Skip to main content

List Access Profiles

This API returns a list of Access Profiles.

A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Query Parameters
  • for-subadmin string

    If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN or SOURCE_SUBADMIN Identity. The value of the parameter is either an Identity ID, or the special value me, which is shorthand for the calling Identity's ID.

    A 400 Bad Request error is returned if the for-subadmin parameter is specified for an Identity that is not a subadmin.

    Example: 8c190e6787aa4ed9a90bd9d5344523fb
  • limit int32

    Possible values: <= 50

    Default value: 50

    Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

    Example: 50
  • offset int32

    Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

  • count boolean

    If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

    Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

    See V3 API Standard Collection Parameters for more information.

    Example: true
  • filters string

    Filter results using the standard syntax described in V3 API Standard Collection Parameters

    Filtering is supported for the following fields and operators:

    id: eq, in

    name: eq, sw

    created, modified: gt, lt, ge, le

    owner.id: eq, in

    requestable: eq

    source.id: eq, in

    Example: name eq "SailPoint Support"
  • sorters comma-separated

    Sort results using the standard syntax described in V3 API Standard Collection Parameters

    Sorting is supported for the following fields: name, created, modified

    Example: name,-modified
  • for-segment-ids comma-separated

    If present and not empty, additionally filters Access Profiles to those which are assigned to the Segment(s) with the specified IDs.

    If segmentation is currently unavailable, specifying this parameter results in an error.

    Example: 0b5c9f25-83c6-4762-9073-e38f7bb2ae26,2e8d8180-24bc-4d21-91c6-7affdb473b0d
  • include-unsegmented boolean

    Default value: true

    Whether or not the response list should contain unsegmented Access Profiles. If for-segment-ids is absent or empty, specifying include-unsegmented as false results in an error.

Responses

List of Access Profiles


Schema array
  • id string

    The ID of the Access Profile

  • name string

    Name of the Access Profile

  • description string

    Information about the Access Profile

  • created date-time

    Date the Access Profile was created

  • modified date-time

    Date the Access Profile was last modified.

  • enabled boolean

    Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.

  • owner object

    Owner of the Access Profile

  • type string

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY]

    Owner type. This field must be either left null or set to 'IDENTITY' on input, otherwise a 400 Bad Request error will result.

  • id string

    Identity id

  • name string

    Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner's display name, otherwise a 400 Bad Request error will result.

  • source object
  • id string

    The ID of the Source with with which the Access Profile is associated

  • type string

    Possible values: [SOURCE]

    The type of the Source, will always be SOURCE

  • name string

    The display name of the associated Source

  • entitlements object[]

    A list of entitlements associated with the Access Profile. If enabled is false this is allowed to be empty otherwise it needs to contain at least one Entitlement.

  • id string

    The ID of the Entitlement

  • type string

    Possible values: [ENTITLEMENT]

    The type of the Entitlement, will always be ENTITLEMENT

  • name string

    The display name of the Entitlement

  • requestable boolean

    Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value false in this field results in a 400 error.

  • accessRequestConfig object

    Access request configuration for this object

  • commentsRequired boolean

    Whether the requester of the containing object must provide comments justifying the request

  • denialCommentsRequired boolean

    Whether an approver must provide comments when denying the request

  • approvalSchemes object[]

    List describing the steps in approving the request

  • approverType string

    Possible values: [APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step. Values are as follows. APP_OWNER: The owner of the Application

    OWNER: Owner of the associated Access Profile or Role

    SOURCE_OWNER: Owner of the Source associated with an Access Profile

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

  • approverId string

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

  • revocationRequestConfig object

    Revocation request configuration for this object.

  • approvalSchemes object[]

    List describing the steps in approving the revocation request

  • approverType string

    Possible values: [APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step. Values are as follows. APP_OWNER: The owner of the Application

    OWNER: Owner of the associated Access Profile or Role

    SOURCE_OWNER: Owner of the Source associated with an Access Profile

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

  • approverId string

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

  • segments string[]

    List of IDs of segments, if any, to which this Access Profile is assigned.

  • provisioningCriteria object

    When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

  • children object[]

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

  • children object[]

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

Loading...