Update SOD policy by ID

This updates a specified SOD policy. Requires role of ORG_ADMIN.

Path Parameters

id string required
The ID of the SOD policy to update.
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

application/json

Request Body required

name string

Policy Business Name

description string nullable

Optional description of the SOD policy

ownerRef object

type DtoType

Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

DTO type

id string

ID of the object to which this reference applies

name string

Human-readable display name of the object to which this reference applies

externalPolicyReference string nullable

Optional External Policy Reference

policyQuery string

Search query of the SOD policy

compensatingControls string nullable

Optional compensating controls(Mitigating Controls)

correctionAdvice string nullable

Optional correction advice

state string

Possible values: [ENFORCED, NOT_ENFORCED]

whether the policy is enforced or not

tags string[]

tags for this policy object

violationOwnerAssignmentConfig object nullable

assignmentRule string nullable

Possible values: [MANAGER, STATIC, null]

Details about the violations owner. MANAGER - identity's manager STATIC - Governance Group or Identity

ownerRef object nullable

type DtoType

Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

DTO type

id string

ID of the object to which this reference applies

name string

Human-readable display name of the object to which this reference applies

scheduled boolean

Default value: false

defines whether a policy has been scheduled or not

type string

Possible values: [GENERAL, CONFLICTING_ACCESS_BASED]

Default value: GENERAL

whether a policy is query based or conflicting access based

conflictingAccessCriteria object nullable
leftCriteria object
name string
Business name for the access construct list
criteriaList object[]
Possible values: >= 1, <= 50
List of criteria. There is a min of 1 and max of 50 items in the list.
Array [
type string
Possible values: [ENTITLEMENT]
Type of the propery to which this reference applies to
id string
ID of the object to which this reference applies to
name string
Human-readable display name of the object to which this reference applies to
]
rightCriteria object
name string
Business name for the access construct list
criteriaList object[]
Possible values: >= 1, <= 50
List of criteria. There is a min of 1 and max of 50 items in the list.
Array [
type string
Possible values: [ENTITLEMENT]
Type of the propery to which this reference applies to
id string
ID of the object to which this reference applies to
name string
Human-readable display name of the object to which this reference applies to
]

Responses

• 200
• 400
• 401
• 403
• 404
• 429
• 500

---

SOD Policy by ID

application/json

Schema

Example (from schema)

Conflicting Access Based Policy

General Policy

---

Schema

name string

Policy Business Name

description string nullable

Optional description of the SOD policy

ownerRef object

type DtoType

Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

DTO type

id string

ID of the object to which this reference applies

name string

Human-readable display name of the object to which this reference applies

externalPolicyReference string nullable

Optional External Policy Reference

policyQuery string

Search query of the SOD policy

compensatingControls string nullable

Optional compensating controls(Mitigating Controls)

correctionAdvice string nullable

Optional correction advice

state string

Possible values: [ENFORCED, NOT_ENFORCED]

whether the policy is enforced or not

tags string[]

tags for this policy object

violationOwnerAssignmentConfig object nullable

assignmentRule string nullable

Possible values: [MANAGER, STATIC, null]

Details about the violations owner. MANAGER - identity's manager STATIC - Governance Group or Identity

ownerRef object nullable

type DtoType

Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY, WORKGROUP]

DTO type

id string

ID of the object to which this reference applies

name string

Human-readable display name of the object to which this reference applies

scheduled boolean

Default value: false

defines whether a policy has been scheduled or not

type string

Possible values: [GENERAL, CONFLICTING_ACCESS_BASED]

Default value: GENERAL

whether a policy is query based or conflicting access based

conflictingAccessCriteria object nullable
leftCriteria object
name string
Business name for the access construct list
criteriaList object[]
Possible values: >= 1, <= 50
List of criteria. There is a min of 1 and max of 50 items in the list.
Array [
type string
Possible values: [ENTITLEMENT]
Type of the propery to which this reference applies to
id string
ID of the object to which this reference applies to
name string
Human-readable display name of the object to which this reference applies to
]
rightCriteria object
name string
Business name for the access construct list
criteriaList object[]
Possible values: >= 1, <= 50
List of criteria. There is a min of 1 and max of 50 items in the list.
Array [
type string
Possible values: [ENTITLEMENT]
Type of the propery to which this reference applies to
id string
ID of the object to which this reference applies to
name string
Human-readable display name of the object to which this reference applies to
]

{
  "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "name": "policy-xyz",
  "created": "2020-01-01T00:00:00.000000Z",
  "modified": "2020-01-01T00:00:00.000000Z",
  "description": "This policy ensures compliance of xyz",
  "ownerRef": {
    "type": "IDENTITY",
    "id": "2c91808568c529c60168cca6f90c1313",
    "name": "William Wilson"
  },
  "externalPolicyReference": "XYZ policy",
  "policyQuery": "@access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdg) AND @access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdf)",
  "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  "state": "ENFORCED",
  "tags": [
    "TAG1",
    "TAG2"
  ],
  "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "violationOwnerAssignmentConfig": {
    "assignmentRule": "MANAGER",
    "ownerRef": {
      "type": "IDENTITY",
      "id": "2c91808568c529c60168cca6f90c1313",
      "name": "William Wilson"
    }
  },
  "scheduled": true,
  "type": "GENERAL",
  "conflictingAccessCriteria": {
    "leftCriteria": {
      "name": "money-in",
      "criteriaList": [
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a66",
          "name": "Administrator"
        },
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a67",
          "name": "Administrator"
        }
      ]
    },
    "rightCriteria": {
      "name": "money-in",
      "criteriaList": [
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a66",
          "name": "Administrator"
        },
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a67",
          "name": "Administrator"
        }
      ]
    }
  }
}

{
  "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "name": "Conflicting-Policy-Name",
  "created": "2020-01-01T00:00:00.000000Z",
  "modified": "2020-01-01T00:00:00.000000Z",
  "description": "Modified description",
  "ownerRef": {
    "type": "IDENTITY",
    "id": "2c91808568c529c60168cca6f90c1313",
    "name": "Owner Name"
  },
  "externalPolicyReference": "XYZ policy",
  "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c9180866166b5b0016167c32ef31a68 OR id:2c9180866166b5b0016167c32ef31a69)",
  "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  "state": "ENFORCED",
  "tags": [
    "string"
  ],
  "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "violationOwnerAssignmentConfig": {
    "assignmentRule": "MANAGER",
    "ownerRef": {
      "type": "IDENTITY",
      "id": "2c91808568c529c60168cca6f90c1313",
      "name": "Violation Owner Name"
    }
  },
  "scheduled": true,
  "type": "CONFLICTING_ACCESS_BASED",
  "conflictingAccessCriteria": {
    "leftCriteria": {
      "name": "money-in",
      "criteriaList": [
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a66"
        },
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a67"
        }
      ]
    },
    "rightCriteria": {
      "name": "money-out",
      "criteriaList": [
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a68"
        },
        {
          "type": "ENTITLEMENT",
          "id": "2c9180866166b5b0016167c32ef31a69"
        }
      ]
    }
  }
}

{
  "description": "Modified Description",
  "ownerRef": {
    "type": "IDENTITY",
    "id": "2c918087682f9a86016839c05e8f1aff",
    "name": "Owner Name"
  },
  "externalPolicyReference": "New policy",
  "policyQuery": "policy query implementation",
  "compensatingControls": "Compensating controls",
  "correctionAdvice": "Correction advice",
  "tags": [],
  "state": "ENFORCED",
  "scheduled": false,
  "creatorId": "2c918087682f9a86016839c05e8f1aff",
  "modifierId": null,
  "violationOwnerAssignmentConfig": null,
  "type": "GENERAL",
  "conflictingAccessCriteria": null,
  "id": "52c11db4-733e-4c31-949a-766c95ec95f1",
  "name": "General-Policy-Name",
  "created": "2020-05-12T19:47:38Z",
  "modified": "2020-05-12T19:47:38Z"
}

Client Error - Returned if the request body is invalid.

application/json

Schema

Example (from schema)

---

Schema

detailCode string

Fine-grained error code providing more detail of the error.

trackingId string

Unique tracking id for the error.

messages object[]
Generic localized reason for error
Array [
locale string
The locale for the message text, a BCP 47 language tag.
localeOrigin LocaleOrigin
Possible values: [DEFAULT, REQUEST]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
text string
Actual text of the error message in the indicated locale.
]
causes object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
Array [
locale string
The locale for the message text, a BCP 47 language tag.
localeOrigin LocaleOrigin
Possible values: [DEFAULT, REQUEST]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
text string
Actual text of the error message in the indicated locale.
]

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.

application/json

Schema

Example (from schema)

---

Schema

error

A message describing the error

{
  "error": "JWT validation failed: JWT is expired"
}

Forbidden - Returned if the user you are running as, doesn't have access to this end-point.

application/json

Schema

Example (from schema)

403

---

Schema

detailCode string

Fine-grained error code providing more detail of the error.

trackingId string

Unique tracking id for the error.

messages object[]
Generic localized reason for error
Array [
locale string
The locale for the message text, a BCP 47 language tag.
localeOrigin LocaleOrigin
Possible values: [DEFAULT, REQUEST]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
text string
Actual text of the error message in the indicated locale.
]
causes object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
Array [
locale string
The locale for the message text, a BCP 47 language tag.
localeOrigin LocaleOrigin
Possible values: [DEFAULT, REQUEST]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
text string
Actual text of the error message in the indicated locale.
]

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

An example of a 403 response object

{
  "detailCode": "403 Forbidden",
  "trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The server understood the request but refuses to authorize it."
    }
  ]
}

Not Found - returned if the request URL refers to a resource or object that does not exist

application/json

Schema

Example (from schema)

404

---

Schema

detailCode string

Fine-grained error code providing more detail of the error.

trackingId string

Unique tracking id for the error.

messages object[]
Generic localized reason for error
Array [
locale string
The locale for the message text, a BCP 47 language tag.
localeOrigin LocaleOrigin
Possible values: [DEFAULT, REQUEST]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
text string
Actual text of the error message in the indicated locale.
]
causes object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
Array [
locale string
The locale for the message text, a BCP 47 language tag.
localeOrigin LocaleOrigin
Possible values: [DEFAULT, REQUEST]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
text string
Actual text of the error message in the indicated locale.
]

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

An example of a 404 response object

{
  "detailCode": "404 Not found",
  "trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The server did not find a current representation for the target resource."
    }
  ]
}

Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.

application/json

Schema

Example (from schema)

---

Schema

message

A message describing the error

{
  "message": " Rate Limit Exceeded "
}

Internal Server Error - Returned if there is an unexpected error.

application/json

Schema

Example (from schema)

500

---

Schema

detailCode string

Fine-grained error code providing more detail of the error.

trackingId string

Unique tracking id for the error.

messages object[]
Generic localized reason for error
Array [
locale string
The locale for the message text, a BCP 47 language tag.
localeOrigin LocaleOrigin
Possible values: [DEFAULT, REQUEST]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
text string
Actual text of the error message in the indicated locale.
]
causes object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
Array [
locale string
The locale for the message text, a BCP 47 language tag.
localeOrigin LocaleOrigin
Possible values: [DEFAULT, REQUEST]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
text string
Actual text of the error message in the indicated locale.
]

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

An example of a 500 response object

{
  "detailCode": "500.0 Internal Fault",
  "trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "An internal fault occurred."
    }
  ]
}

Loading...