Update a SOD Policy

Allows updating SOD Policy fields other than ["id","created","creatorId","policyQuery","type"] using the JSON Patch standard. Requires role of ORG_ADMIN.

Path Parameters

• id string required

  The ID of the SOD Policy being modified.

  Example: 2c9180835d191a86015d28455b4a2329

application/json-patch+json

Request Body array required

A list of SOD Policy update operations according to the JSON Patch standard.

The following fields are patchable:

• name
• description
• ownerRef
• externalPolicyReference
• compensatingControls
• correctionAdvice
• state
• tags
• violationOwnerAssignmentConfig
• scheduled
• conflictingAccessCriteria

• type

Responses

• 200
• 400
• 401
• 403
• 404
• 429
• 500

---

Indicates the PATCH operation succeeded, and returns the SOD policy's new representation.

application/json

• Schema
• Example (from schema)
• Conflicting Access Based Policy
• General Policy

---

Schema

• id string

  Policy id

• name string

  Policy Business Name

• created date-time

  The time when this SOD policy is created.

• modified date-time

  The time when this SOD policy is modified.

• description string

  Optional description of the SOD policy

• ownerRef object

  type string

  Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY]

  DTO type

  id string

  ID of the object to which this reference applies

  name string

  Human-readable display name of the object to which this reference applies

• externalPolicyReference string

  Optional External Policy Reference

• policyQuery string

  Search query of the SOD policy

• compensatingControls string

  Optional compensating controls(Mitigating Controls)

• correctionAdvice string

  Optional correction advice

• state string

  Possible values: [ENFORCED, NOT_ENFORCED]

  whether the policy is enforced or not

• tags string[]

  tags for this policy object

• creatorId string

  Policy's creator ID

• modifierId string

  Policy's modifier ID

• violationOwnerAssignmentConfig object

  assignmentRule string

  Possible values: [MANAGER, STATIC]

  Details about the violations owner. MANAGER - identity's manager STATIC - Governance Group or Identity

  ownerRef object

  type string

  Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY]

  DTO type

  id string

  ID of the object to which this reference applies

  name string

  Human-readable display name of the object to which this reference applies

• scheduled boolean

  defines whether a policy has been scheduled or not

• type string

  Possible values: [GENERAL, CONFLICTING_ACCESS_BASED]

  Default value: GENERAL

  whether a policy is query based or conflicting access based

• conflictingAccessCriteria object

  leftCriteria object

  name string

  Business name for the access construct list

  criteriaList object[]

  List of criteria. There is a min of 1 and max of 50 items in the list.

  type string

  Possible values: [ENTITLEMENT]

  DTO type

  id string

  ID of the object to which this reference applies to

  name string

  Human-readable display name of the object to which this reference applies to

  rightCriteria object

  name string

  Business name for the access construct list

  criteriaList object[]

  List of criteria. There is a min of 1 and max of 50 items in the list.

  type string

  Possible values: [ENTITLEMENT]

  DTO type

  id string

  ID of the object to which this reference applies to

  name string

  Human-readable display name of the object to which this reference applies to

{
  "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "name": "policy-xyz",
  "created": "2020-01-01T00:00:00.000000Z",
  "modified": "2020-01-01T00:00:00.000000Z",
  "description": "This policy ensures compliance of xyz",
  "ownerRef": {
    "type": "IDENTITY",
    "id": "2c91808568c529c60168cca6f90c1313",
    "name": "William Wilson"
  },
  "externalPolicyReference": "XYZ policy",
  "policyQuery": "@access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdg) AND @access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdf)",
  "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  "state": "ENFORCED",
  "tags": [
    "TAG1",
    "TAG2"
  ],
  "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "violationOwnerAssignmentConfig": {
    "assignmentRule": "MANAGER",
    "ownerRef": {
      "type": "IDENTITY",
      "id": "2c91808568c529c60168cca6f90c1313",
      "name": "William Wilson"
    }
  },
  "scheduled": true,
  "type": "GENERAL",
  "conflictingAccessCriteria": {
    "leftCriteria": {
      "name": "money-in",
      "criteriaList": [
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a66",
          "name": "Administrator"
        },
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a67",
          "name": "Administrator"
        }
      ]
    },
    "rightCriteria": {
      "name": "money-in",
      "criteriaList": [
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a66",
          "name": "Administrator"
        },
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a67",
          "name": "Administrator"
        }
      ]
    }
  }
}

{
  "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "name": "Conflicting-Policy-Name",
  "created": "2020-01-01T00:00:00.000000Z",
  "modified": "2020-01-01T00:00:00.000000Z",
  "description": "Modified description",
  "ownerRef": {
    "type": "IDENTITY",
    "id": "2c91808568c529c60168cca6f90c1313",
    "name": "Owner Name"
  },
  "externalPolicyReference": "XYZ policy",
  "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c918087682f9a86016839c0509c1ab2)",
  "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  "state": "ENFORCED",
  "tags": [
    "string"
  ],
  "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "violationOwnerAssignmentConfig": {
    "assignmentRule": "MANAGER",
    "ownerRef": {
      "type": "IDENTITY",
      "id": "2c91808568c529c60168cca6f90c1313",
      "name": "Violation Owner Name"
    }
  },
  "scheduled": true,
  "type": "CONFLICTING_ACCESS_BASED",
  "conflictingAccessCriteria": {
    "leftCriteria": {
      "name": "money-in-modified",
      "criteriaList": [
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a66"
        },
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a67"
        }
      ]
    },
    "rightCriteria": {
      "name": "money-out-modified",
      "criteriaList": [
        {
          "type": "ENTITLEMENT",
          "id": "2c918087682f9a86016839c0509c1ab2"
        }
      ]
    }
  }
}

{
  "description": "Modified description",
  "ownerRef": {
    "type": "IDENTITY",
    "id": "2c918087682f9a86016839c05e8f1aff",
    "name": "Owner Name"
  },
  "externalPolicyReference": "New policy",
  "policyQuery": "policy query implementation",
  "compensatingControls": "Compensating controls",
  "correctionAdvice": "Correction advice",
  "tags": [],
  "state": "ENFORCED",
  "scheduled": false,
  "creatorId": "2c918087682f9a86016839c05e8f1aff",
  "modifierId": null,
  "violationOwnerAssignmentConfig": null,
  "type": "GENERAL",
  "conflictingAccessCriteria": null,
  "id": "52c11db4-733e-4c31-949a-766c95ec95f1",
  "name": "General-Policy-Name",
  "created": "2020-05-12T19:47:38Z",
  "modified": "2020-05-12T19:47:38Z"
}

Client Error - Returned if the request body is invalid.

application/json

• Schema
• Example (from schema)

---

Schema

• detailCode string

  Fine-grained error code providing more detail of the error.

• trackingId string

  Unique tracking id for the error.

• messages object[]

  Generic localized reason for error

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

• causes object[]

  Plain-text descriptive reasons to provide additional detail to the text provided in the messages field

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.

application/json

• Schema
• Example (from schema)

---

Schema

• error

  A message describing the error

{
  "error": "JWT validation failed: JWT is expired"
}

Forbidden - Returned if the user you are running as, doesn't have access to this end-point.

application/json

• Schema
• Example (from schema)
• 403

---

Schema

• detailCode string

  Fine-grained error code providing more detail of the error.

• trackingId string

  Unique tracking id for the error.

• messages object[]

  Generic localized reason for error

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

• causes object[]

  Plain-text descriptive reasons to provide additional detail to the text provided in the messages field

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

An example of a 403 response object

{
  "detailCode": "403 Forbidden",
  "trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The server understood the request but refuses to authorize it."
    }
  ]
}

Not Found - returned if the request URL refers to a resource or object that does not exist

application/json

• Schema
• Example (from schema)
• 404

---

Schema

• detailCode string

  Fine-grained error code providing more detail of the error.

• trackingId string

  Unique tracking id for the error.

• messages object[]

  Generic localized reason for error

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

• causes object[]

  Plain-text descriptive reasons to provide additional detail to the text provided in the messages field

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

An example of a 404 response object

{
  "detailCode": "404 Not found",
  "trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The server did not find a current representation for the target resource."
    }
  ]
}

Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.

application/json

• Schema
• Example (from schema)

---

Schema

• message

  A message describing the error

{
  "message": " Rate Limit Exceeded "
}

Internal Server Error - Returned if there is an unexpected error.

application/json

• Schema
• Example (from schema)
• 500

---

Schema

• detailCode string

  Fine-grained error code providing more detail of the error.

• trackingId string

  Unique tracking id for the error.

• messages object[]

  Generic localized reason for error

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

• causes object[]

  Plain-text descriptive reasons to provide additional detail to the text provided in the messages field

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

An example of a 500 response object

{
  "detailCode": "500.0 Internal Fault",
  "trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "An internal fault occurred."
    }
  ]
}

Loading...