
Create an Access Profile

This API creates an Access Profile. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API. In addition, a token with only ROLE_SUBADMIN or SOURCE_SUBADMIN authority must be associated with the Access Profile's Source. The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing access profiles; however, any new access profiles, as well as any updates to existing descriptions, will be limited to 2000 characters.

Request Body required
  • name string required

    Name of the Access Profile

  • description string

    Information about the Access Profile

  • enabled boolean

    Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.

  • owner object required

    Owner of the Access Profile

  • type string

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY]

    Owner type. This field must be either left null or set to 'IDENTITY' on input, otherwise a 400 Bad Request error will result.

  • id string

    Identity id

  • name string

    Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner's display name, otherwise a 400 Bad Request error will result.

  • source object required
  • id string

    The ID of the Source with which the Access Profile is associated

  • type string

    Possible values: [SOURCE]

    The type of the Source, will always be SOURCE

  • name string

    The display name of the associated Source

  • entitlements object[]

    A list of entitlements associated with the Access Profile. If enabled is false, this list is allowed to be empty; otherwise it needs to contain at least one Entitlement.

  • id string

    The ID of the Entitlement

  • type string

    Possible values: [ENTITLEMENT]

    The type of the Entitlement, will always be ENTITLEMENT

  • name string

    The display name of the Entitlement

  • requestable boolean

    Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value false in this field results in a 400 error.

  • accessRequestConfig object

    Access request configuration for this object

  • commentsRequired boolean

    Whether the requester of the containing object must provide comments justifying the request

  • denialCommentsRequired boolean

    Whether an approver must provide comments when denying the request

  • approvalSchemes object[]

    List describing the steps in approving the request

  • approverType string

    Possible values: [APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step. Values are as follows.

    APP_OWNER: The owner of the Application

    OWNER: Owner of the associated Access Profile or Role

    SOURCE_OWNER: Owner of the Source associated with an Access Profile

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

  • approverId string

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

  • revocationRequestConfig object

    Revocation request configuration for this object.

  • commentsRequired boolean

    Default value: false

    Whether the requester of the containing object must provide comments justifying the request

  • denialCommentsRequired boolean

    Default value: false

    Whether an approver must provide comments when denying the request

  • approvalSchemes object[]

    List describing the steps in approving the revocation request

  • approverType string

    Possible values: [APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step. Values are as follows.

    APP_OWNER: The owner of the Application

    OWNER: Owner of the associated Access Profile or Role

    SOURCE_OWNER: Owner of the Source associated with an Access Profile

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

  • approverId string

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

  • segments string[]

    List of IDs of segments, if any, to which this Access Profile is assigned.

  • provisioningCriteria object

    When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

  • children object[]

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

  • children object[]

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.
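The field rules above can be checked on the client before a token with profile-creation authority is used to send the request. The following is an added example, not code from the API vendor: the function names, error strings and sample payload are constructed here, and it covers only the rules stated in this request body description (required fields, the 2000-character description limit, owner type, the enabled/entitlements dependency, and the provisioningCriteria operation and depth rules).

```python
LEAF_OPS = {"EQUALS", "NOT_EQUALS", "CONTAINS", "HAS"}
GROUP_OPS = {"AND", "OR"}
MAX_LEVELS = 3  # three levels of criteria are supported, including leaf nodes

def check_criteria(node, level=1, path="provisioningCriteria"):
    """Return rule violations for one ProvisioningCriteria node and its children."""
    if level > MAX_LEVELS:
        return [f"{path}: exceeds {MAX_LEVELS} levels"]
    op, errs = node.get("operation"), []
    if op in LEAF_OPS:
        if not node.get("attribute"):
            errs.append(f"{path}: attribute is required for {op}")
        if op != "HAS" and node.get("value") is None:
            errs.append(f"{path}: value is required for {op}")
        if op == "HAS" and node.get("value") is not None:
            errs.append(f"{path}: value must not be set for HAS")
        if node.get("children") is not None:
            errs.append(f"{path}: children must be null for {op}")
    elif op in GROUP_OPS:
        if node.get("attribute") is not None or node.get("value") is not None:
            errs.append(f"{path}: attribute/value must not be set for {op}")
        if not node.get("children"):
            errs.append(f"{path}: children are required for {op}")
        for i, child in enumerate(node.get("children") or []):
            errs += check_criteria(child, level + 1, f"{path}.children[{i}]")
    else:
        errs.append(f"{path}: unsupported operation {op!r}")
    return errs

def check_access_profile(body):
    """Return violations of the documented request-body rules; empty means OK."""
    errs = [f"{k}: required" for k in ("name", "owner", "source") if not body.get(k)]
    if len(body.get("description") or "") > 2000:
        errs.append("description: longer than 2000 characters")
    if (body.get("owner") or {}).get("type") not in (None, "IDENTITY"):
        errs.append("owner.type: must be null or IDENTITY")
    if body.get("enabled") and not body.get("entitlements"):
        errs.append("entitlements: at least one is required when enabled is true")
    if body.get("provisioningCriteria"):
        errs += check_criteria(body["provisioningCriteria"])
    return errs

# Constructed sample: enabled with no entitlements, criteria nested four levels deep.
SAMPLE = {"name": "Example profile", "enabled": True,
          "owner": {"type": "IDENTITY", "id": "owner-id-placeholder"},
          "source": {"type": "SOURCE", "id": "source-id-placeholder"},
          "provisioningCriteria": {"operation": "OR", "children": [
              {"operation": "AND", "children": [{"operation": "OR", "children": [
                  {"operation": "EQUALS", "attribute": "mail", "value": "x"}]}]}]}}
```

Calling `check_access_profile(SAMPLE)` reports the missing entitlements and the over-deep criteria node by path, which is more specific than a bare 400 response.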

Responses

Access Profile created


Schema
  • id string

    The ID of the Access Profile

  • name string

    Name of the Access Profile

  • description string

    Information about the Access Profile

  • created date-time

    Date the Access Profile was created

  • modified date-time

    Date the Access Profile was last modified.

  • enabled boolean

    Whether the Access Profile is enabled. If the Access Profile is enabled then you must include at least one Entitlement.

  • owner object

    Owner of the Access Profile

  • type string

    Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY]

    Owner type. This field must be either left null or set to 'IDENTITY' on input, otherwise a 400 Bad Request error will result.

  • id string

    Identity id

  • name string

    Human-readable display name of the owner. It may be left null or omitted in a POST or PATCH. If set, it must match the current value of the owner's display name, otherwise a 400 Bad Request error will result.

  • source object
  • id string

    The ID of the Source with which the Access Profile is associated

  • type string

    Possible values: [SOURCE]

    The type of the Source, will always be SOURCE

  • name string

    The display name of the associated Source

  • entitlements object[]

    A list of entitlements associated with the Access Profile. If enabled is false, this list is allowed to be empty; otherwise it needs to contain at least one Entitlement.

  • id string

    The ID of the Entitlement

  • type string

    Possible values: [ENTITLEMENT]

    The type of the Entitlement, will always be ENTITLEMENT

  • name string

    The display name of the Entitlement

  • requestable boolean

    Whether the Access Profile is requestable via access request. Currently, making an Access Profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an Access Profile with a value false in this field results in a 400 error.

  • accessRequestConfig object

    Access request configuration for this object

  • commentsRequired boolean

    Whether the requester of the containing object must provide comments justifying the request

  • denialCommentsRequired boolean

    Whether an approver must provide comments when denying the request

  • approvalSchemes object[]

    List describing the steps in approving the request

  • approverType string

    Possible values: [APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step. Values are as follows.

    APP_OWNER: The owner of the Application

    OWNER: Owner of the associated Access Profile or Role

    SOURCE_OWNER: Owner of the Source associated with an Access Profile

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

  • approverId string

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

  • revocationRequestConfig object

    Revocation request configuration for this object.

  • commentsRequired boolean

    Default value: false

    Whether the requester of the containing object must provide comments justifying the request

  • denialCommentsRequired boolean

    Default value: false

    Whether an approver must provide comments when denying the request

  • approvalSchemes object[]

    List describing the steps in approving the revocation request

  • approverType string

    Possible values: [APP_OWNER, OWNER, SOURCE_OWNER, MANAGER, GOVERNANCE_GROUP]

    Describes the individual or group that is responsible for an approval step. Values are as follows.

    APP_OWNER: The owner of the Application

    OWNER: Owner of the associated Access Profile or Role

    SOURCE_OWNER: Owner of the Source associated with an Access Profile

    MANAGER: Manager of the Identity making the request

    GOVERNANCE_GROUP: A Governance Group, the ID of which is specified by the approverId field

  • approverId string

    Id of the specific approver, used only when approverType is GOVERNANCE_GROUP

  • segments string[]

    List of IDs of segments, if any, to which this Access Profile is assigned.

  • provisioningCriteria object

    When an Identity has multiple Accounts on the Source with which an Access Profile is associated, this expression is evaluated against those Accounts to choose one to provision with the Access Profile.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

  • children object[]

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.

  • children object[]

    Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum of three levels of criteria are supported, including leaf nodes.

  • operation string

    Possible values: [EQUALS, NOT_EQUALS, CONTAINS, HAS, AND, OR]

    Supported operations on ProvisioningCriteria

  • attribute string

    Name of the Account attribute to be tested. If operation is one of EQUALS, NOT_EQUALS, CONTAINS, or HAS, this field is required. Otherwise, specifying it is an error.

  • value string

    String value to test the Account attribute w/r/t the specified operation. If the operation is one of EQUALS, NOT_EQUALS, or CONTAINS, this field is required. Otherwise, specifying it is an error. If the Attribute is not String-typed, it will be converted to the appropriate type.
