport"
Write-Host $_.ErrorDetails
}
[Back to top]
get-default-violation-report
This allows to download a violation report for a given report reference.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | ReportResultId | String | True | The ID of the report reference to download. |
Return type
System.IO.FileInfo
Responses
| Code | Description | Data Type |
|---|
| 200 | Returns the PolicyReport.zip that contains the violation report file. | System.IO.FileInfo |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/zip, application/json
Example
$ReportResultId = "ef38f94347e94562b5bb8424a56397d8"
try {
Get-DefaultViolationReport -ReportResultId $ReportResultId
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-DefaultViolationReport"
Write-Host $_.ErrorDetails
}
[Back to top]
get-sod-all-report-run-status
This endpoint gets the status for a violation report for all policy run.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
Return type
ReportResultReference
Responses
| Code | Description | Data Type |
|---|
| 200 | Status of the violation report run task for all policy run. | ReportResultReference |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
try {
Get-SodAllReportRunStatus
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-SodAllReportRunStatus"
Write-Host $_.ErrorDetails
}
[Back to top]
get-sod-policy
This gets specified SOD policy.
Requires role of ORG_ADMIN.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The ID of the SOD Policy to retrieve. |
Return type
SodPolicy
Responses
| Code | Description | Data Type |
|---|
| 200 | SOD policy ID. | SodPolicy |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
try {
Get-SodPolicy -Id $Id
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-SodPolicy"
Write-Host $_.ErrorDetails
}
[Back to top]
get-sod-policy-schedule
This endpoint gets a specified SOD policy's schedule.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The ID of the SOD policy schedule to retrieve. |
Return type
SodPolicySchedule
Responses
| Code | Description | Data Type |
|---|
| 200 | SOD policy schedule. | SodPolicySchedule |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
try {
Get-SodPolicySchedule -Id $Id
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-SodPolicySchedule"
Write-Host $_.ErrorDetails
}
[Back to top]
get-sod-violation-report-run-status
This gets the status for a violation report run task that has already been invoked.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | ReportResultId | String | True | The ID of the report reference to retrieve. |
Return type
ReportResultReference
Responses
| Code | Description | Data Type |
|---|
| 200 | Status of the violation report run task. | ReportResultReference |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$ReportResultId = "2e8d8180-24bc-4d21-91c6-7affdb473b0d"
try {
Get-SodViolationReportRunStatus -ReportResultId $ReportResultId
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-SodViolationReportRunStatus"
Write-Host $_.ErrorDetails
}
[Back to top]
get-sod-violation-report-status
This gets the status for a violation report run task that has already been invoked.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The ID of the violation report to retrieve status for. |
Return type
ReportResultReference
Responses
| Code | Description | Data Type |
|---|
| 200 | Status of the violation report run task. | ReportResultReference |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
try {
Get-SodViolationReportStatus -Id $Id
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-SodViolationReportStatus"
Write-Host $_.ErrorDetails
}
[Back to top]
list-sod-policies
This gets list of all SOD policies.
Requires role of ORG_ADMIN
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Query | Limit | Int32 | (optional) (default to 250) | Max number of results to return. See V3 API Standard Collection Parameters for more information. |
| Query | Offset | Int32 | (optional) (default to 0) | Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information. |
| Query | Count | Boolean | (optional) (default to $false) | If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored. Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used. See V3 API Standard Collection Parameters for more information. |
| Query | Filters | String | (optional) | Filter results using the standard syntax described in V3 API Standard Collection Parameters Filtering is supported for the following fields and operators: id: eq, in name: eq, in state: eq, in |
| Query | Sorters | String | (optional) | Sort results using the standard syntax described in V3 API Standard Collection Parameters Sorting is supported for the following fields: id, name, created, modified, description |
Return type
SodPolicy[]
Responses
| Code | Description | Data Type |
|---|
| 200 | List of all SOD policies. | SodPolicy[] |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$Limit = 250
$Offset = 0
$Count = $true
$Filters = 'id eq "bc693f07e7b645539626c25954c58554"'
$Sorters = "id,name"
try {
Get-SodPolicies
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-SodPolicies"
Write-Host $_.ErrorDetails
}
[Back to top]
patch-sod-policy
Allows updating SOD Policy fields other than ["id","created","creatorId","policyQuery","type"] using the JSON Patch standard.
Requires role of ORG_ADMIN.
This endpoint can only patch CONFLICTING_ACCESS_BASED type policies. Do not use this endpoint to patch general policies - doing so will build an API exception.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The ID of the SOD policy being modified. |
| Body | JsonPatchOperation | []JsonPatchOperation | True | A list of SOD Policy update operations according to the JSON Patch standard. The following fields are patchable: * name * description * ownerRef * externalPolicyReference * compensatingControls * correctionAdvice * state * tags * violationOwnerAssignmentConfig * scheduled * conflictingAccessCriteria |
Return type
SodPolicy
Responses
| Code | Description | Data Type |
|---|
| 200 | Indicates the PATCH operation succeeded, and returns the SOD policy's new representation. | SodPolicy |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: application/json-patch+json
- Accept: application/json
Example
$Id = "2c918083-5d19-1a86-015d-28455b4a2329"
$JsonPatchOperation = @"{
"op" : "replace",
"path" : "/description",
"value" : "New description"
}"@
try {
$Result = ConvertFrom-JsonToJsonPatchOperation -Json $JsonPatchOperation
Update-SodPolicy -Id $Id -JsonPatchOperation $Result
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Update-SodPolicy"
Write-Host $_.ErrorDetails
}
[Back to top]
put-policy-schedule
This updates schedule for a specified SOD policy.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The ID of the SOD policy to update its schedule. |
| Body | SodPolicySchedule | SodPolicySchedule | True | |
Return type
SodPolicySchedule
Responses
| Code | Description | Data Type |
|---|
| 200 | Created or updated SOD policy schedule. | SodPolicySchedule |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: application/json
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
$SodPolicySchedule = @"{
"schedule" : {
"hours" : {
"values" : [ "MON", "WED" ],
"interval" : 3,
"type" : "LIST"
},
"months" : {
"values" : [ "MON", "WED" ],
"interval" : 3,
"type" : "LIST"
},
"timeZoneId" : "America/Chicago",
"days" : {
"values" : [ "MON", "WED" ],
"interval" : 3,
"type" : "LIST"
},
"expiration" : "2018-06-25T20:22:28.104Z",
"type" : "WEEKLY"
},
"created" : "2020-01-01T00:00:00Z",
"recipients" : [ {
"name" : "Michael Michaels",
"id" : "2c7180a46faadee4016fb4e018c20642",
"type" : "IDENTITY"
}, {
"name" : "Michael Michaels",
"id" : "2c7180a46faadee4016fb4e018c20642",
"type" : "IDENTITY"
} ],
"name" : "SCH-1584312283015",
"creatorId" : "0f11f2a47c944bf3a2bd742580fe3bde",
"modifierId" : "0f11f2a47c944bf3a2bd742580fe3bde",
"modified" : "2020-01-01T00:00:00Z",
"description" : "Schedule for policy xyz",
"emailEmptyResults" : false
}"@
try {
$Result = ConvertFrom-JsonToSodPolicySchedule -Json $SodPolicySchedule
Send-PolicySchedule -Id $Id -SodPolicySchedule $Result
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Send-PolicySchedule"
Write-Host $_.ErrorDetails
}
[Back to top]
put-sod-policy
This updates a specified SOD policy.
Requires role of ORG_ADMIN.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The ID of the SOD policy to update. |
| Body | SodPolicy | SodPolicy | True | |
Return type
SodPolicy
Responses
| Code | Description | Data Type |
|---|
| 200 | SOD Policy by ID | SodPolicy |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: application/json
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
$SodPolicy = @"{
"conflictingAccessCriteria" : {
"leftCriteria" : {
"name" : "money-in",
"criteriaList" : [ {
"type" : "ENTITLEMENT",
"id" : "2c9180866166b5b0016167c32ef31a66",
"name" : "Administrator"
}, {
"type" : "ENTITLEMENT",
"id" : "2c9180866166b5b0016167c32ef31a67",
"name" : "Administrator"
} ]
},
"rightCriteria" : {
"name" : "money-in",
"criteriaList" : [ {
"type" : "ENTITLEMENT",
"id" : "2c9180866166b5b0016167c32ef31a66",
"name" : "Administrator"
}, {
"type" : "ENTITLEMENT",
"id" : "2c9180866166b5b0016167c32ef31a67",
"name" : "Administrator"
} ]
}
},
"ownerRef" : {
"name" : "Support",
"id" : "2c9180a46faadee4016fb4e018c20639",
"type" : "IDENTITY"
},
"created" : "2020-01-01T00:00:00Z",
"scheduled" : true,
"creatorId" : "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"modifierId" : "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"description" : "This policy ensures compliance of xyz",
"violationOwnerAssignmentConfig" : {
"assignmentRule" : "MANAGER",
"ownerRef" : {
"name" : "Support",
"id" : "2c9180a46faadee4016fb4e018c20639",
"type" : "IDENTITY"
}
},
"correctionAdvice" : "Based on the role of the employee, managers should remove access that is not required for their job function.",
"type" : "GENERAL",
"tags" : [ "TAG1", "TAG2" ],
"name" : "policy-xyz",
"modified" : "2020-01-01T00:00:00Z",
"policyQuery" : "@access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdg) AND @access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdf)",
"compensatingControls" : "Have a manager review the transaction decisions for their \"out of compliance\" employee",
"id" : "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
"state" : "ENFORCED",
"externalPolicyReference" : "XYZ policy"
}"@
try {
$Result = ConvertFrom-JsonToSodPolicy -Json $SodPolicy
Send-SodPolicy -Id $Id -SodPolicy $Result
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Send-SodPolicy"
Write-Host $_.ErrorDetails
}
[Back to top]
start-evaluate-sod-policy
Runs the scheduled report for the policy retrieved by passed policy ID. The report schedule is fetched from the policy retrieved by ID.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The SOD policy ID to run. |
Return type
ReportResultReference
Responses
| Code | Description | Data Type |
|---|
| 200 | Reference to the violation report run task. | ReportResultReference |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
try {
Start-EvaluateSodPolicy -Id $Id
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Start-EvaluateSodPolicy"
Write-Host $_.ErrorDetails
}
[Back to top]
start-sod-all-policies-for-org
Runs multi-policy report for the org. If a policy reports more than 5000 violations, the report mentions that the violation limit was exceeded for that policy. If the request is empty, the report runs for all policies. Otherwise, the report runs for only the filtered policy list provided.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Body | MultiPolicyRequest | MultiPolicyRequest | (optional) | |
Return type
ReportResultReference
Responses
| Code | Description | Data Type |
|---|
| 200 | Reference to the violation report run task. | ReportResultReference |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: application/json
- Accept: application/json
Example
$MultiPolicyRequest = @"{
"filteredPolicyList" : [ "[b868cd40-ffa4-4337-9c07-1a51846cfa94, 63a07a7b-39a4-48aa-956d-50c827deba2a]", "[b868cd40-ffa4-4337-9c07-1a51846cfa94, 63a07a7b-39a4-48aa-956d-50c827deba2a]" ]
}"@
try {
Start-SodAllPoliciesForOrg
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Start-SodAllPoliciesForOrg"
Write-Host $_.ErrorDetails
}
[Back to top]
start-sod-policy
This invokes processing of violation report for given SOD policy. If the policy reports more than 5000 violations, the report returns with violation limit exceeded message.
API Spec
Parameters
| Param Type | Name | Data Type | Required | Description |
|---|
| Path | Id | String | True | The SOD policy ID to run. |
Return type
ReportResultReference
Responses
| Code | Description | Data Type |
|---|
| 200 | Reference to the violation report run task. | ReportResultReference |
| 400 | Client Error - Returned if the request body is invalid. | ErrorResponseDto |
| 401 | Unauthorized - Returned if there is no authorization header, or if the JWT token is expired. | ListAccessProfiles401Response |
| 403 | Forbidden - Returned if the user you are running as, doesn't have access to this end-point. | ErrorResponseDto |
| 404 | Not Found - returned if the request URL refers to a resource or object that does not exist | ErrorResponseDto |
| 429 | Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again. | ListAccessProfiles429Response |
| 500 | Internal Server Error - Returned if there is an unexpected error. | ErrorResponseDto |
- Content-Type: Not defined
- Accept: application/json
Example
$Id = "ef38f943-47e9-4562-b5bb-8424a56397d8"
try {
Start-SodPolicy -Id $Id
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Start-SodPolicy"
Write-Host $_.ErrorDetails
}
[Back to top]