Skip to main content

Submit an Access Request​

This submits the access request into IdentityNow, where it will follow any IdentityNow approval processes.

Access requests are processed asynchronously by IdentityNow. A success response from this endpoint means the request has been submitted to IDN and is queued for processing. Because this endpoint is asynchronous, it will not return an error if you submit duplicate access requests in quick succession, or you submit an access request for access that is already in progress, approved, or rejected. It is best practice to check for any existing access requests that reference the same access items before submitting a new access request. This can be accomplished by using the access request status or the pending access request approvals endpoints. You can also use the search API to check the existing access items that an identity has before submitting an access request to ensure you are not requesting access that is already granted.

There are two types of access request:

GRANT_ACCESS

  • Can be requested for multiple identities in a single request.
  • Supports self request and request on behalf of other users, see '/beta/access-request-config' endpoint for request configuration options.
  • Allows any authenticated token (except API) to call this endpoint to request to grant access to themselves. Depending on the configuration, a user can request access for others.
  • Roles, Access Profiles and Entitlements can be requested.
  • While requesting entitlements, maximum of 25 entitlements and 10 recipients are allowed in a request.

REVOKE_ACCESS

  • Can only be requested for a single identity at a time.
  • Does not support self request. Only manager can request to revoke access for their directly managed employees.
  • If removeDate is specified, then the access will be removed on that date and time only for Roles and Access Profiles. Entitlements are currently unsupported for removeDate.
  • Roles, Access Profiles, and Entitlements can be requested for revocation.
  • Revoke requests for entitlements are limited to 1 entitlement per access request currently.
  • [Roles, Access Profiles] RemoveData can be specified only if access don't have a sunset date.
  • Allows a manager to request to revoke access for direct employees. A token with ORG_ADMIN authority can also request to revoke access from anyone.

NOTE: There is no indication to the approver in the IdentityNow UI that the approval request is for a revoke action. Take this into consideration when calling this API.

A token with API authority cannot be used to call this endpoint.

Request Body required
  • requestedFor string[] required

    A list of Identity IDs for whom the Access is requested. If it's a Revoke request, there can only be one Identity ID.

  • requestType string

    Possible values: [GRANT_ACCESS, REVOKE_ACCESS]

    Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field.

  • requestedItems object[] required
  • type string required

    Possible values: [ACCESS_PROFILE, ROLE, ENTITLEMENT]

    The type of the item being requested.

  • id string required

    ID of Role, Access Profile or Entitlement being requested.

  • comment string

    Comment provided by requester.

    • Comment is required when the request is of type Revoke Access.
  • clientMetadata object

    Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities and /access-request-status.

  • property name* string
  • removeDate date-time

    The date the role or access profile is no longer assigned to the specified identity.

    • Specify a date in the future.
    • The current SLA for the deprovisioning is 24 hours.
    • This date can be modified to either extend or decrease the duration of access item assignments for the specified identity.
    • Currently it is not supported for entitlements.
    • If sunset date for role or access profile specified, removeDate cannot be established. This rule doesn't apply for entitlements.
  • clientMetadata object

    Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities.

  • property name* string
Responses

Accepted - Returned if the request was successfully accepted into the system.

Schema
  • object
Loading...