API docs by Redocly

Identity Security Cloud V2025 API (v2025)

URL: https://developer.sailpoint.com/discuss/api-help License: MIT Terms of Service

Use these APIs to interact with the Identity Security Cloud platform to achieve repeatable, automated processes with greater scalability. We encourage you to join the SailPoint Developer Community forum at https://developer.sailpoint.com/discuss to connect with other developers using our APIs.

Access Model Metadata

Use this API to create and manage metadata attributes for your Access Model. Access Model Metadata allows you to add contextual information to your ISC Access Model items using pre-defined metadata for risk, regulations, privacy levels, etc., or by creating your own metadata attributes to reflect the unique needs of your organization. This release of the API includes support for entitlement metadata. Support for role and access profile metadata will be introduced in a subsequent release.

Common usages for Access Model metadata include:

  • Organizing and categorizing access items to make it easier for your users to search for and find the access rights they want to request, certify, or manage.

  • Providing richer information about access that is being acted on to allow stakeholders to make better decisions when approving, certifying, or managing access rights.

  • Identifying access that may requires additional approval requirements or be subject to more frequent review.

List access model metadata attributes

Get a list of Access Model Metadata Attributes

Authorizations:
Personal Access TokenClient Credentials
query Parameters
filters
string
Example: filters=name eq "Privacy"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

key: eq

name: eq

type: eq

status: eq

objectTypes: eq

Supported composite operators are and, or

sorters
string <comma-separated>
Example: sorters=name,-key

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, key

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create access model metadata attribute

Create a new Access Model Metadata Attribute.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Attribute to create

key
string

Technical name of the Attribute. This is unique and cannot be changed after creation.

name
string

The display name of the key.

multiselect
boolean
Default: false

Indicates whether the attribute can have multiple values.

status
string

The status of the Attribute.

type
string

The type of the Attribute. This can be either "custom" or "governance".

objectTypes
Array of strings or null

An array of object types this attributes values can be applied to. Possible values are "all" or "entitlement". Value "all" means this attribute can be used with all object types that are supported.

description
string

The description of the Attribute.

Array of objects or null (AttributeValueDTO)

Responses

Request samples

Content type
application/json
{
  • "key": "iscPrivacy",
  • "name": "Privacy",
  • "multiselect": false,
  • "status": "active",
  • "type": "governance",
  • "objectTypes": [
    ],
  • "description": "Specifies the level of privacy associated with an access item.",
  • "values": [
    ]
}

Response samples

Content type
application/json
{
  • "key": "iscPrivacy",
  • "name": "Privacy",
  • "multiselect": false,
  • "status": "active",
  • "type": "governance",
  • "objectTypes": [
    ],
  • "description": "Specifies the level of privacy associated with an access item.",
  • "values": [
    ]
}

Get access model metadata attribute

Get single Access Model Metadata Attribute

Authorizations:
Personal Access TokenClient Credentials
path Parameters
key
required
string
Example: iscPrivacy

Technical name of the Attribute.

Responses

Response samples

Content type
application/json
{
  • "key": "iscPrivacy",
  • "name": "Privacy",
  • "multiselect": false,
  • "status": "active",
  • "type": "governance",
  • "objectTypes": [
    ],
  • "description": "Specifies the level of privacy associated with an access item.",
  • "values": [
    ]
}

Update access model metadata attribute

Update an existing Access Model Metadata Attribute.
The following fields are patchable: name, description, multiselect, values

Authorizations:
Personal Access TokenClient Credentials
path Parameters
key
required
string
Example: iscPrivacy

Technical name of the Attribute.

Request Body schema: application/json-patch+json

JSON Patch array to apply

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "key": "iscPrivacy",
  • "name": "Privacy",
  • "multiselect": false,
  • "status": "active",
  • "type": "governance",
  • "objectTypes": [
    ],
  • "description": "Specifies the level of privacy associated with an access item.",
  • "values": [
    ]
}

List access model metadata values

Get a list of Access Model Metadata Attribute Values

Authorizations:
Personal Access TokenClient Credentials
path Parameters
key
required
string
Example: iscPrivacy

Technical name of the Attribute.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create access model metadata value

Create a new value for an existing Access Model Metadata Attribute.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
key
required
string
Example: iscPrivacy

Technical name of the Attribute.

Request Body schema: application/json

Attribute value to create

value
string

Technical name of the Attribute value. This is unique and cannot be changed after creation.

name
string

The display name of the Attribute value.

status
string

The status of the Attribute value.

Responses

Request samples

Content type
application/json
{
  • "value": "public",
  • "name": "Public",
  • "status": "active"
}

Response samples

Content type
application/json
{
  • "value": "public",
  • "name": "Public",
  • "status": "active"
}

Get access model metadata value

Get single Access Model Metadata Attribute Value

Authorizations:
Personal Access TokenClient Credentials
path Parameters
key
required
string
Example: iscPrivacy

Technical name of the Attribute.

value
required
string
Example: public

Technical name of the Attribute value.

Responses

Response samples

Content type
application/json
{
  • "value": "public",
  • "name": "Public",
  • "status": "active"
}

Update access model metadata value

Update an existing Access Model Metadata Attribute Value.
The following fields are patchable: name

Authorizations:
Personal Access TokenClient Credentials
path Parameters
key
required
string
Example: iscPrivacy

Technical name of the Attribute.

value
required
string
Example: public

Technical name of the Attribute value.

Request Body schema: application/json-patch+json

JSON Patch array to apply

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "value": "public",
  • "name": "Public",
  • "status": "active"
}

Metadata Attribute update by filter Deprecated

Bulk update Access Model Metadata Attribute Values using a filter

Authorizations:
Personal Access Token
Request Body schema: application/json

Attribute metadata bulk update request body.

filters
string

Filter results using the standard syntax described in V3 API Standard Collection Parameters Filtering is supported for the following fields and operators:

id: eq

operation
string
Enum: "ADD" "REMOVE" "REPLACE"

Operation to perform on the attributes in the bulk update request.

replaceScope
string
Enum: "ALL" "ATTRIBUTE"

The choice of update scope.

Array of objects (BulkUpdateAMMKeyValue)

The metadata to be updated, including attribute and values.

Responses

Request samples

Content type
application/json
{
  • "filters": "id eq 2c9180867817ac4d017817c491119a20",
  • "operation": "add",
  • "replaceScope": "attribute",
  • "values": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "type": "Role",
  • "status": "CREATED",
  • "created": "2020-10-08T18:33:52.029Z"
}

Metadata Attribute update by query Deprecated

Bulk update Access Model Metadata Attribute Values using a query

Authorizations:
Personal Access Token
Request Body schema: application/json

Attribute metadata bulk update request body.

object (Search)
operation
string
Enum: "ADD" "REMOVE" "REPLACE"

Operation to perform on the attributes in the bulk update request.

replaceScope
string
Enum: "ALL" "ATTRIBUTE"

The choice of update scope.

Array of objects (BulkUpdateAMMKeyValue)

The metadata to be updated, including attribute and values.

Responses

Request samples

Content type
application/json
{
  • "query": {
    },
  • "operation": "add",
  • "replaceScope": "attribute",
  • "values": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "type": "Role",
  • "status": "CREATED",
  • "created": "2020-10-08T18:33:52.029Z"
}

Metadata Attribute update by ids Deprecated

Bulk update Access Model Metadata Attribute Values using ids.

Authorizations:
Personal Access Token
Request Body schema: application/json

Attribute metadata bulk update request body.

entitlements
Array of strings

List of entitlement IDs to update.

operation
string
Enum: "ADD" "REMOVE" "REPLACE"

Operation to perform on the attributes in the bulk update request.

replaceScope
string
Enum: "ALL" "ATTRIBUTE"

The choice of update scope.

Array of objects (BulkUpdateAMMKeyValue)

The metadata to be updated, including attribute and values.

Responses

Request samples

Content type
application/json
{
  • "entitlements": [
    ],
  • "operation": "add",
  • "replaceScope": "attribute",
  • "values": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "type": "Role",
  • "status": "CREATED",
  • "created": "2020-10-08T18:33:52.029Z"
}

Access Profiles

Use this API to implement and customize access profile functionality. With this functionality in place, administrators can create access profiles and configure them for use throughout Identity Security Cloud, enabling users to get the access they need quickly and securely.

Access profiles group entitlements, which represent access rights on sources.

For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.

An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.

When users only need Active Directory employee access, they can request access to the 'Employees' entitlement.

When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.

Identity Security Cloud uses access profiles in many features, including the following:

  • Provisioning: When you use the Provisioning Service, lifecycle states and roles both grant access to users in the form of access profiles.

  • Certifications: You can approve or revoke access profiles in certification campaigns, just like entitlements.

  • Access Requests: You can assign access profiles to applications, and when a user requests access to the app associated with an access profile and someone approves the request, access is granted to both the application and its associated access profile.

  • Roles: You can group one or more access profiles into a role to quickly assign access items based on an identity's role.

In Identity Security Cloud, administrators can use the Access drop-down menu and select Access Profiles to view, configure, and delete existing access profiles, as well as create new ones. Administrators can enable and disable an access profile, and they can also make the following configurations:

  • Manage Entitlements: Manage the profile's access by adding and removing entitlements.

  • Access Requests: Configure access profiles to be requestable and establish an approval process for any requests that the access profile be granted or revoked. Do not configure an access profile to be requestable without first establishing a secure access request approval process for the access profile.

  • Multiple Account Options: Define the logic Identity Security Cloud uses to provision access to an identity with multiple accounts on the source.

Refer to Managing Access Profiles for more information about access profiles.

List access profiles

Get a list of access profiles.

Note: When you filter for access profiles that have the '+' symbol in their names, the response is blank.

Authorizations:
Personal Access Token
query Parameters
for-subadmin
string
Example: for-subadmin=8c190e6787aa4ed9a90bd9d5344523fb

Filters the returned list according to what is visible to the indicated ROLE_SUBADMIN or SOURCE_SUBADMIN identity. The value of the parameter is either an identity ID or the special value me, which is shorthand for the calling identity's ID.

If you specify an identity that isn't a subadmin, the API returns a 400 Bad Request error.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name eq "SailPoint Support"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

created: gt, ge, le

modified: gt, lt, ge, le

owner.id: eq, in

requestable: eq

source.id: eq, in

Supported composite operators are and, or

Filtering is not supported for access profiles and entitlements that have the '+' symbol in their names.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified

for-segment-ids
string <comma-separated>
Example: for-segment-ids=0b5c9f25-83c6-4762-9073-e38f7bb2ae26,2e8d8180-24bc-4d21-91c6-7affdb473b0d

Filters access profiles to only those assigned to the segment(s) with the specified IDs. If segmentation is currently unavailable, specifying this parameter results in an error.

include-unsegmented
boolean
Default: true

Indicates whether the response list should contain unsegmented access profiles. If for-segment-ids is absent or empty, specifying include-unsegmented as false results in an error.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create access profile

Create an access profile. A user with ROLE_SUBADMIN or SOURCE_SUBADMIN authority must be associated with the access profile's source. The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing access profiles. However, any new access profiles as well as any updates to existing descriptions are limited to 2000 characters.

Note: To use this endpoint, you need all the listed scopes.

Authorizations:
Personal Access Token
Request Body schema: application/json
name
required
string

Access profile name.

description
string or null

Access profile description.

enabled
boolean
Default: false

Indicates whether the access profile is enabled. If it's enabled, you must include at least one entitlement.

required
object or null (OwnerReference)

Owner of the object.

required
object (AccessProfileSourceRef)
Array of objects or null (EntitlementRef)

List of entitlements associated with the access profile. If enabled is false, this can be empty. Otherwise, it must contain at least one entitlement.

requestable
boolean
Default: true

Indicates whether the access profile is requestable by access request. Currently, making an access profile non-requestable is only supported for customers enabled with the new Request Center. Otherwise, attempting to create an access profile with a value false in this field results in a 400 error.

object or null (Requestability)
object or null (Revocability)
segments
Array of strings or null

List of segment IDs, if any, that the access profile is assigned to.

object (AttributeDTOList)
object or null (ProvisioningCriteriaLevel1)

Defines matching criteria for an account to be provisioned with a specific access profile.

Array of objects or null (AdditionalOwnerRef)

List of additional owner references beyond the primary owner. Each entry may be an identity (IDENTITY) or a governance group (GOVERNANCE_GROUP).

Responses

Request samples

Content type
application/json
{
  • "name": "Employee-database-read-write",
  • "description": "Collection of entitlements to read/write the employee database",
  • "enabled": true,
  • "owner": {
    },
  • "source": {
    },
  • "entitlements": [
    ],
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "accessModelMetadata": {
    },
  • "provisioningCriteria": {
    },
  • "additionalOwners": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c91808a7190d06e01719938fcd20792",
  • "name": "Employee-database-read-write",
  • "description": "Collection of entitlements to read/write the employee database",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "enabled": true,
  • "owner": {
    },
  • "source": {
    },
  • "entitlements": [
    ],
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "accessModelMetadata": {
    },
  • "provisioningCriteria": {
    },
  • "additionalOwners": [
    ]
}

Get an access profile

This API returns an Access Profile by its ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180837ca6693d017ca8d097500149

ID of the Access Profile

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808a7190d06e01719938fcd20792",
  • "name": "Employee-database-read-write",
  • "description": "Collection of entitlements to read/write the employee database",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "enabled": true,
  • "owner": {
    },
  • "source": {
    },
  • "entitlements": [
    ],
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "accessModelMetadata": {
    },
  • "provisioningCriteria": {
    },
  • "additionalOwners": [
    ]
}

Patch a specified access profile

This API updates an existing Access Profile. The following fields are patchable:

name

description

enabled

owner

additionalOwners

requestable

accessRequestConfig

revokeRequestConfig

segments

entitlements

provisioningCriteria

source (must be updated with entitlements belonging to new source in the same API call)

If you need to change the source of the access profile, you can do so only if you update the entitlements in the same API call. The new entitlements can only come from the target source that you want to change to. Look for the example "Replace Source" in the examples dropdown.

A user with SOURCE_SUBADMIN may only use this API to patch Access Profiles which are associated with Sources they are able to administer.

The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing access profiles, however, any new access profiles as well as any updates to existing descriptions will be limited to 2000 characters.

You can only add or replace entitlements that exist on the source that the access profile is attached to. You can use the list entitlements endpoint with the filters query parameter to get a list of available entitlements on the access profile's source.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the Access Profile to patch

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
Example

Add one or more entitlements to the end of the list

[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c91808a7190d06e01719938fcd20792",
  • "name": "Employee-database-read-write",
  • "description": "Collection of entitlements to read/write the employee database",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "enabled": true,
  • "owner": {
    },
  • "source": {
    },
  • "entitlements": [
    ],
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "accessModelMetadata": {
    },
  • "provisioningCriteria": {
    },
  • "additionalOwners": [
    ]
}

Delete the specified access profile

This API deletes an existing Access Profile.

The Access Profile must not be in use, for example, Access Profile can not be deleted if they belong to an Application, Life Cycle State or a Role. If it is, a 400 error is returned.

A user with SOURCE_SUBADMIN must be able to administer the Source associated with the Access Profile.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the Access Profile to delete

Responses

Response samples

Content type
application/json

Returned when an access profile cannot be deleted as it's being used

{
  • "detailCode": "400.2.1.0 Object in use by another",
  • "trackingId": "c9c1033c55b84ebc9e93e926dcf8b8b3",
  • "messages": [
    ]
}

Delete access profile(s)

This endpoint initiates a bulk deletion of one or more access profiles. When the request is successful, the endpoint returns the bulk delete's task result ID. To follow the task, you can use Get Task Status by ID, which will return the task result's status and information. This endpoint can only bulk delete up to a limit of 50 access profiles per request. By default, if any of the indicated access profiles are in use, no deletions will be performed and the inUse field of the response indicates the usages that must be removed first. If the request field bestEffortOnly is true, however, usages are reported in the inUse response field but all other indicated access profiles will be deleted. A SOURCE_SUBADMIN user can only use this endpoint to delete access profiles associated with sources they're able to administer.

Authorizations:
Personal Access Token
Request Body schema: application/json
accessProfileIds
Array of strings

List of IDs of Access Profiles to be deleted.

bestEffortOnly
boolean

If true, silently skip over any of the specified Access Profiles if they cannot be deleted because they are in use. If false, no deletions will be attempted if any of the Access Profiles are in use.

Responses

Request samples

Content type
application/json
{
  • "bestEffortOnly": true,
  • "accessProfileIds": [
    ]
}

Response samples

Content type
application/json
{
  • "pending": [ ],
  • "inUse": [
    ]
}

List access profile's entitlements

Use this API to get a list of an access profile's entitlements. A SOURCE_SUBADMIN user must have access to the source associated with the specified access profile.

Note: When you filter for access profiles that have the '+' symbol in their names, the response is blank.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the access profile containing the entitlements.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=attribute eq "memberOf"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

attribute: eq, sw

value: eq, sw

created: gt, lt, ge, le

modified: gt, lt, ge, le

owner.id: eq, in

source.id: eq, in

Filtering is not supported for access profiles and entitlements that have the '+' symbol in their names.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, attribute, value, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Update access profile(s) requestable field.

This API initiates a bulk update of field requestable for one or more Access Profiles.

If any of the indicated Access Profiles is exists in Organization,then those Access Profiles will be added in updated list of the response.Requestable field of these Access Profiles marked as true or false.

If any of the indicated Access Profiles is not does not exists in Organization,then those Access Profiles will be added in notFound list of the response. Access Profiles marked as notFound will not be updated. A SOURCE_SUBADMIN may only use this API to update Access Profiles which are associated with Sources they are able to administer.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
Array
id
string

Access Profile ID.

requestable
boolean

Access Profile is requestable or not.

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
[
  • {
    }
]

Access Request Approvals

Use this API to implement and customize access request approval functionality. With this functionality in place, administrators can delegate qualified users to review users' requests for access or managers' requests to revoke team members' access to applications, entitlements, or roles.
This enables more qualified users to review access requests and the others to spend their time on other tasks.

In Identity Security Cloud, users can request access to applications, entitlements, and roles, and managers can request that team members' access be revoked.
For applications and entitlements, administrators can set access profiles to require approval from the access profile owner, the application owner, the source owner, the requesting user's manager, or a governance group for access to be granted or revoked.
For roles, administrators can also set roles to allow access requests and require approval from the role owner, the requesting user's manager, or a governance group for access to be granted or revoked.
If the administrator designates a governance group as the required approver, any governance group member can approve the requests.

When a user submits an access request, Identity Security Cloud sends the first required approver in the queue an email notification, based on the access request configuration's approval and reminder escalation configuration.

In Approvals in Identity Security Cloud, required approvers can view pending access requests under the Requested tab and approve or deny them, or the approvers can reassign the requests to different reviewers for approval.
If the required approver approves the request and is the only reviewer required, Identity Security Cloud grants or revokes access, based on the request.
If multiple reviewers are required, Identity Security Cloud sends the request to the next reviewer in the queue, based on the access request configuration's approval reminder and escalation configuration.
The required approver can then view any completed access requests under the Reviewed tab.

Refer to Access Requests for more information about access request approvals.

Pending access request approvals list

This endpoint returns a list of pending approvals. See "owner-id" query parameter below for authorization info.

Authorizations:
Personal Access Token
query Parameters
owner-id
string
Example: owner-id=2c91808568c529c60168cca6f90c1313

If present, the value returns only pending approvals for the specified identity.

  • ORG_ADMIN users can call this with any identity ID value.
  • ORG_ADMIN users can also fetch all the approvals in the org, when owner-id is not used.
  • Non-ORG_ADMIN users can only specify me or pass their own identity ID value.
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "2c91808568c529c60168cca6f90c1313"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

requestedFor.id: eq, in

modified: gt, lt, ge, le, eq, in

accessRequestId: eq, in

created: gt, lt, ge, le, eq, in

sorters
string <comma-separated>
Example: sorters=modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Completed access request approvals list

This endpoint returns list of completed approvals. See owner-id query parameter below for authorization info.

Authorizations:
Personal Access Token
query Parameters
owner-id
string
Example: owner-id=2c91808568c529c60168cca6f90c1313

If present, the value returns only completed approvals for the specified identity.

  • ORG_ADMIN users can call this with any identity ID value.
  • ORG_ADMIN users can also fetch all the approvals in the org, when owner-id is not used.
  • Non-ORG_ADMIN users can only specify me or pass their own identity ID value.
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "2c91808568c529c60168cca6f90c1313"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in, ge, gt, le, lt, ne, isnull, sw

requestedFor.id: eq, in, ge, gt, le, lt, ne, isnull, sw

modified: gt, lt, ge, le, eq, in, ne, sw

sorters
string <comma-separated>
Example: sorters=modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Approve access request approval

Use this endpoint to approve an access request approval. Only the owner of the approval and ORG_ADMIN users are allowed to perform this action.

Authorizations:
Personal Access Token
path Parameters
approvalId
required
string
Example: 2c91808b7294bea301729568c68c002e

Approval ID.

Request Body schema: application/json

Reviewer's comment.

comment
string or null

Comment content.

created
string <date-time>

Date and time comment was created.

Responses

Request samples

Content type
application/json
{
  • "comment": "This is a comment.",
  • "created": "2017-07-11T18:45:37.098Z"
}

Response samples

Content type
application/json
{ }

Reject access request approval

Use this API to reject an access request approval. Only the owner of the approval and admin users are allowed to perform this action.

Authorizations:
Personal Access Token
path Parameters
approvalId
required
string
Example: 2c91808b7294bea301729568c68c002e

Approval ID.

Request Body schema: application/json

Reviewer's comment.

comment
string or null

Comment content.

created
string <date-time>

Date and time comment was created.

Responses

Request samples

Content type
application/json
{
  • "comment": "This is a comment.",
  • "created": "2017-07-11T18:45:37.098Z"
}

Response samples

Content type
application/json
{ }

Forward access request approval

Use this API to forward an access request approval to a new owner. Only the owner of the approval and ORG_ADMIN users are allowed to perform this action. Only the owner of the approval and ORG_ADMIN users are allowed to perform this action.

Authorizations:
Personal Access Token
path Parameters
approvalId
required
string
Example: 2c91808b7294bea301729568c68c002e

Approval ID.

Request Body schema: application/json

Information about the forwarded approval.

newOwnerId
required
string [ 1 .. 255 ] characters

The Id of the new owner

comment
required
string [ 1 .. 255 ] characters

The comment provided by the forwarder

Responses

Request samples

Content type
application/json
{
  • "newOwnerId": "2c91808568c529c60168cca6f90c1314",
  • "comment": "2c91808568c529c60168cca6f90c1313"
}

Response samples

Content type
application/json
{ }

Get access requests approvals number

Use this API to return the number of pending, approved and rejected access requests approvals. See the "owner-id" query parameter for authorization information. info.

Authorizations:
Personal Access Token
query Parameters
owner-id
string
Example: owner-id=2c91808568c529c60168cca6f90c1313

The ID of the owner or approver identity of the approvals. If present, the value returns approval summary for the specified identity.

  • ORG_ADMIN users can call this with any identity ID value.
  • ORG_ADMIN user can also fetch all the approvals in the org, when owner-id is not used.
  • Non ORG_ADMIN users can only specify me or pass their own identity ID value.
from-date
string
Example: from-date=from-date=2020-03-19T19:59:11Z

This is the date and time the results will be shown from. It must be in a valid ISO-8601 format.

Responses

Response samples

Content type
application/json
{
  • "pending": 0,
  • "approved": 0,
  • "rejected": 0
}

Access request approvers

This API endpoint returns the list of approvers for the given access request id.

Authorizations:
Personal Access Token
path Parameters
accessRequestId
required
string
Example: 2c91808568c529c60168cca6f90c1313

Access Request ID.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=100

Max number of results to return.

offset
integer <int32> >= 0
Example: offset=10

Offset into the full result set. Usually specified with limit to paginate through the results. Defaults to 0 if not specified.

count
boolean
Default: false

If this is true, the X-Total-Count response header populates with the number of results that would be returned if limit and offset were ignored.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Access Request Identity Metrics

Use this API to implement access request identity metrics functionality. With this functionality in place, access request reviewers can see relevant details about the requested access item and associated source activity. This allows reviewers to see how many of the identities who share a manager with the access requester have this same type of access and how many of them have had activity in the related source. This additional context about whether the access has been granted before and how often it has been used can help those approving access requests make more informed decisions.

Return access request identity metrics

Use this API to return information access metrics.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: 7025c863-c270-4ba6-beea-edf3cb091573

Manager's identity ID.

requestedObjectId
required
string
Example: 2db501be-f0fb-4cc5-a695-334133c52891

Requested access item's ID.

type
required
string
Enum: "ENTITLEMENT" "ROLE" "ACCESS_PROFILE"
Example: ENTITLEMENT

Requested access item's type.

Responses

Response samples

Content type
application/json
{ }

Access Requests

Use this API to implement and customize access request functionality. With this functionality in place, users can request access to applications, entitlements, or roles, and managers can request that team members' access be revoked. This allows users to get access to the tools they need quickly and securely, and it allows managers to take away access to those tools.

Identity Security Cloud's Access Request service allows end users to request access that requires approval before it can be granted to users and enables qualified users to review those requests and approve or deny them.

In the Request Center in Identity Security Cloud, users can view available applications, roles, and entitlements and request access to them. If the requested tools requires approval, the requests appear as 'Pending' under the My Requests tab until the required approver approves, rejects, or cancels them.

Users can use My Requests to track and/or cancel the requests.

In My Team on the Identity Security Cloud Home, managers can submit requests to revoke their team members' access. They can use the My Requests tab under Request Center to track and/or cancel the requests.

Refer to Requesting Access for more information about access requests.

Submit access request

Use this API to submit an access request in Identity Security Cloud (ISC), where it follows any ISC approval processes.

Security: idn:access-request:manage is for ORG_ADMIN level. idn:access-request-self:manage is for USER level.

:::info The ability to request access using this API is constrained by the Access Request Segments defined in the API token's user context. :::

Access requests are processed asynchronously by ISC. A successful response from this endpoint means that the request has been submitted to ISC and is queued for processing. Because this endpoint is asynchronous, it does not return an error if you submit duplicate access requests in quick succession or submit an access request for access that is already in progress, approved, or rejected.

It is best practice to check for any existing access requests that reference the same access items before submitting a new access request. This can be accomplished by using the List Access Request Status or the Pending Access Request Approvals APIs. You can also use the Search API to check the existing access items an identity has before submitting an access request to ensure that you aren't requesting access that is already granted. If you use this API to request access that an identity already has, without changing the account details or end date information from the existing assignment, the API will cancel the request as a duplicate.

There are two types of access request:

GRANT_ACCESS

  • Can be requested for multiple identities in a single request.
  • Supports self request and request on behalf of other users. Refer to the Get Access Request Configuration endpoint for request configuration options.
  • Allows any authenticated token (except API) to call this endpoint to request to grant access to themselves. Depending on the configuration, a user can request access for others.
  • Roles, access profiles and entitlements can be requested.
  • You can specify a startDate to set or alter a sunrise date-time on an assignment. The startDate must be a future date-time, in the UTC timezone. Additionally, if the user already has the access assigned with a sunrise date and its yet to be provisioned, you can also submit a request without a startDate to request immediate provisioning after approval.
  • If a startDate is specified, then the requested role, access profile, or entitlement will be provisioned on that date and time.
  • You can specify a removeDate to set or alter a sunset date-time on an assignment. The removeDate must be a future date-time, in the UTC timezone. Additionally, if the user already has the access assigned with a sunset date, you can also submit a request without a removeDate to request removal of the sunset date and time.
  • If a removeDate is specified, then the requested role, access profile, or entitlement will be removed on that date and time.
  • Now supports an alternate field 'requestedForWithRequestedItems' for users to specify account selections while requesting items where they have more than one account on the source.

:::caution

If any entitlements are being requested, then the maximum number of entitlements that can be requested is 25, and the maximum number of identities that can be requested for is 10. If you exceed these limits, the request will fail with a 400 error. If you are not requesting any entitlements, then there are no limits.

:::

REVOKE_ACCESS

  • Can only be requested for a single identity at a time.
  • You cannot use an access request to revoke access from an identity if that access has been granted by role membership or by birthright provisioning.
  • Does not support self request. Only manager can request to revoke access for their directly managed employees.
  • If a removeDate is specified, then the requested role, access profile, or entitlement will be removed on that date and time.
  • Roles, access profiles, and entitlements can be requested for revocation.
  • Revoke requests for entitlements are limited to 1 entitlement per access request currently.
  • You cannot specify a 'startDate' in a REVOKE_ACCESS request, as startDate is only applicable for GRANT_ACCESS requests to indicate when the access should be provisioned, and it does not make sense in the context of revoking access.
  • You can specify a removeDate to add or alter a sunset date and time on an assignment. The removeDate must be a future date-time, in the UTC timezone. If the user already has the access assigned with a sunset date and time, the removeDate must be a date-time earlier than the existing sunset date and time.
  • Allows a manager to request to revoke access for direct employees. A user with ORG_ADMIN authority can also request to revoke access from anyone.
  • Now supports REVOKE_ACCESS requests for identities with multiple accounts on a single source, with the help of 'assignmentId' and 'nativeIdentity' fields. These fields should be used within the 'requestedItems' section for the revoke requests.
  • Usage of 'requestedForWithRequestedItems' field is not supported for revoke requests.
Authorizations:
Personal Access Token
Request Body schema: application/json
requestedFor
required
Array of strings

A list of Identity IDs for whom the Access is requested. If it's a Revoke request, there can only be one Identity ID.

requestType
string or null (AccessRequestType)
Enum: "GRANT_ACCESS" "REVOKE_ACCESS" "MODIFY_ACCESS" null

Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field. MODIFY_ACCESS type is used for updating access expiration dates or other access modifications.

required
Array of objects (Access Request Item) non-empty
object

Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities.

Array of objects or null (RequestedForDtoRef)

Additional submit data structure with requestedFor containing requestedItems allowing distinction for each request item and Identity.

  • Can only be used when 'requestedFor' and 'requestedItems' are not separately provided
  • Adds ability to specify which account the user wants the access on, in case they have multiple accounts on a source
  • Allows the ability to request items with different start dates
  • Allows the ability to request items with different remove dates
  • Also allows different combinations of request items and identities in the same request
  • Only for use in GRANT_ACCESS type requests

Responses

Request samples

Content type
application/json
{
  • "requestedFor": "2c918084660f45d6016617daa9210584",
  • "requestType": "GRANT_ACCESS",
  • "requestedItems": [
    ],
  • "clientMetadata": {
    },
  • "requestedForWithRequestedItems": [
    ]
}

Response samples

Content type
application/json
{
  • "newRequests": [
    ],
  • "existingRequests": [
    ]
}

Cancel access request

This API endpoint cancels a pending access request. An access request can be cancelled only if it has not passed the approval step. In addition to users with ORG_ADMIN, any user who originally submitted the access request may cancel it.

Authorizations:
Personal Access Token
Request Body schema: application/json
accountActivityId
required
string

This refers to the identityRequestId. To successfully cancel an access request, you must provide the identityRequestId.

comment
required
string

Reason for cancelling the pending access request.

Responses

Request samples

Content type
application/json
{
  • "accountActivityId": "2c91808568c529c60168cca6f90c1313",
  • "comment": "I requested this role by mistake."
}

Response samples

Content type
application/json
{ }

Close access request

This endpoint closes access requests that are stuck in a pending state. It can be used throughout a request's lifecycle even after the approval state, unlike the Cancel Access Request endpoint.

To find pending access requests with the UI, navigate to Search and use this query: status: Pending AND "Access Request". Use the Column Chooser to select 'Tracking Number', and use the 'Download' button to export a CSV containing the tracking numbers.

To find pending access requests with the API, use the List Account Activities endpoint.

Input the IDs from either source.

To track the status of endpoint requests, navigate to Search and use this query: name:"Close Identity Requests". Search will include "Close Identity Requests Started" audits when requests are initiated and "Close Identity Requests Completed" audits when requests are completed. The completion audit will list the identity request IDs that finished in error.

This API triggers the Provisioning Completed event trigger for each access request that is closed.

Authorizations:
Personal Access Token
Request Body schema: application/json
accessRequestIds
required
Array of strings

Access Request IDs for the requests to be closed. Accepts 1-500 Identity Request IDs per request.

message
string
Default: "The IdentityNow Administrator manually closed this request."

Reason for closing the access request. Displayed under Warnings in IdentityNow.

executionStatus
string
Default: "Terminated"
Enum: "Terminated" "Completed"

The request's provisioning status. Displayed as Stage in IdentityNow.

completionStatus
string
Default: "Failure"
Enum: "Success" "Incomplete" "Failure"

The request's overall status. Displayed as Status in IdentityNow.

Responses

Request samples

Content type
application/json
{
  • "accessRequestIds": [
    ],
  • "executionStatus": "Terminated",
  • "completionStatus": "Failure",
  • "message": "The IdentityNow Administrator manually closed this request."
}

Response samples

Content type
application/json
{ }

Bulk cancel access request

This API endpoint allows cancelling pending access requests in bulk. Maximum of 50 access request ids can be provided in the request for one single invocation. Only ORG_ADMIN or users with rights "idn:access-request-administration:write" can cancel the access requests in bulk.

Authorizations:
Personal Access Token
Request Body schema: application/json
accessRequestIds
required
Array of strings

List of access requests ids to cancel the pending requests

comment
required
string

Reason for cancelling the pending access request.

Responses

Request samples

Content type
application/json
{
  • "accessRequestIds": [
    ],
  • "comment": "I requested this role by mistake."
}

Response samples

Content type
application/json
{ }

Get accounts selections for identity

Use this API to fetch account information for an identity against the items in an access request.

Used to fetch accountSelection for the AccessRequest prior to submitting for async processing.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
requestedFor
required
Array of strings

A list of Identity IDs for whom the Access is requested.

requestType
string or null (AccessRequestType)
Enum: "GRANT_ACCESS" "REVOKE_ACCESS" "MODIFY_ACCESS" null

Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field. MODIFY_ACCESS type is used for updating access expiration dates or other access modifications.

required
Array of objects (Access Request Item) [ 1 .. 25 ] items
object

Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities.

Responses

Request samples

Content type
application/json
{
  • "requestedFor": "2c918084660f45d6016617daa9210584",
  • "requestType": "GRANT_ACCESS",
  • "requestedItems": [
    ],
  • "clientMetadata": {
    }
}

Response samples

Content type
application/json
{
  • "identities": [
    ]
}

Get access request configuration Deprecated

This endpoint returns the current access-request configuration.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "approvalsMustBeExternal": true,
  • "autoApprovalEnabled": true,
  • "reauthorizationEnabled": true,
  • "requestOnBehalfOfConfig": {
    },
  • "approvalReminderAndEscalationConfig": {
    },
  • "entitlementRequestConfig": {
    }
}

Update access request configuration Deprecated

This endpoint replaces the current access-request configuration.

Authorizations:
Personal Access Token
Request Body schema: application/json
approvalsMustBeExternal
boolean
Default: false

If this is true, approvals must be processed by an external system. Also, if this is true, it blocks Request Center access requests and returns an error for any user who isn't an org admin.

autoApprovalEnabled
boolean
Default: false

If this is true and the requester and reviewer are the same, the request is automatically approved.

reauthorizationEnabled
boolean
Default: false

If this is true, reauthorization will be enforced for appropriately configured access items. Enablement of this feature is currently in a limited state.

object (Request On Behalf Of Config)
object (Approval Reminder And Escalation Config)

Configuration for approval reminder and escalation behavior. Important: Modifying this object will override the sp-approval service's reminderConfig and escalationConfig settings. Changes made here take precedence over any configuration set directly in the sp-approval service.

object (Entitlement Request Config)

Responses

Request samples

Content type
application/json
{
  • "approvalsMustBeExternal": true,
  • "autoApprovalEnabled": true,
  • "reauthorizationEnabled": true,
  • "requestOnBehalfOfConfig": {
    },
  • "approvalReminderAndEscalationConfig": {
    },
  • "entitlementRequestConfig": {
    }
}

Response samples

Content type
application/json
{
  • "approvalsMustBeExternal": true,
  • "autoApprovalEnabled": true,
  • "reauthorizationEnabled": true,
  • "requestOnBehalfOfConfig": {
    },
  • "approvalReminderAndEscalationConfig": {
    },
  • "entitlementRequestConfig": {
    }
}

Access request status

Use this API to return a list of access request statuses based on the specified query parameters. If an access request was made for access that an identity already has, the API ignores the access request. These ignored requests do not display in the list of access request statuses. Any user with any user level can get the status of their own access requests. A user with ORG_ADMIN is required to call this API to get a list of statuses for other users.

Authorizations:
Personal Access Token
query Parameters
requested-for
string
Example: requested-for=2c9180877b2b6ea4017b2c545f971429

Filter the results by the identity the requests were made for. me indicates the current user. Mutually exclusive with regarding-identity.

requested-by
string
Example: requested-by=2c9180877b2b6ea4017b2c545f971429

Filter the results by the identity who made the requests. me indicates the current user. Mutually exclusive with regarding-identity.

regarding-identity
string
Example: regarding-identity=2c9180877b2b6ea4017b2c545f971429

Filter the results by the specified identity who is either the requester or target of the requests. me indicates the current user. Mutually exclusive with requested-for and requested-by.

assigned-to
string
Example: assigned-to=2c9180877b2b6ea4017b2c545f971429

Filter the results by the specified identity who is the owner of the Identity Request Work Item. me indicates the current user.

count
boolean
Default: false

If this is true, the X-Total-Count response header populates with the number of results that would be returned if limit and offset were ignored.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=100

Max number of results to return.

offset
integer <int32> >= 0
Example: offset=10

Offset into the full result set. Usually specified with limit to paginate through the results. Defaults to 0 if not specified.

filters
string
Example: filters=accountActivityItemId eq "2c918086771c86df0177401efcdf54c0"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

accessRequestId: eq, ge, gt, le, lt, ne, sw

accountActivityItemId: eq, in, ge, gt, le, ne, sw

created: eq, ge, gt, le, lt, ne

sorters
string <comma-separated>
Example: sorters=created

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: created, modified, accountActivityItemId, name

request-state
string
Example: request-state=request-state=EXECUTING

Filter the results by the state of the request. The only valid value is EXECUTING.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Access request status for administrators

Use this API to get access request statuses of all the access requests in the org based on the specified query parameters. Any user with user level ORG_ADMIN or scope idn:access-request-administration:read can access this endpoint to get the access request statuses

Authorizations:
Personal Access Token
query Parameters
requested-for
string
Example: requested-for=2c9180877b2b6ea4017b2c545f971429

Filter the results by the identity the requests were made for. me indicates the current user. Mutually exclusive with regarding-identity.

requested-by
string
Example: requested-by=2c9180877b2b6ea4017b2c545f971429

Filter the results by the identity who made the requests. me indicates the current user. Mutually exclusive with regarding-identity.

regarding-identity
string
Example: regarding-identity=2c9180877b2b6ea4017b2c545f971429

Filter the results by the specified identity who is either the requester or target of the requests. me indicates the current user. Mutually exclusive with requested-for and requested-by.

assigned-to
string
Example: assigned-to=2c9180877b2b6ea4017b2c545f971429

Filter the results by the specified identity who is the owner of the Identity Request Work Item. me indicates the current user.

count
boolean
Default: false

If this is true, the X-Total-Count response header populates with the number of results that would be returned if limit and offset were ignored.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=100

Max number of results to return.

offset
integer <int32> >= 0
Example: offset=10

Offset into the full result set. Usually specified with limit to paginate through the results. Defaults to 0 if not specified.

filters
string
Example: filters=accountActivityItemId eq "2c918086771c86df0177401efcdf54c0"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

accountActivityItemId: eq, in, ge, gt, le, lt, ne, isnull, sw

accessRequestId: in, eq, ne, ge, gt, le, lt, sw

status: in, eq, ne

created: eq, in, ge, gt, le, lt, ne, isnull, sw

sorters
string <comma-separated>
Example: sorters=created

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: created, modified, accountActivityItemId, name, accessRequestId

request-state
string
Example: request-state=request-state=EXECUTING

Filter the results by the state of the request. The only valid value is EXECUTING.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Bulk approve access request

This API endpoint allows approving pending access requests in bulk. Maximum of 50 approval ids can be provided in the request for one single invocation. ORG_ADMIN or users with rights "idn:access-request-administration:write" can approve the access requests in bulk.

Authorizations:
Personal Access Token
Request Body schema: application/json
approvalIds
required
Array of strings

List of approval ids to approve the pending requests

comment
required
string

Reason for approving the pending access request.

Responses

Request samples

Content type
application/json
{
  • "accessRequestIds": [
    ],
  • "comment": "I approve these request items"
}

Response samples

Content type
application/json
{ }

Identity entitlement details

Use this API to return the details for a entitlement on an identity including specific data relating to remove date and the ability to revoke the identity.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: 7025c863c2704ba6beeaedf3cb091573

The identity ID.

entitlementId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The entitlement ID

Responses

Response samples

Content type
application/json
{
  • "identityId": "5928c61f-3f2e-417a-8d65-f76451e2050a",
  • "entitlement": {
    },
  • "sourceId": "b56728da-a24d-4177-a207-2bc4d42cba27",
  • "accountTargets": [
    ]
}

Account Activities

Use this API to implement account activity tracking functionality. With this functionality in place, users can track source account activity in Identity Security Cloud, which greatly improves traceability in the system.

An account activity refers to a log of each action performed on a source account. This is useful for auditing the changes performed on an account throughout its life. In Identity Security Cloud's Search, users can search for account activities and select the activity's row to get an overview of the activity's account action and view its progress, its involved sources, and its most basic metadata, such as the identity requesting the option and the recipient.

Account activity includes most actions Identity Security Cloud completes on source accounts. Users can search in Identity Security Cloud for the following account action types:

  • Access Request: These include any access requests the source account is involved in.

  • Account Attribute Updates: These include updates to a single attribute on an account on a source.

  • Account State Update: These include locking or unlocking actions on an account on a source.

  • Certification: These include actions removing an entitlement from an account on a source as a result of the entitlement's revocation during a certification.

  • Cloud Automated Lifecyclestate: These include automated lifecycle state changes that result in a source account's correlated identity being assigned to a different lifecycle state. Identity Security Cloud replaces the Lifecyclestate variable with the name of the lifecycle state it has moved the account's identity to.

  • Identity Attribute Update: These include updates to a source account's correlated identity attributes as the result of a provisioning action. When you update an identity attribute that also updates an identity's lifecycle state, the cloud automated Lifecyclestate event also displays. Account Activity does not include attribute updates that occur as a result of aggregation.

  • Identity Refresh: These include correlated identity refreshes that occur for an account on a source whenever the account's correlated identity profile gets a new role or updates. These also include refreshes that occur whenever Identity Security Cloud assigns an application to the account's correlated identity based on the application's being assigned to All Users From Source or Specific Users From Source.

  • Lifecycle State Refresh: These include the actions that took place when a lifecycle state changed. This event only occurs after a cloud automated Lifecyclestate change or a lifecycle state change.

  • Lifecycle State Change: These include the account activities that result from an identity's manual assignment to a null lifecycle state.

  • Password Change: These include password changes on sources.

Refer to Account Activity for more information about account activities.

List account activities

This gets a collection of account activities that satisfy the given query parameters.

Authorizations:
Personal Access Token
query Parameters
requested-for
string
Example: requested-for=2c91808568c529c60168cca6f90c1313

The identity that the activity was requested for. me indicates the current user. Mutually exclusive with regarding-identity.

requested-by
string
Example: requested-by=2c91808568c529c60168cca6f90c1313

The identity that requested the activity. me indicates the current user. Mutually exclusive with regarding-identity.

regarding-identity
string
Example: regarding-identity=2c91808568c529c60168cca6f90c1313

The specified identity will be either the requester or target of the account activity. me indicates the current user. Mutually exclusive with requested-for and requested-by.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=type eq "Identity Refresh"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

type: eq, in, ge, le, lt, ne, isnull, sw

created: gt, lt, ge, le, eq, in, ne, isnull, sw

modified: gt, lt, ge, le, eq, in, ne, isnull, sw

sorters
string <comma-separated>
Example: sorters=created

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: type, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get an account activity

This gets a single account activity by its id.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The account activity id

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "name": "2c9180835d2e5168015d32f890ca1581",
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "completed": "2018-10-19T13:49:37.385Z",
  • "completionStatus": "SUCCESS",
  • "type": "appRequest",
  • "requesterIdentitySummary": {
    },
  • "targetIdentitySummary": {
    },
  • "errors": [
    ],
  • "warnings": [
    ],
  • "items": [
    ],
  • "executionStatus": "COMPLETED",
  • "clientMetadata": {
    }
}

Account Aggregations

Use this API to implement account aggregation progress tracking functionality. With this functionality in place, administrators can view in-progress account aggregations, their statuses, and their relevant details.

An account aggregation refers to the process Identity Security Cloud uses to gather and load account data from a source into Identity Security Cloud.

Whenever Identity Security Cloud is in the process of aggregating a source, it adds an entry to the Aggregation Activity Log, along with its relevant details. To view aggregation activity, administrators can select the Connections drop-down menu, select Sources, and select the relevant source, select its Import Data tab, and select Account Aggregation. In Account Aggregation, administrators can view the account aggregations' statuses and details in the Account Activity Log.

Refer to Loading Account Data for more information about account aggregations.

If you are looking for the endpoint for account aggregations in a source, click here

In-progress account aggregation status

This API returns the status of an in-progress account aggregation, along with the total number of NEW, CHANGED and DELETED accounts found since the previous aggregation, and the number of those accounts that have been processed so far.

Accounts that have not changed since the previous aggregation are not included in totalAccounts and processedAccounts counts returned by this API. This is distinct from Accounts Scanned shown in the Aggregation UI, which indicates total accounts scanned regardless of whether they changed or not.

Since this endpoint reports on the status of an in-progress account aggregation, totalAccounts and processedAccounts may change between calls to this endpoint.

Only available up to an hour after the aggregation completes. May respond with 404 Not Found after that. required to call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808477a6b0c60177a81146b8110b

The account aggregation id

Responses

Response samples

Content type
application/json
{
  • "start": "2021-01-31T14:30:05.104Z",
  • "status": "ACCOUNTS_COLLECTED",
  • "totalAccounts": 520,
  • "processedAccounts": 150,
  • "totalAccountsMarkedForDeletion": 10,
  • "deletedAccounts": 5,
  • "totalIdentities": 300,
  • "processedIdentities": 250
}

Account Usages

Use this API to implement account usage insight functionality. With this functionality in place, administrators can gather information and insights about how their tenants' source accounts are being used. This allows organizations to get the information they need to start optimizing and securing source account usage.

Returns account usage insights

This API returns a summary of account usage insights for past 12 months.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
accountId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

ID of IDN account

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=-date

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: date

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Accounts

Use this API to implement and customize account functionality. With this functionality in place, administrators can manage users' access across sources in Identity Security Cloud.

In Identity Security Cloud, an account refers to a user's account on a supported source. This typically includes a unique identifier for the user, a unique password, a set of permissions associated with the source and a set of attributes. Identity Security Cloud loads accounts through the creation of sources in Identity Security Cloud.

Administrators can correlate users' identities with the users' accounts on the different sources they use. This allows Identity Security Cloud to govern the access of identities and all their correlated accounts securely and cohesively.

To view the accounts on a source and their correlated identities, administrators can use the Connections drop-down menu, select Sources, select the relevant source, and select its Account tab.

To view and edit source account statuses for an identity in Identity Security Cloud, administrators can use the Identities drop-down menu, select Identity List, select the relevant identity, and select its Accounts tab. Administrators can toggle an account's Actions to aggregate the account, enable/disable it, unlock it, or remove it from the identity.

Accounts can have the following statuses:

  • Enabled: The account is enabled. The user can access it.

  • Disabled: The account is disabled, and the user cannot access it, but the identity is not disabled in Identity Security Cloud. This can occur when an administrator disables the account or when the user's lifecycle state changes.

  • Locked: The account is locked. This may occur when someone has entered an incorrect password for the account too many times.

  • Pending: The account is currently updating. This status typically lasts seconds.

Administrators can select the source account to view its attributes, entitlements, and the last time the account's password was changed.

Refer to Managing User Accounts for more information about accounts.

Accounts list

List accounts.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

detailLevel
string
Enum: "SLIM" "FULL"
Example: detailLevel=FULL

This value determines whether the API provides SLIM or increased level of detail (FULL) for each account in the returned list. FULL is the default behavior.

filters
string
Example: filters=identityId eq "2c9180858082150f0180893dbaf44201"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in, sw

identityId: eq, in, sw

name: eq, in, sw

nativeIdentity: eq, in, sw

hasEntitlements: eq

sourceId: eq, in, sw

uncorrelated: eq

entitlements: eq

origin: eq, in

manuallyCorrelated: eq

identity.name: eq, in, sw

identity.correlated: eq

identity.identityState: eq, in

source.displayableName: eq, in

source.authoritative: eq

source.connectionType: eq, in

recommendation.method: eq, in, isnull

recommendation.type: eq, in, isnull

created: eq, ge, gt, le, lt

modified: eq, ge, gt, le, lt

sorters
string <comma-separated>
Example: sorters=id,name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified, sourceId, identityId, nativeIdentity, uuid, manuallyCorrelated, entitlements, origin, identity.name, identity.identityState, identity.correlated, source.displayableName, source.authoritative, source.connectionType

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create account

Submit an account creation task - the API then returns the task ID.

You must include the sourceId where the account will be created in the attributes object.

This endpoint creates an account on the source record in your ISC tenant. This is useful for Flat File (DelimitedFile) type sources because it allows you to aggregate new accounts without needing to import a new CSV file every time.

However, if you use this endpoint to create an account for a Direct Connection type source, you must ensure that the account also exists on the target source. The endpoint doesn't actually provision the account on the target source, which means that if the account doesn't also exist on the target source, an aggregation between the source and your tenant will remove it from your tenant.

By providing the account ID of an existing account in the request body, this API will function as a PATCH operation and update the account.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
required
object

The schema attribute values for the account

Responses

Request samples

Content type
application/json
{
  • "attributes": {
    }
}

Response samples

Content type
application/json
{
  • "id": "2c91808474683da6017468693c260195"
}

Account details

Use this API to return the details for a single account by its ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Account ID.

Responses

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "sourceId": "2c9180835d2e5168015d32f890ca1581",
  • "sourceName": "Employees",
  • "identityId": "2c9180835d2e5168015d32f890ca1581",
  • "cloudLifecycleState": "active",
  • "identityState": "ACTIVE",
  • "connectionType": "direct",
  • "isMachine": true,
  • "recommendation": {
    },
  • "attributes": {
    },
  • "authoritative": false,
  • "description": null,
  • "disabled": false,
  • "locked": false,
  • "nativeIdentity": "552775",
  • "systemAccount": false,
  • "uncorrelated": false,
  • "uuid": "{b0dce506-d6d4-44d2-8a32-d9a5b21fb175}",
  • "manuallyCorrelated": false,
  • "hasEntitlements": true,
  • "identity": {
    },
  • "sourceOwner": {
    },
  • "features": "ENABLE",
  • "origin": "AGGREGATED",
  • "ownerIdentity": {
    }
}

Update account

Use this API to update account details.

This API supports updating an account's correlation by modifying the identityId and manuallyCorrelated fields. To reassign an account from one identity to another, replace the current identityId with a new value. If the account you're assigning was provisioned by Identity Security Cloud (ISC), it's possible for ISC to create a new account for the previous identity as soon as the account is moved. If the account you're assigning is authoritative, this causes the previous identity to become uncorrelated and can even result in its deletion. All accounts that are reassigned will be set to manuallyCorrelated: true unless you specify otherwise.

Note: The attributes field can only be modified for flat file accounts.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Account ID.

Request Body schema: application/json-patch+json

A list of account update operations according to the JSON Patch standard.

Array
object

Responses

Request samples

Content type
application/json-patch+json
Example

Remove account from Identity

[
  • {
    }
]

Response samples

Content type
application/json
{ }

Update account

Use this API to update an account with a PUT request.

This endpoint submits an account update task and returns the task ID.

Note: You can only use this PUT endpoint to update accounts from flat file sources.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Account ID.

Request Body schema: application/json
required
object

The schema attribute values for the account

Responses

Request samples

Content type
application/json
{
  • "attributes": {
    }
}

Response samples

Content type
application/json
{
  • "id": "2c91808474683da6017468693c260195"
}

Delete account

Use this API to delete an account. This endpoint submits an account delete task and returns the task ID. This endpoint only deletes the account from IdentityNow, not the source itself, which can result in the account's returning with the next aggregation between the source and IdentityNow. To avoid this scenario, it is recommended that you disable accounts rather than delete them. This will also allow you to reenable the accounts in the future.

NOTE: You can only delete accounts from sources of the "DelimitedFile" type.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Account ID.

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808474683da6017468693c260195"
}

Account entitlements

This API returns entitlements of the account.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The account id

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Reload account

This API asynchronously reloads the account directly from the connector and performs a one-time aggregation process.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The account id

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808474683da6017468693c260195"
}

Enable account

This API submits a task to enable account and returns the task ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The account id

Request Body schema: application/json
externalVerificationId
string

If set, an external process validates that the user wants to proceed with this request.

forceProvisioning
boolean

If set, provisioning updates the account attribute at the source. This option is used when the account is not synced to ensure the attribute is updated. Providing 'true' for an unlocked account will add and process 'Unlock' operation by the workflow.

Responses

Request samples

Content type
application/json
{
  • "externalVerificationId": "3f9180835d2e5168015d32f890ca1581",
  • "forceProvisioning": false
}

Response samples

Content type
application/json
{
  • "id": "2c91808474683da6017468693c260195"
}

Disable account

This API submits a task to disable the account and returns the task ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The account id

Request Body schema: application/json
externalVerificationId
string

If set, an external process validates that the user wants to proceed with this request.

forceProvisioning
boolean

If set, provisioning updates the account attribute at the source. This option is used when the account is not synced to ensure the attribute is updated. Providing 'true' for an unlocked account will add and process 'Unlock' operation by the workflow.

Responses

Request samples

Content type
application/json
{
  • "externalVerificationId": "3f9180835d2e5168015d32f890ca1581",
  • "forceProvisioning": false
}

Response samples

Content type
application/json
{
  • "id": "2c91808474683da6017468693c260195"
}

Unlock account

This API submits a task to unlock an account and returns the task ID.
To use this endpoint to unlock an account that has the forceProvisioning option set to true, the idn:accounts-provisioning:manage scope is required.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The account ID.

Request Body schema: application/json
externalVerificationId
string

If set, an external process validates that the user wants to proceed with this request.

unlockIDNAccount
boolean

If set, the IDN account is unlocked after the workflow completes.

forceProvisioning
boolean

If set, provisioning updates the account attribute at the source. This option is used when the account is not synced to ensure the attribute is updated.

Responses

Request samples

Content type
application/json
{
  • "externalVerificationId": "3f9180835d2e5168015d32f890ca1581",
  • "unlockIDNAccount": false,
  • "forceProvisioning": false
}

Response samples

Content type
application/json
{
  • "id": "2c91808474683da6017468693c260195"
}

Remove account

Use this endpoint to remove accounts from the system without provisioning changes to the source. Accounts that are removed could be re-created during the next aggregation.

This endpoint is good for:

  • Removing accounts that no longer exist on the source.
  • Removing accounts that won't be aggregated following updates to the source configuration.
  • Forcing accounts to be re-created following the next aggregation to re-run account processing, support testing, etc.
Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: c350d6aa4f104c61b062cb632421ad10

The account id

Responses

Response samples

Content type
application/json
{
  • "type": "TASK_RESULT",
  • "id": "464ae7bf791e49fdb74606a2e4a89635",
  • "name": null
}

Enable idn account for identity

This API submits a task to enable IDN account for a single identity.

Learn more about enabling identities here
Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808384203c2d018437e631158309

The identity id.

Responses

Response samples

Content type
application/json
{ }

Disable idn account for identity

This API submits a task to disable IDN account for a single identity.

Learn more about disabling identities here
Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808384203c2d018437e631158309

The identity id.

Responses

Response samples

Content type
application/json
{ }

Enable idn accounts for identities

This API submits tasks to enable IDN account for each identity provided in the request body.

Learn more about enabling identities here
Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
identityIds
Array of strings

The ids of the identities for which enable/disable accounts.

Responses

Request samples

Content type
application/json
{
  • "identityIds": [
    ]
}

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Disable idn accounts for identities

This API submits tasks to disable IDN account for each identity provided in the request body.

Learn more about disabling identities here
Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
identityIds
Array of strings

The ids of the identities for which enable/disable accounts.

Responses

Request samples

Content type
application/json
{
  • "identityIds": [
    ]
}

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Api Usage

Use this API to retrieve metrics about an org's API usage. With this functionality in place, administrators can monitor the usage of APIs within a specified timespan, as well as a breakdown of commonly-used APIs sorted by number of requests.

Total number of API requests

This API gets an aggregated number of all API calls from an org in a specific timespan. Unless specified, the results are aggregated between the first day of the current month and today.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
filters
string
Example: filters=method eq "GET", startDate gt "2025-08-01"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

method: eq

startDate: gt, eq

endDate: lt, eq

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "NumberOfCalls": 1000
}

Get Api Summary

This API gets a list of APIs called by the org in a specific timespan, sorted by number of calls. Unless specified, the results are aggregated between the first day of the current month and today.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
filters
string
Example: filters=method eq "GET", startDate gt "2025-08-01"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

method: eq

startDate: gt, eq

endDate: lt, eq

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=100

Max number of results to return.

offset
integer <int32> >= 0
Example: offset=10

Offset into the full result set. Usually specified with limit to paginate through the results. Defaults to 0 if not specified.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Application Discovery

Use this API to implement application discovery functionality. With this functionality in place, you can discover applications within your Okta connector and receive connector recommendations by manually uploading application names.

Start Application Discovery

Use this API to discover applications.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
datasetIds
required
Array of strings

List of dataset Ids to discover applications

Responses

Request samples

Content type
application/json
{
  • "datasetIds": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "8886e5e3-63d0-462f-a195-d98da885b8dc",
  • "type": "QUARTZ",
  • "uniqueName": "Application Discovery - ID123",
  • "description": "Application Discovery - From given dataset IDs",
  • "parentName": "Parent Task",
  • "launcher": "System",
  • "target": {
    },
  • "created": "2020-07-11T21:23:15.000Z",
  • "modified": "2020-07-11T21:23:15.000Z",
  • "launched": "2020-07-11T21:23:15.000Z",
  • "completed": "2020-07-11T21:23:15.000Z",
  • "taskDefinitionSummary": {
    },
  • "completionStatus": "SUCCESS",
  • "messages": [
    ],
  • "returns": [
    ],
  • "attributes": {
    },
  • "progress": "Started",
  • "percentComplete": 100
}

Get discovered applications for tenant

Get a list of applications that have been identified within the environment. This includes details such as application names, discovery dates, potential correlated saas_vendors and related suggested connectors.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

detail
string
Enum: "SLIM" "FULL"
Example: detail=FULL

Determines whether slim, or increased level of detail is provided for each discovered application in the returned list. SLIM is the default behavior.

filter
string
Example: filter=name eq "Okta" and description co "Okta" and discoverySource in ("csv", "Okta Saas")

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: eq, sw, co

description: eq, sw, co

createdAtStart: eq, le, ge

createdAtEnd: eq, le, ge

discoveredAtStart: eq, le, ge

discoveredAtEnd: eq, le, ge

discoverySource: eq, in

discoverySourceName: eq, in

discoverySourceCategory: eq, in

sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, description, discoveredAt, discoverySource, discoverySourceName, discoverySourceCategory

Responses

Response samples

Content type
application/json
Example

List of discovered applications

[
  • {
    },
  • {
    },
  • {
    }
]

Download csv template for discovery

Download an example CSV file with two columns application_name and description. The CSV file contains a single row with the values 'Example Application' and 'Example Description'.

The downloaded template is specifically designed for use with the /manual-discover-applications endpoint.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
text/csv
application_name,description
Example Application,Example Description

Upload csv to discover applications

Uploading a CSV file with application data for manual correlation to specific ISC connectors. If a suitable ISC connector is unavailable, the system will recommend generic connectors instead.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: multipart/form-data
file
required
string <binary>

The CSV file to upload containing application_name and description columns. Each row represents an application to be discovered.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Approvals

Use this API to implement approval functionality. With this functionality in place, you can get generic approvals and modify them.

The main advantages this API has vs Access Request Approvals are that you can use it to get generic approvals individually or in batches and make changes to those approvals.

Get approvals

Gets a list of approvals.

One of the following query parameters should be present: 'mine', 'approverId', 'requesterId', 'requesteeId'.

The absence of all query parameters for non admins will default to mine=true (which is the equivalent of 'approverId=[your_identity_id]') while admins will default to mine=false (which will show all approvals in the org).

For lookups by access request ID please use the following:

'/generic-approvals?mine=false&filters=referenceType+eq+"accessRequestId"+and+referenceId+eq+"12345678901234567890123456789012"'

Authorizations:
Personal Access Token
query Parameters
mine
boolean
Default: false
Example: mine=true

Determines whether to return the list of approvals assigned to the current caller or all approvals in the org. Defaults to false if admin, true otherwise (which is the equivalent of 'approverId=[your_identity_id]').

requesterId
string
Example: requesterId=17e633e7d57e481569df76323169deb6a

Returns the list of approvals for a given requester ID. Must match the calling user's identity ID unless they are an admin.

requesteeId
string
Example: requesteeId=27e6334g757e481569df76323169db9sc

Returns the list of approvals for a given requesteeId ID. Must match the calling user's identity ID unless they are an admin.

approverId
string
Example: approverId=37e6334g557e481569df7g2d3169db9sb

Returns the list of approvals for a given approverId ID. Must match the calling user's identity ID unless they are an admin.

count
boolean
Default: false
Example: count=true

Adds X-Total-Count to the header to give the amount of total approvals returned from the query.

count-only
boolean
Default: false
Example: count-only=true

Adds X-Total-Count to the header to give the amount of total approvals returned from the query. Only returns the count and no approval objects.

include-comments
boolean
Default: false
Example: include-comments=true

If set to true in the query, the approval requests returned will include comments.

include-approvers
boolean
Default: false
Example: include-approvers=true

If set to true in the query, the approval requests returned will include approvers.

include-reassignment-history
boolean
Default: false
Example: include-reassignment-history=true

If set to true in the query, the approval requests returned will include reassignment history.

include-batch-info
boolean
Default: false
Example: include-batch-info=true

If set to true in the query, the approval requests returned will include batch information.

filters
string
Example: filters=filters=status eq "PENDING" and type eq "ACCESS_REQUEST_APPROVAL"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

status: eq, ne, in, co, sw

name: eq, ne, in, co, sw

priority: eq, ne, in, co, sw

type: eq, ne, in, co, sw

medium: eq, ne, in, co, sw

description: eq, ne, in, co, sw

batchId: eq, ne, in, co, sw

createdDate: eq, ne, in, co, sw, gt, ge, lt, le

dueDate: eq, ne, in, co, sw, gt, ge, lt, le

completedDate: eq, ne, in, co, sw, gt, ge, lt, le

search: eq, ne, in, co, sw

referenceId: eq, ne, in, co, sw

referenceType: eq, ne, in, co, sw

referenceName: eq, ne, in, co, sw

requestedTargetId: eq, ne, in, co, sw

requestedTargetType: eq, ne, in, co, sw

requestedTargetName: eq, ne, in, co, sw

requestedTargetRequestType: eq, ne, in, co, sw

modifiedDate: eq, ne, in, co, sw, gt, ge, lt, le

decisionDate: eq, ne, in, co, sw, gt, ge, lt, le

approvalId: eq, ne, in, co, sw

requesterId: eq, ne, in, co, sw

requesteeId: eq, ne, in, co, sw

approverId: eq, ne, in, co, sw

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get an approval

Fetches an approval request by it's approval ID. For lookups by access request ID please use the following: /generic-approvals?filters=referenceType+eq+"accessRequestId"+and+referenceId+eq+"12345678901234567890123456789012"

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 38453251-6be2-5f8f-df93-5ce19e295837

ID of the approval that is to be returned

Responses

Response samples

Content type
application/json
{
  • "id": "38453251-6be2-5f8f-df93-5ce19e295837",
  • "tenantId": "38453251-6be2-5f8f-df93-5ce19e295837",
  • "type": "ENTITLEMENT_DESCRIPTIONS",
  • "approvers": [
    ],
  • "createdDate": "2023-04-12T23:20:50.52Z",
  • "dueDate": "2024-05-12T23:10:50.11Z",
  • "escalationStep": 0,
  • "serialStep": 0,
  • "isEscalated": true,
  • "name": [
    ],
  • "batchRequest": {
    },
  • "approvalConfig": {
    },
  • "description": [
    ],
  • "medium": "EMAIL",
  • "priority": "HIGH",
  • "requester": {
    },
  • "requestee": {
    },
  • "comments": [
    ],
  • "approvedBy": [
    ],
  • "rejectedBy": [
    ],
  • "assignedTo": [
    ],
  • "completedDate": "2023-04-12T23:20:50.52Z",
  • "approvalCriteria": {
    },
  • "additionalAttributes": "{ \"llm_description\": \"generated description\" }",
  • "referenceData": [
    ],
  • "reassignmentHistory": [
    ],
  • "staticAttributes": {
    },
  • "modifiedDate": "2023-10-01T12:34:56.789Z",
  • "requestedTarget": [
    ]
}

Post Approvals Approve

Approves a specified approval request on behalf of the caller. The approval request must be in a state that allows it to be approved. This endpoint does not support access request IDs. If called by an admin and the admin is not listed as an approver, the approval request will be reassigned from a random approver to the admin user.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 38453251-6be2-5f8f-df93-5ce19e295837

Approval ID that correlates to an existing approval request that a user wants to approve.

Request Body schema: application/json
object

Additional attributes as key-value pairs that are not part of the standard schema but can be included for custom data.

comment
string

Comment associated with the request.

Responses

Request samples

Content type
application/json
{
  • "additionalAttributes": {
    },
  • "comment": "comment"
}

Response samples

Content type
application/json
{
  • "id": "38453251-6be2-5f8f-df93-5ce19e295837",
  • "tenantId": "38453251-6be2-5f8f-df93-5ce19e295837",
  • "type": "ENTITLEMENT_DESCRIPTIONS",
  • "approvers": [
    ],
  • "createdDate": "2023-04-12T23:20:50.52Z",
  • "dueDate": "2024-05-12T23:10:50.11Z",
  • "escalationStep": 0,
  • "serialStep": 0,
  • "isEscalated": true,
  • "name": [
    ],
  • "batchRequest": {
    },
  • "approvalConfig": {
    },
  • "description": [
    ],
  • "medium": "EMAIL",
  • "priority": "HIGH",
  • "requester": {
    },
  • "requestee": {
    },
  • "comments": [
    ],
  • "approvedBy": [
    ],
  • "rejectedBy": [
    ],
  • "assignedTo": [
    ],
  • "completedDate": "2023-04-12T23:20:50.52Z",
  • "approvalCriteria": {
    },
  • "additionalAttributes": "{ \"llm_description\": \"generated description\" }",
  • "referenceData": [
    ],
  • "reassignmentHistory": [
    ],
  • "staticAttributes": {
    },
  • "modifiedDate": "2023-10-01T12:34:56.789Z",
  • "requestedTarget": [
    ]
}

Post Approvals Attributes

Allows for the edit/addition/removal of the key/value pair additional attributes map for an existing approval request. This endpoint does not support access request IDs.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 38453251-6be2-5f8f-df93-5ce19e295837

Approval ID that correlates to an existing approval request that a user wants to change the attributes of.

Request Body schema: application/json
object

Additional attributes as key-value pairs that are not part of the standard schema but can be included for custom data.

comment
string

Comment associated with the request.

removeAttributeKeys
Array of strings

List of attribute keys to be removed.

Responses

Request samples

Content type
application/json
{
  • "additionalAttributes": {
    },
  • "comment": "comment",
  • "removeAttributeKeys": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "38453251-6be2-5f8f-df93-5ce19e295837",
  • "tenantId": "38453251-6be2-5f8f-df93-5ce19e295837",
  • "type": "ENTITLEMENT_DESCRIPTIONS",
  • "approvers": [
    ],
  • "createdDate": "2023-04-12T23:20:50.52Z",
  • "dueDate": "2024-05-12T23:10:50.11Z",
  • "escalationStep": 0,
  • "serialStep": 0,
  • "isEscalated": true,
  • "name": [
    ],
  • "batchRequest": {
    },
  • "approvalConfig": {
    },
  • "description": [
    ],
  • "medium": "EMAIL",
  • "priority": "HIGH",
  • "requester": {
    },
  • "requestee": {
    },
  • "comments": [
    ],
  • "approvedBy": [
    ],
  • "rejectedBy": [
    ],
  • "assignedTo": [
    ],
  • "completedDate": "2023-04-12T23:20:50.52Z",
  • "approvalCriteria": {
    },
  • "additionalAttributes": "{ \"llm_description\": \"generated description\" }",
  • "referenceData": [
    ],
  • "reassignmentHistory": [
    ],
  • "staticAttributes": {
    },
  • "modifiedDate": "2023-10-01T12:34:56.789Z",
  • "requestedTarget": [
    ]
}

Post Approvals Comments

Adds comments to a specified approval request. This endpoint does not support access request IDs.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 38453251-6be2-5f8f-df93-5ce19e295837

Approval ID that correlates to an existing approval request that a user wants to add a comment to.

Request Body schema: application/json
comment
string

Comment associated with the request.

Responses

Request samples

Content type
application/json
{
  • "comment": "Approval comment."
}

Response samples

Content type
application/json
{
  • "id": "38453251-6be2-5f8f-df93-5ce19e295837",
  • "tenantId": "38453251-6be2-5f8f-df93-5ce19e295837",
  • "type": "ENTITLEMENT_DESCRIPTIONS",
  • "approvers": [
    ],
  • "createdDate": "2023-04-12T23:20:50.52Z",
  • "dueDate": "2024-05-12T23:10:50.11Z",
  • "escalationStep": 0,
  • "serialStep": 0,
  • "isEscalated": true,
  • "name": [
    ],
  • "batchRequest": {
    },
  • "approvalConfig": {
    },
  • "description": [
    ],
  • "medium": "EMAIL",
  • "priority": "HIGH",
  • "requester": {
    },
  • "requestee": {
    },
  • "comments": [
    ],
  • "approvedBy": [
    ],
  • "rejectedBy": [
    ],
  • "assignedTo": [
    ],
  • "completedDate": "2023-04-12T23:20:50.52Z",
  • "approvalCriteria": {
    },
  • "additionalAttributes": "{ \"llm_description\": \"generated description\" }",
  • "referenceData": [
    ],
  • "reassignmentHistory": [
    ],
  • "staticAttributes": {
    },
  • "modifiedDate": "2023-10-01T12:34:56.789Z",
  • "requestedTarget": [
    ]
}

Post Approvals Reassign

Reassigns an approval request to another identity resulting in that identity being added as an authorized approver. This endpoint does not support access request IDs.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 38453251-6be2-5f8f-df93-5ce19e295837

Approval ID that correlates to an existing approval request that a user wants to reassign.

Request Body schema: application/json
comment
string

Comment associated with the reassign request.

reassignFrom
string

Identity from which the approval is being reassigned. If left blank, and the approval is currently assigned to the user calling this endpoint, it will use the calling user's identity. If left blank, and the approval is not currently assigned to the user calling this endpoint, you need to be an admin, which would add the reassignTo as a new approver.

reassignTo
string

Identity to which the approval is being reassigned.

Responses

Request samples

Content type
application/json
{
  • "comment": "comment",
  • "reassignFrom": "384532516be25f8fdf935ce19e295837",
  • "reassignTo": "152354832eb6f8f539fd738592e19ec5"
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Post Approvals Reject

Rejects a specified approval request on behalf of the caller. This endpoint does not support access request IDs. If called by an admin and the admin is not listed as an approver, the approval request will be reassigned from a random approver to the admin user and approved.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 38453251-6be2-5f8f-df93-5ce19e295837

Approval ID that correlates to an existing approval request that a user wants to reject.

Request Body schema: application/json
comment
string

Comment associated with the reject request.

Responses

Request samples

Content type
application/json
{
  • "comment": "string"
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get Approval Config

Retrieves a singular approval configuration that matches the given ID

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 1.2345678901234567e+31

The id of the object the config applies to, for example one of the following: [(approvalID), (roleID), (entitlementID), (accessProfileID), "ENTITLEMENT_DESCRIPTIONS", "ACCESS_REQUEST_APPROVAL", "ACCOUNT_CREATE_APPROVAL_REQUEST", "ACCOUNT_DELETE_APPROVAL_REQUEST", "MACHINE_ACCOUNT_CREATE_APPROVAL_REQUEST", "MACHINE_ACCOUNT_DELETE_APPROVAL_REQUEST", (tenantID)]

Responses

Response samples

Content type
application/json
{
  • "reminderConfig": {
    },
  • "escalationConfig": {
    },
  • "timeoutConfig": {
    },
  • "cronTimezone": {
    },
  • "serialChain": [
    ],
  • "requiresComment": "ALL",
  • "fallbackApprover": {
    },
  • "machineIdentityManagerAssignment": "MACHINE_IDENTITY_OWNER",
  • "circumventApprovalProcess": false,
  • "autoApprove": "OFF"
}

Put Approval Config

Upserts a singular approval configuration that matches the given configID and configScope. For example to update the approval configurations for all Access Request Approvals please use: '/generic-approvals/config/ACCESS_REQUEST_APPROVAL/APPROVAL_TYPE'

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ACCESS_REQUEST_APPROVAL

The ID defined by the scope field, where [[id]]:[[scope]] is the following [[roleID]]:ROLE [[entitlementID]]:ENTITLEMENT [[accessProfileID]]:ACCESS_PROFILE ENTITLEMENT_DESCRIPTIONS:APPROVAL_TYPE ACCESS_REQUEST_APPROVAL:APPROVAL_TYPE ACCOUNT_CREATE_APPROVAL_REQUEST:APPROVAL_TYPE ACCOUNT_DELETE_APPROVAL_REQUEST:APPROVAL_TYPE MACHINE_ACCOUNT_CREATE_APPROVAL_REQUEST:APPROVAL_TYPE MACHINE_ACCOUNT_DELETE_APPROVAL_REQUEST:APPROVAL_TYPE [[tenantID]]:TENANT [[domainObjectID]]:DOMAIN_OBJECT

scope
required
string
Enum: "DOMAIN_OBJECT" "ROLE" "ACCESS_PROFILE" "ENTITLEMENT" "APPROVAL_TYPE" "TENANT"
Example: APPROVAL_TYPE

The scope of the field, where [[id]]:[[scope]] is the following [[roleID]]:ROLE [[entitlementID]]:ENTITLEMENT [[accessProfileID]]:ACCESS_PROFILE ENTITLEMENT_DESCRIPTIONS:APPROVAL_TYPE ACCESS_REQUEST_APPROVAL:APPROVAL_TYPE ACCOUNT_CREATE_APPROVAL_REQUEST:APPROVAL_TYPE ACCOUNT_DELETE_APPROVAL_REQUEST:APPROVAL_TYPE MACHINE_ACCOUNT_CREATE_APPROVAL_REQUEST:APPROVAL_TYPE MACHINE_ACCOUNT_DELETE_APPROVAL_REQUEST:APPROVAL_TYPE [[tenantID]]:TENANT [[domainObjectID]]:DOMAIN_OBJECT

Request Body schema: application/json
object

Configuration for reminders.

object

Configuration for escalations.

object

TimeoutConfig contains configurations around when the approval request should expire.

object

Timezone configuration for cron schedules.

Array of objects

If the approval request has an approvalCriteria of SERIAL this chain will be used to determine the assignment order.

requiresComment
string
Enum: "APPROVAL" "REJECTION" "ALL" "OFF"

Determines whether a comment is required when approving or rejecting the approval request.

object

Configuration for fallback approver. Used if the user cannot be found for whatever reason and escalation config does not exist.

machineIdentityManagerAssignment
string
Default: "MANAGER_OF_REQUESTER"
Enum: "MANAGER_OF_REQUESTER" "MACHINE_IDENTITY_OWNER" "MANAGER_OF_MACHINE_IDENTITY_OWNER" "REQUESTED_TARGET_OWNER" "MANAGER_OF_REQUESTED_TARGET_OWNER" "ACCOUNT_OWNER" "MANAGER_OF_ACCOUNT_OWNER"

Specifies how to treat the identity type "MANAGER_OF" when the requestee is a machine identity.

circumventApprovalProcess
boolean
Default: false

When true, all approvals will be created with the status "PASSED".

autoApprove
string
Enum: "OFF" "DIRECT" "INDIRECT"

OFF will prevent the approval request from being assigned to the requester or requestee by assigning it to their manager instead. DIRECT will cause approval requests to be auto-approved when assigned directly and only to the requester. INDIRECT will auto-approve when the requester appears anywhere in the list of approvers, including in a governance group. This field will only be effective if requestedTarget.reauthRequired is set to false, otherwise the approval will have to be manually approved.

Responses

Request samples

Content type
application/json
{
  • "reminderConfig": {
    },
  • "escalationConfig": {
    },
  • "timeoutConfig": {
    },
  • "cronTimezone": {
    },
  • "serialChain": [
    ],
  • "requiresComment": "ALL",
  • "fallbackApprover": {
    },
  • "machineIdentityManagerAssignment": "MACHINE_IDENTITY_OWNER",
  • "circumventApprovalProcess": false,
  • "autoApprove": "OFF"
}

Response samples

Content type
application/json
{
  • "reminderConfig": {
    },
  • "escalationConfig": {
    },
  • "timeoutConfig": {
    },
  • "cronTimezone": {
    },
  • "serialChain": [
    ],
  • "requiresComment": "ALL",
  • "fallbackApprover": {
    },
  • "machineIdentityManagerAssignment": "MACHINE_IDENTITY_OWNER",
  • "circumventApprovalProcess": false,
  • "autoApprove": "OFF"
}

Delete Approval Configuration

Deletes an approval configuration. Configurations at the APPROVAL_REQUEST scope cannot be deleted.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ACCESS_REQUEST_APPROVAL

The ID defined by the scope field, where [[id]]:[[scope]] is the following [[roleID]]:ROLE [[entitlementID]]:ENTITLEMENT [[accessProfileID]]:ACCESS_PROFILE ENTITLEMENT_DESCRIPTIONS:APPROVAL_TYPE ACCESS_REQUEST_APPROVAL:APPROVAL_TYPE ACCOUNT_CREATE_APPROVAL_REQUEST:APPROVAL_TYPE ACCOUNT_DELETE_APPROVAL_REQUEST:APPROVAL_TYPE MACHINE_ACCOUNT_CREATE_APPROVAL_REQUEST:APPROVAL_TYPE MACHINE_ACCOUNT_DELETE_APPROVAL_REQUEST:APPROVAL_TYPE [[tenantID]]:TENANT [[domainObjectID]]:DOMAIN_OBJECT

scope
required
string
Enum: "DOMAIN_OBJECT" "ROLE" "ACCESS_PROFILE" "ENTITLEMENT" "APPROVAL_TYPE" "TENANT"
Example: APPROVAL_TYPE

The scope of the field, where [[id]]:[[scope]] is the following [[roleID]]:ROLE [[entitlementID]]:ENTITLEMENT [[accessProfileID]]:ACCESS_PROFILE ENTITLEMENT_DESCRIPTIONS:APPROVAL_TYPE ACCESS_REQUEST_APPROVAL:APPROVAL_TYPE ACCOUNT_CREATE_APPROVAL_REQUEST:APPROVAL_TYPE ACCOUNT_DELETE_APPROVAL_REQUEST:APPROVAL_TYPE MACHINE_ACCOUNT_CREATE_APPROVAL_REQUEST:APPROVAL_TYPE MACHINE_ACCOUNT_DELETE_APPROVAL_REQUEST:APPROVAL_TYPE [[tenantID]]:TENANT [[domainObjectID]]:DOMAIN_OBJECT

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Post Bulk Approve Approvals

Bulk Approves specified approval requests on behalf of the caller

Authorizations:
Personal Access Token
Request Body schema: application/json
approvalIds
Array of strings

Array of Approval IDs to be bulk approved

comment
string

Optional comment to include with the bulk approval request

object

Additional attributes to include with the bulk approval request

Responses

Request samples

Content type
application/json
{
  • "approvalIds": [
    ],
  • "comment": "Bulk approved by admin for monthly review",
  • "additionalAttributes": {
    }
}

Response samples

Content type
application/json
{ }

Post Bulk Reject Approvals

Bulk reject specified approval requests on behalf of the caller

Authorizations:
Personal Access Token
Request Body schema: application/json
approvalIds
Array of strings

Array of Approval IDs to be bulk rejected

comment
string

Optional comment to include with the bulk reject request

Responses

Request samples

Content type
application/json
{
  • "approvalIds": [
    ],
  • "comment": "Bulk reject by admin"
}

Response samples

Content type
application/json
{ }

Post Bulk Cancel Approvals

Bulk cancels specified approval requests on behalf of the caller. Note: To bulk cancel access request approvals, please use the following: /access-requests/bulk-cancel

Authorizations:
Personal Access Token
Request Body schema: application/json
approvalIds
Array of strings

Array of Approval IDs to be bulk cancelled

comment
string

Optional comment to include with the bulk cancellation request

Responses

Request samples

Content type
application/json
{
  • "approvalIds": [
    ],
  • "comment": "Bulk cancellation by admin"
}

Response samples

Content type
application/json
{ }

Post Bulk Reassign Approvals

Bulk reassigns specified approval requests on behalf of the caller

Authorizations:
Personal Access Token
Request Body schema: application/json
approvalIds
Array of strings

Array of Approval IDs to be bulk reassigned

comment
string

Optional comment to include with the bulk reassignment request

reassignFrom
string

Identity ID from which the approval requests are being reassigned

reassignTo
string

ReassignTo signifies the Identity ID that the approval request is being reassigned to

Responses

Request samples

Content type
application/json
{
  • "approvalIds": [
    ],
  • "comment": "Bulk reassignment by admin",
  • "reassignFrom": "12353251-6be2-5f8f-df93-5ce19b6e5837",
  • "reassignTo": "32454251-6ce2-5d8f-df93-5ce19e295238"
}

Response samples

Content type
application/json
{ }

Apps

Use this API to implement source application functionality. With this functionality in place, you can create, customize, and manage applications within sources.

Get source app by id

This API returns a source app by its ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the source app

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808874ff91550175097daaec161c",
  • "cloudAppId": "9854520",
  • "name": "my app",
  • "created": "2020-10-08T18:33:52.029Z",
  • "modified": "2020-10-08T18:33:52.029Z",
  • "enabled": true,
  • "provisionRequestEnabled": true,
  • "description": "the source app for engineers",
  • "matchAllAccounts": true,
  • "appCenterEnabled": true,
  • "accountSource": {
    },
  • "owner": {
    }
}

Patch source app by id

This API updates an existing source app using JSON Patch syntax. The following fields are patchable: name, description, enabled, owner, provisionRequestEnabled, appCenterEnabled, accountSource, matchAllAccounts and accessProfiles. Name, description and owner can't be empty or null.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the source app to patch

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
Example

This example shows how multiple fields may be updated with a single patch call.

[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c91808874ff91550175097daaec161c",
  • "cloudAppId": "9854520",
  • "name": "my app",
  • "created": "2020-10-08T18:33:52.029Z",
  • "modified": "2020-10-08T18:33:52.029Z",
  • "enabled": true,
  • "provisionRequestEnabled": true,
  • "description": "the source app for engineers",
  • "matchAllAccounts": true,
  • "appCenterEnabled": true,
  • "accessProfiles": [
    ],
  • "accountSource": {
    },
  • "owner": {
    }
}

Delete source app by id

Use this API to delete a specific source app

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

source app ID.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808874ff91550175097daaec161c",
  • "cloudAppId": "9854520",
  • "name": "my app",
  • "created": "2020-10-08T18:33:52.029Z",
  • "modified": "2020-10-08T18:33:52.029Z",
  • "enabled": true,
  • "provisionRequestEnabled": true,
  • "description": "the source app for engineers",
  • "matchAllAccounts": true,
  • "appCenterEnabled": true,
  • "accountSource": {
    },
  • "owner": {
    }
}

Bulk update source apps

This API updates source apps using JSON Patch syntax. It can update up to 50 source apps in a batch. The following fields can be updated: name, description, enabled, owner, provisionRequestEnabled, appCenterEnabled, accountSource, matchAllAccounts, and accessProfiles. Name, description and owner can't be empty or null.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
appIds
required
Array of strings <= 50 items

List of source app ids to update

required
Array of objects (Json Patch Operation)

The JSONPatch payload used to update the source app.

Responses

Request samples

Content type
application/json
{
  • "appIds": [
    ],
  • "jsonPatch": [
    ]
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List assigned source apps

This API returns the list of source apps assigned for logged in user.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified, accountSource.id

filters
string
Example: filters=name eq "source app name"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, co, sw

created: gt, lt, ge, le

modified: gt, lt, ge, le

accountSource.id: eq, in

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List available source apps

This API returns the list of source apps available for access request.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified, owner.id, accountSource.id

filters
string
Example: filters=name eq "source app name"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, co, sw

created: gt, lt, ge, le

modified: gt, lt, ge, le

accountSource.id: eq, in

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create source app

This endpoint creates a source app using the given source app payload

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
name
required
string

The source app name

description
required
string

The description of the source app

matchAllAccounts
boolean
Default: false

True if the source app match all accounts

required
object

Responses

Request samples

Content type
application/json
{
  • "name": "new app name",
  • "description": "app description",
  • "matchAllAccounts": true,
  • "accountSource": {
    }
}

Response samples

Content type
application/json
{
  • "id": "2c91808874ff91550175097daaec161c",
  • "cloudAppId": "9854520",
  • "name": "my app",
  • "created": "2020-10-08T18:33:52.029Z",
  • "modified": "2020-10-08T18:33:52.029Z",
  • "enabled": true,
  • "provisionRequestEnabled": true,
  • "description": "the source app for engineers",
  • "matchAllAccounts": true,
  • "appCenterEnabled": true,
  • "accountSource": {
    },
  • "owner": {
    }
}

List all source apps

This API returns the list of all source apps for the org.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified, owner.id, accountSource.id

filters
string
Example: filters=enabled eq true

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, co, sw

created: gt, lt, ge, le

modified: gt, ge, le

owner.id: eq, in

enabled: eq

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List access profiles for the specified source app

This API returns the list of access profiles for the specified source app

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the source app

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name eq "developer access profile"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in

created: gt, lt, ge, le

modified: gt, lt, ge, le

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Bulk remove access profiles from the specified source app

This API returns the final list of access profiles for the specified source app after removing

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the source app

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
Array
string

Responses

Request samples

Content type
application/json
[
  • "c9575abb5e3a4e3db82b2f989a738aa2",
  • "c9dc28e148a24d65b3ccb5fb8ca5ddd9"
]

Response samples

Content type
application/json
[
  • {
    }
]

Patch user app by id

This API updates an existing user app using JSON Patch syntax. The following fields are patchable: account

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the user app to patch

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c91808874ff91550175097daaec161c",
  • "created": "2020-10-08T18:33:52.029Z",
  • "modified": "2020-10-08T18:33:52.029Z",
  • "hasMultipleAccounts": false,
  • "useForPasswordManagement": true,
  • "provisionRequestEnabled": true,
  • "appCenterEnabled": true,
  • "sourceApp": {
    },
  • "source": {
    },
  • "account": {
    },
  • "owner": {
    }
}

List available accounts for user app

This API returns the list of available accounts for the specified user app. The user app needs to belong lo logged in user.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the user app

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List owned user apps

This API returns the list of user apps assigned to logged in user

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name eq "user app name"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq

ownerName: eq, sw

ownerAlias: eq, sw

accountId: eq

sourceAppId: eq

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List all user apps

This API returns the list of all user apps with specified filters. This API must be used with filters query parameter.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

filters
required
string
Example: filters=name eq "user app name"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq

ownerId: eq

ownerName: eq, sw

ownerAlias: eq, sw

accountId: eq

sourceAppId: eq

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Auth Profile

Use this API to implement Auth Profile functionality. With this functionality in place, users can read authentication profiles and make changes to them.

An authentication profile represents an identity profile's authentication configuration. When the identity profile is created, its authentication profile is also created. An authentication profile includes information like its authentication profile type (BLOCK, MFA, NON_PTA, PTA`) and settings controlling whether or not it blocks access from off network or untrusted geographies.

Get list of auth profiles

This API returns a list of auth profiles.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get auth profile

This API returns auth profile information.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the Auth Profile to patch.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "name": "EndToEnd-Profile",
  • "offNetwork": true,
  • "untrustedGeography": true,
  • "applicationId": "2c91808458ae7a4f0158b1bbf8af0628",
  • "applicationName": "EndToEnd-Source",
  • "type": "PTA",
  • "strongAuthLogin": true
}

Patch a specified auth profile

This API updates an existing Auth Profile. The following fields are patchable: offNetwork, untrustedGeography, applicationId, applicationName, type

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the Auth Profile to patch.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "name": "EndToEnd-Profile",
  • "offNetwork": true,
  • "untrustedGeography": true,
  • "applicationId": "2c91808458ae7a4f0158b1bbf8af0628",
  • "applicationName": "EndToEnd-Source",
  • "type": "PTA",
  • "strongAuthLogin": true
}

Auth Users

Use this API to implement user authentication system functionality. With this functionality in place, users can get a user's authentication system details, including their capabilities, and modify those capabilities. The user's capabilities refer to their access to different systems, or authorization, within the tenant, like access to certifications (CERT_ADMIN) or reports (REPORT_ADMIN). These capabilities also determine a user's access to the different APIs. This API provides users with a way to determine a user's access and make quick and easy changes to that access.

Auth user details

Return the specified user's authentication system details.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Identity ID

Responses

Response samples

Content type
application/json
{
  • "tenant": "test-tenant",
  • "id": "2c91808458ae7a4f0158b1bbf8af0628",
  • "uid": "will.smith",
  • "profile": "2c91808458ae7a4f0158b1bbf8af0756",
  • "identificationNumber": "19-5588452",
  • "email": "william.smith@example.com",
  • "phone": "5555555555",
  • "workPhone": "5555555555",
  • "personalEmail": "william.smith@example.com",
  • "firstname": "Will",
  • "lastname": "Smith",
  • "displayName": "Will Smith",
  • "alias": "will.smith",
  • "lastPasswordChangeDate": "2021-03-08T22:37:33.901Z",
  • "lastLoginTimestamp": 1656327185832,
  • "currentLoginTimestamp": 1656327185832,
  • "lastUnlockTimestamp": "2021-03-08T22:37:33.901Z",
  • "capabilities": [
    ]
}

Auth user update

Use a PATCH request to update an existing user in the authentication system. Use this endpoint to modify these fields:

  • capabilities

A '400.1.1 Illegal update attempt' detail code indicates that you attempted to PATCH a field that is not allowed.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Identity ID

Request Body schema: application/json-patch+json

A list of auth user update operations according to the JSON Patch standard.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "tenant": "test-tenant",
  • "id": "2c91808458ae7a4f0158b1bbf8af0628",
  • "uid": "will.smith",
  • "profile": "2c91808458ae7a4f0158b1bbf8af0756",
  • "identificationNumber": "19-5588452",
  • "email": "william.smith@example.com",
  • "phone": "5555555555",
  • "workPhone": "5555555555",
  • "personalEmail": "william.smith@example.com",
  • "firstname": "Will",
  • "lastname": "Smith",
  • "displayName": "Will Smith",
  • "alias": "will.smith",
  • "lastPasswordChangeDate": "2021-03-08T22:37:33.901Z",
  • "lastLoginTimestamp": 1656327185832,
  • "currentLoginTimestamp": 1656327185832,
  • "lastUnlockTimestamp": "2021-03-08T22:37:33.901Z",
  • "capabilities": [
    ]
}

Branding

Use this API to implement and customize branding functionality. With this functionality in place, administrators can get and manage existing branding items, and they can also create new branding items and configure them for use throughout Identity Security Cloud. The Branding APIs provide administrators with a way to customize branding items. This customization includes details like their colors, logos, and other information. Refer to Certifications for more information about certifications.

List of branding items

This API endpoint returns a list of branding items.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create a branding item

This API endpoint creates a branding item.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: multipart/form-data
name
required
string

name of branding item

productName
required
string or null

product name

actionButtonColor
string

hex value of color for action button

activeLinkColor
string

hex value of color for link

navigationColor
string

hex value of color for navigation bar

emailFromAddress
string

email from address

loginInformationalMessage
string

login information message

fileStandard
string <binary>

png file with logo

Responses

Response samples

Content type
application/json
{
  • "name": "default",
  • "productName": "product name",
  • "actionButtonColor": "0074D9",
  • "activeLinkColor": "011E69",
  • "navigationColor": "011E69",
  • "emailFromAddress": "no-reply@sailpoint.com",
  • "standardLogoURL": "",
  • "loginInformationalMessage": ""
}

Get a branding item

This API endpoint retrieves information for an existing branding item by name.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
name
required
string
Example: default

The name of the branding item to be retrieved

Responses

Response samples

Content type
application/json
{
  • "name": "default",
  • "productName": "product name",
  • "actionButtonColor": "0074D9",
  • "activeLinkColor": "011E69",
  • "navigationColor": "011E69",
  • "emailFromAddress": "no-reply@sailpoint.com",
  • "standardLogoURL": "",
  • "loginInformationalMessage": ""
}

Update a branding item

This API endpoint updates information for an existing branding item.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
name
required
string
Example: default

The name of the branding item to be retrieved

Request Body schema: multipart/form-data
name
required
string

name of branding item

productName
required
string or null

product name

actionButtonColor
string

hex value of color for action button

activeLinkColor
string

hex value of color for link

navigationColor
string

hex value of color for navigation bar

emailFromAddress
string

email from address

loginInformationalMessage
string

login information message

fileStandard
string <binary>

png file with logo

Responses

Response samples

Content type
application/json
{
  • "name": "default",
  • "productName": "product name",
  • "actionButtonColor": "0074D9",
  • "activeLinkColor": "011E69",
  • "navigationColor": "011E69",
  • "emailFromAddress": "no-reply@sailpoint.com",
  • "standardLogoURL": "",
  • "loginInformationalMessage": ""
}

Delete a branding item

This API endpoint delete information for an existing branding item by name.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
name
required
string
Example: default

The name of the branding item to be deleted

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Certification Campaign Filters

Use this API to implement the certification campaign filter functionality. These filters can be used to create a certification campaign that includes a subset of your entitlements or users to certify.

For example, if for a certification campaign an organization wants to certify only specific users or entitlements, then those can be included/excluded on the basis of campaign filters.

For more information about creating a campaign filter, refer to Creating a Campaign Filter

You can create campaign filters using any of the following criteria types:

  • Access Profile : This criteria type includes or excludes access profiles from a campaign.

  • Account Attribute : This criteria type includes or excludes certification items that match a specified value in an account attribute.

  • Entitlement : This criteria type includes or excludes entitlements from a campaign.

  • Identity : This criteria type includes or excludes specific identities from your campaign.

  • Identity Attribute : This criteria type includes or excludes identities based on whether they have an identity attribute that matches criteria you've chosen.

  • Role : This criteria type includes or excludes roles, as opposed to identities.

  • Source : This criteria type includes or excludes entitlements from a source you select.

For more information about these criteria types, refer to Types of Campaign Filters

Once the campaign filter is created, it can be linked while creating the campaign. The generated campaign will have the items to review as per the campaign filter.

For example, An inclusion campaign filter is created with a source of Source 1, an operation of Equals, and an entitlement of Entitlement 1. When this filter is selected, only users who have Entitlement 1 are included in the campaign, and only Entitlement 1 is shown in the certification.

Create campaign filter

Use this API to create a campaign filter based on filter details and criteria.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
required
string

The unique ID of the campaign filter

name
required
string

Campaign filter name.

description
string

Campaign filter description.

owner
required
string or null

Owner of the filter. This field automatically populates at creation time with the current user.

mode
required
string
Enum: "INCLUSION" "EXCLUSION"

Mode/type of filter, either the INCLUSION or EXCLUSION type. The INCLUSION type includes the data in generated campaigns as per specified in the criteria, whereas the EXCLUSION type excludes the data in generated campaigns as per specified in criteria.

Array of objects

List of criteria.

isSystemFilter
required
boolean
Default: false

If true, the filter is created by the system. If false, the filter is created by a user.

Responses

Request samples

Content type
application/json
{
  • "id": "5ec18cef39020d6fd7a60ad3970aba61",
  • "name": "Identity Attribute Campaign Filter",
  • "description": "Campaign filter to certify data based on an identity attribute's specified property.",
  • "owner": "SailPoint Support",
  • "mode": "INCLUSION",
  • "criteriaList": [
    ],
  • "isSystemFilter": false
}

Response samples

Content type
application/json
{
  • "id": "5ec18cef39020d6fd7a60ad3970aba61",
  • "name": "Identity Attribute Campaign Filter",
  • "description": "Campaign filter to certify data based on an identity attribute's specified property.",
  • "owner": "SailPoint Support",
  • "mode": "INCLUSION",
  • "criteriaList": [
    ],
  • "isSystemFilter": false
}

List campaign filters

Use this API to list all campaign filters. You can reduce scope with standard V3 query parameters.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

start
integer <int32> >= 0
Default: 0

Start/Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

includeSystemFilters
boolean
Default: true
Example: includeSystemFilters=true

If this is true, the API includes system filters in the count and results. Otherwise it excludes them. If no value is provided, the default is true.

Responses

Response samples

Content type
application/json
{
  • "items": [
    ],
  • "count": 2
}

Get campaign filter by id

Retrieves information for an existing campaign filter using the filter's ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: e9f9a1397b842fd5a65842087040d3ac

The ID of the campaign filter to be retrieved.

Responses

Response samples

Content type
application/json
{
  • "id": "5ec18cef39020d6fd7a60ad3970aba61",
  • "name": "Identity Attribute Campaign Filter",
  • "description": "Campaign filter to certify data based on an identity attribute's specified property.",
  • "owner": "SailPoint Support",
  • "mode": "INCLUSION",
  • "criteriaList": [
    ],
  • "isSystemFilter": false
}

Updates a campaign filter

Updates an existing campaign filter using the filter's ID.

Authorizations:
Personal Access Token
path Parameters
filterId
required
string
Example: e9f9a1397b842fd5a65842087040d3ac

The ID of the campaign filter being modified.

Request Body schema: application/json

A campaign filter details with updated field values.

id
required
string

The unique ID of the campaign filter

name
required
string

Campaign filter name.

description
string

Campaign filter description.

owner
required
string or null

Owner of the filter. This field automatically populates at creation time with the current user.

mode
required
string
Enum: "INCLUSION" "EXCLUSION"

Mode/type of filter, either the INCLUSION or EXCLUSION type. The INCLUSION type includes the data in generated campaigns as per specified in the criteria, whereas the EXCLUSION type excludes the data in generated campaigns as per specified in criteria.

Array of objects

List of criteria.

isSystemFilter
required
boolean
Default: false

If true, the filter is created by the system. If false, the filter is created by a user.

Responses

Request samples

Content type
application/json
{
  • "id": "5ec18cef39020d6fd7a60ad3970aba61",
  • "name": "Identity Attribute Campaign Filter",
  • "description": "Campaign filter to certify data based on an identity attribute's specified property.",
  • "owner": "SailPoint Support",
  • "mode": "INCLUSION",
  • "criteriaList": [
    ],
  • "isSystemFilter": false
}

Response samples

Content type
application/json
{
  • "id": "5ec18cef39020d6fd7a60ad3970aba61",
  • "name": "Identity Attribute Campaign Filter",
  • "description": "Campaign filter to certify data based on an identity attribute's specified property.",
  • "owner": "SailPoint Support",
  • "mode": "INCLUSION",
  • "criteriaList": [
    ],
  • "isSystemFilter": false
}

Deletes campaign filters

Deletes campaign filters whose Ids are specified in the provided list of campaign filter Ids. Authorized callers must be an ORG_ADMIN or a CERT_ADMIN.

Authorizations:
Personal Access Token
Request Body schema: application/json

A json list of IDs of campaign filters to delete.

Array
string

Responses

Request samples

Content type
application/json
[
  • "0fbe863c063c4c88a35fd7f17e8a3df5",
  • "2efb374d392c4d88a34sv7b11e8a4eq6"
]

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Certification Campaigns

Use this API to implement certification campaign functionality. With this functionality in place, administrators can create, customize, and manage certification campaigns for their organizations' use. Certification campaigns provide Identity Security Cloud users with an interactive review process they can use to identify and verify access to systems. Campaigns help organizations reduce risk of inappropriate access and satisfy audit requirements.

A certification refers to Identity Security Cloud's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access. These certifications serve as a way of showing that a user's access has been reviewed and approved. Multiple certifications by different reviewers are often required to approve a user's access. A set of multiple certifications is called a certification campaign.

For example, an organization may use a Manager Certification campaign as a way of showing that a user's access has been reviewed and approved by multiple managers. Once this campaign has been completed, Identity Security Cloud would provision all the access the user needs, nothing more.

Identity Security Cloud provides two simple campaign types users can create without using search queries, Manager and Source Owner campaigns:

You can create these types of campaigns without using any search queries in Identity Security Cloud:

  • ManagerCampaign: Identity Security Cloud provides this campaign type as a way to ensure that an identity's access is certified by their managers. You only need to provide a name and description to create one.

  • Source Owner Campaign: Identity Security Cloud provides this campaign type as a way to ensure that an identity's access to a source is certified by its source owners. You only need to provide a name and description to create one. You can specify the sources whose owners you want involved or just run it across all sources.

For more information about these campaign types, refer to Starting a Manager or Source Owner Campaign.

One useful way to create certification campaigns in Identity Security Cloud is to use a specific search and then run a campaign on the results returned by that search. This allows you to be much more specific about whom you are certifying in your campaigns and what access you are certifying in your campaigns. For example, you can search for all identities who are managed by "Amanda.Ross" and also have the access to the "Accounting" role and then run a certification campaign based on that search to ensure that the returned identities are appropriately certified.

You can use Identity Security Cloud search queries to create these types of campaigns:

  • Identities: Use this campaign type to review and revoke access items for specific identities. You can either build a search query and create a campaign certifying all identities returned by that query, or you can search for individual identities and add those identities to the certification campaign.

  • Access Items: Use this campaign type to review and revoke a set of roles, access profiles, or entitlements from the identities that have them. You can either build a search query and create a campaign certifying all access items returned by that query, or you can search for individual access items and add those items to the certification campaign.

  • Role Composition: Use this campaign type to review a role's composition, including its title, description, and membership criteria. You can either build a search query and create a campaign certifying all roles returned by that query, or you can search for individual roles and add those roles to the certification campaign.

  • Uncorrelated Accounts: Use this campaign type to certify source accounts that aren't linked to an authoritative identity in Identity Security Cloud. You can use this campaign type to view all the uncorrelated accounts for a source and certify them.

For more information about search-based campaigns, refer to Starting a Campaign from Search.

Once you have generated your campaign, it becomes available for preview. An administrator can review the campaign and make changes, or if it's ready and accurate, activate it.

Once the campaign is active, organization administrators or certification administrators can designate other Identity Security Cloud users as certification reviewers. Those reviewers can view any of the certifications they either need to review (active) or have already reviewed (completed).

When a certification campaign is in progress, certification reviewers see the listed active certifications whose involved identities they can review. Reviewers can then make decisions to grant or revoke access, as well as reassign the certification to another reviewer. If the reviewer chooses this option, they must provide a reason for reassignment in the form of a comment.

Once a reviewer has made decisions on all the certification's involved access items, he or she must "Sign Off" to complete the review process. Doing so converts the certification into read-only status, preventing any further changes to the review decisions and deleting the work item (task) from the reviewer's list of work items.

Once all the reviewers have signed off, the certification campaign either completes or, if any reviewers decided to revoke access for any of the involved identities, it moves into a remediation phase. In the remediation phase, identities' entitlements are altered to remove any entitlements marked for revocation. In this situation, the certification campaign completes once all the remediation requests are completed.

The end of a certification campaign is determined by its deadline, its completion status, or by an administrator's decision.

For more information about certifications and certification campaigns, refer to Certifications.

List campaigns

Use this API to get a list of campaigns. This API can provide increased level of detail for each campaign for the correct provided query.

Authorizations:
Personal Access Token
query Parameters
detail
string
Enum: "SLIM" "FULL"
Example: detail=FULL

Determines whether slim, or increased level of detail is provided for each campaign in the returned list. Slim is the default behavior.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name eq "Manager Campaign"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

status: eq, in

sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created

Responses

Response samples

Content type
application/json
Example

List of Slim Campaigns that would result from not specifying detail or specifying SLIM

[
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Create a campaign

Use this API to create a certification campaign with the information provided in the request body.

Authorizations:
Personal Access Token
Request Body schema: application/json
name
required
string

The campaign name. If this object is part of a template, special formatting applies; see the /campaign-templates/{id}/generate endpoint documentation for details.

description
required
string or null

The campaign description. If this object is part of a template, special formatting applies; see the /campaign-templates/{id}/generate endpoint documentation for details.

deadline
string or null <date-time>

The campaign's completion deadline. This date must be in the future in order to activate the campaign. If you try to activate a campaign with a deadline of today or in the past, you will receive a 400 error response.

type
required
string
Enum: "MANAGER" "SOURCE_OWNER" "SEARCH" "ROLE_COMPOSITION" "MACHINE_ACCOUNT"

The type of campaign. Could be extended in the future.

emailNotificationEnabled
boolean
Default: false

Enables email notification for this campaign

autoRevokeAllowed
boolean
Default: false

Allows auto revoke for this campaign

recommendationsEnabled
boolean
Default: false

Enables IAI for this campaign. Accepts true even if the IAI product feature is off. If IAI is turned off then campaigns generated from this template will indicate false. The real value will then be returned if IAI is ever enabled for the org in the future.

correlatedStatus
string
Enum: "CORRELATED" "UNCORRELATED"

The correlatedStatus of the campaign. Only SOURCE_OWNER campaigns can be Uncorrelated. An Uncorrelated certification campaign only includes Uncorrelated identities (An identity is uncorrelated if it has no accounts on an authoritative source).

object or null

Determines which items will be included in this campaign. The default campaign filter is used if this field is left blank.

sunsetCommentsRequired
boolean
Default: true

Determines if comments on sunset date changes are required.

object or null

Must be set only if the campaign type is SOURCE_OWNER.

object or null

Must be set only if the campaign type is SEARCH.

object or null

Optional configuration options for role composition campaigns.

object or null

Must be set only if the campaign type is MACHINE_ACCOUNT.

mandatoryCommentRequirement
string
Enum: "ALL_DECISIONS" "REVOKE_ONLY_DECISIONS" "NO_DECISIONS"

Determines whether comments are required for decisions during certification reviews. You can require comments for all decisions, revoke-only decisions, or no decisions. By default, comments are not required for decisions.

Responses

Request samples

Content type
application/json
Example
{
  • "name": "Manager Review",
  • "description": "A review of everyone's access by their manager.",
  • "deadline": "2020-12-25T06:00:00.468Z",
  • "type": "MANAGER",
  • "emailNotificationEnabled": false,
  • "autoRevokeAllowed": false,
  • "recommendationsEnabled": false,
  • "filter": {
    },
  • "mandatoryCommentRequirement": "NO_DECISIONS"
}

Response samples

Content type
application/json
Example
{
  • "id": "5594f43b76804a6980ece5fdccf74be7",
  • "name": "Manager Review",
  • "description": "A review of everyone's access by their manager.",
  • "deadline": "2020-12-25T06:00:00.468Z",
  • "type": "MANAGER",
  • "status": "PENDING",
  • "emailNotificationEnabled": false,
  • "autoRevokeAllowed": false,
  • "recommendationsEnabled": false,
  • "created": "2022-08-02T20:21:18.421Z",
  • "modified": null,
  • "filter": {
    },
  • "sunsetCommentsRequired": true,
  • "sourceOwnerCampaignInfo": null,
  • "searchCampaignInfo": null,
  • "roleCompositionCampaignInfo": null,
  • "machineAccountCampaignInfo": null,
  • "alerts": null,
  • "totalCertifications": 0,
  • "completedCertifications": 0,
  • "sourcesWithOrphanEntitlements": null,
  • "mandatoryCommentRequirement": "NO_DECISIONS"
}

Get campaign

Use this API to get information for an existing certification campaign by the campaign's ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808571bcfcf80171c23e4b4221fc

ID of the campaign to be retrieved.

query Parameters
detail
string
Enum: "SLIM" "FULL"
Example: detail=FULL

Determines whether slim, or increased level of detail is provided for each campaign in the returned list. Slim is the default behavior.

Responses

Response samples

Content type
application/json
Example
{
  • "id": "2c918086719eec070171a7e3355a360a",
  • "name": "Manager Review",
  • "description": "A review of everyone's access by their manager.",
  • "deadline": "2020-12-25T06:00:00.123Z",
  • "type": "MANAGER",
  • "status": "ACTIVE",
  • "emailNotificationEnabled": false,
  • "autoRevokeAllowed": false,
  • "recommendationsEnabled": false
}

Update a campaign

Use this API to update individual fields on a certification campaign, using the JSON Patch standard.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808571bcfcf80171c23e4b4221fc

ID of the campaign template being modified.

Request Body schema: application/json-patch+json

A list of campaign update operations according to the JSON Patch standard. The fields that can be patched differ based on the status of the campaign.

When the campaign is in the STAGED status, you can patch these fields:

  • name
  • description
  • recommendationsEnabled
  • deadline
  • emailNotificationEnabled
  • autoRevokeAllowed

When the campaign is in the ACTIVE status, you can patch these fields:

  • deadline
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
Example
{
  • "id": "2c918086719eec070171a7e3355a360a",
  • "name": "Manager Review",
  • "description": "A review of everyone's access by their manager.",
  • "deadline": "2020-12-25T06:00:00.123Z",
  • "type": "MANAGER",
  • "status": "ACTIVE",
  • "emailNotificationEnabled": false,
  • "autoRevokeAllowed": false,
  • "recommendationsEnabled": false
}

Reassign certifications

This API reassigns the specified certifications from one identity to another.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The certification campaign ID

Request Body schema: application/json
certificationIds
Array of strings [ 1 .. 250 ] items

List of certification IDs to reassign

object
reason
string

Comment to explain why the certification was reassigned

Responses

Request samples

Content type
application/json
{
  • "certificationIds": [
    ],
  • "reassignTo": {
    },
  • "reason": "reassigned for some reason"
}

Response samples

Content type
application/json
{
  • "id": "2c918086719eec070171a7e3355a360a",
  • "type": "ADMIN_REASSIGN",
  • "targetType": "CAMPAIGN",
  • "targetId": "2c918086719eec070171a7e3355a834c",
  • "status": "QUEUED",
  • "errors": [ ],
  • "created": "2020-09-24T18:10:47.693Z"
}

Activate a campaign

Use this API to submit a job to activate the certified campaign with the specified ID. The campaign must be staged.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Campaign ID.

Request Body schema: application/json

Optional. If no timezone is specified, the standard UTC timezone is used (i.e. UTC+00:00). Although this can take any timezone, the intended value is the caller's timezone. The activation time calculated from the given timezone may cause the campaign deadline time to be modified, but it will remain within the original date. The timezone must be in a valid ISO 8601 format.

timeZone
string
Default: "Z"

The timezone must be in a valid ISO 8601 format. Timezones in ISO 8601 are represented as UTC (represented as 'Z') or as an offset from UTC. The offset format can be +/-hh:mm, +/-hhmm, or +/-hh.

Responses

Request samples

Content type
application/json
{
  • "timeZone": "-05:00"
}

Response samples

Content type
application/json
{ }

Complete a campaign

:::caution

This endpoint will run successfully for any campaigns that are past due.

This endpoint will return a content error if the campaign is not past due.

:::

Use this API to complete a certification campaign. This functionality is provided to admins so that they can complete a certification even if all items have not been completed.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Campaign ID.

Request Body schema: application/json

Optional. Default behavior is for the campaign to auto-approve upon completion, unless autoCompleteAction=REVOKE

autoCompleteAction
string
Default: "APPROVE"
Enum: "APPROVE" "REVOKE"

Determines whether to auto-approve(APPROVE) or auto-revoke(REVOKE) upon campaign completion.

Responses

Request samples

Content type
application/json
{
  • "autoCompleteAction": "REVOKE"
}

Response samples

Content type
application/json
{ }

Delete campaigns

Use this API to delete certification campaigns whose IDs are specified in the provided list of campaign IDs.

Authorizations:
Personal Access Token
Request Body schema: application/json

IDs of the campaigns to delete.

ids
Array of strings

The ids of the campaigns to delete

Responses

Request samples

Content type
application/json
{
  • "ids": [
    ]
}

Response samples

Content type
application/json
{ }

Run campaign remediation scan

Use this API to run a remediation scan task for a certification campaign.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808571bcfcf80171c23e4b4221fc

ID of the campaign the remediation scan is being run for.

Responses

Response samples

Content type
application/json
{ }

Get campaign reports

Use this API to fetch all reports for a certification campaign by campaign ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808571bcfcf80171c23e4b4221fc

ID of the campaign whose reports are being fetched.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Run campaign report

Use this API to run a report for a certification campaign.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808571bcfcf80171c23e4b4221fc

ID of the campaign the report is being run for.

type
required
string (ReportType)
Enum: "CAMPAIGN_COMPOSITION_REPORT" "CAMPAIGN_REMEDIATION_STATUS_REPORT" "CAMPAIGN_STATUS_REPORT" "CERTIFICATION_SIGNOFF_REPORT"
Example: CAMPAIGN_COMPOSITION_REPORT

Type of the report to run.

Responses

Response samples

Content type
application/json
{ }

Get campaign reports configuration

Use this API to fetch the configuration for certification campaign reports. The configuration includes only one element - identity attributes defined as custom report columns.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "identityAttributeColumns": [
    ]
}

Set campaign reports configuration

Use this API to overwrite the configuration for campaign reports.

Authorizations:
Personal Access Token
Request Body schema: application/json

Campaign report configuration.

identityAttributeColumns
Array of strings or null

list of identity attribute columns

Responses

Request samples

Content type
application/json
{
  • "identityAttributeColumns": [
    ]
}

Response samples

Content type
application/json
{
  • "identityAttributeColumns": [
    ]
}

Create a campaign template

Use this API to create a certification campaign template based on campaign.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
string

Id of the campaign template

name
required
string

This template's name. Has no bearing on generated campaigns' names.

description
required
string

This template's description. Has no bearing on generated campaigns' descriptions.

deadlineDuration
string or null

The time period during which the campaign should be completed, formatted as an ISO-8601 Duration. When this template generates a campaign, the campaign's deadline will be the current date plus this duration. For example, if generation occurred on 2020-01-01 and this field was "P2W" (two weeks), the resulting campaign's deadline would be 2020-01-15 (the current date plus 14 days).

required
object (Campaign)

Responses

Request samples

Content type
application/json
Example

This creates a template that can be used to generate manager campaigns. The campaigns will have a due date that is two weeks after their creation date, and will be named "{current date} Manager Review" (e.g. "2020-03-16 Manager Review").

{
  • "name": "Manager Review",
  • "description": "A review of everyone's access by their manager.",
  • "deadlineDuration": "P2W",
  • "campaign": {
    }
}

Response samples

Content type
application/json
Example
{
  • "id": "e7dbec99d49349c8951bd84f58a05120",
  • "name": "Manager Review",
  • "created": "2022-08-02T19:16:42.632Z",
  • "modified": null,
  • "description": "A review of everyone's access by their manager.",
  • "deadlineDuration": "P14D",
  • "ownerRef": {
    },
  • "scheduled": false,
  • "campaign": {
    }
}

List campaign templates

Use this API to get a list of all campaign templates. Scope can be reduced through standard V3 query params.

The API returns all campaign templates matching the query parameters.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified

filters
string <comma-separated>
Example: filters=name eq "manager template"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: eq, ge, gt, in, le, lt, ne, sw

id: eq, ge, gt, in, le, lt, ne, sw

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Update a campaign template

Use this API to update individual fields on a certification campaign template, using the JSON Patch standard.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

ID of the campaign template being modified.

Request Body schema: application/json-patch+json

A list of campaign update operations according to the JSON Patch standard.

The following fields are patchable:

  • name
  • description
  • deadlineDuration
  • campaign (all fields that are allowed during create)
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
Example
{
  • "id": "e7dbec99d49349c8951bd84f58a05120",
  • "name": "Manager Review",
  • "created": "2022-08-02T19:16:42.632Z",
  • "modified": null,
  • "description": "A review of everyone's access by their manager.",
  • "deadlineDuration": "P14D",
  • "ownerRef": {
    },
  • "scheduled": false,
  • "campaign": {
    }
}

Get a campaign template

Use this API to fetch a certification campaign template by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

Requested campaign template's ID.

Responses

Response samples

Content type
application/json
Example
{
  • "id": "e7dbec99d49349c8951bd84f58a05120",
  • "name": "Manager Review",
  • "created": "2022-08-02T19:16:42.632Z",
  • "modified": null,
  • "description": "A review of everyone's access by their manager.",
  • "deadlineDuration": "P14D",
  • "ownerRef": {
    },
  • "scheduled": false,
  • "campaign": {
    }
}

Delete a campaign template

Use this API to delete a certification campaign template by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

ID of the campaign template being deleted.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get campaign template schedule

Use this API to get the schedule for a certification campaign template. The API returns a 404 if there is no schedule set.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 04bedce387bd47b2ae1f86eb0bb36dee

ID of the campaign template whose schedule is being fetched.

Responses

Response samples

Content type
application/json
{
  • "type": "WEEKLY",
  • "months": {
    },
  • "days": {
    },
  • "hours": {
    },
  • "expiration": "2022-09-19 13:55:26",
  • "timeZoneId": "CST"
}

Set campaign template schedule

Use this API to set the schedule for a certification campaign template. If a schedule already exists, the API overwrites it with the new one.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 04bedce387bd47b2ae1f86eb0bb36dee

ID of the campaign template being scheduled.

Request Body schema: application/json
type
required
string
Enum: "WEEKLY" "MONTHLY" "ANNUALLY" "CALENDAR"

Determines the overall schedule cadence. In general, all time period fields smaller than the chosen type can be configured. For example, a DAILY schedule can have 'hours' set, but not 'days'; a WEEKLY schedule can have both 'hours' and 'days' set.

object or null

Specifies which months of a schedule are active. Only valid for ANNUALLY schedule types. Examples:

On February and March:

  • type LIST
  • values "2", "3"

Every 3 months, starting in January (quarterly):

  • type LIST
  • values "1"
  • interval 3

Every two months between July and December:

  • type RANGE
  • values "7", "12"
  • interval 2
object

Specifies which day(s) a schedule is active for. This is required for all schedule types. The "values" field holds different data depending on the type of schedule:

  • WEEKLY: days of the week (1-7)
  • MONTHLY: days of the month (1-31, L, L-1...)
  • ANNUALLY: if the "months" field is also set: days of the month (1-31, L, L-1...); otherwise: ISO-8601 dates without year ("--12-31")
  • CALENDAR: ISO-8601 dates ("2020-12-31")

Note that CALENDAR only supports the LIST type, and ANNUALLY does not support the RANGE type when provided with ISO-8601 dates without year.

Examples:

On Sundays:

  • type LIST
  • values "1"

The second to last day of the month:

  • type LIST
  • values "L-1"

From the 20th to the last day of the month:

  • type RANGE
  • values "20", "L"

Every March 2nd:

  • type LIST
  • values "--03-02"

On March 2nd, 2021:

  • type: LIST
  • values "2021-03-02"
required
object

Specifies which hour(s) a schedule is active for. Examples:

Every three hours starting from 8AM, inclusive:

  • type LIST
  • values "8"
  • interval 3

During business hours:

  • type RANGE
  • values "9", "5"

At 5AM, noon, and 5PM:

  • type LIST
  • values "5", "12", "17"
expiration
string or null <date-time>

Specifies the time after which this schedule will no longer occur.

timeZoneId
string

The time zone to use when running the schedule. For instance, if the schedule is scheduled to run at 1AM, and this field is set to "CST", the schedule will run at 1AM CST.

Responses

Request samples

Content type
application/json
Example

Runs on the 15th and last day of the month, at 5PM.

{
  • "type": "MONTHLY",
  • "hours": {
    },
  • "days": {
    }
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Delete campaign template schedule

Use this API to delete the schedule for a certification campaign template. The API returns a 404 if there is no schedule set.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 04bedce387bd47b2ae1f86eb0bb36dee

ID of the campaign template whose schedule is being deleted.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Generate a campaign from template

Use this API to generate a new certification campaign from a campaign template.

The campaign object contained in the template has special formatting applied to its name and description fields that determine the generated campaign's name/description. Placeholders in those fields are formatted with the current date and time upon generation.

Placeholders consist of a percent sign followed by a letter indicating what should be inserted. For example, "%Y" inserts the current year, and a campaign template named "Campaign for %y" generates a campaign called "Campaign for 2020" (assuming the year at generation time is 2020).

Valid placeholders are the date/time conversion suffix characters supported by java.util.Formatter.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

ID of the campaign template to use for generation.

Responses

Response samples

Content type
application/json
{
  • "id": "ef38f94347e94562b5bb8424a56397d8",
  • "name": "Campaign Name",
  • "type": "CAMPAIGN",
  • "campaignType": "MANAGER",
  • "description": "A description of the campaign",
  • "correlatedStatus": "CORRELATED",
  • "mandatoryCommentRequirement": "NO_DECISIONS"
}

Certification Summaries

Use this API to implement certification summary functionality. With this functionality in place, administrators and designated certification reviewers can review summaries of identity certification campaigns and draw conclusions about the campaigns' scope, security, and effectiveness. Implementing certification summary functionality improves organizations' ability to review their certifications and helps them satisfy audit and regulatory requirements by enabling them to trace access changes and the decisions made in their review processes.

A certification refers to Identity Security Cloud's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access. These certifications serve as a way of showing that a user's access has been reviewed and approved. Multiple certifications by different reviewers are often required to approve a user's access. A set of multiple certifications is called a certification campaign.

For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers. Once this certification has been completed, Identity Security Cloud would provision all the access the user needs, nothing more.

Certification summaries provide information about identity certification campaigns such as the identities involved, the number of decisions made, and the access changed. For example, an administrator or designated certification reviewer can examine the Manager Certification campaign to get an overview of how many entitlement decisions are made in that campaign as opposed to role decisions, which identities would be affected by changes to the campaign, and how those identities' access would be affected.

Summary of certification decisions

This API returns a summary of the decisions made on an identity campaign certification. The decisions are summarized by type. Reviewers for this certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The certification ID

query Parameters
filters
string
Example: filters=identitySummary.id eq "ef38f94347e94562b5bb8424a56397d8"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

identitySummary.id: eq, in

Responses

Response samples

Content type
application/json
{
  • "entitlementDecisionsMade": 3,
  • "accessProfileDecisionsMade": 5,
  • "roleDecisionsMade": 2,
  • "accountDecisionsMade": 4,
  • "entitlementDecisionsTotal": 6,
  • "accessProfileDecisionsTotal": 10,
  • "roleDecisionsTotal": 4,
  • "accountDecisionsTotal": 8,
  • "entitlementsApproved": 2,
  • "entitlementsRevoked": 1,
  • "accessProfilesApproved": 3,
  • "accessProfilesRevoked": 2,
  • "rolesApproved": 2,
  • "rolesRevoked": 0,
  • "accountsApproved": 1,
  • "accountsRevoked": 3
}

Identity summaries for campaign certification

This API returns a list of the identity summaries for a specific identity campaign certification. Reviewers for this certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The identity campaign certification ID

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "ef38f94347e94562b5bb8424a56397d8"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

completed: eq, ne

name: eq, sw

sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Access summaries

This API returns a list of access summaries for the specified identity campaign certification and type. Reviewers for this certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The identity campaign certification ID

type
required
string
Enum: "ROLE" "ACCESS_PROFILE" "ENTITLEMENT"
Example: ACCESS_PROFILE

The type of access review item to retrieve summaries for

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=access.id eq "ef38f94347e94562b5bb8424a56397d8"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

completed: eq, ne

access.id: eq, in

access.name: eq, sw

entitlement.sourceName: eq, sw

accessProfile.sourceName: eq, sw

sorters
string <comma-separated>
Example: sorters=access.name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: access.name

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Summary for identity

This API returns the summary for an identity on a specified identity campaign certification. Reviewers for this certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The identity campaign certification ID

identitySummaryId
required
string
Example: 2c91808772a504f50172a9540e501ba8

The identity summary ID

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808772a504f50172a9540e501ba7",
  • "name": "Alison Ferguso",
  • "identityId": "2c9180857182306001719937377a33de",
  • "completed": true
}

Certifications

Use this API to implement certification functionality. With this functionality in place, administrators and designated certification reviewers can review users' access certifications and decide whether to approve access, revoke it, or reassign the review to another reviewer. Implementing certifications improves organizations' data security by reducing inappropriate access through a distributed review process and helping them satisfy audit and regulatory requirements.

A certification refers to Identity Security Cloud's mechanism for reviewing a user's access to entitlements (sets of permissions) and approving or removing that access. These serve as a way of showing that a user's access has been reviewed and approved. Multiple certifications by different reviewers are often required to approve a user's access. A set of multiple certifications is called a certification campaign.

For example, an organization may use a Manager Certification as a way of showing that a user's access has been reviewed and approved by their manager, or if the certification is part of a campaign, that the user's access has been reviewed and approved by multiple managers. Once this certification has been completed, Identity Security Cloud would provision all the access the user needs, nothing more.

Organization administrators or certification administrators can designate other Identity Security Cloud users as certification reviewers. Those reviewers can select the 'Certifications' tab to view any of the certifications they either need to review or have already reviewed under the 'Active' and 'Completed' tabs, respectively.

When a certification campaign is in progress, certification reviewers will see certifications listed under 'Active,' where they can review the involved identities. Under the 'Decision' column on the right, next to each access item, reviewers can select the checkmark to approve access, select the 'X' to revoke access, or they can toggle the 'More Options' menu to reassign the certification to another reviewer and provide a reason for reassignment in the form of a comment.

Once a reviewer has made decisions on all the certification's involved access items, he or she must select 'Sign Off' to complete the review process. Doing so converts the certification into read-only status, preventing any further changes to the review decisions and deleting the work item (task) from the reviewer's list of work items.

Once all the reviewers have signed off, the certification campaign either completes or, if any reviewers decided to revoke access for any of the involved identities, it moves into a remediation phase. In the remediation phase, identities' entitlements are altered to remove any entitlements marked for revocation. In this situation, the certification campaign completes once all the remediation requests are completed.

List identity campaign certifications

Use this API to get a list of identity campaign certifications for the specified query parameters. Any authenticated token can call this API, but only certifications you are authorized to review will be returned. This API does not support requests for certifications assigned to governance groups.

Authorizations:
Personal Access Token
query Parameters
reviewer-identity
string
Example: reviewer-identity=me

Reviewer's identity. me indicates the current user.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "ef38f94347e94562b5bb8424a56397d8"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

campaign.id: eq, in

phase: eq

completed: eq

sorters
string <comma-separated>
Example: sorters=name,due

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, due, signed

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Identity certification by id

This API returns a single identity campaign certification by its ID. Reviewers for this certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The certification id

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "name": "Source Owner Access Review for Employees [source]",
  • "campaign": {
    },
  • "completed": true,
  • "identitiesCompleted": 5,
  • "identitiesTotal": 10,
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "decisionsMade": 20,
  • "decisionsTotal": 40,
  • "due": "2018-10-19T13:49:37.385Z",
  • "signed": "2018-10-19T13:49:37.385Z",
  • "reviewer": {
    },
  • "reassignment": {
    },
  • "hasErrors": false,
  • "errorMessage": "The certification has an error",
  • "phase": "ACTIVE"
}

List of access review items

This API returns a list of access review items for an identity campaign certification. Reviewers for this certification can also call this API. This API does not support requests for certifications assigned to Governance Groups.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The identity campaign certification ID

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "ef38f94347e94562b5bb8424a56397d8"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

type: eq

access.type: eq

completed: eq, ne

identitySummary.id: eq, in

identitySummary.name: eq, sw

access.id: eq, in

access.name: eq, sw

entitlement.sourceName: eq, sw

accessProfile.sourceName: eq, sw

sorters
string <comma-separated>
Example: sorters=access.name,-accessProfile.sourceName

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: identitySummary.name, access.name, access.type, entitlement.sourceName, accessProfile.sourceName

entitlements
string
Example: entitlements=identityEntitlement

Filter results to view access review items that pertain to any of the specified comma-separated entitlement IDs.

An error will occur if this param is used with access-profiles or roles as only one of these query params can be used at a time.

access-profiles
string
Example: access-profiles=accessProfile1

Filter results to view access review items that pertain to any of the specified comma-separated access-profle IDs.

An error will occur if this param is used with entitlements or roles as only one of these query params can be used at a time.

roles
string
Example: roles=userRole

Filter results to view access review items that pertain to any of the specified comma-separated role IDs.

An error will occur if this param is used with entitlements or access-profiles as only one of these query params can be used at a time.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Decide on a certification item

The API makes a decision to approve or revoke one or more identity campaign certification items. Reviewers for this certification can also call this API. This API does not support requests for certifications assigned to Governance Groups.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the identity campaign certification on which to make decisions

Request Body schema: application/json

A non-empty array of decisions to be made.

Array ([ 1 .. 250 ] items)
id
required
string

The id of the review decision

decision
required
string (CertificationDecision)
Enum: "APPROVE" "REVOKE"

The decision to approve or revoke the review item

proposedEndDate
string <date-time>

The date at which a user's access should be taken away. Should only be set for REVOKE decisions.

bulk
required
boolean

Indicates whether decision should be marked as part of a larger bulk decision

object (Review Recommendation)
comments
string

Comments recorded when the decision was made

Responses

Request samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "name": "Source Owner Access Review for Employees [source]",
  • "campaign": {
    },
  • "completed": true,
  • "identitiesCompleted": 5,
  • "identitiesTotal": 10,
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "decisionsMade": 20,
  • "decisionsTotal": 40,
  • "due": "2018-10-19T13:49:37.385Z",
  • "signed": "2018-10-19T13:49:37.385Z",
  • "reviewer": {
    },
  • "reassignment": {
    },
  • "hasErrors": false,
  • "errorMessage": "The certification has an error",
  • "phase": "ACTIVE"
}

Reassign identities or items

This API reassigns up to 50 identities or items in an identity campaign certification to another reviewer. A token with ORG_ADMIN or CERT_ADMIN authority is required to call this API. Reviewers for this certification can also call this API. This API does not support requests for certifications assigned to Governance Groups.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The identity campaign certification ID

Request Body schema: application/json
required
Array of objects (Reassign Reference)
reassignTo
required
string

The ID of the identity to which the certification is reassigned

reason
required
string

The reason comment for why the reassign was made

Responses

Request samples

Content type
application/json
{
  • "reassign": [
    ],
  • "reassignTo": "ef38f94347e94562b5bb8424a56397d8",
  • "reason": "reassigned for some reason"
}

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "name": "Source Owner Access Review for Employees [source]",
  • "campaign": {
    },
  • "completed": true,
  • "identitiesCompleted": 5,
  • "identitiesTotal": 10,
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "decisionsMade": 20,
  • "decisionsTotal": 40,
  • "due": "2018-10-19T13:49:37.385Z",
  • "signed": "2018-10-19T13:49:37.385Z",
  • "reviewer": {
    },
  • "reassignment": {
    },
  • "hasErrors": false,
  • "errorMessage": "The certification has an error",
  • "phase": "ACTIVE"
}

Finalize identity certification decisions

This API finalizes all decisions made on an identity campaign certification and initiates any remediations required. Reviewers for this certification can also call this API. This API does not support requests for certifications assigned to Governance Groups.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The identity campaign certification ID

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "name": "Source Owner Access Review for Employees [source]",
  • "campaign": {
    },
  • "completed": true,
  • "identitiesCompleted": 5,
  • "identitiesTotal": 10,
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "decisionsMade": 20,
  • "decisionsTotal": 40,
  • "due": "2018-10-19T13:49:37.385Z",
  • "signed": "2018-10-19T13:49:37.385Z",
  • "reviewer": {
    },
  • "reassignment": {
    },
  • "hasErrors": false,
  • "errorMessage": "The certification has an error",
  • "phase": "ACTIVE"
}

Permissions for entitlement certification item

This API returns the permissions associated with an entitlement certification item based on the certification item's ID. Reviewers for this certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
certificationId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The certification ID

itemId
required
string
Example: 2c91808671bcbab40171bd945d961227

The certification item ID

query Parameters
filters
string
Example: filters=target eq "SYS.OBJAUTH2"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

target: eq, sw

rights: ca

Supported composite operators: and, or

All field values (second filter operands) are case-insensitive for this API.

Only a single and or or composite filter operator may be used. It must also be used between a target filter and a rights filter, not between 2 filters for the same field.

For example, the following is valid: ?filters=rights+ca+(%22CREATE%22)+and+target+eq+%22SYS.OBJAUTH2%22

The following is invalid: 1?filters=rights+ca+(%22CREATE%22)+and+rights+ca+(%SELECT%22)1

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List of reviewers for certification

This API returns a list of reviewers for the certification. Reviewers for this certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The certification ID

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name eq "Bob"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

email: eq, sw

sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, email

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Reassign certifications asynchronously

This API initiates a task to reassign up to 500 identities or items in an identity campaign certification to another reviewer. The certification-tasks API can be used to get an updated status on the task and determine when the reassignment is complete.

Reviewers for this certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The identity campaign certification ID

Request Body schema: application/json
required
Array of objects (Reassign Reference)
reassignTo
required
string

The ID of the identity to which the certification is reassigned

reason
required
string

The reason comment for why the reassign was made

Responses

Request samples

Content type
application/json
{
  • "reassign": [
    ],
  • "reassignTo": "ef38f94347e94562b5bb8424a56397d8",
  • "reason": "reassigned for some reason"
}

Response samples

Content type
application/json
{
  • "id": "2c918086719eec070171a7e3355a360a",
  • "type": "ADMIN_REASSIGN",
  • "targetType": "CAMPAIGN",
  • "targetId": "2c918086719eec070171a7e3355a834c",
  • "status": "QUEUED",
  • "errors": {
    },
  • "reassignmentTrailDTOs": {
    },
  • "created": "2020-09-24T18:10:47.693Z"
}

Certification task by id

This API returns the certification task for the specified ID. Reviewers for the specified certification can also call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 63b32151-26c0-42f4-9299-8898dc1c9daa

The task ID

Responses

Response samples

Content type
application/json
{
  • "id": "2c918086719eec070171a7e3355a360a",
  • "type": "ADMIN_REASSIGN",
  • "targetType": "CAMPAIGN",
  • "targetId": "2c918086719eec070171a7e3355a834c",
  • "status": "QUEUED",
  • "errors": {
    },
  • "reassignmentTrailDTOs": {
    },
  • "created": "2020-09-24T18:10:47.693Z"
}

List of pending certification tasks

This API returns a list of pending (QUEUED or IN_PROGRESS) certification tasks. Any authenticated token can call this API, but only certification tasks you are authorized to review will be returned.

Authorizations:
Personal Access Token
query Parameters
reviewer-identity
string
Example: reviewer-identity=Ada.1de82e55078344

The ID of reviewer identity. me indicates the current user.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=type eq "ADMIN_REASSIGN"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

targetId: eq, in

type: eq, in

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Classify Source

Classify source's all accounts

Use this API to classify all the accounts from a source. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

Responses

Response samples

Content type
application/json
{
  • "Accounts submitted for processing": 100
}

Cancel classify source's accounts process

Use this API to cancel account classification process on a source. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Source accounts classification status

Use this API to get the status of Machine Account Classification process for a source. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

Responses

Response samples

Content type
application/json
{
  • "status": "COMPLETED",
  • "started": "2017-07-11T18:45:37.098Z",
  • "updated": "2018-06-25T20:22:28.104Z",
  • "counts": {
    }
}

Configuration Hub

Use this API to implement and customize configuration settings management. With this functionality, you can access the Configuration Hub actions and build your own automated pipeline for Identity Security Cloud configuration change delivery and deployment.

Common usages for Configuration Hub includes:

  • Upload configuration file - Configuration files can be managed and deployed using Configuration Hub by uploading a JSON file which contains configuration data.
  • Manage object mapping - Create rules to map and substitute attributes when migrating configurations.
  • Manage backups for configuration settings
  • Manage configuration drafts
  • Upload configurations and manage object mappings between tenants.

Refer to Using the SailPoint Configuration Hub for more information about Configuration Hub.

Gets list of object mappings

This gets a list of existing object mappings between current org and source org. Source org should be "default" when getting object mappings that are not associated to any particular org. The request will need the following security scope:

  • sp:config-object-mapping:read
Authorizations:
Personal Access Token
path Parameters
sourceOrg
required
string
Example: source-org

The name of the source org.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Creates an object mapping

This creates an object mapping between current org and source org. Source org should be "default" when creating an object mapping that is not to be associated to any particular org. The request will need the following security scope:

  • sp:config-object-mapping:manage
Authorizations:
Personal Access Token
path Parameters
sourceOrg
required
string
Example: source-org

The name of the source org.

Request Body schema: application/json

The object mapping request body.

objectType
required
string
Enum: "ACCESS_PROFILE" "ACCESS_REQUEST_CONFIG" "ATTR_SYNC_SOURCE_CONFIG" "AUTH_ORG" "CAMPAIGN_FILTER" "ENTITLEMENT" "FORM_DEFINITION" "GOVERNANCE_GROUP" "IDENTITY" "IDENTITY_OBJECT_CONFIG" "IDENTITY_PROFILE" "LIFECYCLE_STATE" "NOTIFICATION_TEMPLATE" "PASSWORD_POLICY" "PASSWORD_SYNC_GROUP" "PUBLIC_IDENTITIES_CONFIG" "ROLE" "RULE" "SEGMENT" "SERVICE_DESK_INTEGRATION" "SOD_POLICY" "SOURCE" "TAG" "TRANSFORM" "TRIGGER_SUBSCRIPTION" "WORKFLOW"

Type of the object the mapping value applies to, must be one from enum

jsonPath
required
string

JSONPath expression denoting the path within the object where the mapping value should be applied

sourceValue
required
string

Original value at the jsonPath location within the object

targetValue
required
string

Value to be assigned at the jsonPath location within the object

enabled
boolean
Default: false

Whether or not this object mapping is enabled

Responses

Request samples

Content type
application/json
{
  • "objectType": "GOVERNANCE_GROUP",
  • "jsonPath": "$.description",
  • "sourceValue": "Sample Governance Group",
  • "targetValue": "Sample Governance Group - Updated",
  • "enabled": true
}

Response samples

Content type
application/json
{
  • "objectMappingId": "3d6e0144-963f-4bd6-8d8d-d77b4e507ce4",
  • "objectType": "GOVERNANCE_GROUP",
  • "jsonPath": "$.description",
  • "sourceValue": "Sample Governance Group",
  • "targetValue": "Sample Governance Group - Updated",
  • "enabled": true,
  • "created": "2024-03-19T23:18:53.732Z",
  • "modified": "2024-03-19T23:18:53.732Z"
}

Deletes an object mapping

This deletes an existing object mapping. Source org should be "default" when deleting an object mapping that is not associated to any particular org. The request will need the following security scope:

  • sp:config-object-mapping:manage
Authorizations:
Personal Access Token
path Parameters
sourceOrg
required
string
Example: source-org

The name of the source org.

objectMappingId
required
string
Example: 3d6e0144-963f-4bd6-8d8d-d77b4e507ce4

The id of the object mapping to be deleted.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Bulk creates object mappings

This creates a set of object mappings (Max 25) between current org and source org. Source org should be "default" when creating object mappings that are not to be associated to any particular org. The request will need the following security scope:

  • sp:config-object-mapping:manage
Authorizations:
Personal Access Token
path Parameters
sourceOrg
required
string
Example: source-org

The name of the source org.

Request Body schema: application/json

The bulk create object mapping request body.

required
Array of objects (Object Mapping Request)

Responses

Request samples

Content type
application/json
{
  • "newObjectsMappings": [
    ]
}

Response samples

Content type
application/json
{
  • "addedObjects": [
    ]
}

Bulk updates object mappings

This updates a set of object mappings, only enabled and targetValue fields can be updated. Source org should be "default" when updating object mappings that are not associated to any particular org. The request will need the following security scope:

  • sp:config-object-mapping:manage
Authorizations:
Personal Access Token
path Parameters
sourceOrg
required
string
Example: source-org

The name of the source org.

Request Body schema: application/json

The object mapping request body.

required
object

Map of id of the object mapping to a JsonPatchOperation describing what to patch on that object mapping.

Responses

Request samples

Content type
application/json
{
  • "patches": {
    }
}

Response samples

Content type
application/json
{
  • "patchedObjects": [
    ]
}

List scheduled actions

This API gets a list of existing scheduled actions for the current tenant.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create scheduled action

This API creates a new scheduled action for the current tenant.

Authorizations:
Personal Access Token
Request Body schema: application/json

The scheduled action creation request body.

jobType
required
string
Enum: "BACKUP" "CREATE_DRAFT" "CONFIG_DEPLOY_DRAFT"

Type of the scheduled job.

startTime
string <date-time>

The time when this scheduled action should start. Optional.

cronString
string

Cron expression defining the schedule for this action. Optional for repeated events.

timeZoneId
string

Time zone ID for interpreting the cron expression. Optional, will default to current time zone.

required
object

Responses

Request samples

Content type
application/json
{
  • "jobType": "BACKUP",
  • "startTime": "2024-08-16T14:16:58.389Z",
  • "cronString": "0 0 * * * *",
  • "timeZoneId": "America/Chicago",
  • "content": {
    }
}

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "created": "2024-08-16T14:16:58.389Z",
  • "jobType": "BACKUP",
  • "content": {
    },
  • "startTime": "2024-08-16T14:16:58.389Z",
  • "cronString": "0 0 * * * *"
}

Update scheduled action

This API updates an existing scheduled action using JSON Patch format.

Authorizations:
Personal Access Token
path Parameters
scheduledActionId
required
string
Example: 0f11f2a4-7c94-4bf3-a2bd-742580fe3bde

The ID of the scheduled action.

Request Body schema: application/json-patch+json

The JSON Patch document containing the changes to apply to the scheduled action.

Array of objects (Json Patch Operation)

Operations to be applied

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "created": "2024-08-16T14:16:58.389Z",
  • "jobType": "BACKUP",
  • "content": {
    },
  • "startTime": "2024-08-16T14:16:58.389Z",
  • "cronString": "0 0 9 * * ?"
}

Delete scheduled action

This API deletes an existing scheduled action.

Authorizations:
Personal Access Token
path Parameters
scheduledActionId
required
string
Example: 0f11f2a4-7c94-4bf3-a2bd-742580fe3bde

The ID of the scheduled action.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List uploaded configurations

This API gets a list of existing uploaded configurations for the current tenant.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=status eq "COMPLETE"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

status: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Upload a configuration

This API uploads a JSON configuration file into a tenant.

Configuration files can be managed and deployed via Configuration Hub by uploading a json file which contains configuration data. The JSON file should be the same as the one used by our import endpoints. The object types supported by upload configuration file functionality are the same as the ones supported by our regular backup functionality.

Refer to SaaS Configuration for more information about supported objects.

Authorizations:
Personal Access Token
Request Body schema: multipart/form-data

The body will consist of "data" which should contain the json file and name wish should be the name you want to assign to the uploaded file"

Example

data: "uploaded.json",
name: "A_NEW_UPLOADED_BACKUP"

Sample Upload File

{
  "version": 1,
  "tenant": "a-sample-tenant",
  "objects":
  [
    {
      "version": 1,
      "self":
        {
          "id": "0a59c7196d2917f8aa6d29686e6600fb",
          "type": "SOURCE",
          "name": "Extended Form"
        },
      "object":
        {
          "id": "0a59c7196d2917f8aa6d29686e6600fb",
          "name": "Extended Form",
          "type": "DelimitedFile",
          "connectorClass": "sailpoint.connector.DelimitedFileConnector",
          "connectorScriptName": "delimited-file-angularsc",
          "description": "Migrated app - Extended Form (original ID: 0a59c7196d2917f8aa6d29686e6600fb)",
          "deleteThreshold": 10,
          "provisionAsCsv": false,
          "owner":
            {
              "type": "IDENTITY",
              "id": "0a59c7196d2917f8816d29685fed00c3",
              "name": "slpt.services"
            },
          "connectorAttributes":
            {
              "beforemoveAccount": "Do Nothing",
              "beforemoverAccount": "Do Nothing",
              "busApp": "false",
              "file": "Empty",
              "filetransport": "local",
              "filterEmptyRecords": "true",
              "group.filetransport": "local",
              "group.filterEmptyRecords": "true",
              "group.partitionMode": "auto",
              "hasHeader": "true",
              "indexColumn": "ID",
              "isCaseInsensitiveMerge": "false",
              "isSortedByIndexColumn": "false",
              "loaProcess": "Do Nothing",
              "ltdProcess": "Do Nothing",
              "mergeRows": "false",
              "moverProcess": "Do Nothing",
              "moverRevocation": "Do Nothing",
              "nativeChangeDetectionAttributeScope": "entitlements",
              "nativeChangeDetectionEnabled": "false",
              "nativeChangeProcess": "Do Nothing",
              "parseType": "delimited",
              "partitionMode": "auto",
              "policyType": "Do Nothing",
              "rehireProcess": "Do Nothing",
              "reverseleaverProcess": "Do Nothing",
              "rtwloaProcess": "Do Nothing",
              "rtwltdProcess": "Do Nothing",
              "stopIfLineHasWrongColumnLength": "false",
              "templateApplication": "DelimitedFile Template",
              "terminationProcess": "Do Nothing"
            },
          "schemas":
            [],
          "provisioningPolicies":
            [],
          "features":
            [
              "DIRECT_PERMISSIONS",
              "NO_RANDOM_ACCESS",
              "DISCOVER_SCHEMA"
            ]
        }
    }
  ]

}

data
required
string <binary>

JSON file containing the objects to be imported.

name
required
string

Name that will be assigned to the uploaded configuration file.

Responses

Response samples

Content type
application/json
{
  • "jobId": "3469b87d-48ca-439a-868f-2160001da8c1",
  • "status": "COMPLETE",
  • "type": "BACKUP",
  • "tenant": "tenant-name",
  • "requesterName": "Requester Name",
  • "fileExists": true,
  • "created": "2021-05-11T22:23:16Z",
  • "modified": "2021-05-11T22:23:16Z",
  • "completed": "2021-05-11T22:23:16Z",
  • "name": "Backup Name",
  • "userCanDelete": false,
  • "isPartial": false,
  • "backupType": "MANUAL",
  • "options": {
    },
  • "hydrationStatus": "NOT_HYDRATED",
  • "totalObjectCount": 10,
  • "cloudStorageStatus": "SYNCED"
}

Get an uploaded configuration

This API gets an existing uploaded configuration for the current tenant.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 3d0fe04b-57df-4a46-a83b-8f04b0f9d10b

The id of the uploaded configuration.

Responses

Response samples

Content type
application/json
{
  • "jobId": "2ea830f3-2b14-4772-8a20-3d006742e419",
  • "status": "COMPLETE",
  • "type": "BACKUP",
  • "tenant": "someTenant",
  • "requesterName": "support",
  • "fileExists": true,
  • "created": "2024-02-20T22:08:31.064Z",
  • "modified": "2024-02-20T22:13:15.662Z",
  • "completed": "2024-02-20T22:08:31.689Z",
  • "name": "something new",
  • "userCanDelete": false,
  • "isPartial": false,
  • "backupType": "UPLOADED",
  • "hydrationStatus": "HYDRATED",
  • "totalObjectCount": 2
}

Delete an uploaded configuration

This API deletes an uploaded configuration based on Id.

On success, this endpoint will return an empty response.

The uploaded configuration id can be obtained from the response after a successful upload, or the list uploaded configurations endpoint.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 3d0fe04b-57df-4a46-a83b-8f04b0f9d10b

The id of the uploaded configuration.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List backups

This API gets a list of existing backups for the current tenant.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=status eq "COMPLETE"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

status: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Delete a backup

This API deletes an existing backup for the current tenant.

On success, this endpoint will return an empty response.

The backup id can be obtained from the response after a backup was successfully created, or from the list backups endpoint.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 07659d7d-2cce-47c0-9e49-185787ee565a

The id of the backup to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List drafts

This API gets a list of existing drafts for the current tenant.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=status eq "COMPLETE"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

status: eq

approvalStatus: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Delete a draft

This API deletes an existing draft for the current tenant.

On success, this endpoint will return an empty response.

The draft id can be obtained from the response after a draft was successfully created, or from the list drafts endpoint.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 07659d7d-2cce-47c0-9e49-185787ee565a

The id of the draft to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List deploys

This API gets a list of deploys for the current tenant.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "items": [
    ]
}

Create a deploy

This API performs a deploy based on an existing daft.

Authorizations:
Personal Access Token
Request Body schema: application/json

The deploy request body.

draftId
required
string

The id of the draft to be used by this deploy.

Responses

Request samples

Content type
application/json
{
  • "draftId": "c9a38d8c-5edf-4182-9d39-f6581d3ebd05"
}

Response samples

Content type
application/json
{
  • "jobId": "ce928190-b50a-4e9a-9854-b56959be8bb1",
  • "status": "NOT_STARTED",
  • "type": "CONFIG_DEPLOY_DRAFT",
  • "requesterName": "support",
  • "fileExists": false,
  • "created": "2024-09-19T19:28:58.503Z",
  • "modified": "2024-09-19T19:28:58.509Z",
  • "draftId": "ebee8250-841f-41de-b74f-288b81137d12",
  • "draftName": "Draft for 46207915-854f-4894-8723-782fdcc677d6"
}

Get a deploy

This API gets an existing deploy for the current tenant.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 3d0fe04b-57df-4a46-a83b-8f04b0f9d10b

The id of the deploy.

Responses

Response samples

Content type
application/json
{
  • "jobId": "3d0fe04b-57df-4a46-a83b-8f04b0f9d10b",
  • "status": "COMPLETE",
  • "type": "CONFIG_DEPLOY_DRAFT",
  • "message": "Deploy outcome message",
  • "requesterName": "requester.name",
  • "fileExists": true,
  • "created": "2023-08-29T01:54:37.069Z",
  • "modified": "2024-07-15T16:53:45.925Z",
  • "completed": "2023-08-29T01:54:41.924Z",
  • "draftId": "925e34e3-fa7c-4e7a-9b9a-cf3b8b4b1068",
  • "draftName": "Source draft name",
  • "cloudStorageStatus": "SYNCED"
}

Connector Customizers

Saas Connectivity Customizers are cloud-based connector customizers. The customizers allow you to customize the out of the box connectors in a similar way to how you can use rules to customize VA (virtual appliance) based connectors.

Use these APIs to implement connector customizers functionality.

List all connector customizers

List all connector customizers.

Authorizations:
Personal Access Token
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create connector customizer

Create a connector customizer.

Authorizations:
Personal Access Token
Request Body schema: application/json

Connector customizer to create.

name
string

Connector customizer name.

Responses

Request samples

Content type
application/json
{
  • "name": "My Custom Connector"
}

Response samples

Content type
application/json
{
  • "id": "b07dc46a-1498-4de8-bfbb-259a68e70c8a",
  • "name": "connector-customizer-name",
  • "tenantID": "2c91808568c529c60168cca6f90c1324",
  • "created": "2009-11-10 23:00:00 +0000 UTC"
}

Get connector customizer

Gets connector customizer by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: b07dc46a-1498-4de8-bfbb-259a68e70c8a

ID of the connector customizer to get.

Responses

Response samples

Content type
application/json
{
  • "id": "b07dc46a-1498-4de8-bfbb-259a68e70c8a",
  • "name": "connector-customizer-name",
  • "imageVersion": 1,
  • "imageID": "2c91808568c529c60168cca6f90c1324",
  • "tenantID": "2c91808568c529c60168cca6f90c1324",
  • "created": "2009-11-10 23:00:00 +0000 UTC"
}

Update connector customizer

Update an existing connector customizer with the one provided in the request body. These fields are immutable: id, name, type.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: b07dc46a-1498-4de8-bfbb-259a68e70c8a

ID of the connector customizer to update.

Request Body schema: application/json

Connector rule with updated data.

name
string

Connector customizer name.

Responses

Request samples

Content type
application/json
{
  • "name": "My Custom Connector"
}

Response samples

Content type
application/json
{
  • "imageVersion": 1,
  • "imageID": "2c91808568c529c60168cca6f90c1324",
  • "id": "b07dc46a-1498-4de8-bfbb-259a68e70c8a",
  • "name": "connector-customizer-name",
  • "tenantID": "2c91808568c529c60168cca6f90c1324",
  • "created": "2009-11-10 23:00:00 +0000 UTC"
}

Delete connector customizer

Delete the connector customizer for the given ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: b07dc46a-1498-4de8-bfbb-259a68e70c8a

ID of the connector customizer to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Creates a connector customizer version

Creates a new version for the customizer.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: b07dc46a-1498-4de8-bfbb-259a68e70c8a

The id of the connector customizer.

Responses

Response samples

Content type
application/json
{
  • "customizerID": "b07dc46a-1498-4de8-bfbb-259a68e70c8a",
  • "imageID": "2c91808568c529c60168cca6f90c1324",
  • "version": 1,
  • "created": "2022-02-08T14:50:03.827Z"
}

Connector Rule Management

Use this API to implement connector rule management functionality. With this functionality in place, administrators can implement connector-executed rules in a programmatic, scalable way.

In Identity Security Cloud (ISC), rules serve as a flexible configuration framework you can leverage to perform complex or advanced configurations. Connector-executed rules are rules that are executed in the ISC virtual appliance (VA), usually extensions of the connector itself, the bridge between the data source and ISC.

This API allows administrators to view existing connector-executed rules, make changes to them, delete them, and create new ones from the available types.

List connector rules

List existing connector rules.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 50 ]
Default: 50
Example: limit=50

Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create connector rule

Create a connector rule from the available types.

Authorizations:
Personal Access Token
Request Body schema: application/json

Connector rule to create.

name
required
string [ 1 .. 128 ] characters

the name of the rule

description
string or null

a description of the rule's purpose

type
required
string
Enum: "BuildMap" "ConnectorAfterCreate" "ConnectorAfterDelete" "ConnectorAfterModify" "ConnectorBeforeCreate" "ConnectorBeforeDelete" "ConnectorBeforeModify" "JDBCBuildMap" "JDBCOperationProvisioning" "JDBCProvision" "PeopleSoftHRMSBuildMap" "PeopleSoftHRMSOperationProvisioning" "PeopleSoftHRMSProvision" "RACFPermissionCustomization" "ResourceObjectCustomization" "SAPBuildMap" "SapHrManagerRule" "SapHrOperationProvisioning" "SapHrProvision" "SuccessFactorsOperationProvisioning" "WebServiceAfterOperationRule" "WebServiceBeforeOperationRule" "ResourceObjectCustomization"

the type of rule

object

The rule's function signature. Describes the rule's input arguments and output (if any)

required
object (Source Code)

SourceCode

attributes
object or null

a map of string to objects

Responses

Request samples

Content type
application/json
{
  • "name": "WebServiceBeforeOperationRule",
  • "description": "This rule does that",
  • "type": "BuildMap",
  • "signature": {
    },
  • "sourceCode": {
    },
  • "attributes": { }
}

Response samples

Content type
application/json
{
  • "name": "WebServiceBeforeOperationRule",
  • "description": "This rule does that",
  • "type": "BuildMap",
  • "signature": {
    },
  • "sourceCode": {
    },
  • "attributes": { },
  • "id": "8113d48c0b914f17b4c6072d4dcb9dfe",
  • "created": "021-07-22T15:59:23Z",
  • "modified": "021-07-22T15:59:23Z"
}

Get connector rule

Get a connector rule by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

ID of the connector rule to get.

Responses

Response samples

Content type
application/json
{
  • "name": "WebServiceBeforeOperationRule",
  • "description": "This rule does that",
  • "type": "BuildMap",
  • "signature": {
    },
  • "sourceCode": {
    },
  • "attributes": { },
  • "id": "8113d48c0b914f17b4c6072d4dcb9dfe",
  • "created": "021-07-22T15:59:23Z",
  • "modified": "021-07-22T15:59:23Z"
}

Update connector rule

Update an existing connector rule with the one provided in the request body. These fields are immutable: id, name, type

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

ID of the connector rule to update.

Request Body schema: application/json

Connector rule with updated data.

id
required
string

the ID of the rule to update

name
required
string [ 1 .. 128 ] characters

the name of the rule

description
string or null

a description of the rule's purpose

type
required
string
Enum: "BuildMap" "ConnectorAfterCreate" "ConnectorAfterDelete" "ConnectorAfterModify" "ConnectorBeforeCreate" "ConnectorBeforeDelete" "ConnectorBeforeModify" "JDBCBuildMap" "JDBCOperationProvisioning" "JDBCProvision" "PeopleSoftHRMSBuildMap" "PeopleSoftHRMSOperationProvisioning" "PeopleSoftHRMSProvision" "RACFPermissionCustomization" "ResourceObjectCustomization" "SAPBuildMap" "SapHrManagerRule" "SapHrOperationProvisioning" "SapHrProvision" "SuccessFactorsOperationProvisioning" "WebServiceAfterOperationRule" "WebServiceBeforeOperationRule" "ResourceObjectCustomization"

the type of rule

object

The rule's function signature. Describes the rule's input arguments and output (if any)

required
object (Source Code)

SourceCode

attributes
object or null

a map of string to objects

Responses

Request samples

Content type
application/json
{
  • "id": "8113d48c0b914f17b4c6072d4dcb9dfe",
  • "name": "WebServiceBeforeOperationRule",
  • "description": "This rule does that",
  • "type": "BuildMap",
  • "signature": {
    },
  • "sourceCode": {
    },
  • "attributes": { }
}

Response samples

Content type
application/json
{
  • "name": "WebServiceBeforeOperationRule",
  • "description": "This rule does that",
  • "type": "BuildMap",
  • "signature": {
    },
  • "sourceCode": {
    },
  • "attributes": { },
  • "id": "8113d48c0b914f17b4c6072d4dcb9dfe",
  • "created": "021-07-22T15:59:23Z",
  • "modified": "021-07-22T15:59:23Z"
}

Delete connector rule

Delete the connector rule for the given ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

ID of the connector rule to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Validate connector rule

Detect issues within the connector rule's code to fix and list them.

Authorizations:
Personal Access Token
Request Body schema: application/json

Code to validate.

version
required
string

the version of the code

script
required
string

The code

Responses

Request samples

Content type
application/json
{
  • "version": "1.0",
  • "script": "return \"Mr. \" + firstName;"
}

Response samples

Content type
application/json
{
  • "state": "ERROR",
  • "details": [
    ]
}

Connectors

Use this API to implement connector functionality. With this functionality in place, administrators can view available connectors.

Connectors are the bridges Identity Security Cloud uses to communicate with and aggregate data from sources. For example, if it is necessary to set up a connection between Identity Security Cloud and the Active Directory source, a connector can bridge the two and enable Identity Security Cloud to synchronize data between the systems. This ensures account entitlements and states are correct throughout the organization.

In Identity Security Cloud, administrators can use the Connections drop-down menu and select Sources to view the available source connectors.

Refer to Identity Security Cloud Connectors for more information about the connectors available in Identity Security Cloud.

Refer to SaaS Connectivity for more information about the SaaS custom connectors that do not need VAs (virtual appliances) to communicate with their sources.

Refer to Managing Sources for more information about using connectors in Identity Security Cloud.

Get connector by script name

Fetches a connector that using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. ScriptName is the unique id generated at connector creation.

query Parameters
locale
string
Enum: "de" "no" "fi" "sv" "ru" "pt" "ko" "zh-TW" "en" "it" "fr" "zh-CN" "hu" "es" "cs" "ja" "pl" "da" "nl"
Example: locale=de

The locale to apply to the config. If no viable locale is given, it will default to "en"

Responses

Response samples

Content type
application/json
{
  • "name": "name",
  • "type": "ServiceNow",
  • "className": "class name",
  • "scriptName": "servicenow",
  • "applicationXml": "<?xml version='1.0' encoding='UTF-8'?>\n<!DOCTYPE Application PUBLIC \"sailpoint.dtd\" \"sailpoint.dtd\">\n<Application connector=\"sailpoint.connector.OpenConnectorAdapter\" name=\"custom Atlassian Suite - Cloud\" type=\"custom Atlassian Suite - Cloud\"/>\n",
  • "correlationConfigXml": "<?xml version='1.0' encoding='UTF-8'?>\n<!-- Copyright (C) 2021 SailPoint Technologies, Inc. All rights reserved. -->\n\n<!DOCTYPE CorrelationConfig PUBLIC \"sailpoint.dtd\" \"sailpoint.dtd\">\n\n<CorrelationConfig name=\"custom Atlassian Suite - Cloud Account Correlation Config\">\n\t<AttributeAssignments>\n\t\t<Filter operation=\"EQ\" property=\"email\" value=\"mail\"/>\n\t\t<Filter operation=\"EQ\" property=\"empId\" value=\"employeeNumber\"/>\n\t\t<Filter operation=\"EQ\" property=\"displayName\" value=\"cn\"/>\n\t</AttributeAssignments>\n</CorrelationConfig>\n",
  • "sourceConfigXml": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?><!-- Copyright (C) 2023 SailPoint Technologies, Inc. All rights reserved. --><Form xmlns=\"http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd\" connectorName=\"custom Atlassian Suite - Cloud\" directConnect=\"true\" fileUpload=\"true\" name=\"Custom Atlassian Suite - Cloud\" status=\"released\" type=\"SourceConfig\">\n <BaseConfig>\n <Field maxFiles=\"10\" maxSize=\"300\" name=\"fileUpload\" supportedExtensions=\"jar\" type=\"fileupload\" validateJSON=\"false\"/>\n </BaseConfig>\n \n\n \n</Form>",
  • "sourceConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?><!-- Copyright (C) 2023 SailPoint Technologies, Inc. All rights reserved. --><Form xmlns=\"http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd\" connectorName=\"custom Atlassian Suite - Cloud\" directConnect=\"true\" fileUpload=\"true\" name=\"Custom Atlassian Suite - Cloud\" status=\"released\" type=\"SourceConfig\">\n <BaseConfig>\n <Field maxFiles=\"10\" maxSize=\"300\" name=\"fileUpload\" supportedExtensions=\"jar\" type=\"fileupload\" validateJSON=\"false\"/>\n </BaseConfig>\n \n\n \n</Form>",
  • "sourceConfigFrom": "sp-connect",
  • "s3Location": "custom-connector/scriptname",
  • "uploadedFiles": [
    ],
  • "fileUpload": true,
  • "directConnect": true,
  • "translationProperties": {
    },
  • "connectorMetadata": {
    },
  • "status": "RELEASED"
}

Delete connector by script name

Delete a custom connector that using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. ScriptName is the unique id generated at connector creation.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update connector by script name

This API updates a custom connector by script name using JSON Patch syntax.

The following fields are patchable:

  • connectorMetadata

  • applicationXml

  • correlationConfigXml

  • sourceConfigXml

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. ScriptName is the unique id generated at connector creation.

Request Body schema: application/json-patch+json

A list of connector detail update operations

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "name": "name",
  • "type": "ServiceNow",
  • "className": "class name",
  • "scriptName": "servicenow",
  • "applicationXml": "<?xml version='1.0' encoding='UTF-8'?>\n<!DOCTYPE Application PUBLIC \"sailpoint.dtd\" \"sailpoint.dtd\">\n<Application connector=\"sailpoint.connector.OpenConnectorAdapter\" name=\"custom Atlassian Suite - Cloud\" type=\"custom Atlassian Suite - Cloud\"/>\n",
  • "correlationConfigXml": "<?xml version='1.0' encoding='UTF-8'?>\n<!-- Copyright (C) 2021 SailPoint Technologies, Inc. All rights reserved. -->\n\n<!DOCTYPE CorrelationConfig PUBLIC \"sailpoint.dtd\" \"sailpoint.dtd\">\n\n<CorrelationConfig name=\"custom Atlassian Suite - Cloud Account Correlation Config\">\n\t<AttributeAssignments>\n\t\t<Filter operation=\"EQ\" property=\"email\" value=\"mail\"/>\n\t\t<Filter operation=\"EQ\" property=\"empId\" value=\"employeeNumber\"/>\n\t\t<Filter operation=\"EQ\" property=\"displayName\" value=\"cn\"/>\n\t</AttributeAssignments>\n</CorrelationConfig>\n",
  • "sourceConfigXml": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?><!-- Copyright (C) 2023 SailPoint Technologies, Inc. All rights reserved. --><Form xmlns=\"http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd\" connectorName=\"custom Atlassian Suite - Cloud\" directConnect=\"true\" fileUpload=\"true\" name=\"Custom Atlassian Suite - Cloud\" status=\"released\" type=\"SourceConfig\">\n <BaseConfig>\n <Field maxFiles=\"10\" maxSize=\"300\" name=\"fileUpload\" supportedExtensions=\"jar\" type=\"fileupload\" validateJSON=\"false\"/>\n </BaseConfig>\n \n\n \n</Form>",
  • "sourceConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?><!-- Copyright (C) 2023 SailPoint Technologies, Inc. All rights reserved. --><Form xmlns=\"http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd\" connectorName=\"custom Atlassian Suite - Cloud\" directConnect=\"true\" fileUpload=\"true\" name=\"Custom Atlassian Suite - Cloud\" status=\"released\" type=\"SourceConfig\">\n <BaseConfig>\n <Field maxFiles=\"10\" maxSize=\"300\" name=\"fileUpload\" supportedExtensions=\"jar\" type=\"fileupload\" validateJSON=\"false\"/>\n </BaseConfig>\n \n\n \n</Form>",
  • "sourceConfigFrom": "sp-connect",
  • "s3Location": "custom-connector/scriptname",
  • "uploadedFiles": [
    ],
  • "fileUpload": true,
  • "directConnect": true,
  • "translationProperties": {
    },
  • "connectorMetadata": {
    },
  • "status": "RELEASED"
}

Get connector list

Fetches list of connectors that have 'RELEASED' status using filtering and pagination.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=directConnect eq "true"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: sw, co

type: sw, co, eq

directConnect: eq

category: eq

features: ca

labels: ca

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

locale
string
Enum: "de" "no" "fi" "sv" "ru" "pt" "ko" "zh-TW" "en" "it" "fr" "zh-CN" "hu" "es" "cs" "ja" "pl" "da" "nl"
Example: locale=de

The locale to apply to the config. If no viable locale is given, it will default to "en"

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create custom connector

Create custom connector.

Authorizations:
Personal Access Token
Request Body schema: application/json
name
required
string

The connector name. Need to be unique per tenant. The name will able be used to derive a url friendly unique scriptname that will be in response. Script name can then be used for all update endpoints

type
string

The connector type. If not specified will be defaulted to 'custom '+name

className
required
string

The connector class name. If you are implementing openconnector standard (what is recommended), then this need to be set to sailpoint.connector.OpenConnectorAdapter

directConnect
boolean
Default: true

true if the source is a direct connect source

status
string
Enum: "DEVELOPMENT" "DEMO" "RELEASED"

The connector status

Responses

Request samples

Content type
application/json
{
  • "name": "custom connector",
  • "type": "custom connector type",
  • "className": "sailpoint.connector.OpenConnectorAdapter",
  • "directConnect": true,
  • "status": "RELEASED"
}

Response samples

Content type
application/json
{
  • "name": "name",
  • "type": "ServiceNow",
  • "scriptName": "servicenow",
  • "className": "sailpoint.connector.OpenConnectorAdapter",
  • "features": [
    ],
  • "directConnect": true,
  • "connectorMetadata": {
    },
  • "status": "RELEASED"
}

Get connector source configuration

Fetches a connector's source config using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. ScriptName is the unique id generated at connector creation.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update connector source configuration

Update a connector's source config using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. ScriptName is the unique id generated at connector creation.

Request Body schema: multipart/form-data
file
required
string <binary>

connector source config xml file

Responses

Response samples

Content type
application/json
{
  • "message": "unsupported xsd version, please ensure latest xsd version http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd is used for source config",
  • "scriptName": "servicenow",
  • "updatedFiles": [
    ],
  • "status": "ERROR"
}

Get connector translations

Fetches a connector's translations using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. Scriptname is the unique id generated at connector creation.

locale
required
string
Enum: "de" "no" "fi" "sv" "ru" "pt" "ko" "zh-TW" "en" "it" "fr" "zh-CN" "hu" "es" "cs" "ja" "pl" "da" "nl"
Example: de

The locale to apply to the config. If no viable locale is given, it will default to "en"

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update connector translations

Update a connector's translations using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. Scriptname is the unique id generated at connector creation.

locale
required
string
Enum: "de" "no" "fi" "sv" "ru" "pt" "ko" "zh-TW" "en" "it" "fr" "zh-CN" "hu" "es" "cs" "ja" "pl" "da" "nl"
Example: de

The locale to apply to the config. If no viable locale is given, it will default to "en"

Request Body schema: multipart/form-data
object

Responses

Response samples

Content type
application/json
{
  • "message": "unsupported xsd version, please ensure latest xsd version http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd is used for source config",
  • "scriptName": "servicenow",
  • "updatedFiles": [
    ],
  • "status": "ERROR"
}

Get connector source template

Fetches a connector's source template using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. ScriptName is the unique id generated at connector creation.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update connector source template

Update a connector's source template using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. ScriptName is the unique id generated at connector creation.

Request Body schema: multipart/form-data
file
required
string <binary>

connector source template xml file

Responses

Response samples

Content type
application/json
{
  • "message": "unsupported xsd version, please ensure latest xsd version http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd is used for source config",
  • "scriptName": "servicenow",
  • "updatedFiles": [
    ],
  • "status": "ERROR"
}

Get connector correlation configuration

Fetches a connector's correlation config using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. Scriptname is the unique id generated at connector creation.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update connector correlation configuration

Update a connector's correlation config using its script name.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the connector. Scriptname is the unique id generated at connector creation.

Request Body schema: multipart/form-data
file
required
string <binary>

connector correlation config xml file

Responses

Response samples

Content type
application/json
{
  • "message": "unsupported xsd version, please ensure latest xsd version http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd is used for source config",
  • "scriptName": "servicenow",
  • "updatedFiles": [
    ],
  • "status": "ERROR"
}

Custom Forms

Use this API to build and manage custom forms. With this functionality in place, administrators can create and view form definitions and form instances.

Forms are composed of sections and fields. Sections split the form into logical groups of fields and fields are the data collection points within the form. Configure conditions to modify elements of the form as the responder provides input. Create form inputs to pass information from a calling feature, like a workflow, to your form.

Forms can be used within workflows as an action or as a trigger. The Form Action allows you to assign a form as a step in a running workflow, suspending the workflow until the form is submitted or times out, and the workflow resumes. The Form Submitted Trigger initiates a workflow when a form is submitted. The trigger can be configured to initiate on submission of a full form, a form element with any value, or a form element with a particular value.

Refer to Forms for more information about using forms in Identity Security Cloud.

Export form definitions by tenant.

No parameters required.

Authorizations:
Personal Access Token
query Parameters
offset
integer <int64>
Default: 0
Example: offset=250

Offset

Integer specifying the offset of the first result from the beginning of the collection. The standard syntax described in V3 API Standard Collection Parameters. The offset value is record-based, not page-based, and the index starts at 0.

limit
integer <int64> [ 0 .. 250 ] characters
Default: 250
Example: limit=250

Limit

Integer specifying the maximum number of records to return in a single API call. The standard syntax described in V3 API Standard Collection Parameters. If it is not specified, a default limit is used.

filters
string
Example: filters=name sw "my form"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: eq, gt, sw, in

description: eq, gt, sw, in

created: eq, gt, sw, in

modified: eq, gt, sw, in

sorters
string
Default: "name"
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, description, created, modified

Responses

Response samples

Content type
application/json
{
  • "count": 1,
  • "results": [
    ]
}

Creates a form definition.

Authorizations:
Personal Access Token
Request Body schema: application/json

Body is the request payload to create form definition request

description
string [ 0 .. 2000 ] characters

Description is the form definition description

Array of objects (FormCondition)

FormConditions is the conditional logic that modify the form dynamically modify the form as the recipient is interacting out the form

Array of objects (FormElement)

FormElements is a list of nested form elements

Array of objects (FormDefinitionInput)

FormInput is a list of form inputs that are required when creating a form-instance object

name
required
string <= 255 characters

Name is the form definition name

required
object (FormOwner)
Array of objects (FormUsedBy)

UsedBy is a list of objects where when any system uses a particular form it reaches out to the form service to record it is currently being used

Responses

Request samples

Content type
application/json
{
  • "name": "my form",
  • "description": "my form description",
  • "owner": {
    },
  • "formElements": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "00000000-0000-0000-0000-000000000000",
  • "name": "My form",
  • "description": "My form description",
  • "owner": {
    },
  • "usedBy": [
    ],
  • "formInput": [
    ],
  • "formElements": [
    ],
  • "formConditions": [
    ],
  • "created": "2023-07-12T20:14:57.74486Z",
  • "modified": "2023-07-12T20:14:57.74486Z"
}

Return a form definition.

Parameter {formDefinitionID} should match a form definition ID.

Authorizations:
Personal Access Token
path Parameters
formDefinitionID
required
string
Example: 00000000-0000-0000-0000-000000000000

Form definition ID

Responses

Response samples

Content type
application/json
{
  • "id": "00000000-0000-0000-0000-000000000000",
  • "name": "My form",
  • "description": "My form description",
  • "owner": {
    },
  • "usedBy": [
    ],
  • "formInput": [
    ],
  • "formElements": [
    ],
  • "formConditions": [
    ],
  • "created": "2023-07-12T20:14:57.74486Z",
  • "modified": "2023-07-12T20:14:57.74486Z"
}

Deletes a form definition.

Parameter {formDefinitionID} should match a form definition ID.

Authorizations:
Personal Access Token
path Parameters
formDefinitionID
required
string
Example: 00000000-0000-0000-0000-000000000000

Form definition ID

Responses

Response samples

Content type
application/json
{ }

Patch a form definition.

Parameter {formDefinitionID} should match a form definition ID.

Authorizations:
Personal Access Token
path Parameters
formDefinitionID
required
string
Example: 00000000-0000-0000-0000-000000000000

Form definition ID

Request Body schema: application/json

Body is the request payload to patch a form definition, check: https://jsonpatch.com

Array
property name*
additional property
object

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "00000000-0000-0000-0000-000000000000",
  • "name": "My form",
  • "description": "My form description",
  • "owner": {
    },
  • "usedBy": [
    ],
  • "formInput": [
    ],
  • "formElements": [
    ],
  • "formConditions": [
    ],
  • "created": "2023-07-12T20:14:57.74486Z",
  • "modified": "2023-07-12T20:14:57.74486Z"
}

Preview form definition data source.

Authorizations:
Personal Access Token
path Parameters
formDefinitionID
required
string
Example: 00000000-0000-0000-0000-000000000000

Form definition ID

query Parameters
limit
integer <int64> [ 0 .. 250 ] characters
Default: 10
Example: limit=10

Limit

Integer specifying the maximum number of records to return in a single API call. The standard syntax described in V3 API Standard Collection Parameters. If it is not specified, a default limit is used.

filters
string
Example: filters=value eq "ID01"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

value: eq, ne, in

Supported composite operators: not

Only a single not may be used, and it can only be used with the in operator. The not composite operator must be used in front of the field. For example, the following is valid: not value in ("ID01")

query
string
Example: query=ac

String that is passed to the underlying API to filter other (non-ID) fields. For example, for access profile data sources, this string will be passed to the access profile api and used with a "starts with" filter against several fields.

Request Body schema: application/json

Body is the request payload to create a form definition dynamic schema

object (FormElementDynamicDataSource)

Responses

Request samples

Content type
application/json
{
  • "dataSource": {
    }
}

Response samples

Content type
application/json
{
  • "results": "{\"results\":[{\"label\":\"Alfred 255e71dfc6e\",\"subLabel\":\"Alfred.255e71dfc6e@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2e16676\"},{\"label\":\"Alize eba9d4cd27da\",\"subLabel\":\"Alize.eba9d4cd27da@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2f1667c\"},{\"label\":\"Antonina 01f69c3ea\",\"subLabel\":\"Antonina.01f69c3ea@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2f9667e\"},{\"label\":\"Ardella 21e78ce155\",\"subLabel\":\"Ardella.21e78ce155@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2e6667a\"},{\"label\":\"Arnaldo d8582b6e17\",\"subLabel\":\"Arnaldo.d8582b6e17@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced3426686\"},{\"label\":\"Aurelia admin24828\",\"subLabel\":\"Aurelia.admin24828@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2e16674\"},{\"label\":\"Barbara 72ca418fdd\",\"subLabel\":\"Barbara.72ca418fdd@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2fb6680\"},{\"label\":\"Barbara ee1a2436ee\",\"subLabel\":\"Barbara.ee1a2436ee@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2e56678\"},{\"label\":\"Baylee 652d72432f3\",\"subLabel\":\"Baylee.652d72432f3@testmail.identitysoon.com\",\"value\":\"2c91808582184782018227ced28b6aee\"},{\"label\":\"Brock e76b56ae4d49\",\"subLabel\":\"Brock.e76b56ae4d49@testmail.identitysoon.com\",\"value\":\"2c91808582184782018227ced28b6aef\"}]}"
}

List form definitions by tenant.

No parameters required.

Authorizations:
Personal Access Token
query Parameters
offset
integer <int64> >= 0
Default: 0

Offset

Integer specifying the offset of the first result from the beginning of the collection. The standard syntax described in V3 API Standard Collection Parameters. The offset value is record-based, not page-based, and the index starts at 0.

limit
integer <int64> [ 0 .. 250 ]
Default: 250
Example: limit=250

Limit

Integer specifying the maximum number of records to return in a single API call. The standard syntax described in V3 API Standard Collection Parameters. If it is not specified, a default limit is used.

filters
string
Example: filters=name sw "my form"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: eq, gt, sw, in

description: eq, gt, sw, in

created: eq, gt, sw, in

modified: eq, gt, sw, in

sorters
string
Default: "name"
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, description, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Generate json schema dynamically.

Authorizations:
Personal Access Token
Request Body schema: application/json

Body is the request payload to create a form definition dynamic schema

object
description
string

Description is the form definition dynamic schema description text

id
string

ID is a unique identifier

type
string

Type is the form definition dynamic schema type

versionNumber
integer <int64>

VersionNumber is the form definition dynamic schema version number

Responses

Request samples

Content type
application/json
{
  • "id": "sp:forms",
  • "attributes": {
    },
  • "description": "AnotherDescription",
  • "type": "action",
  • "versionNumber": 1
}

Response samples

Content type
application/json
{
  • "outputSchema": {
    }
}

Import form definitions from export.

Authorizations:
Personal Access Token
Request Body schema: application/json

Body is the request payload to import form definitions

Array
object (FormDefinitionResponse)
self
string
version
integer <int32>

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "errors": [
    ],
  • "importedObjects": [
    ],
  • "infos": [
    ],
  • "warnings": [
    ]
}

Upload new form definition file.

Parameter {formDefinitionID} should match a form definition ID.

Authorizations:
Personal Access Token
path Parameters
formDefinitionID
required
string
Example: 00000000-0000-0000-0000-000000000000

FormDefinitionID

String specifying FormDefinitionID

Request Body schema: multipart/form-data
file
required
string <binary>

File specifying the multipart

Responses

Response samples

Content type
application/json
{
  • "created": "2023-07-12T20:14:57.74486Z",
  • "fileId": "01FHZXHK8PTP9FVK99Z66GXQTX.png",
  • "formDefinitionId": "00000000-0000-0000-0000-000000000000"
}

Download definition file by fileid.

Authorizations:
Personal Access Token
path Parameters
formDefinitionID
required
string
Example: 00000000-0000-0000-0000-000000000000

FormDefinitionID

Form definition ID

fileID
required
string
Example: 00000031N0J7R2B57M8YG73J7M.png

FileID

String specifying the hashed name of the uploaded file we are retrieving.

Responses

Response samples

Content type
"string"

List form instances by tenant.

Returns a list of form instances for the tenant. Optionally filter by form definition ID.

Authorizations:
Personal Access Token
query Parameters
offset
integer <int64>
Default: 0

Offset

Integer specifying the offset of the first result from the beginning of the collection. The standard syntax described in V3 API Standard Collection Parameters. The offset value is record-based, not page-based, and the index starts at 0.

limit
integer <int64> [ 0 .. 250 ]
Default: 250
Example: limit=100

Limit

Integer specifying the maximum number of records to return in a single API call. The standard syntax described in V3 API Standard Collection Parameters. If it is not specified, a default limit is used.

filters
string
Example: filters=formDefinitionId eq "351c1daa-56f6-4bbf-b32c-49844c0b716e"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

formDefinitionId: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Creates a form instance.

Authorizations:
Personal Access Token
Request Body schema: application/json

Body is the request payload to create a form instance

required
object (FormInstanceCreatedBy)
expire
required
string

Expire is required

formDefinitionId
required
string

FormDefinitionID is the id of the form definition that created this form

object

FormInput is an object of form input labels to value

required
Array of objects (FormInstanceRecipient)

Recipients is required

standAloneForm
boolean
Default: false

StandAloneForm is a boolean flag to indicate if this form should be available for users to complete via the standalone form UI or should this only be available to be completed by as an embedded form

state
string
Enum: "ASSIGNED" "IN_PROGRESS" "SUBMITTED" "COMPLETED" "CANCELLED"

State is required, if not present initial state is FormInstanceStateAssigned ASSIGNED FormInstanceStateAssigned IN_PROGRESS FormInstanceStateInProgress SUBMITTED FormInstanceStateSubmitted COMPLETED FormInstanceStateCompleted CANCELLED FormInstanceStateCancelled

ttl
integer <int64>

TTL an epoch timestamp in seconds, it most be in seconds or dynamodb will ignore it SEE: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/time-to-live-ttl-before-you-start.html

Responses

Request samples

Content type
application/json
{
  • "expire": "2023-06-20T15:57:55.332882Z",
  • "formDefinitionId": "00000000-0000-0000-0000-000000000000",
  • "recipients": [
    ],
  • "createdBy": {
    }
}

Response samples

Content type
application/json
{
  • "id": "06a2d961-07fa-44d1-8d0a-2f6470e30fd2",
  • "expire": "2023-08-12T20:14:57.74486Z",
  • "state": "ASSIGNED",
  • "standAloneForm": false,
  • "standAloneFormUrl": "https://my-org.identitynow.com/ui/d/forms/00000000-0000-0000-0000-000000000000",
  • "createdBy": {
    },
  • "formDefinitionId": "49841cb8-00a5-4fbd-9888-8bbb28d48331",
  • "formInput": {
    },
  • "formElements": [
    ],
  • "formData": {
    },
  • "formErrors": [
    ],
  • "formConditions": [
    ],
  • "created": "2023-07-12T20:14:57.74486Z",
  • "modified": "2023-07-12T20:14:57.74486Z",
  • "recipients": [
    ]
}

Returns a form instance.

Parameter {formInstanceID} should match a form instance ID.

Only the assigned recipient (recipients[].id when type is IDENTITY) may call this.

Authorizations:
Personal Access Token
path Parameters
formInstanceID
required
string
Example: 00000000-0000-0000-0000-000000000000

Form instance ID

Responses

Response samples

Content type
application/json
{
  • "id": "06a2d961-07fa-44d1-8d0a-2f6470e30fd2",
  • "expire": "2023-08-12T20:14:57.74486Z",
  • "state": "ASSIGNED",
  • "standAloneForm": false,
  • "standAloneFormUrl": "https://my-org.identitynow.com/ui/d/forms/00000000-0000-0000-0000-000000000000",
  • "createdBy": {
    },
  • "formDefinitionId": "49841cb8-00a5-4fbd-9888-8bbb28d48331",
  • "formInput": {
    },
  • "formElements": [
    ],
  • "formData": {
    },
  • "formErrors": [
    ],
  • "formConditions": [
    ],
  • "created": "2023-07-12T20:14:57.74486Z",
  • "modified": "2023-07-12T20:14:57.74486Z",
  • "recipients": [
    ]
}

Patch a form instance.

Parameter {formInstanceID} should match a form instance ID.

Only the assigned recipient (recipients[].id when type is IDENTITY) may call this.

Authorizations:
Personal Access Token
path Parameters
formInstanceID
required
string
Example: 00000000-0000-0000-0000-000000000000

Form instance ID

Request Body schema: application/json

Body is the request payload to patch a form instance, check: https://jsonpatch.com

Array
property name*
additional property
object

Responses

Request samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "06a2d961-07fa-44d1-8d0a-2f6470e30fd2",
  • "expire": "2023-08-12T20:14:57.74486Z",
  • "state": "ASSIGNED",
  • "standAloneForm": false,
  • "standAloneFormUrl": "https://my-org.identitynow.com/ui/d/forms/00000000-0000-0000-0000-000000000000",
  • "createdBy": {
    },
  • "formDefinitionId": "49841cb8-00a5-4fbd-9888-8bbb28d48331",
  • "formInput": {
    },
  • "formElements": [
    ],
  • "formData": {
    },
  • "formErrors": [
    ],
  • "formConditions": [
    ],
  • "created": "2023-07-12T20:14:57.74486Z",
  • "modified": "2023-07-12T20:14:57.74486Z",
  • "recipients": [
    ]
}

Retrieves dynamic data by element.

Parameter {formInstanceID} should match a form instance ID. Parameter {formElementID} should match a form element ID at the data source configuration.

Authorizations:
Personal Access Token
path Parameters
formInstanceID
required
string
Example: 00000000-0000-0000-0000-000000000000

Form instance ID

formElementID
required
string
Example: 1

Form element ID

query Parameters
limit
integer <int64> [ 0 .. 250 ] characters
Default: 250
Example: limit=250

Limit

Integer specifying the maximum number of records to return in a single API call. The standard syntax described in V3 API Standard Collection Parameters. If it is not specified, a default limit is used.

filters
string
Example: filters=value eq "ID01"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

value: eq, ne, in

Supported composite operators: not

Only a single not may be used, and it can only be used with the in operator. The not composite operator must be used in front of the field. For example, the following is valid: not value in ("ID01")

query
string
Example: query=support

String that is passed to the underlying API to filter other (non-ID) fields. For example, for access profile data sources, this string will be passed to the access profile api and used with a "starts with" filter against several fields.

Responses

Response samples

Content type
application/json
{
  • "results": "{\"results\":[{\"label\":\"Alfred 255e71dfc6e\",\"subLabel\":\"Alfred.255e71dfc6e@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2e16676\"},{\"label\":\"Alize eba9d4cd27da\",\"subLabel\":\"Alize.eba9d4cd27da@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2f1667c\"},{\"label\":\"Antonina 01f69c3ea\",\"subLabel\":\"Antonina.01f69c3ea@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2f9667e\"},{\"label\":\"Ardella 21e78ce155\",\"subLabel\":\"Ardella.21e78ce155@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2e6667a\"},{\"label\":\"Arnaldo d8582b6e17\",\"subLabel\":\"Arnaldo.d8582b6e17@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced3426686\"},{\"label\":\"Aurelia admin24828\",\"subLabel\":\"Aurelia.admin24828@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2e16674\"},{\"label\":\"Barbara 72ca418fdd\",\"subLabel\":\"Barbara.72ca418fdd@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2fb6680\"},{\"label\":\"Barbara ee1a2436ee\",\"subLabel\":\"Barbara.ee1a2436ee@testmail.identitysoon.com\",\"value\":\"2c918084821847c5018227ced2e56678\"},{\"label\":\"Baylee 652d72432f3\",\"subLabel\":\"Baylee.652d72432f3@testmail.identitysoon.com\",\"value\":\"2c91808582184782018227ced28b6aee\"},{\"label\":\"Brock e76b56ae4d49\",\"subLabel\":\"Brock.e76b56ae4d49@testmail.identitysoon.com\",\"value\":\"2c91808582184782018227ced28b6aef\"}]}"
}

Download instance file by fileid.

Authorizations:
Personal Access Token
path Parameters
formInstanceID
required
string
Example: 00000000-0000-0000-0000-000000000000

FormInstanceID

Form instance ID

fileID
required
string
Example: 00000031N0J7R2B57M8YG73J7M.png

FileID

String specifying the hashed name of the uploaded file we are retrieving.

Responses

Response samples

Content type
"string"

List predefined select options.

No parameters required.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "results": [
    ]
}

Custom Password Instructions

Use this API to implement custom password instruction functionality. With this functionality in place, administrators can create custom password instructions to help users reset their passwords, change them, unlock their accounts, or recover their usernames. This allows administrators to emphasize password policies or provide organization-specific instructions.

Administrators must first use Update Password Org Config to set customInstructionsEnabled to true.

Once they have enabled custom instructions, they can use Create Custom Password Instructions to create custom page content for the specific pageId they select.

For example, an administrator can use the pageId forget-username:user-email to set the custom text for the case when users forget their usernames and must enter their emails.

Refer to Creating Custom Instruction Text for more information about creating custom password instructions.

Create custom password instructions

This API creates the custom password instructions for the specified page ID.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
pageId
string
Enum: "change-password:enter-password" "change-password:finish" "flow-selection:select" "forget-username:user-email" "mfa:enter-code" "mfa:enter-kba" "mfa:select" "reset-password:enter-password" "reset-password:enter-username" "reset-password:finish" "unlock-account:enter-username" "unlock-account:finish"

The page ID that represents the page for forget user name, reset password and unlock account flow.

pageContent
string

The custom instructions for the specified page. Allow basic HTML format and maximum length is 1000 characters. The custom instructions will be sanitized to avoid attacks. If the customization text includes a link, like <A HREF=\"URL\">...</A> clicking on this will open the link on the current browser page. If you want your link to be redirected to a different page, please redirect it to "_blank" like this: <a href=\"URL" target=\"_blank\" >link</a>. This will open a new tab when the link is clicked. Notice we're only supporting _blank as the redirection target.

locale
string

The locale for the custom instructions, a BCP47 language tag. The default value is "default".

Responses

Request samples

Content type
application/json
{
  • "pageId": "reset-password:enter-password",
  • "pageContent": "See company password policies for details by clicking <a href=\"url\">here</a>"
}

Response samples

Content type
application/json
{
  • "pageId": "reset-password:enter-password",
  • "locale": "default",
  • "pageContent": "See company password policies for details by clicking <a href=\"url\">here</a>"
}

Get custom password instructions by page id

This API returns the custom password instructions for the specified page ID.

Authorizations:
Personal Access Token
path Parameters
pageId
required
string
Enum: "change-password:enter-password" "change-password:finish" "flow-selection:select" "forget-username:user-email" "mfa:enter-code" "mfa:enter-kba" "mfa:select" "reset-password:enter-password" "reset-password:enter-username" "reset-password:finish" "unlock-account:enter-username" "unlock-account:finish"
Example: mfa:select

The page ID of custom password instructions to query.

query Parameters
locale
string

The locale for the custom instructions, a BCP47 language tag. The default value is "default".

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "pageId": "reset-password:enter-password",
  • "locale": "default",
  • "pageContent": "See company password policies for details by clicking <a href=\"url\">here</a>"
}

Delete custom password instructions by page id

This API delete the custom password instructions for the specified page ID.

Authorizations:
Personal Access Token
path Parameters
pageId
required
string
Enum: "change-password:enter-password" "change-password:finish" "flow-selection:select" "forget-username:user-email" "mfa:enter-code" "mfa:enter-kba" "mfa:select" "reset-password:enter-password" "reset-password:enter-username" "reset-password:finish" "unlock-account:enter-username" "unlock-account:finish"
Example: mfa:select

The page ID of custom password instructions to delete.

query Parameters
locale
string

The locale for the custom instructions, a BCP47 language tag. The default value is "default".

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Custom User Levels

Use this API to implement custom user level functionality. With this functionality in place, administrators can create custom user levels and configure them for use throughout Identity Security Cloud.

Custom user levels allow administrators to create custom user levels that can be used to control access to Identity Security Cloud features and APIs.

Refer to User Levels for more information about User Levels.

Create a custom user level

Creates a new custom user level for the tenant.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

Payload containing the details of the user level to be created.

  • If only a parent right set id is included in the request body, all child right sets associated with that parent will be automatically assigned.
  • If the request body includes both a parent right set and a subset of its children, only the explicitly listed right sets (parent and specified children) will be assigned. Implicit inheritance is not applied in this case.
name
required
string

The name of the user level.

description
required
string

A brief description of the user level.

required
object (Public Identity)

Details about a public identity

rightSets
Array of strings

A list of rights associated with the user level.

Responses

Request samples

Content type
application/json
{
  • "name": "Identity And Access Management",
  • "description": "This is a description of the custom user level.",
  • "owner": {
    },
  • "rightSets": [
    ]
}

Response samples

Content type
application/json
{
  • "owner": {
    },
  • "status": "DRAFT",
  • "created": "2023-01-01T12:00:00Z",
  • "modified": "2023-01-02T12:00:00Z",
  • "associatedIdentitiesCount": 0,
  • "id": "beb02a57-010f-4c29-a6d2-fae9628bda73",
  • "name": "Identity And Detail Management",
  • "description": "This is a description of the custom user level.",
  • "legacyGroup": null,
  • "rightSets": [
    ],
  • "custom": true,
  • "adminAssignable": true,
  • "translatedName": null,
  • "translatedGrant": null,
  • "translatedRemove": null
}

List user levels

Retrieves a list of user levels for the tenant.

Authorizations:
Personal Access Token
query Parameters
detailLevel
string
Enum: "FULL" "SLIM"
Example: detailLevel=FULL

Specifies the level of detail for the user levels.

filters
string
Example: filters=name co "identity", owner co "john", status eq "active", description co "some description"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: co

owner: co

status: eq

description: co

sorters
string
Example: sorters=name, -created, description, status, owner

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, description, status, owner

limit
integer <int32> [ 0 .. 50 ]
Default: 50
Example: limit=50

Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Publish a custom user level

Publishes a custom user level for the tenant, making it active and available.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 6e110911-5984-491b-be74-2707980a46a7

The unique identifier of the user level to publish.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "userLevelId": "6e110911-5984-491b-be74-2707980a46a7",
  • "publish": true,
  • "status": "ACTIVE",
  • "modified": "2023-01-02T12:00:00Z"
}

Retrieve a user level

Fetches the details of a specific user level by its ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 6e110911-5984-491b-be74-2707980a46a7

The unique identifier of the user level.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "owner": {
    },
  • "status": "ACTIVE",
  • "created": "2023-01-01T12:00:00Z",
  • "modified": "2023-01-02T12:00:00Z",
  • "associatedIdentitiesCount": 10,
  • "id": "beb02a57-010f-4c29-a6d2-fae9628bda73",
  • "name": "Identity And Detail Management",
  • "description": "This is a description of the custom user level.",
  • "legacyGroup": null,
  • "rightSets": [
    ],
  • "custom": true,
  • "adminAssignable": true,
  • "translatedName": null,
  • "translatedGrant": null,
  • "translatedRemove": null
}

Delete a user level

Deletes a specific user level by its ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 6e110911-5984-491b-be74-2707980a46a7

The unique identifier of the user level.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update a user level

Updates the details of a specific user level using JSON Patch.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 6e110911-5984-491b-be74-2707980a46a7

The unique identifier of the user level.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json

JSON Patch payload for updating the user level.

  • If only a parent right set id is included in the request body, all child right sets associated with that parent will be automatically assigned.
  • If the request body includes both a parent right set and a subset of its children, only the explicitly listed right sets (parent and specified children) will be assigned. Implicit inheritance is not applied in this case.
Array of objects (Json Patch Operation)

Operations to be applied

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "owner": {
    },
  • "status": "ACTIVE",
  • "created": "2023-01-01T12:00:00Z",
  • "modified": "2023-01-02T12:00:00Z",
  • "associatedIdentitiesCount": 10,
  • "id": "beb02a57-010f-4c29-a6d2-fae9628bda73",
  • "name": "Identity And Detail Management",
  • "description": "This is a description of the custom user level.",
  • "legacyGroup": null,
  • "rightSets": [
    ],
  • "custom": true,
  • "adminAssignable": true,
  • "translatedName": null,
  • "translatedGrant": null,
  • "translatedRemove": null
}

List all uiAssignable right sets

Retrieves a list of authorization assignable right sets for the tenant.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=category eq "identity"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

category: eq

sorters
string
Example: sorters=name, -id, -category

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, category

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List user level identities

List of identities associated with a user level.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: idn:access-request-administrator

The unique identifier of the user level.

query Parameters
count
boolean
Default: false
Example: count=true

If true, X-Total-Count header with the the total number of identities for this user level will be included in the response.

sorters
string
Example: sorters=displayName

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: displayName

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Count user levels identities

List of user levels along with the number of identities associated to it.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

List of user level ids. Max 50 identifiers can be passed in a single request.

Array
string

Responses

Request samples

Content type
application/json
[
  • "HELPDESK",
  • "ORG_ADMIN",
  • "sp:ui-config-hub-admin"
]

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

Data Access Security

Use this API to enable data ownership election campaigns, assign resource owners, and respond to identity lifecycle events to maintain continuous accountability. This API can also trigger and manage DAS tasks such as scans-starting them on demand, updating configurations or schedules, and retrieving statuses. Additionally, you can onboard and manage applications at scale by creating and configuring them, setting scanning schedules, retrieving metadata, and associating them with Virtual Appliances and Identity Collectors.

Lists all DAS tasks.

This end-point lists all the tasks in Data Access Security.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
filters
string
Example: filters=TaskTypeName eq "DataClassification and EndBeforeTime eq 1762240800

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

taskIds: eq, in

statuses: eq, in

taskTypeName: eq, in

taskName: eq

endBeforeTime: eq

Supported composite operators are and, or

Example: taskTypeName eq "DataSync" and endBeforeTime eq 1762240800

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get a DAS task.

This end-point gets a task in Data Access Security.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 1001

The unique identifier of the task to retrieve.

Responses

Response samples

Content type
application/json
{
  • "taskId": 1001,
  • "taskTypeName": "DataSync",
  • "startTime": 1762237200,
  • "endTime": 1762240800,
  • "taskName": "Daily Data Sync",
  • "createdByDisplayName": "Jane Doe",
  • "progress": 75,
  • "status": "Running",
  • "details": "Task is processing files in the Finance folder.",
  • "scheduleTaskId": 2001
}

Delete a DAS task.

This end-point sends a request to delete a task in Data Access Security.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 1001

The unique identifier of the task to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Cancel a DAS task.

This end-point sends a request to cancel a task in Data Access Security.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 1001

The unique identifier of the task to cancel.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Rerun a DAS task.

This end-point sends a request to re-run a task in Data Access Security.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 1001

The unique identifier of the task to rerun.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List all schedules.

This end-point lists all the schedules in Data Access Security.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
filters
string
Example: filters=ScheduleType eq "Daily" and startTime eq 1762237200

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

scheduleTaskIds: eq, in

taskTypeName: eq, in

status: eq

applicationId: eq

fullName: eq

nameSubString: eq

scheduleType: eq

Supported composite operators are and, or

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create a new schedule.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
taskTypeName
string or null

The type or category of the scheduled task.

scheduleType
string or null

The scheduling type, such as "Daily", "Weekly" etc.

interval
integer or null <int32>

The interval depends on the chosen schedule cycle (scheduleType), i.e. if the schedule is daily, the interval will represent the days between executions.

scheduleTaskName
string or null

The display name of the scheduled task.

startTime
integer <int64>

The start time for the scheduled task, represented as epoch seconds.

endTime
integer <int64>

The end time for the scheduled task, represented as epoch seconds.

daysOfWeek
Array of strings or null

A list of days of the week when the task should run (e.g., "Monday", "Wednesday").

active
boolean
Default: false

Indicates whether the scheduled task is currently active.

runAfterScheduleTaskId
integer or null <int64>

The ID of another scheduled task that triggers this scheduled task upon its completion.

applicationId
integer or null <int64>

The unique identifier of the application associated with the scheduled task.

Responses

Request samples

Content type
application/json
{
  • "taskTypeName": "DataSync",
  • "scheduleType": "Daily",
  • "interval": 1440,
  • "scheduleTaskName": "Daily Data Sync",
  • "startTime": 1762237200,
  • "endTime": 1762240800,
  • "daysOfWeek": [
    ],
  • "active": true,
  • "runAfterScheduleTaskId": 1000,
  • "applicationId": 2001
}

Response samples

Content type
application/json
0
0

Get a DAS schedule.

This end-point gets a schedule in Data Access Security.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 1001

The unique identifier of the schedule to retrieve.

Responses

Response samples

Content type
application/json
{
  • "scheduleTaskId": 1001,
  • "scheduleTaskName": "Daily Data Sync",
  • "taskTypeName": "DataSync",
  • "interval": 1440,
  • "scheduleType": "Daily",
  • "active": true,
  • "startTime": 1762237200,
  • "endTime": 1762240800,
  • "daysOfWeek": [
    ],
  • "runAfterScheduleTaskId": 1000,
  • "runAfterScheduleTaskName": "Pre-Sync Task",
  • "applicationId": 2001,
  • "createdByDisplayName": "Jane Doe",
  • "nextRun": 1762323600,
  • "lastRun": 1762237200
}

Update a schedule.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 1001

The unique identifier of the schedule to update.

Request Body schema: application/json
taskTypeName
string or null

The type or category of the scheduled task.

scheduleType
string or null

The scheduling type, such as "Daily", "Weekly", or "Manual" etc.

interval
integer or null <int32>

The interval depends on the chosen schedule cycle (scheduleType), i.e. if the schedule is daily, the interval will represent the days between executions.

scheduleTaskName
string or null

The display name of the scheduled task.

startTime
integer <int64>

The start time for the scheduled task, represented as epoch seconds.

endTime
integer <int64>

The end time for the scheduled task, represented as epoch seconds.

daysOfWeek
Array of strings or null

A list of days of the week when the task should run (e.g., "Monday", "Wednesday").

active
boolean
Default: false

Indicates whether the scheduled task is currently active.

runAfterScheduleTaskId
integer or null <int64>

The ID of another scheduled task that triggers this scheduled task upon its completion.

applicationId
integer or null <int64>

The unique identifier of the application associated with the scheduled task.

Responses

Request samples

Content type
application/json
{
  • "taskTypeName": "DataSync",
  • "scheduleType": "Daily",
  • "interval": 1440,
  • "scheduleTaskName": "Daily Data Sync",
  • "startTime": 1762237200,
  • "endTime": 1762240800,
  • "daysOfWeek": [
    ],
  • "active": true,
  • "runAfterScheduleTaskId": 1000,
  • "applicationId": 2001
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Delete a DAS schedule.

This end-point sends a request to delete a schedule in Data Access Security.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 1001

The unique identifier of the schedule to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Create application

This endpoint creates a new application in Data Access Security with the specified configuration.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Request body containing the details required to create a new application.

applicationType
required
integer <int32> (ApplicationType)
Enum: 1 8 9 11 15 20 21 24 25 27 28 29 33 35 37

Specifies the type of application. Possible values: 1 - Sharepoint 8 - WindowsFileServer 9 - ActiveDirectory 11 - EmcCelerraCifs 15 - NetappCifs 20 - EmcIsilon 21 - GoogleDrive 24 - Box 25 - Dropbox 27 - OneDriveForBusiness 28 - SharepointOnline 29 - ExchangeOnline 33 - Cifs 35 - AwsS3 37 - Snowflake

name
required
string

The display name of the application.

description
string or null

A brief description of the application and its purpose.

Array of objects or null (Int64StringKeyValuePair)

A list of tags to categorize or identify the application.

identityCollectorId
integer or null <int64>

The unique identifier for the identity collector associated with this application.

adIdentityCollectorId
integer or null <int64>

The unique identifier for the AD identity collector.

nisIdentityCollectorId
integer or null <int64>

The unique identifier for the NIS identity collector.

object (ApplicationCrawlerSettings)
object (PermissionCollectorSettings)
object (DataClassificationSettings)

Extend with additional data classification configuration properties as needed.

object (ActivityConfigurationSettings)

Inherits base settings for activity configuration.

executeNow
boolean
Default: false

If true, the application setup will be executed immediately after creation.

Responses

Request samples

Content type
application/json
{
  • "applicationType": 9,
  • "name": "HR File Server",
  • "description": "Stores HR documents and employee records.",
  • "tags": [
    ],
  • "identityCollectorId": 123456789,
  • "adIdentityCollectorId": 987654321,
  • "nisIdentityCollectorId": 192837465,
  • "applicationCrawlerSettings": {
    },
  • "permissionCollectorSettings": {
    },
  • "dataClassificationSettings": {
    },
  • "activityConfigurationSettings": {
    },
  • "executeNow": false
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Search applications in DAS.

This endpoint lists all the applications in Data Access Security with optional filtering.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
filters
string
Example: filters=AppType eq 'ActiveDirectory' and Statuses eq 'Passed'

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

appIds: eq, in

tagIds: eq, in

statuses: eq, in

groupCodes: eq, in

virtualAppId: eq

appName: eq

supportsValidation: eq

Supported composite operators are and, or

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Update application by identifier.

This endpoint updates an existing application in Data Access Security with the specified configuration.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 12345

The unique identifier of the application to update.

Request Body schema: application/json

Request body containing the updated details for the application.

applicationType
required
integer <int32> (ApplicationType)
Enum: 1 8 9 11 15 20 21 24 25 27 28 29 33 35 37

Specifies the type of application. Possible values: 1 - Sharepoint 8 - WindowsFileServer 9 - ActiveDirectory 11 - EmcCelerraCifs 15 - NetappCifs 20 - EmcIsilon 21 - GoogleDrive 24 - Box 25 - Dropbox 27 - OneDriveForBusiness 28 - SharepointOnline 29 - ExchangeOnline 33 - Cifs 35 - AwsS3 37 - Snowflake

name
required
string

The display name of the application.

description
string or null

A brief description of the application and its purpose.

Array of objects or null (Int64StringKeyValuePair)

A list of tags to categorize or identify the application.

identityCollectorId
integer or null <int64>

The unique identifier for the identity collector associated with this application.

adIdentityCollectorId
integer or null <int64>

The unique identifier for the AD identity collector.

nisIdentityCollectorId
integer or null <int64>

The unique identifier for the NIS identity collector.

object (ApplicationCrawlerSettings)
object (PermissionCollectorSettings)
object (DataClassificationSettings)

Extend with additional data classification configuration properties as needed.

object (ActivityConfigurationSettings)

Inherits base settings for activity configuration.

executeNow
boolean
Default: false

If true, the application setup will be executed immediately after creation.

Responses

Request samples

Content type
application/json
{
  • "applicationType": 9,
  • "name": "HR File Server",
  • "description": "Stores HR documents and employee records.",
  • "tags": [
    ],
  • "identityCollectorId": 123456789,
  • "adIdentityCollectorId": 987654321,
  • "nisIdentityCollectorId": 192837465,
  • "applicationCrawlerSettings": {
    },
  • "permissionCollectorSettings": {
    },
  • "dataClassificationSettings": {
    },
  • "activityConfigurationSettings": {
    },
  • "executeNow": false
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Delete an application by identifier.

This endpoint deletes an application from Data Access Security by its unique identifier.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 12345

The unique identifier of the application to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Retrieve application details by identifier.

This endpoint retrieves the details of a specific application in Data Access Security by its unique identifier.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
integer <int64>
Example: 12345

The unique identifier of the application to retrieve.

Responses

Response samples

Content type
application/json
{
  • "id": 12345,
  • "name": "HR File Server",
  • "description": "Stores HR documents and employee records.",
  • "type": "OneDriveForBusiness",
  • "tags": [
    ],
  • "testConnectionStatus": "Success",
  • "testConnectionDate": 1700000000000,
  • "rcClusterId": "459B5ABB-47BE-4069-8DB1-D6A8BE3F4D47",
  • "dcClusterId": "B28B4B37-9E47-426B-BAFD-A1FF048B4DAC",
  • "pcClusterId": "E1304AA9-D8FA-4574-A5CD-B59A6D8CB918"
}

Retrieve owners per application.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
appId
required
integer <int64>
Example: 2001

The unique identifier of the application for which to retrieve owners.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Not applicable for this endpoint. Do not use.

offset
integer <int32> >= 0
Default: 0

Not applicable for this endpoint. Do not use.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List owners for resource.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
resourceId
required
integer <int64>
Example: 101

Unique identifier for the resource.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Not applicable for this endpoint. Do not use.

offset
integer <int32> >= 0
Default: 0

Not applicable for this endpoint. Do not use.

Responses

Response samples

Content type
application/json
[
  • "a3f1c2d4-5678-4e9b-8c2d-123456789abc",
  • "b4e2d3c5-6789-4f0a-9d3e-234567890bcd"
]

List resources for owner.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
ownerIdentityId
required
string <uuid>
Example: a3f1c2d4-5678-4e9b-8c2d-123456789abc

Unique identifier for the owner. This should be a UUID representing the owner's identity.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Not applicable for this endpoint. Do not use.

offset
integer <int32> >= 0
Default: 0

Not applicable for this endpoint. Do not use.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Assign owner to application resource.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
appId
integer <int64>

The unique identifier of the application containing the resource.

fullPath
string or null

The full path to the resource within the application (e.g., file path or object path).

identityId
string <uuid>

The unique identifier (UUID) of the identity to be assigned as the resource owner.

Responses

Request samples

Content type
application/json
{
  • "appId": 12345,
  • "fullPath": "/shared/hr/documents/employee-records.pdf",
  • "identityId": "d290f1ee-6c54-4b01-90e6-d701748f0851"
}

Response samples

Content type
application/json
0
0

Reassign resource owner.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceIdentityId
required
string <uuid>
Example: a3f1c2d4-5678-4e9b-8c2d-123456789abc

Unique identifier for the source owner. This should be a UUID representing the identity to reassign from.

destinationIdentityId
required
string <uuid>
Example: b4e2d3c5-6789-4f0a-9d3e-234567890bcd

Unique identifier for the destination owner. This should be a UUID representing the identity to reassign to.

Responses

Response samples

Content type
application/json
1

Re-elect resource owner.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

The request body must contain details for re-electing a resource owner. Date/time fields should use epoch format in seconds.

ownerId
string <uuid>

The UUID of the identity proposed to be re-elected as the resource owner.

campaignName
string or null

The name of the campaign or election process for re-electing the owner.

reviewers
Array of strings or null <uuid>

A list of UUIDs representing the identities of reviewers participating in the re-election process.

Responses

Request samples

Content type
application/json
{
  • "ownerId": "c1a2b3d4-e5f6-7890-abcd-1234567890ab",
  • "campaignName": "Annual Resource Owner Election",
  • "reviewers": [
    ]
}

Response samples

Content type
application/json
1

Data Segmentation

This service is responsible for creating segments that will determine how access is delegated to identities withing the organization.

Get segmentmembership by identity id

This API returns the segment membership specified by the given identity ID.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The identity ID to retrieve the segments they are in.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Is segmentation enabled by identity

This API returns whether or not segmentation is enabled for the identity.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The identity ID to retrieve if segmentation is enabled for the identity.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
true

Get segment by id

This API returns the segment specified by the given ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The segment ID to retrieve.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "segment-xyz",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This segment represents xyz",
  • "scopes": [
    ],
  • "memberSelection": [
    ],
  • "memberFilter": {
    },
  • "membership": "ALL",
  • "enabled": true,
  • "published": true
}

Publish segment by id

This will publish the segment so that it starts applying the segmentation to the desired users if enabled

Authorizations:
Personal Access Token
query Parameters
publishAll
boolean
Default: true
Example: publishAll=true

This flag decides whether you want to publish all unpublished or a list of specific segment ids

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

A list of segment ids that you wish to publish

Array
string

Responses

Request samples

Content type
application/json
[
  • "string"
]

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update segment

Use this API to update segment fields by using the JSON Patch standard.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The segment ID to modify.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json

A list of segment update operations according to the JSON Patch standard.

The following fields are patchable:

  • name
  • description
  • membership
  • memberFilter
  • memberSelection
  • scopes
  • enabled
Array
object

Responses

Request samples

Content type
application/json-patch+json

Set the member filter

[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "segment-xyz",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This segment represents xyz",
  • "scopes": [
    ],
  • "memberSelection": [
    ],
  • "memberFilter": {
    },
  • "membership": "ALL",
  • "enabled": true,
  • "published": true
}

Delete segment by id

This API deletes the segment specified by the given ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The segment ID to delete.

query Parameters
published
boolean
Default: false

This determines which version of the segment to delete

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get segments

This API returns the segment specified by the given ID.

Authorizations:
Personal Access Token
query Parameters
enabled
boolean
Default: true
Example: enabled=true

This boolean indicates whether the segment is currently active. Inactive segments have no effect.

unique
boolean
Default: false

This returns only one record if set to true and that would be the published record if exists.

published
boolean
Default: true
Example: published=true

This boolean indicates whether the segment is being applied to the accounts. If unpublished its being actively modified until published

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name eq ""

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in, sw

name: eq, in, sw

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create segment

This API creates a segment.

Note: Segment definitions may take time to propagate to all identities.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
string (SegmentId)

The segment's ID.

name
string

The segment's business name.

created
string <date-time>

The time when the segment is created.

modified
string <date-time>

The time when the segment is modified.

description
string

The segment's optional description.

Array of objects (Scopes)

List of Scopes that are assigned to the segment

Array of objects (Selection)

List of Identities that are assigned to the segment

object (Visibility Criteria)
membership
string (MembershipType)
Enum: "ALL" "FILTER" "SELECTION"

An enumeration of the types of membership choices

enabled
boolean (enabled)
Default: false

This boolean indicates whether the segment is currently active. Inactive segments have no effect.

published
boolean (published)
Default: false

This boolean indicates whether the segment is being applied to the accounts. If unpublished its being actively modified to until published

Responses

Request samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "segment-xyz",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This segment represents xyz",
  • "scopes": [
    ],
  • "memberSelection": [
    ],
  • "memberFilter": {
    },
  • "membership": "ALL",
  • "enabled": true,
  • "published": true
}

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "segment-xyz",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This segment represents xyz",
  • "scopes": [
    ],
  • "memberSelection": [
    ],
  • "memberFilter": {
    },
  • "membership": "ALL",
  • "enabled": true,
  • "published": true
}

Declassify Source

Declassify source's all accounts

Use this API to declassify all the accounts from a source. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Dimensions

Use this API to implement and customize dynamic role functionality. With this functionality in place, administrators can create dimensions and configure them for use throughout Identity Security Cloud. Identity Security Cloud can use established criteria to automatically assign the dimensions to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks. Entitlements represent the most granular level of access in Identity Security Cloud. Access profiles represent the next level and often group entitlements. Dimension represent access selectively based on the evaluation of contextual information that is available or provided. Each Dimension include context attributes and access selection expressions which map criteria to access right assignments. Each dimension can contain up to 5 context attributes. Dynamic Access Roles represent the broadest level of access and often group access profiles ,entitlements and dimensions.Each Dynamic Access Role may contain one or more Dimensions.

List dimensions

This API returns a list of dimensions under a specified role.

A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access Token
path Parameters
roleId
required
string
Example: 6603fba3004f43c687610a29195252ce

Parent Role Id of the dimension.

query Parameters
for-subadmin
string
Example: for-subadmin=5168015d32f890ca15812c9180835d2e

If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN Identity. The value of the parameter is either an Identity ID, or the special value me, which is shorthand for the calling Identity's ID. A 400 Bad Request error is returned if the for-subadmin parameter is specified for an Identity that is not a subadmin.

limit
integer <int32> [ 0 .. 50 ]
Default: 50
Example: limit=50

Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq '2c918086749d78830174a1a40e121518'

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

created: gt, lt, ge, le

modified: gt, lt, ge, le

owner.id: eq, in

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create a dimension

This API creates a dimension. You must have a token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority to call this API. Additionally, a ROLE_SUBADMIN cannot create a dimension that includes an access profile or entitlement if that access profile or entitlement is linked to a source that the ROLE_SUBADMIN is not associated with. The maximum supported length for the description field is 2000 characters.

Authorizations:
Personal Access Token
path Parameters
roleId
required
string
Example: 6603fba3004f43c687610a29195252ce

Parent Role Id of the dimension.

Request Body schema: application/json
id
string

The id of the Dimension. This field must be left null when creating a dimension, otherwise a 400 Bad Request error will result.

name
required
string <= 128 characters

The human-readable display name of the Dimension

description
string or null

A human-readable description of the Dimension

required
object or null (OwnerReference)

Owner of the object.

Array of objects or null (AccessProfileRef)
Array of objects (EntitlementRef)
object or null (DimensionMembershipSelector)

When present, specifies that the Dimension is to be granted to Identities which either satisfy specific criteria.

parentId
string or null

The ID of the parent role. This field can be left null when creating a dimension, but if provided, it must match the role ID specified in the path variable of the API call.

Responses

Request samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Dimension 2567",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "parentId": "2c918086749d78830174a1a40e121518"
}

Response samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Dimension 2567",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "parentId": "2c918086749d78830174a1a40e121518"
}

Get a dimension under role.

This API returns a Dimension by its ID.

A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a token with ROLE_SUBADMIN authority may only call this API if all Access Profiles or Entitlements included in the Dimension or Parent Role are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.

Authorizations:
Personal Access Token
path Parameters
roleId
required
string
Example: 6603fba3004f43c687610a29195252ce

Parent Role Id of the dimension.

dimensionId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Id of the Dimension

Responses

Response samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Dimension 2567",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "parentId": "2c918086749d78830174a1a40e121518"
}

Patch a specified dimension

This API updates an existing dimension using JSON Patch syntax. The following fields are patchable: name description owner accessProfiles entitlements membership A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a token with ROLE_SUBADMIN authority may only call this API if all access profiles/entitlements included in the dimension are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member. The maximum supported length for the description field is 2000 characters. When you use this API to modify a dimension's membership identities, you can only modify up to a limit of 500 membership identities at a time.

Authorizations:
Personal Access Token
path Parameters
roleId
required
string
Example: 6603fba3004f43c687610a29195252ce

Parent Role Id of the dimension.

dimensionId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Id of the Dimension

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
Example

This example shows how multiple fields may be updated with a single patch call.

[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Dimension 2567",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "parentId": "2c918086749d78830174a1a40e121518"
}

Delete a dimension

This API deletes a Dimension by its ID. A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a token with ROLE_SUBADMIN authority may only call this API if all Access Profiles/Entitlements included in the Dimension are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.

Authorizations:
Personal Access Token
path Parameters
roleId
required
string
Example: 6603fba3004f43c687610a29195252ce

Parent Role Id of the dimension.

dimensionId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Id of the Dimension

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Delete dimension(s)

This endpoint initiates a bulk deletion of one or more dimensions. When the request is successful, the endpoint returns the bulk delete's task result ID. To follow the task, you can use Get Task Status by ID, which will return the task result's status and information. This endpoint can only bulk delete up to a limit of 50 roles per request. A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this endpoint. In addition, a token with ROLE_SUBADMIN authority can only call this endpoint if all dimensions included in the request are associated with sources with management workgroups the ROLE_SUBADMIN is a member of.

Authorizations:
Personal Access Token
path Parameters
roleId
required
string
Example: 6603fba3004f43c687610a29195252ce

Parent Role Id of the dimensions.

Request Body schema: application/json
dimensionIds
required
Array of strings

List of IDs of Dimensions to be deleted.

Responses

Request samples

Content type
application/json
{
  • "dimensionIds": [
    ]
}

Response samples

Content type
application/json
{
  • "type": "TASK_RESULT",
  • "id": "464ae7bf791e49fdb74606a2e4a89635",
  • "name": null
}

List dimension's access profiles

This API lists the Access Profiles associated with a given Dimension

A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a token with ROLE_SUBADMIN authority may only call this API if all Access Profiles included in the Role are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.

Authorizations:
Personal Access Token
path Parameters
roleId
required
string
Example: 6603fba3004f43c687610a29195252ce

Parent Role Id of the dimension.

dimensionId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Id of the Dimension

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=source.id eq "2c91808982f979270182f99e386d00fa"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

created: gt, lt, ge, le

modified: gt, lt, ge, le

owner.id: eq, in

source.id: eq, in

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List dimension's entitlements

This API lists the Entitlements associated with a given dimension.

A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access Token
path Parameters
roleId
required
string
Example: 6603fba3004f43c687610a29195252ce

Parent Role Id of the dimension.

dimensionId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Id of the Dimension

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=attribute eq "memberOf"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

attribute: eq, sw

value: eq, sw

created: gt, lt, ge, le

modified: gt, lt, ge, le

owner.id: eq, in

source.id: eq, in

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, attribute, value, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Discovered Applications

Use this API to retrieve all the available discovered apps for a given tenant id.

Entitlements

Use this API to implement and customize entitlement functionality. With this functionality in place, administrators can view entitlements and configure them for use throughout Identity Security Cloud in certifications, access profiles, and roles. Administrators in Identity Security Cloud can then grant users access to the entitlements or configure them so users themselves can request access to the entitlements whenever they need them. With a good approval process, this entitlement functionality allows users to gain the specific access they need on sources quickly and securely.

Entitlements represent access rights on sources. Entitlements are the most granular form of access in Identity Security Cloud. Entitlements are often grouped into access profiles, and access profiles themselves are often grouped into roles, the broadest form of access in Identity Security Cloud.

For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.

An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.

An administrator can then create an even broader set of access in the form of a role grouping the 'AD Developers' access profile with another profile, 'GitHub Developers,' grouping entitlements for the GitHub source.

When users only need Active Directory employee access, they can request access to the 'Employees' entitlement.

When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.

When users need both the 'AD Developers' access profile and the 'GitHub Developers' access profile, they can request access to the role grouping both.

Administrators often use roles and access profiles within those roles to manage access so that users can gain access more quickly, but the hierarchy of access all starts with entitlements.

Anywhere entitlements appear, you can select them to find more information about the following:

  • Cloud Access Details: These provide details about the cloud access entitlements on cloud-enabled sources.

  • Permissions: Permissions represent individual units of read/write/admin access to a system.

  • Relationships: These list each entitlement's parent and child relationships.

  • Type: This is the entitlement's type. Some sources support multiple types, each with a different attribute schema.

Identity Security Cloud uses entitlements in many features, including the following:

  • Certifications: Entitlements can be revoked from an identity that no longer needs them.

  • Roles: Roles can group access profiles which themselves group entitlements. You can grant and revoke access on a broad level with roles. Role membership criteria can grant roles to identities based on whether they have certain entitlements or attributes.

  • Access Profiles: Access profiles group entitlements. They are the most important units of access in Identity Security Cloud. Identity Security Cloud uses them in provisioning, certifications, and access requests, and administrators can configure them to grant very broad or very granular access.

You cannot delete entitlements directly from Identity Security Cloud. Entitlements are deleted based on their inclusion in aggregations.

Refer to Deleting Entitlements more information about deleting entitlements.

Refer to Entitlements for more information about entitlements.

Gets a list of entitlements.

This API returns a list of entitlements.

This API can be used in one of the two following ways: either getting entitlements for a specific account-id, or getting via use of filters (those two options are exclusive).

Any authenticated token can call this API.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
account-id
string
Example: account-id=ef38f94347e94562b5bb8424a56397d8

The account ID. If specified, returns only entitlements associated with the given Account. Cannot be specified with the filters, segmented-for-identity, for-segment-ids, or include-unsegmented param(s).

segmented-for-identity
string
Example: segmented-for-identity=e554098913544630b5985e9042f5e44b

If present and not empty, additionally filters Entitlements to those which are assigned to the Segment(s) which are visible to the Identity with the specified ID. Cannot be specified with the account-id or for-segment-ids param(s). It is also illegal to specify a value that refers to a different user's Identity.

for-segment-ids
string <comma-separated>
Example: for-segment-ids=041727d4-7d95-4779-b891-93cf41e98249,a378c9fa-bae5-494c-804e-a1e30f69f649

If present and not empty, additionally filters Access Profiles to those which are assigned to the Segment(s) with the specified IDs. Cannot be specified with the account-id or segmented-for-identity param(s).

include-unsegmented
boolean
Default: true
Example: include-unsegmented=true

Whether or not the response list should contain unsegmented Entitlements. If for-segment-ids and segmented-for-identity are both absent or empty, specifying include-unsegmented=false results in an error.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified, type, attribute, value, source.id, requestable

filters
string
Example: filters=attribute eq "memberOf"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, sw

type: eq, in

attribute: eq, in

value: eq, in, sw

source.id: eq, in

requestable: eq

created: gt, lt, ge, le

modified: gt, lt, ge, le

owner.id: eq, in

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get an entitlement

This API returns an entitlement by its ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808874ff91550175097daaec161c

The entitlement ID

Responses

Response samples

Content type
application/json
{
  • "sourceSchemaObjectType": "group",
  • "attribute": "memberOf",
  • "attributes": {
    },
  • "value": "CN=LauncherTest1,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local",
  • "description": "some description",
  • "privileged": false,
  • "cloudGoverned": false,
  • "source": {
    },
  • "owner": {
    },
  • "segments": [
    ],
  • "manuallyUpdatedFields": {
    },
  • "id": "2c91808c74ff913f0175097daa9d59cd",
  • "name": "LauncherTest1",
  • "created": "2020-10-08T18:33:52.029Z",
  • "modified": "2021-01-19T16:53:35.707Z"
}

Patch an entitlement

This API updates an existing entitlement using JSON Patch syntax.

The following fields are patchable: requestable, privileged, segments, owner, name, description, and manuallyUpdatedFields

When you're patching owner, only owner type and owner id must be provided. Owner name is optional, and it won't be modified. If the owner name is provided, it should correspond to the real name. The only owner type currently supported is IDENTITY.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the entitlement to patch

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
Example

This example shows how multiple fields may be updated with a single patch call.

[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c91808874ff91550175097daaec161c",
  • "name": "PayrollControls",
  • "attribute": "memberOf",
  • "value": "CN=PayrollControls,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
  • "sourceSchemaObjectType": "group",
  • "description": "Grants the ability to access and manage payroll-related controls and settings within the Corporate Active Directory system.",
  • "privileged": true,
  • "cloudGoverned": true,
  • "requestable": true,
  • "owner": {
    },
  • "additionalOwners": [
    ],
  • "manuallyUpdatedFields": {
    },
  • "accessModelMetadata": {
    },
  • "created": "2020-10-08T18:33:52.029Z",
  • "modified": "2020-10-08T18:33:52.029Z",
  • "source": {
    },
  • "attributes": {
    },
  • "segments": [
    ],
  • "directPermissions": [
    ]
}

List of entitlements parents

This API returns a list of all parent entitlements of a given entitlement.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808c74ff913f0175097daa9d59cd

Entitlement Id

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified, type, attribute, value, source.id

filters
string
Example: filters=attribute eq "memberOf"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, sw

type: eq, in

attribute: eq, in

value: eq, in, sw

source.id: eq, in

requestable: eq

created: gt, lt, ge, le

modified: gt, lt, ge, le

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List of entitlements children

This API returns a list of all child entitlements of a given entitlement.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808874ff91550175097daaec161c

Entitlement Id

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified, type, attribute, value, source.id

filters
string
Example: filters=attribute eq "memberOf"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, sw

type: eq, in

attribute: eq, in

value: eq, in, sw

source.id: eq, in

requestable: eq

created: gt, lt, ge, le

modified: gt, lt, ge, le

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Bulk update an entitlement list

This API applies an update to every entitlement of the list.

The number of entitlements to update is limited to 50 items maximum.

The JsonPatch update follows the JSON Patch standard. examples of allowed operations : **{ "op": "replace", "path": "/privileged", "value": boolean }** **{ "op": "replace", "path": "/requestable","value": boolean }**

A token with ORG_ADMIN or API authority is required to call this API.

Authorizations:
Personal Access Token
Request Body schema: application/json
entitlementIds
required
Array of strings <= 50 items

List of entitlement ids to update

required
Array of objects (Json Patch Operation)

Responses

Request samples

Content type
application/json
{
  • "entitlementIds": [
    ],
  • "jsonPatch": [
    ]
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get entitlement request config

This API returns the entitlement request config for a specified entitlement.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808874ff91550175097daaec161c

Entitlement Id

Responses

Response samples

Content type
application/json
{
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    }
}

Replace entitlement request config

This API replaces the entitlement request config for a specified entitlement.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

Entitlement ID

Request Body schema: application/json
object (Entitlement Access Request Config)
object (Entitlement Revocation Request Config)

Responses

Request samples

Content type
application/json
{
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    }
}

Response samples

Content type
application/json
{
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    }
}

Reset source entitlements

Remove all entitlements from a specific source. To reload the accounts along with the entitlements you removed, you must run an unoptimized aggregation. To do so, use Account Aggregation with disableOptimization = true.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121919ecca

ID of source for the entitlement reset

Responses

Response samples

Content type
application/json
{
  • "type": "TASK_RESULT",
  • "id": "2c91808568c529c60168cca6f90c1313",
  • "name": "Entitlement Source Reset"
}

Add metadata to an entitlement.

Add single Access Model Metadata to an entitlement.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808c74ff913f0175097daa9d59cd

The entitlement id.

attributeKey
required
string
Example: iscPrivacy

Technical name of the Attribute.

attributeValue
required
string
Example: public

Technical name of the Attribute Value.

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808874ff91550175097daaec161c",
  • "name": "PayrollControls",
  • "attribute": "memberOf",
  • "value": "CN=PayrollControls,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
  • "sourceSchemaObjectType": "group",
  • "description": "Grants the ability to access and manage payroll-related controls and settings within the Corporate Active Directory system.",
  • "privileged": true,
  • "cloudGoverned": true,
  • "requestable": true,
  • "owner": {
    },
  • "additionalOwners": [
    ],
  • "manuallyUpdatedFields": {
    },
  • "accessModelMetadata": {
    },
  • "created": "2020-10-08T18:33:52.029Z",
  • "modified": "2020-10-08T18:33:52.029Z",
  • "source": {
    },
  • "attributes": {
    },
  • "segments": [
    ],
  • "directPermissions": [
    ]
}

Remove metadata from an entitlement.

Remove single Access Model Metadata from an entitlement.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808c74ff913f0175097daa9d59cd

The entitlement id.

attributeKey
required
string
Example: iscPrivacy

Technical name of the Attribute.

attributeValue
required
string
Example: public

Technical name of the Attribute Value.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Aggregate entitlements Deprecated

Starts an entitlement aggregation on the specified source. Though this endpoint has been deprecated, you can find its Beta equivalent here.

If the target source is a direct connection, then the request body must be empty. You will also need to make sure the Content-Type header is not set. If you set the Content-Type header without specifying a body, then you will receive a 500 error.

If the target source is a delimited file source, then the CSV file needs to be included in the request body. You will also need to set the Content-Type header to multipart/form-data.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source Id

Request Body schema: multipart/form-data
csvFile
string <binary>

The CSV file containing the source entitlements to aggregate.

Responses

Response samples

Content type
application/json
{
  • "id": "ef38f94347e94562b5bb8424a56397d8",
  • "type": "QUARTZ",
  • "uniqueName": "Cloud Group Aggregation",
  • "description": "Aggregate from the specified application",
  • "launcher": "John Doe",
  • "created": "2020-07-11T21:23:15.000Z",
  • "returns": [
    ]
}

Global Tenant Security Settings

Use this API to implement and customize global tenant security settings. With this functionality in place, administrators can manage the global security settings that a tenant/org has. This API can be used to configure the networks and Geographies allowed to access Identity Security Cloud URLs.

Get security network configuration.

This API returns the details of an org's network auth configuration.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
{
  • "range": [
    ],
  • "geolocation": [
    ],
  • "whitelisted": true
}

Create security network configuration.

This API returns the details of an org's network auth configuration. Requires security scope of: 'sp:auth-org:manage'

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Network configuration creation request body. The following constraints ensure the request body conforms to certain logical guidelines, which are:

  1. Each string element in the range array must be a valid ip address or ip subnet mask.
  2. Each string element in the geolocation array must be 2 characters, and they can only be uppercase letters.
range
Array of strings or null

The collection of ip ranges.

geolocation
Array of strings or null

The collection of country codes.

whitelisted
boolean
Default: false

Denotes whether the provided lists are whitelisted or blacklisted for geo location.

Responses

Request samples

Content type
application/json
{
  • "range": [
    ],
  • "geolocation": [
    ],
  • "whitelisted": true
}

Response samples

Content type
application/json
{
  • "range": [
    ],
  • "geolocation": [
    ],
  • "whitelisted": true
}

Update security network configuration.

This API updates an existing network configuration for an org using PATCH Requires security scope of: 'sp:auth-org:manage'

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json-patch+json

A list of auth org network configuration update operations according to the JSON Patch standard. Ensures that the patched Network Config conforms to certain logical guidelines, which are:

  1. Each string element in the range array must be a valid ip address or ip subnet mask.
  2. Each string element in the geolocation array must be 2 characters, and they can only be uppercase letters.
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "range": [
    ],
  • "geolocation": [
    ],
  • "whitelisted": true
}

Get auth org lockout configuration.

This API returns the details of an org's lockout auth configuration.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
{
  • "maximumAttempts": 5,
  • "lockoutDuration": 15,
  • "lockoutWindow": 5
}

Update auth org lockout configuration

This API updates an existing lockout configuration for an org using PATCH

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json-patch+json

A list of auth org lockout configuration update operations according to the JSON Patch standard. Ensures that the patched Lockout Config conforms to certain logical guidelines, which are: 1. maximumAttempts >= 1 && maximumAttempts <= 15 2. lockoutDuration >= 5 && lockoutDuration <= 60 3. lockoutWindow >= 5 && lockoutDuration <= 60

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "maximumAttempts": 5,
  • "lockoutDuration": 15,
  • "lockoutWindow": 5
}

Get service provider configuration.

This API returns the details of an org's service provider auth configuration.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
{
  • "enabled": true,
  • "bypassIdp": true,
  • "samlConfigurationValid": true,
  • "federationProtocolDetails": [
    ]
}

Update service provider configuration

This API updates an existing service provider configuration for an org using PATCH.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json-patch+json

A list of auth org service provider configuration update operations according to the JSON Patch standard. Note: /federationProtocolDetails/0 is IdpDetails /federationProtocolDetails/1 is SpDetails Ensures that the patched ServiceProviderConfig conforms to certain logical guidelines, which are:

  1. Do not add or remove any elements in the federation protocol details in the service provider configuration.
  2. Do not modify, add, or delete the service provider details element in the federation protocol details.
  3. If this is the first time the patched ServiceProviderConfig enables Remote IDP sign-in, it must also include IDPDetails.
  4. If the patch enables Remote IDP sign in, the entityID in the IDPDetails cannot be null. IDPDetails must include an entityID.
  5. Any JIT configuration update must be valid.

Just in time configuration update must be valid when enabled. This includes:

  • A Source ID
  • Source attribute mappings
  • Source attribute maps have all the required key values (firstName, lastName, email)
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "enabled": true,
  • "bypassIdp": true,
  • "samlConfigurationValid": true,
  • "federationProtocolDetails": [
    ]
}

Get auth org session configuration.

This API returns the details of an org's session auth configuration.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
{
  • "maxIdleTime": 15,
  • "rememberMe": true,
  • "maxSessionTime": 45
}

Update auth org session configuration

This API updates an existing session configuration for an org using PATCH.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json-patch+json

A list of auth org session configuration update operations according to the JSON Patch standard.

Ensures that the patched Session Config conforms to certain logical guidelines, which are: 1. maxSessionTime >= 1 && maxSessionTime <= 10080 (1 week) 2. maxIdleTime >= 1 && maxIdleTime <= 1440 (1 day) 3. maxSessionTime must have a greater duration than maxIdleTime.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "maxIdleTime": 15,
  • "rememberMe": true,
  • "maxSessionTime": 45
}

Governance Groups

Use this API to implement and customize Governance Group functionality. With this functionality in place, administrators can create Governance Groups and configure them for use throughout Identity Security Cloud.

A governance group is a group of users that can make governance decisions about access. If your organization has the Access Request or Certifications service, you can configure governance groups to review access requests or certifications. A governance group can determine whether specific access is appropriate for a user.

Refer to Creating and Managing Governance Groups for more information about how to build Governance Groups in the visual builder in the Identity Security Cloud UI.

List governance groups

This API returns list of Governance Groups

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name sw "Test"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in, sw

name: eq, sw, in

memberships.identityId: eq, in

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified, id, description

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create a new governance group.

This API creates a new Governance Group.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
object (Owner Dto)

Owner's identity.

name
string

Governance group name.

description
string

Governance group description.

created
string <date-time>
modified
string <date-time>

Responses

Request samples

Content type
application/json
{
  • "owner": {
    },
  • "name": "DB Access Governance Group",
  • "description": "Description of the Governance Group",
  • "created": "2022-01-06T19:51:13Z",
  • "modified": "2022-01-06T19:51:13Z"
}

Response samples

Content type
application/json
{
  • "owner": {
    },
  • "id": "2c91808568c529c60168cca6f90c1313",
  • "name": "DB Access Governance Group",
  • "description": "Description of the Governance Group",
  • "memberCount": 1641498673000,
  • "connectionCount": 1641498673000,
  • "created": "2022-01-06T19:51:13Z",
  • "modified": "2022-01-06T19:51:13Z"
}

Get governance group by id

This API returns a Governance Groups by its ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180837ca6693d017ca8d097500149

ID of the Governance Group

Responses

Response samples

Content type
application/json
{
  • "owner": {
    },
  • "id": "2c91808568c529c60168cca6f90c1313",
  • "name": "DB Access Governance Group",
  • "description": "Description of the Governance Group",
  • "memberCount": 1641498673000,
  • "connectionCount": 1641498673000,
  • "created": "2022-01-06T19:51:13Z",
  • "modified": "2022-01-06T19:51:13Z"
}

Delete a governance group

This API deletes a Governance Group by its ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180837ca6693d017ca8d097500149

ID of the Governance Group

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Patch a governance group

This API updates an existing governance group by ID. The following fields and objects are patchable:

  • name
  • description
  • owner
Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180837ca6693d017ca8d097500149

ID of the Governance Group

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json

Replace description of a Governance Group.

[
  • {
    }
]

Response samples

Content type
application/json
{
  • "owner": {
    },
  • "id": "2c91808568c529c60168cca6f90c1313",
  • "name": "DB Access Governance Group",
  • "description": "Description of the Governance Group",
  • "memberCount": 1641498673000,
  • "connectionCount": 1641498673000,
  • "created": "2022-01-06T19:51:13Z",
  • "modified": "2022-01-06T19:51:13Z"
}

Delete governance group(s)

This API initiates a bulk deletion of one or more Governance Groups.

If any of the indicated Governance Groups have one or more connections associated with it,then those Governance Groups will be added in inUse list of the response. Governance Group(s) marked as inUse can not be deleted.

If any of the indicated Governance Groups is not does not exists in Organization,then those Governance Groups will be added in notFound list of the response. Governance Groups marked as notFound will not be deleted.

If any of the indicated Governance Groups does not have any connections associated with it,then those Governance Groups will be added in deleted list of the response. A Governance Group marked as deleted will be deleted from current Organization.

If the request contains any inUse or notFound Governance Group IDs then it skips only these Governance Groups for deletion and deletes the rest of Governance Groups which have no connections associated with it.

This API has limit number of Governance Groups can be deleted at one time. If the request contains more then 100 Governance Groups IDs to be deleted then the API will throw an exception.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
ids
Array of strings

List of IDs of Governance Groups to be deleted.

Responses

Request samples

Content type
application/json
{
  • "ids": [
    ]
}

Response samples

Content type
application/json
[
  • {
    }
]

List connections for governance group

This API returns list of connections associated with a Governance Group.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
workgroupId
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the Governance Group.

query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 50 ]
Default: 50
Example: limit=50

Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List governance group members

This API returns list of members associated with a Governance Group.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
workgroupId
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the Governance Group.

query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 50 ]
Default: 50
Example: limit=50

Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Add members to governance group

This API adds one or more members to a Governance Group. A token with API, ORG_ADMIN authority is required to call this API.

Following field of Identity is an optional field in the request.

name

Authorizations:
Personal Access TokenClient Credentials
path Parameters
workgroupId
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the Governance Group.

Request Body schema: application/json

List of identities to be added to a Governance Group members list.

Array
type
string
Value: "IDENTITY"

Identity's DTO type.

id
string

Identity ID.

name
string

Identity's display name.

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
[
  • {
    }
]

Remove members from governance group

This API removes one or more members from a Governance Group. A

Following field of Identity is an optional field in the request.

name

Authorizations:
Personal Access TokenClient Credentials
path Parameters
workgroupId
required
string
Example: 2c91808a7813090a017814121919ecca

ID of the Governance Group.

Request Body schema: application/json

List of identities to be removed from a Governance Group members list.

Array
type
string
Value: "IDENTITY"

Identity's DTO type.

id
string

Identity ID.

name
string

Identity's display name.

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
[
  • {
    }
]

IAI Access Request Recommendations

Identity access request recommendations

This API returns the access request recommendations for the specified identity. The default identity is me which indicates the current user.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
identity-id
string
Default: "me"
Example: identity-id=2c91808570313110017040b06f344ec9

Get access request recommendations for an identityId. me indicates the current user.

limit
integer <int32> [ 0 .. 15 ]
Default: 15
Example: limit=15

Max number of results to return.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

include-translation-messages
boolean
Default: false

If true it will populate a list of translation messages in the response.

filters
string
Example: filters=access.name co "admin"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

access.name: co

access.type: eq, in

access.description: co, eq, in

sorters
string <comma-separated>
Example: sorters=access.name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: access.name, access.type

By default the recommendations are sorted by highest confidence first.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get access request recommendations config

This API returns the configurations for Access Request Recommender for the tenant.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "scoreThreshold": 0.5,
  • "startDateAttribute": "startDate",
  • "restrictionAttribute": "location",
  • "moverAttribute": "isMover",
  • "joinerAttribute": "isJoiner",
  • "useRestrictionAttribute": true
}

Update access request recommendations config

This API updates the configurations for Access Request Recommender for the tenant.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

The desired configurations for Access Request Recommender for the tenant.

scoreThreshold
required
number <float>

The value that internal calculations need to exceed for recommendations to be made.

startDateAttribute
string

Use to map an attribute name for determining identities' start date.

restrictionAttribute
string

Use to only give recommendations based on this attribute.

moverAttribute
string

Use to map an attribute name for determining whether identities are movers.

joinerAttribute
string

Use to map an attribute name for determining whether identities are joiners.

useRestrictionAttribute
boolean
Default: false

Use only the attribute named in restrictionAttribute to make recommendations.

Responses

Request samples

Content type
application/json
{
  • "scoreThreshold": 0.5,
  • "startDateAttribute": "startDate",
  • "restrictionAttribute": "location",
  • "moverAttribute": "isMover",
  • "joinerAttribute": "isJoiner",
  • "useRestrictionAttribute": true
}

Response samples

Content type
application/json
{
  • "scoreThreshold": 0.5,
  • "startDateAttribute": "startDate",
  • "restrictionAttribute": "location",
  • "moverAttribute": "isMover",
  • "joinerAttribute": "isJoiner",
  • "useRestrictionAttribute": true
}

Ignore access request recommendation

This API ignores a recommended access request item. Once an item is ignored, it will be marked as ignored=true if it is still a recommended item. The consumer can decide to hide ignored recommendations.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

The recommended access item to ignore for an identity.

identityId
required
string <UUID>

The identity ID taking the action.

required
object (Access Request Recommendation Item)

Responses

Request samples

Content type
application/json
{
  • "identityId": "2c91808570313110017040b06f344ec9",
  • "access": {
    }
}

Response samples

Content type
application/json
{
  • "identityId": "2c91808570313110017040b06f344ec9",
  • "access": {
    },
  • "timestamp": "2017-07-11T18:45:37.098Z"
}

List ignored access request recommendations

This API returns the list of ignored access request recommendations.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=identityId eq "2c9180846b0a0583016b299f210c1314"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

access.id: eq, in

access.type: eq, in

identityId: eq, in

sorters
string <comma-separated>
Example: sorters=access.id

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: access.id, access.type, identityId, timestamp

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Accept access request recommendation

This API consumes a notification that a recommended access request item was requested. This API does not actually make the request, it is just a notification. This will help provide feedback in order to improve our recommendations.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

The recommended access item that was requested for an identity.

identityId
required
string <UUID>

The identity ID taking the action.

required
object (Access Request Recommendation Item)

Responses

Request samples

Content type
application/json
{
  • "identityId": "2c91808570313110017040b06f344ec9",
  • "access": {
    }
}

Response samples

Content type
application/json
{
  • "identityId": "2c91808570313110017040b06f344ec9",
  • "access": {
    },
  • "timestamp": "2017-07-11T18:45:37.098Z"
}

List accepted access request recommendations

This API returns a list of requested access request recommendations.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=access.id eq "2c9180846b0a0583016b299f210c1314"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

access.id: eq, in

access.type: eq, in

identityId: eq, in

sorters
string <comma-separated>
Example: sorters=access.id

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: access.id, access.type, identityId, timestamp

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Mark viewed access request recommendations

This API consumes a notification that a recommended access request item was viewed. Future recommendations with this item will be marked with viewed=true. This can be useful for the consumer to determine if there are any new/unviewed recommendations.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

The recommended access that was viewed for an identity.

identityId
required
string <UUID>

The identity ID taking the action.

required
object (Access Request Recommendation Item)

Responses

Request samples

Content type
application/json
{
  • "identityId": "2c91808570313110017040b06f344ec9",
  • "access": {
    }
}

Response samples

Content type
application/json
{
  • "identityId": "2c91808570313110017040b06f344ec9",
  • "access": {
    },
  • "timestamp": "2017-07-11T18:45:37.098Z"
}

List viewed access request recommendations

This API returns the list of viewed access request recommendations.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=access.id eq "2c9180846b0a0583016b299f210c1314"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

access.id: eq, in

access.type: eq, in

identityId: eq, in

sorters
string <comma-separated>
Example: sorters=access.id

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: access.id, access.type, identityId, timestamp

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Bulk mark viewed access request recommendations

This API consumes a notification that a set of recommended access request item were viewed. Future recommendations with these items will be marked with viewed=true. This can be useful for the consumer to determine if there are any new/unviewed recommendations.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

The recommended access items that were viewed for an identity.

Array
identityId
required
string <UUID>

The identity ID taking the action.

required
object (Access Request Recommendation Item)

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
[
  • {
    }
]

IAI Common Access

Get a paginated list of common access

This endpoint returns the current common access for a customer. The returned items can be filtered and sorted. Requires authorization scope of iai:access-modeling:read

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=access.type eq "ROLE"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

status: eq, sw

reviewedByUser eq

access.id: eq, sw

access.type: eq

access.name: sw, eq

access.description: sw, eq

sorters
string <comma-separated>
Example: sorters=access.name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: access.name, status

By default the common access items are sorted by name, ascending.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create common access items

This API is used to add roles/access profiles to the list of common access for a customer. Requires authorization scope of iai:access-modeling:create

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
object (Common Access Item Access)
status
string (CommonAccessItemState)
Enum: "CONFIRMED" "DENIED"

State of common access item.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "status": "CONFIRMED"
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "access": {
    },
  • "status": "CONFIRMED",
  • "lastUpdated": "string",
  • "reviewedByUser": true,
  • "lastReviewed": "string",
  • "createdByUser": "string"
}

Bulk update common access status

This submits an update request to the common access application. At this time there are no parameters. Requires authorization scope of iai:access-modeling:update

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

Confirm or deny in bulk the common access ids that are (or aren't) common access

Array
confirmedIds
Array of strings <uuid>

List of confirmed common access ids.

deniedIds
Array of strings <uuid>

List of denied common access ids.

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{ }

IAI Message Catalogs

IAI Outliers

Iai identity outliers summary

This API returns a summary containing the number of identities that customer has, the number of outliers, and the type of outlier.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

type
string
Enum: "LOW_SIMILARITY" "STRUCTURAL"
Example: type=LOW_SIMILARITY

Type of the identity outliers snapshot to filter on

filters
string
Example: filters=snapshotDate ge "2022-02-07T20:13:29.356648026Z"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

snapshotDate: ge, le

sorters
string <comma-separated>
Example: sorters=snapshotDate

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: snapshotDate

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Iai identity outliers latest summary

This API returns a most recent snapshot of each outlier type, each containing the number of identities that customer has, the number of outliers, and the type of outlier.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
type
string
Enum: "LOW_SIMILARITY" "STRUCTURAL"
Example: type=LOW_SIMILARITY

Type of the identity outliers snapshot to filter on

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Iai get identity outliers

This API returns a list of outliers, containing data such as identity ID, outlier type, detection dates, identity attributes, if identity is ignored, and certification information.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

type
string
Enum: "LOW_SIMILARITY" "STRUCTURAL"
Example: type=LOW_SIMILARITY

Type of the identity outliers snapshot to filter on

filters
string
Example: filters=attributes.displayName sw "John" and certStatus eq "false"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

attributes: eq, sw, co, in

firstDetectionDate: ge, le

certStatus: eq

ignored: eq

score: ge, le

sorters
string <comma-separated>
Example: sorters=attributes.displayName,firstDetectionDate,-score

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: firstDetectionDate, attributes, score

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get identity outlier's contibuting features

This API returns a list of contributing feature objects for a single outlier.

The object contains: feature name, feature value type, value, importance, display name (translated text or message key), description (translated text or message key), translation messages object.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
outlierId
required
string
Example: 2c918085842e69ae018432d22ccb212f

The outlier id

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

include-translation-messages
string
Example: include-translation-messages=include-translation-messages=

Whether or not to include translation messages object in returned response

sorters
string <comma-separated>
Example: sorters=importance

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: importance

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Gets a list of access items associated with each identity outlier contributing feature

This API returns a list of the enriched access items associated with each feature filtered by the access item type.

The object contains: accessItemId, display name (translated text or message key), description (translated text or message key), accessType, sourceName, extremelyRare.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
outlierId
required
string
Example: 2c918085842e69ae018432d22ccb212f

The outlier id

contributingFeatureName
required
string
Enum: "radical_entitlement_count" "entitlement_count" "max_jaccard_similarity" "mean_max_bundle_concurrency" "single_entitlement_bundle_count" "peerless_score"
Example: entitlement_count

The name of contributing feature

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

accessType
string
Example: accessType=ENTITLEMENT

The type of access item for the identity outlier contributing feature. If not provided, it returns all.

sorters
string <comma-separated>
Example: sorters=displayName

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: displayName

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Iai identity outliers ignore

This API receives a list of identity IDs in the request, changes the outliers to be ignored.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
Array
string

Responses

Request samples

Content type
application/json
[
  • "897ef96559df40e1baa6bae6b53e7340",
  • "2c918085837fbfb4018384420dac60c3"
]

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Iai identity outliers unignore

This API receives a list of identity IDs in the request, changes the outliers to be un-ignored.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
Array
string

Responses

Request samples

Content type
application/json
[
  • "897ef96559df40e1baa6bae6b53e7340",
  • "2c918085837fbfb4018384420dac60c3"
]

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Iai identity outliers export

This API exports a list of ignored outliers to a CSV as well as list of non-ignored outliers to a CSV. These two CSVs will be zipped and exported.

Columns will include: identityId, type, firstDetectionDate, latestDetectionDate, ignored, & attributes (defined set of identity attributes).

Authorizations:
Personal Access TokenClient Credentials
query Parameters
type
string
Enum: "LOW_SIMILARITY" "STRUCTURAL"
Example: type=LOW_SIMILARITY

Type of the identity outliers snapshot to filter on

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get identity outlier contibuting feature summary

This API returns a summary of a contributing feature for an identity outlier.

The object contains: contributing feature name (translated text or message key), identity outlier display name, feature values, feature definition and explanation (translated text or message key), peer display name and identityId, access item reference, translation messages object.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
outlierFeatureId
required
string
Example: 04654b66-7561-4090-94f9-abee0722a1af

Contributing feature id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "contributingFeatureName": "Rare Access",
  • "identityOutlierDisplayName": "John Smith",
  • "outlierFeatureDisplayValues": [
    ],
  • "featureDefinition": "Identity total number of entitlements",
  • "featureExplanation": "An identity that has too much rare access has a higher change of becoming a security threat due to the unique access they possess",
  • "peerDisplayName": "Mary Jane",
  • "peerIdentityId": "9f9d5d53ad0e48fba7352f6da9f1b8gbg",
  • "accessItemReference": {
    }
}

IAI Peer Group Strategies

Identity outliers list Deprecated

-- Deprecated : See 'IAI Outliers' This API will be used by Identity Governance systems to identify identities that are not included in an organization's peer groups. By default, 250 identities are returned. You can specify between 1 and 1000 number of identities that can be returned.

Authorizations:
Personal Access Token
path Parameters
strategy
required
string
Value: "entitlement"
Example: entitlement

The strategy used to create peer groups. Currently, 'entitlement' is supported.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

IAI Recommendations

Returns recommendation based on object

The getRecommendations API returns recommendations based on the requested object. The recommendations are invoked by IdentityIQ and IdentityNow plug-ins that retrieve recommendations based on the performed calculations.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
Array of objects (Recommendation Request)
excludeInterpretations
boolean
Default: "false"

Exclude interpretations in the response if "true". Return interpretations in the response if this attribute is not specified.

includeTranslationMessages
boolean
Default: "false"

When set to true, the calling system uses the translated messages for the specified language

includeDebugInformation
boolean
Default: "false"

Returns the recommender calculations if set to true

prescribeMode
boolean
Default: "false"

When set to true, uses prescribedRulesRecommenderConfig to get identity attributes and peer group threshold instead of standard config.

Responses

Request samples

Content type
application/json
{
  • "requests": [
    ],
  • "excludeInterpretations": "false",
  • "includeTranslationMessages": "false",
  • "includeDebugInformation": "true",
  • "prescribeMode": "false"
}

Response samples

Content type
application/json
{
  • "response": [
    ]
}

Get certification recommendation config values

Retrieves configuration attributes used by certification recommendations.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "recommenderFeatures": [
    ],
  • "peerGroupPercentageThreshold": 0.5,
  • "runAutoSelectOnce": false,
  • "onlyTuneThreshold": false
}

Update certification recommendation config values

Updates configuration attributes used by certification recommendations.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
recommenderFeatures
Array of strings

List of identity attributes to use for calculating certification recommendations

peerGroupPercentageThreshold
number <float> [ 0 .. 1 ]

The percent value that the recommendation calculation must surpass to produce a YES recommendation

runAutoSelectOnce
boolean
Default: false

If true, rulesRecommenderConfig will be refreshed with new programatically selected attribute and threshold values on the next pipeline run

onlyTuneThreshold
boolean
Default: false

If true, rulesRecommenderConfig will be refreshed with new programatically selected threshold values on the next pipeline run

Responses

Request samples

Content type
application/json
{
  • "recommenderFeatures": [
    ],
  • "peerGroupPercentageThreshold": 0.5,
  • "runAutoSelectOnce": false,
  • "onlyTuneThreshold": false
}

Response samples

Content type
application/json
{
  • "recommenderFeatures": [
    ],
  • "peerGroupPercentageThreshold": 0.5,
  • "runAutoSelectOnce": false,
  • "onlyTuneThreshold": false
}

IAI Role Mining

Create a role mining session

This submits a create role mining session request to the role mining application.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

Role mining session parameters

object (Role Mining Session Scope)
pruneThreshold
integer or null <int32>

The prune threshold to be used or null to calculate prescribedPruneThreshold

prescribedPruneThreshold
integer or null <int32>

The calculated prescribedPruneThreshold

minNumIdentitiesInPotentialRole
integer or null <int32>

Minimum number of identities in a potential role

potentialRoleCount
integer <int32>

Number of potential roles

potentialRolesReadyCount
integer <int32>

Number of potential roles ready

type
string (RoleMiningRoleType)
Enum: "SPECIALIZED" "COMMON"

Role type

emailRecipientId
string or null

The id of the user who will receive an email about the role mining session

identityCount
integer <int32>

Number of identities in the population which meet the search criteria or identity list provided

saved
boolean
Default: false

The session's saved status

name
string or null

The session's saved name

Responses

Request samples

Content type
application/json
{
  • "scope": {
    },
  • "pruneThreshold": 50,
  • "prescribedPruneThreshold": 10,
  • "minNumIdentitiesInPotentialRole": 20,
  • "potentialRoleCount": 0,
  • "potentialRolesReadyCount": 0,
  • "type": "SPECIALIZED",
  • "emailRecipientId": "2c918090761a5aac0176215c46a62d58",
  • "identityCount": 0,
  • "saved": true,
  • "name": "Saved RM Session - 07/10"
}

Response samples

Content type
application/json
{
  • "scope": {
    },
  • "scopingMethod": "AUTO_RM",
  • "minNumIdentitiesInPotentialRole": 20,
  • "pruneThreshold": 70,
  • "prescribedPruneThreshold": 83,
  • "potentialRoleCount": 8,
  • "potentialRolesReadyCount": 4,
  • "status": {
    },
  • "type": "SPECIALIZED",
  • "emailRecipientId": null,
  • "createdBy": null,
  • "identityCount": 0,
  • "saved": false,
  • "name": null,
  • "dataFilePath": null,
  • "id": "602ba738-cf48-499b-a780-7b67b3fc1ecf",
  • "createdDate": "2021-09-08T16:11:05.348Z",
  • "modifiedDate": "2021-09-08T16:11:05.348Z"
}

Retrieves all role mining sessions

Returns all role mining sessions that match the query parameters

Authorizations:
Personal Access TokenClient Credentials
query Parameters
filters
string
Example: filters=saved eq "true" and name sw "RM Session"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

saved: eq

name: eq, sw

sorters
string <comma-separated>
Example: sorters=createdBy,createdDate

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: createdBy, createdDate

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Patch a role mining session

The method updates an existing role mining session using PATCH. Supports op in {"replace"} and changes to pruneThreshold and/or minNumIdentitiesInPotentialRole. The potential roles in this role mining session is then re-calculated.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id to be patched

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json

Replace pruneThreshold and/or minNumIdentitiesInPotentialRole in role mining session. Update saved status or saved name for a role mining session.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{ }

Get a role mining session

The method retrieves a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id to be retrieved.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "scope": {
    },
  • "scopingMethod": "AUTO_RM",
  • "minNumIdentitiesInPotentialRole": 20,
  • "pruneThreshold": 70,
  • "prescribedPruneThreshold": 83,
  • "potentialRoleCount": 8,
  • "potentialRolesReadyCount": 4,
  • "status": {
    },
  • "type": "SPECIALIZED",
  • "emailRecipientId": null,
  • "createdBy": null,
  • "identityCount": 0,
  • "saved": false,
  • "name": null,
  • "dataFilePath": null,
  • "id": "602ba738-cf48-499b-a780-7b67b3fc1ecf",
  • "createdDate": "2021-09-08T16:11:05.348Z",
  • "modifiedDate": "2021-09-08T16:11:05.348Z"
}

Get role mining session status state

This method returns a role mining session status for a customer.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "state": "CREATED"
}

Retrieves all potential role summaries

This method returns the potential role summaries for a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

query Parameters
sorters
string <comma-separated>
Example: sorters=createdDate

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: createdDate

filters
string
Example: filters=(createdByName co "int")and (createdById sw "2c9180907")and (type eq "COMMON")and ((name co "entt")or (saved eq true))

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

createdById: eq, sw, co

createdByName: eq, sw, co

description: sw, co

endDate: le, lt

freshness: eq, ge, gt, le, lt

name: eq, sw, co

quality: eq, ge, gt, le, lt

startDate: ge, gt

saved: eq

type: eq

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieves a specific potential role

This method returns a specific potential role for a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id in a role mining session

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "createdBy": {
    },
  • "density": 75,
  • "description": "Potential Role for Accounting dept",
  • "entitlementCount": 25,
  • "excludedEntitlements": [
    ],
  • "freshness": 75,
  • "identityCount": 25,
  • "identityDistribution": [
    ],
  • "identityIds": [
    ],
  • "identityGroupStatus": "OBTAINED",
  • "name": "Saved Potential Role - 07/10",
  • "potentialRoleRef": {
    },
  • "provisionState": "string",
  • "quality": 100,
  • "roleId": "07a0b4e2-7a76-44fa-bd0b-c64654b66519",
  • "saved": true,
  • "session": {
    },
  • "type": "SPECIALIZED",
  • "id": "e0cc5d7d-bf7f-4f81-b2af-8885b09d9923",
  • "createdDate": "2020-01-01T00:00:00.000Z",
  • "modifiedDate": "2020-01-01T00:00:00.000Z"
}

Update a potential role session

The method updates an existing potential role using.

The following fields can be modified:

  • description

  • name

  • saved

NOTE: All other fields cannot be modified.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The potential role summary id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "remove" "replace"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{ }

Retrieves the applications of a potential role for a role mining session

This method returns the applications of a potential role for a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 62f28d91-7d9f-4d17-be15-666d5b41d77f

A potential role id in a role mining session

query Parameters
filters
string
Example: filters=applicationName sw "test"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

applicationName: sw

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieves the entitlements of a potential role for a role mining session

This method returns the entitlements of a potential role for a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 62f28d91-7d9f-4d17-be15-666d5b41d77f

A potential role id in a role mining session

query Parameters
filters
string
Example: filters=entitlementRef.name sw "test"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

entitlementRef.name: sw

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieves entitlements for a potential role in a role mining session

This method returns entitlements for a potential role in a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id in a role mining session

query Parameters
includeCommonAccess
boolean
Default: true
Example: includeCommonAccess=true

Boolean determining whether common access entitlements will be included or not

sorters
string
Example: sorters=popularity

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: popularity, entitlementName, applicationName

The default sort is popularity in descending order.

filters
string
Example: filters=applicationName sw "AD"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

applicationName: sw

entitlementRef.name: sw

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieves entitlement popularity distribution for a potential role in a role mining session

This method returns entitlement popularity distribution for a potential role in a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id in a role mining session

query Parameters
includeCommonAccess
boolean

Boolean determining whether common access entitlements will be included or not

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "property1": 0,
  • "property2": 0
}

Edit entitlements for a potential role to exclude some entitlements

This endpoint adds or removes entitlements from an exclusion list for a potential role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id in a role mining session

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

Role mining session parameters

ids
Array of strings

The list of entitlement ids to be edited

exclude
boolean

If true, add ids to be exclusion list. If false, remove ids from the exclusion list.

Responses

Request samples

Content type
application/json
{
  • "ids": [
    ],
  • "exclude": true
}

Response samples

Content type
application/json
{
  • "createdBy": {
    },
  • "density": 75,
  • "description": "Potential Role for Accounting dept",
  • "entitlementCount": 25,
  • "excludedEntitlements": [
    ],
  • "freshness": 75,
  • "identityCount": 25,
  • "identityDistribution": [
    ],
  • "identityIds": [
    ],
  • "identityGroupStatus": "OBTAINED",
  • "name": "Saved Potential Role - 07/10",
  • "potentialRoleRef": {
    },
  • "provisionState": "string",
  • "quality": 100,
  • "roleId": "07a0b4e2-7a76-44fa-bd0b-c64654b66519",
  • "saved": true,
  • "session": {
    },
  • "type": "SPECIALIZED",
  • "id": "e0cc5d7d-bf7f-4f81-b2af-8885b09d9923",
  • "createdDate": "2020-01-01T00:00:00.000Z",
  • "modifiedDate": "2020-01-01T00:00:00.000Z"
}

Retrieves identities for a potential role in a role mining session

This method returns identities for a potential role in a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id in a role mining session

query Parameters
sorters
string
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name

filters
string

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: sw

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Export (download) details for a potential role in a role mining session

This endpoint downloads all the information for a potential role in a role mining session. Includes identities and entitlements in the potential role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id in a role mining session

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Asynchronously export details for a potential role in a role mining session and upload to S3

This endpoint uploads all the information for a potential role in a role mining session to S3 as a downloadable zip archive. Includes identities and entitlements in the potential role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 278359a6-04b7-4669-9468-924cf580964a

A potential role id in a role mining session

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
minEntitlementPopularity
integer

The minimum popularity among identities in the role which an entitlement must have to be included in the report

includeCommonAccess
boolean

If false, do not include entitlements that are highly popular among the entire orginization

Responses

Request samples

Content type
application/json
{
  • "minEntitlementPopularity": 0,
  • "includeCommonAccess": true
}

Response samples

Content type
application/json
{
  • "exportId": "0c6cdb76-1227-4aaf-af21-192dbdfbfa04",
  • "status": "QUEUED",
  • "minEntitlementPopularity": 0,
  • "includeCommonAccess": true
}

Retrieve status of a potential role export job

This endpoint retrieves information about the current status of a potential role export.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string <uuid>
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string <uuid>
Example: 278359a6-04b7-4669-9468-924cf580964a

A potential role id in a role mining session

exportId
required
string <uuid>
Example: 4940ffd4-836f-48a3-b2b0-6d498c3fdf40

The id of a previously run export job for this potential role

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "exportId": "0c6cdb76-1227-4aaf-af21-192dbdfbfa04",
  • "status": "QUEUED",
  • "minEntitlementPopularity": 0,
  • "includeCommonAccess": true
}

Export (download) details for a potential role in a role mining session

This endpoint downloads a completed export of information for a potential role in a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string <uuid>
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string <uuid>
Example: 278359a6-04b7-4669-9468-924cf580964a

A potential role id in a role mining session

exportId
required
string <uuid>
Example: 4940ffd4-836f-48a3-b2b0-6d498c3fdf40

The id of a previously run export job for this potential role

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Create request to provision a potential role into an actual role.

This method starts a job to provision a potential role

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id in a role mining session

query Parameters
min-entitlement-popularity
integer [ 0 .. 100 ]
Default: 0

Minimum popularity required for an entitlement to be included in the provisioned role.

include-common-access
boolean
Default: true

Boolean determining whether common access entitlements will be included in the provisioned role.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

Required information to create a new role

roleName
string

Name of the new role being created

roleDescription
string

Short description of the new role being created

ownerId
string

ID of the identity that will own this role

includeIdentities
boolean
Default: false

When true, create access requests for the identities associated with the potential role

directlyAssignedEntitlements
boolean
Default: false

When true, assign entitlements directly to the role; otherwise, create access profiles containing the entitlements

Responses

Request samples

Content type
application/json
{
  • "roleName": "Finance - Accounting",
  • "roleDescription": "General access for accounting department",
  • "ownerId": "2b568c65bc3c4c57a43bd97e3a8e41",
  • "includeIdentities": true,
  • "directlyAssignedEntitlements": false
}

Response samples

Content type
application/json
{
  • "id": "e0cc5d7d-bf7f-4f81-b2af-8885b09d9923",
  • "name": "Potential Role - e0cc5d",
  • "potentialRoleRef": {
    },
  • "identityCount": 25,
  • "entitlementCount": 15,
  • "identityGroupStatus": "OBTAINED",
  • "provisionState": "POTENTIAL",
  • "roleId": "2a4be6fbcf3c4e66b95a0c15ffd591",
  • "density": 90,
  • "freshness": 70,
  • "quality": 80,
  • "type": "SPECIALIZED",
  • "createdBy": {
    },
  • "createdDate": "2019-08-24T14:15:22Z",
  • "saved": true,
  • "description": "string",
  • "session": {
    }
}

Retrieves excluded entitlements for a potential role in a role mining session

This method returns excluded entitlements for a potential role in a role mining session.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id in a role mining session

query Parameters
sorters
string
Example: sorters=populariity

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: popularity

filters
string
Example: filters=applicationName sw "AD"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

applicationName: sw

entitlementRef.name: sw

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieves all potential role summaries

Returns all potential role summaries that match the query parameters

Authorizations:
Personal Access TokenClient Credentials
query Parameters
sorters
string <comma-separated>
Example: sorters=createdDate

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: createdDate, identityCount, entitlementCount, freshness, quality

filters
string
Example: filters=(createdByName co "int") and (createdById sw "2c9180907") and (type eq "COMMON") and ((name co "entt") or (saved eq true))

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

createdById: eq, sw, co

createdByName: eq, sw, co

description: sw, co

endDate: le, lt

freshness: eq, ge, gt, le, lt

name: eq, sw, co, ge, gt, le, lt

quality: eq, ge, gt, le, lt

startDate: ge, gt

saved: eq

type: eq, ge, gt, le, lt

scopingMethod: eq

sessionState: eq

identityAttribute: co

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieves a specific potential role

This method returns a specific potential role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

A potential role id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "createdBy": {
    },
  • "density": 75,
  • "description": "Potential Role for Accounting dept",
  • "entitlementCount": 25,
  • "excludedEntitlements": [
    ],
  • "freshness": 75,
  • "identityCount": 25,
  • "identityDistribution": [
    ],
  • "identityIds": [
    ],
  • "identityGroupStatus": "OBTAINED",
  • "name": "Saved Potential Role - 07/10",
  • "potentialRoleRef": {
    },
  • "provisionState": "string",
  • "quality": 100,
  • "roleId": "07a0b4e2-7a76-44fa-bd0b-c64654b66519",
  • "saved": true,
  • "session": {
    },
  • "type": "SPECIALIZED",
  • "id": "e0cc5d7d-bf7f-4f81-b2af-8885b09d9923",
  • "createdDate": "2020-01-01T00:00:00.000Z",
  • "modifiedDate": "2020-01-01T00:00:00.000Z"
}

Update a potential role

The method updates an existing potential role using.

The following fields can be modified:

  • description

  • name

  • saved

NOTE: All other fields cannot be modified.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sessionId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role mining session id

potentialRoleId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The potential role summary id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "remove" "replace"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{ }

Retrieves all saved potential roles

This method returns all saved potential roles (draft roles).

Authorizations:
Personal Access TokenClient Credentials
query Parameters
sorters
string <comma-separated>
Example: sorters=modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters Sorting is supported for the following fields: modified

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieves potential role source usage

This method returns source usageCount (as number of days in the last 90 days) for each identity in a potential role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
potentialRoleId
required
string
Example: e0cc5d7d-bf7f-4f81-b2af-8885b09d9923

A potential role id

sourceId
required
string
Example: 2c9180877620c1460176267f336a106f

A source id

query Parameters
sorters
string <comma-separated>
Example: sorters=-usageCount

Sort results using the standard syntax described in V3 API Standard Collection Parameters Sorting is supported for the following fields: displayName, email, usageCount

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Icons

Use this API to implement functionality related to object icons (application icons for example). With this functionality in place, administrators can set or remove an icon for specific object type for use throughout Identity Security Cloud.

Update an icon

This API endpoint updates an icon by object type and object id. A token with ORG_ADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
objectType
required
string
Value: "application"
Example: application

Object type. Available options ['application']

objectId
required
string
Example: a291e870-48c3-4953-b656-fb5ce2a93169

Object id.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: multipart/form-data
image
required
string <binary>

file with icon. Allowed mime-types ['image/png', 'image/jpeg']

Responses

Response samples

Content type
application/json
{
  • "icon": ""
}

Delete an icon

This API endpoint delete an icon by object type and object id. A token with ORG_ADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
objectType
required
string
Value: "application"
Example: application

Object type. Available options ['application']

objectId
required
string
Example: a291e870-48c3-4953-b656-fb5ce2a93169

Object id.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Identities

Use this API to implement identity functionality. With this functionality in place, administrators can synchronize an identity's attributes with its various source attributes.

Identity Security Cloud uses identities as users' authoritative accounts. Identities can own other accounts, entitlements, and attributes.

An identity has a variety of attributes, such as an account name, an email address, a job title, and more. These identity attributes can be correlated with different attributes on different sources. For example, the identity John.Smith can own an account in the GitHub source with the account name John-Smith-Org, and Identity Security Cloud knows they are the same person with the same access and attributes.

In Identity Security Cloud, administrators often set up these synchronizations to get triggered automatically with a change or to run on a schedule. To manually synchronize attributes for an identity, administrators can use the Identities drop-down menu and select Identity List to view the list of identities. They can then select the identity they want to manually synchronize and use the hamburger menu to select 'Synchronize Attributes.' Doing so immediately begins the attribute synchronization and analyzes all accounts for the selected identity.

Refer to Synchronizing Attributes for more information about synchronizing attributes.

List identities

This API returns a list of identities.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=id eq "6c9079b270a266a60170a2779fcb0006" or correlated eq false

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

alias: eq, sw

firstname: eq, sw

lastname: eq, sw

email: eq, sw

cloudStatus: eq

processingState: eq

correlated: eq

protected: eq

sorters
string <comma-separated>
Example: sorters=name,-cloudStatus

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, alias, cloudStatus

defaultFilter
string
Default: "CORRELATED_ONLY"
Enum: "CORRELATED_ONLY" "NONE"
Example: defaultFilter=NONE

Adds additional filter to filters query parameter.

CORRELATED_ONLY adds correlated=true and returns only identities that are correlated.

NONE does not add any and returns all identities that satisfy filters query parameter.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Identity details

This API returns a single identity using the Identity ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Identity Id

Responses

Response samples

Content type
application/json
{
  • "id": "01f04e428c484542a241dc89c303b178",
  • "name": "Walter White",
  • "created": "2023-01-03T21:16:22.432Z",
  • "modified": "2023-01-03T21:16:22.432Z",
  • "alias": "walter.white",
  • "emailAddress": "walter.white@example.com",
  • "processingState": "ERROR",
  • "identityStatus": "LOCKED",
  • "managerRef": {
    },
  • "isManager": true,
  • "lastRefresh": "2020-11-22T15:42:31.123Z",
  • "attributes": {
    },
  • "lifecycleState": {
    }
}

Delete identity

The API returns successful response if the requested identity was deleted.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Identity Id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "message": "Identity is the owner of following resources",
  • "associationDetails": {
    }
}

Get ownership details

Use this API to return an identity's owned objects that will cause problems for deleting the identity. Use this API as a checklist of objects that you need to reassign to a different identity before you can delete the identity. For a full list of objects owned by an identity, use the Search API. When you search for identities, the returned identities have a property, owns, that contains a more comprehensive list of identity's owned objects.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: ff8081814d2a8036014d701f3fbf53fa

Identity ID.

Responses

Response samples

Content type
application/json
{
  • "associationDetails": {
    }
}

Reset an identity

Use this endpoint to reset a user's identity if they have forgotten their authentication information like their answers to knowledge-based questions. Resetting an identity de-registers the user and removes any elevated user levels they have.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
identityId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Identity Id

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List role assignments

This returns either a list of Role Assignments when querying with either a Role Id or Role Name, or a list of Role Assignment References if querying with only identity Id.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Identity Id to get the role assignments for

query Parameters
roleId
string
Example: roleId=e7697a1e96d04db1ac7b0f4544915d2c

Role Id to filter the role assignments with

roleName
string
Example: roleName=Engineer

Role name to filter the role assignments with

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Role assignment details

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Identity Id

assignmentId
required
string
Example: 1cbb0705b38c4226b1334eadd8874086

Assignment Id

Responses

Response samples

Content type
application/json
{
  • "id": "1cbb0705b38c4226b1334eadd8874086",
  • "role": {
    },
  • "comments": "I'm a new Engineer and need this role to do my work",
  • "assignmentSource": "UI",
  • "assigner": {
    },
  • "assignedDimensions": [
    ],
  • "assignmentContext": {
    },
  • "accountTargets": [
    ],
  • "startDate": "2026-07-10T18:45:37.098Z",
  • "removeDate": "2026-07-11T18:45:37.098Z",
  • "addedDate": "2025-07-11T18:45:37.098Z"
}

List of entitlements by identity.

The API returns a list of all entitlements assigned to an identity, either directly or through the role or access profile. A token with ORG_ADMIN or API authority is required to call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Identity Id

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

Attribute synchronization for single identity.

This end-point performs attribute synchronization for a selected identity. The endpoint can be called once in 10 seconds per identity.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
identityId
required
string

The Identity id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3dfc",
  • "status": "IN_PROGRESS",
  • "payload": {
    }
}

Invite identities to register

This API submits a task for inviting given identities via email to complete registration. The invitation email will include the link. After selecting the link an identity will be able to set up password and log in into the system. Invitations expire after 7 days. By default invitations send to the work identity email. It can be changed in Admin > Identities > Identity Profiles by selecting corresponding profile and editing Invitation Options.

This task will send an invitation email only for unregistered identities.

The executed task status can be checked by Task Management > Get task status by ID.

Learn more about inviting identities here
Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
ids
Array of strings or null

The list of Identities IDs to invite - required when 'uninvited' is false

uninvited
boolean
Default: false

indicator (optional) to invite all unregistered identities in the system within a limit 1000. This parameter makes sense only when 'ids' is empty.

Responses

Request samples

Content type
application/json
{
  • "ids": [
    ],
  • "uninvited": false
}

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "type": "QUARTZ",
  • "uniqueName": "Big Task",
  • "description": "A Really Big Task",
  • "parentName": "Parent Task",
  • "launcher": "sweep",
  • "target": {
    },
  • "created": "2020-07-11T21:23:15.000Z",
  • "modified": "2020-07-11T21:23:15.000Z",
  • "launched": "2020-07-11T21:23:15.000Z",
  • "completed": "2020-07-11T21:23:15.000Z",
  • "completionStatus": "SUCCESS",
  • "messages": [
    ],
  • "returns": [
    ],
  • "attributes": {
    },
  • "progress": "Started",
  • "percentComplete": 100,
  • "taskDefinitionSummary": {
    }
}

Send password reset email

This API sends an email with the link to start Password Reset. After selecting the link an identity will be able to set up a new password. Emails expire after 2 hours.

Authorizations:
Personal Access Token
path Parameters
id
required
string <uuid>
Example: ef38f94347e94562b5bb8424a56397d8

Identity ID

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
sourceName
string or null

The source name where identity account password should be reset

via
required
string
Enum: "EMAIL_WORK" "EMAIL_PERSONAL" "LINK_WORK" "LINK_PERSONAL"

The method to send notification

Responses

Request samples

Content type
application/json
{
  • "sourceName": "Active Directory Source",
  • "via": "EMAIL_WORK"
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Process a list of identityids

This operation should not be used to schedule your own identity processing or to perform system wide identity refreshes. The system will use a combination of event-based processing and scheduled processing that runs every day at 8:00 AM and 8:00 PM in the tenant's timezone to keep your identities synchronized.

This endpoint will perform the following tasks:

  1. Calculate identity attributes, including applying or running any rules or transforms (e.g. calculate Lifecycle State at a point-in-time it's expected to change).
  2. Evaluate role assignments, leading to assignment of new roles and removal of existing roles.
  3. Enforce provisioning for any assigned accesses that haven't been fulfilled (e.g. failure due to source health).
  4. Recalculate manager relationships.
  5. Potentially clean-up identity processing errors, assuming the error has been resolved.
Learn more about manually processing identities here
Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
identityIds
Array of strings [ 1 .. 250 ] items

List of up to 250 identity IDs to process.

Responses

Request samples

Content type
application/json
{
  • "identityIds": [
    ]
}

Response samples

Content type
application/json
{
  • "type": "TASK_RESULT",
  • "id": "78733556-9ea3-4f59-bf69-e5cd92b011b4",
  • "name": "null"
}

Identity Attributes

List identity attributes

Use this API to get a collection of identity attributes.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
includeSystem
boolean
Default: false

Include 'system' attributes in the response.

includeSilent
boolean
Default: false

Include 'silent' attributes in the response.

searchableOnly
boolean
Default: false

Include only 'searchable' attributes in the response.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create identity attribute

Use this API to create a new identity attribute.

Authorizations:
Personal Access Token
Request Body schema: application/json
name
required
string

Identity attribute's technical name.

displayName
string

Identity attribute's business-friendly name.

standard
boolean
Default: false

Indicates whether the attribute is 'standard' or 'default'.

type
string or null

Identity attribute's type.

multi
boolean
Default: false

Indicates whether the identity attribute is multi-valued.

searchable
boolean
Default: false

Indicates whether the identity attribute is searchable.

system
boolean
Default: false

Indicates whether the identity attribute is 'system', meaning that it doesn't have a source and isn't configurable.

Array of objects (Source-3)

Identity attribute's list of sources - this specifies how the rule's value is derived.

Responses

Request samples

Content type
application/json
{
  • "name": "costCenter",
  • "displayName": "Cost Center",
  • "standard": false,
  • "type": "string",
  • "multi": false,
  • "searchable": false,
  • "system": false,
  • "sources": [
    ]
}

Response samples

Content type
application/json
{
  • "name": "costCenter",
  • "displayName": "Cost Center",
  • "standard": false,
  • "type": "string",
  • "multi": false,
  • "searchable": false,
  • "system": false,
  • "sources": [
    ]
}

Get identity attribute

This gets an identity attribute for a given technical name.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
name
required
string
Example: displayName

The attribute's technical name.

Responses

Response samples

Content type
application/json
{
  • "name": "costCenter",
  • "displayName": "Cost Center",
  • "standard": false,
  • "type": "string",
  • "multi": false,
  • "searchable": false,
  • "system": false,
  • "sources": [
    ]
}

Update identity attribute

This updates an existing identity attribute. Making an attribute searchable requires that the system, standard, and multi properties be set to false.

Authorizations:
Personal Access Token
path Parameters
name
required
string
Example: displayName

The attribute's technical name.

Request Body schema: application/json
name
required
string

Identity attribute's technical name.

displayName
string

Identity attribute's business-friendly name.

standard
boolean
Default: false

Indicates whether the attribute is 'standard' or 'default'.

type
string or null

Identity attribute's type.

multi
boolean
Default: false

Indicates whether the identity attribute is multi-valued.

searchable
boolean
Default: false

Indicates whether the identity attribute is searchable.

system
boolean
Default: false

Indicates whether the identity attribute is 'system', meaning that it doesn't have a source and isn't configurable.

Array of objects (Source-3)

Identity attribute's list of sources - this specifies how the rule's value is derived.

Responses

Request samples

Content type
application/json
{
  • "name": "costCenter",
  • "displayName": "Cost Center",
  • "standard": false,
  • "type": "string",
  • "multi": false,
  • "searchable": false,
  • "system": false,
  • "sources": [
    ]
}

Response samples

Content type
application/json
{
  • "name": "costCenter",
  • "displayName": "Cost Center",
  • "standard": false,
  • "type": "string",
  • "multi": false,
  • "searchable": false,
  • "system": false,
  • "sources": [
    ]
}

Delete identity attribute

This deletes an identity attribute with the given name. The system and standard properties must be set to false before you can delete an identity attribute.

Authorizations:
Personal Access Token
path Parameters
name
required
string
Example: displayName

The attribute's technical name.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Bulk delete identity attributes

Use this API to bulk delete identity attributes for a given set of names. Attributes that are currently mapped in an identity profile cannot be deleted. The system and standard properties must be set to 'false' before you can delete an identity attribute.

Authorizations:
Personal Access Token
Request Body schema: application/json
ids
Array of strings

List of identity attributes' technical names.

Responses

Request samples

Content type
application/json
{
  • "ids": [
    ]
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Identity History

Lists all the identities

This gets the list of identities for the customer. This list end point does not support count=true request param. The total count of identities would never be returned even if the count param is specified in the request Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
query Parameters
starts-with-query
string
Example: starts-with-query=Ada

This param is used for starts-with search for first, last and display name of the identity

is-deleted
boolean
Example: is-deleted=true

Indicates if we want to only list down deleted identities or not.

is-active
boolean
Example: is-active=true

Indicates if we want to only list active or inactive identities.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get latest snapshot of identity

This method retrieves a specified identity Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "bc693f07e7b645539626c25954c58554",
  • "displayName": "Adam Zampa",
  • "snapshot": "2007-03-01T13:00:00.000Z",
  • "deletedDate": "2007-03-01T13:00:00.000Z",
  • "accessItemCount": {
    },
  • "attributes": {
    }
}

List access items by identity

This method retrieves a list of access item for the identity filtered by the access item type

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

query Parameters
type
string
Enum: "account" "entitlement" "app" "accessProfile" "role"
Example: type=account

The type of access item for the identity. If not provided, it defaults to account

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
Example

An access profile response

[
  • {
    }
]

Lists all the snapshots for the identity

This method retrieves all the snapshots for the identity Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

query Parameters
start
string
Example: start=2007-03-01T13:00:00Z

The specified start date

interval
string
Enum: "day" "month"

The interval indicating the range in day or month for the specified interval-name

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Gets the summary for the event count for a specific identity

This method gets the summary for the event count for a specific identity by month/day Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

query Parameters
before
string
Example: before=2007-03-01T13:00:00Z

The date before which snapshot summary is required

interval
string
Enum: "day" "month"

The interval indicating day or month. Defaults to month if not specified

time-zone
string
Example: time-zone=UTC

The time zone. Defaults to UTC if not provided

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Gets an identity snapshot at a given date

This method retrieves a specified identity snapshot at a given date Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

date
required
string
Example: 2007-03-01T13:00:00Z

The specified date

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "bc693f07e7b645539626c25954c58554",
  • "displayName": "Adam Zampa",
  • "snapshot": "2007-03-01T13:00:00.000Z",
  • "deletedDate": "2007-03-01T13:00:00.000Z",
  • "accessItemCount": {
    },
  • "attributes": {
    }
}

Gets the list of identity access items at a given date filterd by item type

This method retrieves the list of identity access items at a given date filterd by item type Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

date
required
string
Example: 2007-03-01T13:00:00Z

The specified date

query Parameters
type
string
Example: type=account

The access item type

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
Example

An access profile response

[
  • {
    }
]

List identity event history

This method retrieves all access events for the identity Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

query Parameters
from
string
Example: from=2024-03-01T13:00:00Z

The optional instant until which access events are returned

eventTypes
Array of strings
Example: eventTypes=AccessAddedEvent&eventTypes=AccessRemovedEvent

An optional list of event types to return. If null or empty, all events are returned

accessItemTypes
Array of strings
Example: accessItemTypes=entitlement&accessItemTypes=account

An optional list of access item types (app, account, entitlement, etc...) to return. If null or empty, all access items types are returned

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
Example

An Access item associated event

[
  • {
    }
]

Gets the start date of the identity

This method retrieves start date of the identity Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
"2017-03-01T13:00:00.000Z"

Gets a difference of count for each access item types for the given identity between 2 snapshots

This method gets a difference of count for each access item types for the given identity between 2 snapshots Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

query Parameters
snapshot1
string
Example: snapshot1=2007-03-01T13:00:00Z

The snapshot 1 of identity

snapshot2
string
Example: snapshot2=2008-03-01T13:00:00Z

The snapshot 2 of identity

accessItemTypes
Array of strings

An optional list of access item types (app, account, entitlement, etc...) to return. If null or empty, all access items types are returned

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Gets a list of differences of specific accesstype for the given identity between 2 snapshots

This method gets a list of differences of specific accessType for the given identity between 2 snapshots Requires authorization scope of 'idn:identity-history:read'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The identity id

accessType
required
string
Enum: "accessProfile" "account" "app" "entitlement" "role"
Example: role

The specific type which needs to be compared

query Parameters
access-associated
boolean
Example: access-associated=2007-03-01T13:00:00Z

Indicates if added or removed access needs to be returned. true - added, false - removed, null - both added & removed

snapshot1
string
Example: snapshot1=2008-03-01T13:00:00Z

The snapshot 1 of identity

snapshot2
string
Example: snapshot2=2009-03-01T13:00:00Z

The snapshot 2 of identity

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Identity Profiles

Use this API to implement identity profile functionality. With this functionality in place, administrators can view identity profiles and their configurations.

Identity profiles represent the configurations that can be applied to identities as a way of granting them a set of security and access, as well as defining the mappings between their identity attributes and their source attributes.

In Identity Security Cloud, administrators can use the Identities drop-down menu and select Identity Profiles to view the list of identity profiles. This list shows some details about each identity profile, along with its status. They can select an identity profile to view its settings, its mappings between identity attributes and correlating source account attributes, and its provisioning settings.

Refer to Creating Identity Profiles for more information about identity profiles.

List identity profiles

Get a list of identity profiles, based on the specified query parameters.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "ef38f94347e94562b5bb8424a56397d8"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, ne, ge, gt, in, le, sw

name: eq, ne, ge, gt, in, le, sw

priority: eq, ne

sorters
string <comma-separated>
Example: sorters=id,name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, priority, created, modified, owner.id, owner.name

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create identity profile

Creates an identity profile.

Authorizations:
Personal Access Token
Request Body schema: application/json
name
required
string or null

Name of the Object

description
string or null

Identity profile's description.

object or null

Identity profile's owner.

priority
integer <int64>

Identity profile's priority.

required
object
identityRefreshRequired
boolean
Default: false

Set this value to 'True' if an identity refresh is necessary. You would typically want to trigger an identity refresh when a change has been made on the source.

identityCount
integer <int32>

Number of identities belonging to the identity profile.

object (Identity Attribute Config)

Defines all the identity attribute mapping configurations. This defines how to generate or collect data for each identity attributes in identity refresh process.

object or null (Identity Exception Report Reference)
hasTimeBasedAttr
boolean
Default: false

Indicates the value of requiresPeriodicRefresh attribute for the identity profile.

Responses

Request samples

Content type
application/json
{
  • "name": "aName",
  • "description": "My custom flat file profile",
  • "owner": {
    },
  • "priority": 10,
  • "authoritativeSource": {
    },
  • "identityRefreshRequired": true,
  • "identityCount": 8,
  • "identityAttributeConfig": {
    },
  • "identityExceptionReportReference": {
    },
  • "hasTimeBasedAttr": true
}

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "description": "My custom flat file profile",
  • "owner": {
    },
  • "priority": 10,
  • "authoritativeSource": {
    },
  • "identityRefreshRequired": true,
  • "identityCount": 8,
  • "identityAttributeConfig": {
    },
  • "identityExceptionReportReference": {
    },
  • "hasTimeBasedAttr": true
}

Delete identity profiles

This deletes multiple Identity Profiles via a list of supplied IDs.

On success, this endpoint will return a reference to the bulk delete task result.

The following rights are required to access this endpoint: idn:identity-profile:delete

Authorizations:
Personal Access Token
Request Body schema: application/json

Identity Profile bulk delete request body.

Array
string

Responses

Request samples

Content type
application/json
[
  • "2c9180867b2a34e0017b3078d60b0699",
  • "2c9180867b2a34e0017b3078d60b0698"
]

Response samples

Content type
application/json
{
  • "id": "ff8081814d977c21014da056804a0af3",
  • "name": "Background Object Terminator c8f030f2-b1a6-4e33-99e8-6935bc18735d",
  • "description": "Generic task for terminating data in the overlay, used by the TerminationService.",
  • "launcher": "support",
  • "completed": "Mon Aug 21 14:57:39 CDT 2023",
  • "launched": "Mon Aug 21 14:55:39 CDT 2023",
  • "completionStatus": "Success"
}

Export identity profiles

This exports existing identity profiles in the format specified by the sp-config service.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "ef38f94347e94562b5bb8424a56397d8"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, ne

name: eq, ne

priority: eq, ne

sorters
string <comma-separated>
Example: sorters=id,name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, priority

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Import identity profiles

This imports previously exported identity profiles.

Authorizations:
Personal Access Token
Request Body schema: application/json

Previously exported Identity Profiles.

Array
version
integer <int32>

Version or object from the target service.

object

Self block for exported object.

object (IdentityProfile-2)

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "infos": [
    ],
  • "warnings": [
    ],
  • "errors": [
    ],
  • "importedObjects": [
    ]
}

Get identity profile

Get a single identity profile by ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
identity-profile-id
required
string <uuid>
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

Identity profile ID.

Responses

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "description": "My custom flat file profile",
  • "owner": {
    },
  • "priority": 10,
  • "authoritativeSource": {
    },
  • "identityRefreshRequired": true,
  • "identityCount": 8,
  • "identityAttributeConfig": {
    },
  • "identityExceptionReportReference": {
    },
  • "hasTimeBasedAttr": true
}

Delete identity profile

Delete an identity profile by ID. On success, this endpoint will return a reference to the bulk delete task result.

Authorizations:
Personal Access Token
path Parameters
identity-profile-id
required
string <uuid>
Example: ef38f94347e94562b5bb8424a56397d8

Identity profile ID.

Responses

Response samples

Content type
application/json
{
  • "id": "ff8081814d977c21014da056804a0af3",
  • "name": "Background Object Terminator c8f030f2-b1a6-4e33-99e8-6935bc18735d",
  • "description": "Generic task for terminating data in the overlay, used by the TerminationService.",
  • "launcher": "support",
  • "completed": "Mon Aug 21 14:57:39 CDT 2023",
  • "launched": "Mon Aug 21 14:55:39 CDT 2023",
  • "completionStatus": "Success"
}

Update identity profile

Update a specified identity profile with this PATCH request.

You cannot update these fields:

  • id
  • created
  • modified
  • identityCount
  • identityRefreshRequired
  • Authoritative Source and Identity Attribute Configuration cannot be modified at the same time.
Authorizations:
Personal Access Token
path Parameters
identity-profile-id
required
string <uuid>
Example: ef38f94347e94562b5bb8424a56397d8

Identity profile ID.

Request Body schema: application/json-patch+json

List of identity profile update operations according to the JSON Patch standard.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "description": "My custom flat file profile",
  • "owner": {
    },
  • "priority": 10,
  • "authoritativeSource": {
    },
  • "identityRefreshRequired": true,
  • "identityCount": 8,
  • "identityAttributeConfig": {
    },
  • "identityExceptionReportReference": {
    },
  • "hasTimeBasedAttr": true
}

Get default identity attribute config

This returns the default identity attribute config.

Authorizations:
Personal Access Token
path Parameters
identity-profile-id
required
string <uuid>
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

The Identity Profile ID.

Responses

Response samples

Content type
application/json
{
  • "enabled": true,
  • "attributeTransforms": [
    ]
}

Process identities under profile

Process identities under the profile This operation should not be used to schedule your own identity processing or to perform system wide identity refreshes. The system will use a combination of event-based processing and scheduled processing that runs every day at 8:00 AM and 8:00 PM in the tenant's timezone to keep your identities synchronized. This should only be run on identity profiles that have the identityRefreshRequired attribute set to true. If identityRefreshRequired is false, then there is no benefit to running this operation. Typically, this operation is performed when a change is made to the identity profile or its related lifecycle states that requires a refresh. This operation will perform the following activities on all identities under the identity profile.

  1. Updates identity attribute according to the identity profile mappings. 2. Determines the identity's correct manager through manager correlation. 3. Updates the identity's access according to their assigned lifecycle state. 4. Updates the identity's access based on role assignment criteria.
Learn more about manually processing identities here
Authorizations:
Personal Access Token
path Parameters
identity-profile-id
required
string <uuid>
Example: ef38f94347e94562b5bb8424a56397d8

The Identity Profile ID to be processed

Responses

Response samples

Content type
application/json
{ }

Generate identity profile preview

This generates a non-persisted IdentityDetails object that will represent as the preview of the identities attribute when the given policy''s attribute config is applied.

Authorizations:
Personal Access Token
Request Body schema: application/json

Identity Preview request body.

identityId
string <uuid>

The Identity id

object (Identity Attribute Config)

Defines all the identity attribute mapping configurations. This defines how to generate or collect data for each identity attributes in identity refresh process.

Responses

Request samples

Content type
application/json
{
  • "identityId": "2c9180857893f12901789445619b0366",
  • "identityAttributeConfig": {
    }
}

Response samples

Content type
application/json
{
  • "identity": {
    },
  • "previewAttributes": [
    ]
}

Lifecycle States

Use this API to implement and customize lifecycle state functionality. With this functionality in place, administrators can create and configure custom lifecycle states for use across their organizations, which is key to controlling which users have access, when they have access, and the access they have.

A lifecycle state describes a user's status in a company. For example, two lifecycle states come by default with Identity Security Cloud: 'Active' and 'Inactive.' When an active employee takes an extended leave of absence from a company, his or her lifecycle state may change to 'Inactive,' for security purposes. The inactive employee would lose access to all the applications, sources, and sensitive data during the leave of absence, but when the employee returns and becomes active again, all that access would be restored. This saves administrators the time that would otherwise be spent provisioning the employee's access to each individual tool, reviewing the employee's certification history, etc.

Administrators can create a variety of custom lifecycle states. Refer to Planning New Lifecycle States for some custom lifecycle state ideas.

Administrators must define the criteria for being in each lifecycle state, and they must define how Identity Security Cloud manages users' access to apps and sources for each lifecycle state.

In Identity Security Cloud, administrators can manage lifecycle states by going to Admin > Identities > Identity Profile, selecting the identity profile whose lifecycle states they want to manage, selecting the 'Provisioning' tab, and using the left panel to either select the lifecycle state they want to modify or create a new lifecycle state.

In the 'Provisioning' tab, administrators can make the following access changes to an identity profile's lifecycle state:

  • Enable/disable the lifecycle state for the identity profile.

  • Enable/disable source accounts for the identity profile's lifecycle state.

  • Add existing access profiles to grant to the identity profiles in that lifecycle state.

  • Create a new access profile to grant to the identity profile in that lifecycle state.

Access profiles granted in a previous lifecycle state are automatically revoked when the identity moves to a new lifecycle state. To maintain access across multiple lifecycle states, administrators must grant the access profiles in each lifecycle state. For example, if an administrator wants users with the 'HR Employee' identity profile to maintain their building access in both the 'Active' and 'Leave of Absence' lifecycle states, the administrator must grant the access profile for that building access to both lifecycle states.

During scheduled refreshes, Identity Security Cloud evaluates lifecycle states to determine whether their assigned identities have the access defined in the lifecycle states' access profiles. If the identities are missing access, Identity Security Cloud provisions that access.

Administrators can also use the 'Provisioning' tab to configure email notifications for Identity Security Cloud to send whenever an identity with that identity profile has a lifecycle state change. Refer to Configuring Lifecycle State Notifications for more information on how to do so.

An identity's lifecycle state can have four different statuses: the lifecycle state's status can be 'Active,' it can be 'Not Set,' it can be 'Not Valid,' or it 'Does Not Match Technical Name Case.' Refer to Moving Identities into Lifecycle States for more information about these different lifecycle state statuses.

Refer to Setting Up Lifecycle States for more information about lifecycle states.

Set lifecycle state

Use this API to set/update an identity's lifecycle state to the one provided and update the corresponding identity profile.

Authorizations:
Personal Access Token
path Parameters
identity-id
required
string
Example: 2c9180857893f1290178944561990364

ID of the identity to update.

Request Body schema: application/json
lifecycleStateId
string

ID of the lifecycle state to set.

Responses

Request samples

Content type
application/json
{
  • "lifecycleStateId": "2c9180877a86e408017a8c19fefe046c"
}

Response samples

Content type
application/json
{
  • "accountActivityId": "2c9180837ab5b716017ab7c6c9ef1e20"
}

Lists lifecyclestates

Use this endpoint to list all lifecycle states by their associated identity profiles.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
identity-profile-id
required
string
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

Identity profile ID.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=created,modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, priority, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create lifecycle state

Use this endpoint to create a lifecycle state.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
identity-profile-id
required
string
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

Identity profile ID.

Request Body schema: application/json

Lifecycle state to be created.

name
required
string or null

Name of the Object

enabled
boolean
Default: false

Indicates whether the lifecycle state is enabled or disabled.

technicalName
required
string

The lifecycle state's technical name. This is for internal use.

description
string or null

Lifecycle state's description.

object (Email Notification Option)

This is used for representing email configuration for a lifecycle state

Array of objects (Account Action)
accessProfileIds
Array of strings unique

List of unique access-profile IDs that are associated with the lifecycle state.

identityState
string or null
Enum: "ACTIVE" "INACTIVE_SHORT_TERM" "INACTIVE_LONG_TERM"

The lifecycle state's associated identity state. This field is generally 'null'.

object (Access Action Configuration)

This is used for access configuration for a lifecycle state

priority
integer or null <int32>

Used to control the order of lifecycle states when listing with ?sorters=priority. Lower numbers appear first (ascending order). Out-of-the-box lifecycle states are assigned priorities in increments of 10.

Responses

Request samples

Content type
application/json
{
  • "name": "aName",
  • "enabled": true,
  • "technicalName": "Technical Name",
  • "description": "Lifecycle description",
  • "emailNotificationOption": {
    },
  • "accountActions": [
    ],
  • "accessProfileIds": [
    ],
  • "identityState": "INACTIVE_LONG_TERM",
  • "accessActionConfiguration": {
    },
  • "priority": 10
}

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "enabled": true,
  • "technicalName": "Technical Name",
  • "description": "Lifecycle description",
  • "identityCount": 42,
  • "emailNotificationOption": {
    },
  • "accountActions": [
    ],
  • "accessProfileIds": [
    ],
  • "identityState": "INACTIVE_LONG_TERM",
  • "accessActionConfiguration": {
    },
  • "priority": 10
}

Get lifecycle state

Use this endpoint to get a lifecycle state by its ID and its associated identity profile ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
identity-profile-id
required
string
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

Identity profile ID.

lifecycle-state-id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Lifecycle state ID.

Responses

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "enabled": true,
  • "technicalName": "Technical Name",
  • "description": "Lifecycle description",
  • "identityCount": 42,
  • "emailNotificationOption": {
    },
  • "accountActions": [
    ],
  • "accessProfileIds": [
    ],
  • "identityState": "INACTIVE_LONG_TERM",
  • "accessActionConfiguration": {
    },
  • "priority": 10
}

Update lifecycle state

Use this endpoint to update individual lifecycle state fields, using the JSON Patch standard.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
identity-profile-id
required
string
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

Identity profile ID.

lifecycle-state-id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Lifecycle state ID.

Request Body schema: application/json-patch+json

A list of lifecycle state update operations according to the JSON Patch standard.

The following fields can be updated:

  • enabled
  • description
  • accountActions
  • accessProfileIds
  • emailNotificationOption
  • accessActionConfiguration
  • priority
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "enabled": true,
  • "technicalName": "Technical Name",
  • "description": "Lifecycle description",
  • "identityCount": 42,
  • "emailNotificationOption": {
    },
  • "accountActions": [
    ],
  • "accessProfileIds": [
    ],
  • "identityState": "INACTIVE_LONG_TERM",
  • "accessActionConfiguration": {
    },
  • "priority": 10
}

Delete lifecycle state

Use this endpoint to delete the lifecycle state by its ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
identity-profile-id
required
string
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

Identity profile ID.

lifecycle-state-id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Lifecycle state ID.

Responses

Response samples

Content type
application/json
{
  • "type": "LIFECYCLE_STATE",
  • "id": 12345,
  • "name": "Contractor Lifecycle"
}

Machine Account Classify

Classify single machine account

Use this API to classify a single machine account. A token with API, ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Account ID.

query Parameters
classificationMode
string
Default: "default"
Enum: "default" "ignoreManual" "forceMachine" "forceHuman"
Example: classificationMode=forceMachine

Specifies how the accounts should be classified. default - uses criteria to classify account as machine or human, excludes accounts that were manually classified. ignoreManual - like default, but includes accounts that were manually classified. forceMachine - forces account to be classified as machine. forceHuman - forces account to be classified as human.

Responses

Response samples

Content type
application/json
{
  • "isMachine": true
}

Machine Account Mappings

Machine account mapping for source

Retrieves Machine account mappings for a specified source using Source ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create machine account mappings

Creates Machine Account Mappings for both identities and accounts for a source. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

Request Body schema: application/json
object

Targeted Entity

object

Responses

Request samples

Content type
application/json
{
  • "target": {
    },
  • "transformDefinition": {
    }
}

Response samples

Content type
application/json
[
  • {
    }
]

Delete source's machine account mappings

Use this API to remove machine account attribute mappings for a Source. A token with ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

source ID.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update source's Machine Account Mappings

Use this API to update Machine Account Attribute Mapping for a Source. A token with ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

Request Body schema: application/json
object

Targeted Entity

object

Responses

Request samples

Content type
application/json
{
  • "target": {
    },
  • "transformDefinition": {
    }
}

Response samples

Content type
application/json
[
  • {
    }
]

Machine Accounts

List machine accounts

This returns a list of machine accounts.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=hasEntitlements eq true

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, sw

nativeIdentity: eq, in, sw

uuid: eq, in

description: eq, in, sw

machineIdentity.id: eq, in

machineIdentity.name: eq, in, sw

subtype.technicalName: eq, in, sw

subtype.displayName: eq, in, sw

accessType: eq, in, sw

environment: eq, in, sw

ownerIdentity: eq, in

ownerIdentity.id: eq, in

ownerIdentity.name: eq, in, sw

manuallyCorrelated: eq

enabled: eq

locked: eq

hasEntitlements: eq

attributes: eq

source.id: eq, in

source.name: eq, in, sw

created: eq, gt, lt, ge, le

modified: eq, gt, lt, ge, le

sorters
string <comma-separated>
Example: sorters=id,name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, nativeIdentity, ownerIdentity, uuid, description, machineIdentity.id, machineIdentity.name, subtype.technicalName, subtype.displayName, accessType, environment, manuallyCorrelated, enabled, locked, hasEntitlements, ownerIdentity.id, ownerIdentity.name, attributes, source.id, source.name, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get machine account details

Use this API to return the details for a single machine account by its ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Machine Account ID.

Responses

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "description": "Service account for Active Directory",
  • "nativeIdentity": "552775",
  • "uuid": "{b0dce506-d6d4-44d2-8a32-d9a5b21fb175}",
  • "classificationMethod": "SOURCE",
  • "machineIdentity": {
    },
  • "ownerIdentity": {
    },
  • "accessType": "direct",
  • "subtype": null,
  • "environment": "TEST",
  • "attributes": {
    },
  • "connectorAttributes": {
    },
  • "manuallyCorrelated": true,
  • "manuallyEdited": true,
  • "locked": false,
  • "enabled": false,
  • "hasEntitlements": false,
  • "source": {
    }
}

Update machine account details

Use this API to update machine accounts details.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Machine Account ID.

Request Body schema: application/json-patch+json

A JSON of updated values JSON Patch standard. The following fields are patchable: * description * ownerIdentity * subType * accessType * environment * attributes * classificationMethod * manuallyEdited * nativeIdentity * uuid * source * manuallyCorrelated * enabled * locked * hasEntitlements * connectorAttributes

Array
object

Responses

Request samples

Content type
application/json-patch+json
Example
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "description": "Service account for Active Directory",
  • "nativeIdentity": "552775",
  • "uuid": "{b0dce506-d6d4-44d2-8a32-d9a5b21fb175}",
  • "classificationMethod": "SOURCE",
  • "machineIdentity": {
    },
  • "ownerIdentity": {
    },
  • "accessType": "direct",
  • "subtype": null,
  • "environment": "TEST",
  • "attributes": {
    },
  • "connectorAttributes": {
    },
  • "manuallyCorrelated": true,
  • "manuallyEdited": true,
  • "locked": false,
  • "enabled": false,
  • "hasEntitlements": false,
  • "source": {
    }
}

Retrieve all subtypes by source Deprecated

Get all machine account subtypes for a given source.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 6d0458373bec4b4b80460992b76016da

The ID of the source.

query Parameters
filters
string
Example: filters=displayName eq "sail"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

displayName: eq, sw

technicalName: eq, sw

sorters
string <comma-separated>
Example: sorters=displayName

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: displayName, technicalName

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create subtype Deprecated

Create a new machine account subtype for a source.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 6d0458373bec4b4b80460992b76016da

The ID of the source.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
technicalName
required
string

Technical name of the subtype.

displayName
required
string

Display name of the subtype.

description
required
string

Description of the subtype.

type
string

Type of the subtype.

Responses

Request samples

Content type
application/json
{
  • "technicalName": "foo",
  • "displayName": "Mr Foo",
  • "description": "fighters",
  • "type": "MACHINE"
}

Response samples

Content type
application/json
{
  • "id": "43bdd144-4b17-4fce-a744-17c7fd3e717b",
  • "sourceId": "6d0458373bec4b4b80460992b76016da",
  • "technicalName": "foo",
  • "displayName": "Mr Foo",
  • "description": "fighters",
  • "created": "2025-07-28T16:13:42.801Z",
  • "modified": "2025-07-28T16:13:42.750Z",
  • "type": "MACHINE"
}

Retrieve subtype by source and technicalName Deprecated

Get a machine account subtype by source ID and technical name.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 6d0458373bec4b4b80460992b76016da

The ID of the source.

technicalName
required
string
Example: foo

The technical name of the subtype.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "43bdd144-4b17-4fce-a744-17c7fd3e717b",
  • "sourceId": "6d0458373bec4b4b80460992b76016da",
  • "technicalName": "foo",
  • "displayName": "Mr Foo",
  • "description": "fighters",
  • "created": "2025-07-28T16:13:42.801Z",
  • "modified": "2025-07-28T16:13:42.750Z",
  • "type": "MACHINE"
}

Patch subtype Deprecated

Update fields of a machine account subtype by source ID and technical name. Patchable fields include: displayName, description.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 6d0458373bec4b4b80460992b76016da

The ID of the source.

technicalName
required
string
Example: foo

The technical name of the subtype.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json

A JSON of updated values JSON Patch standard.

Array
object

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "43bdd144-4b17-4fce-a744-17c7fd3e717b",
  • "sourceId": "6d0458373bec4b4b80460992b76016da",
  • "technicalName": "foo",
  • "displayName": "Test New DisplayName",
  • "description": "fighters updated",
  • "created": "2025-07-28T16:13:42.801Z",
  • "modified": "2025-07-28T16:13:42.750Z",
  • "type": "MACHINE"
}

Delete subtype Deprecated

Delete a machine account subtype by source ID and technical name.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 6d0458373bec4b4b80460992b76016da

The ID of the source.

technicalName
required
string
Example: foo

The technical name of the subtype.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Retrieve subtype by subtype id Deprecated

Get a machine account subtype by its unique ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
subtypeId
required
string
Example: 43bdd144-4b17-4fce-a744-17c7fd3e717b

The ID of the machine account subtype.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "43bdd144-4b17-4fce-a744-17c7fd3e717b",
  • "sourceId": "6d0458373bec4b4b80460992b76016da",
  • "technicalName": "foo",
  • "displayName": "Mr Foo",
  • "description": "fighters",
  • "created": "2025-07-28T16:13:42.801Z",
  • "modified": "2025-07-28T16:13:42.750Z"
}

Machine Classification Config

Machine classification config for source

This API returns a Machine Classification Config for a Source using Source ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID

Responses

Response samples

Content type
application/json
{
  • "enabled": true,
  • "classificationMethod": "SOURCE",
  • "criteria": {
    },
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z"
}

Update source's classification config

Use this API to update Classification Config for a Source. A token with ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

Request Body schema: application/json
enabled
boolean
Default: false

Indicates whether Classification is enabled for a Source

classificationMethod
string
Enum: "SOURCE" "CRITERIA"

Classification Method

object (MachineClassificationCriteriaLevel1)
created
string <date-time>

Date the config was created

modified
string or null <date-time>

Date the config was last updated

Responses

Request samples

Content type
application/json
{
  • "enabled": true,
  • "classificationMethod": "SOURCE",
  • "criteria": {
    },
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z"
}

Response samples

Content type
application/json
{
  • "enabled": true,
  • "classificationMethod": "SOURCE",
  • "criteria": {
    },
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z"
}

Delete source's classification config

Use this API to remove Classification Config for a Source. A token with ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Machine Identities

Start machine identity aggregation

Starts a machine identity (AI Agents) aggregation on the specified source.

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source ID.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
datasetIds
required
Array of strings

List of dataset Ids to aggregate machine identities

disableOptimization
boolean
Default: false

Flag to disable optimization for the aggregation. Defaults to false when not provided. When set to true, it disables aggregation optimizations and may increase processing time.

Responses

Request samples

Content type
application/json
{
  • "datasetIds": [
    ],
  • "disableOptimization": false
}

Response samples

Content type
application/json
{
  • "id": "8886e5e3-63d0-462f-a195-d98da885b8dc",
  • "type": "QUARTZ",
  • "uniqueName": "AI Agent Aggregation - ID123",
  • "description": "AI Agent Aggregation - From given dataset IDs",
  • "parentName": "Parent Task",
  • "launcher": "System",
  • "target": {
    },
  • "created": "2020-07-11T21:23:15.000Z",
  • "modified": "2020-07-11T21:23:15.000Z",
  • "launched": "2020-07-11T21:23:15.000Z",
  • "completed": "2020-07-11T21:23:15.000Z",
  • "taskDefinitionSummary": {
    },
  • "completionStatus": "SUCCESS",
  • "messages": [
    ],
  • "returns": [
    ],
  • "attributes": {
    },
  • "progress": "Started",
  • "percentComplete": 100
}

List machine identities

This API returns a list of machine identities.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=identityId eq "2c9180858082150f0180893dbaf44201"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in, sw

displayName: eq, in, sw

cisIdentityId: eq, in, sw

businessApplication: eq, in, sw

attributes: eq

manuallyEdited: eq

subtype: eq, in

owners.primaryIdentity.id: eq, in, sw

owners.primaryIdentity.name: eq, in, isnull, pr

owners.secondaryIdentity.id: eq, in, sw

owners.secondaryIdentity.name: eq, in, isnull, pr

source.name: eq, in, sw

source.id: eq, in

entitlement.id: eq, in

entitlement.name: eq, in, sw

sorters
string <comma-separated>
Example: sorters=businessApplication

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: businessApplication, name, owners.primaryIdentity.name, source.name, created, modified

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create machine identity

Use this API to create a machine identity. The maximum supported length for the description field is 2000 characters.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
name
required
string or null

Name of the Object

businessApplication
required
string

The business application that the identity represents

description
string

Description of machine identity

attributes
object

A map of custom machine identity attributes

subtype
required
string

The subtype value associated to the machine identity

object

The owner configuration associated to the machine identity

sourceId
string

The source id associated to the machine identity

uuid
string

The UUID associated to the machine identity directly aggregated from a source

nativeIdentity
string

The native identity associated to the machine identity directly aggregated from a source

Array of objects

The user entitlements associated to the machine identity

Responses

Request samples

Content type
application/json
{
  • "name": "aName",
  • "businessApplication": "ADService",
  • "description": "",
  • "attributes": "{\"Region\":\"EU\"}",
  • "subtype": "Application",
  • "owners": {
    },
  • "sourceId": "6d28b7c1-620c-49c6-b6d5-cbf81eb4b5fa",
  • "uuid": "f5dd23fe-3414-42b7-bb1c-869400ad7a10",
  • "nativeIdentity": "abc:123:dddd",
  • "userEntitlements": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "businessApplication": "ADService",
  • "description": "",
  • "attributes": "{\"Region\":\"EU\"}",
  • "subtype": "Application",
  • "owners": {
    },
  • "sourceId": "6d28b7c1-620c-49c6-b6d5-cbf81eb4b5fa",
  • "uuid": "f5dd23fe-3414-42b7-bb1c-869400ad7a10",
  • "nativeIdentity": "abc:123:dddd",
  • "manuallyEdited": true,
  • "manuallyCreated": true,
  • "source": {
    },
  • "datasetId": "8886e5e3-63d0-462f-a195-d98da885b8dc",
  • "userEntitlements": [
    ]
}

Get machine identity details

This API returns a single machine identity using the Machine Identity ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Machine Identity ID

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "businessApplication": "ADService",
  • "description": "",
  • "attributes": "{\"Region\":\"EU\"}",
  • "subtype": "Application",
  • "owners": {
    },
  • "sourceId": "6d28b7c1-620c-49c6-b6d5-cbf81eb4b5fa",
  • "uuid": "f5dd23fe-3414-42b7-bb1c-869400ad7a10",
  • "nativeIdentity": "abc:123:dddd",
  • "manuallyEdited": true,
  • "manuallyCreated": true,
  • "source": {
    },
  • "datasetId": "8886e5e3-63d0-462f-a195-d98da885b8dc",
  • "userEntitlements": [
    ]
}

Update machine identity details

Use this API to update machine identity details.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Machine Identity ID.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json

A JSON of updated values JSON Patch standard.

Array
object

Responses

Request samples

Content type
application/json-patch+json
Example
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "businessApplication": "ADService",
  • "description": "",
  • "attributes": "{\"Region\":\"EU\"}",
  • "subtype": "Application",
  • "owners": {
    },
  • "sourceId": "6d28b7c1-620c-49c6-b6d5-cbf81eb4b5fa",
  • "uuid": "f5dd23fe-3414-42b7-bb1c-869400ad7a10",
  • "nativeIdentity": "abc:123:dddd",
  • "manuallyEdited": true,
  • "manuallyCreated": true,
  • "source": {
    },
  • "datasetId": "8886e5e3-63d0-462f-a195-d98da885b8dc",
  • "userEntitlements": [
    ]
}

Delete machine identity

The API returns successful response if the requested machine identity was deleted.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Machine Identity ID

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List machine identity's user entitlements

This API returns a list of user entitlements associated with machine identities.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=machineIdentityId eq "2c9180858082150f0180893dbaf44201"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

machineIdentityId: eq, in

machineIdentityName: eq, in, sw

entitlement.id: eq, in

entitlement.name: eq, in, sw

source.id: eq, in

source.name: eq, in, sw

sorters
string
Example: sorters=machineIdentityName

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: machineIdentityName, entitlement.name, source.name

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Machine Mapping Metadata

Managed Clients

Use this API to implement managed client functionality. With this functionality in place, administrators can modify and delete existing managed clients, create new ones, and view and make changes to their log configurations.

Get managed clients

List managed clients.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name eq "client name"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq

name: eq

clientId: eq

clusterId: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create managed client

Create a new managed client. The API returns a result that includes the managed client ID.

Authorizations:
Personal Access Token
Request Body schema: application/json
clusterId
required
string

Cluster ID that the ManagedClient is linked to

description
string or null

description for the ManagedClient to create

name
string or null

name for the ManagedClient to create

type
string or null

Type of the ManagedClient (VA, CCG) to create

Responses

Request samples

Content type
application/json
{
  • "clusterId": "aClusterId",
  • "description": "A short description of the ManagedClient",
  • "name": "aName",
  • "type": "VA"
}

Response samples

Content type
application/json
{
  • "id": "2c9180878eaf4204018eb019c3570003",
  • "alertKey": "CLIENT_STATUS_NOT_CONFIGURED",
  • "apiGatewayBaseUrl": "string",
  • "cookbook": "string",
  • "ccId": 2248,
  • "clientId": "00be54a2-bb6d-402f-9159-beb2d5319347",
  • "clusterId": "e1ff7bb24c934240bbf55e1aa39e41c5",
  • "description": "A short description of the ManagedClient",
  • "ipAddress": "123.456.78.90",
  • "lastSeen": "2020-01-01T00:00:00.000000Z",
  • "name": "aName",
  • "sinceLastSeen": 15000,
  • "status": "NORMAL",
  • "type": "VA",
  • "clusterType": "idn",
  • "vaDownloadUrl": "aUrl",
  • "vaVersion": "va-megapod-useast1-610-1621372012",
  • "secret": "ef878e15eaa8c8d3e2fa52f41125e2a0eeadadc6a14f931a33ad3e1b62d56381",
  • "createdAt": "2023-08-04T20:48:01.865Z",
  • "updatedAt": "2023-08-04T20:48:01.865Z",
  • "provisionStatus": "PROVISIONED"
}

Get managed client

Get managed client by ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 4440278c-0ce2-41ee-a0a9-f5cfd5e8d3b7

Managed client ID.

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180878eaf4204018eb019c3570003",
  • "alertKey": "CLIENT_STATUS_NOT_CONFIGURED",
  • "apiGatewayBaseUrl": "string",
  • "cookbook": "string",
  • "ccId": 2248,
  • "clientId": "00be54a2-bb6d-402f-9159-beb2d5319347",
  • "clusterId": "e1ff7bb24c934240bbf55e1aa39e41c5",
  • "description": "A short description of the ManagedClient",
  • "ipAddress": "123.456.78.90",
  • "lastSeen": "2020-01-01T00:00:00.000000Z",
  • "name": "aName",
  • "sinceLastSeen": 15000,
  • "status": "NORMAL",
  • "type": "VA",
  • "clusterType": "idn",
  • "vaDownloadUrl": "aUrl",
  • "vaVersion": "va-megapod-useast1-610-1621372012",
  • "secret": "ef878e15eaa8c8d3e2fa52f41125e2a0eeadadc6a14f931a33ad3e1b62d56381",
  • "createdAt": "2023-08-04T20:48:01.865Z",
  • "updatedAt": "2023-08-04T20:48:01.865Z",
  • "provisionStatus": "PROVISIONED"
}

Update managed client

Update an existing managed client.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 4440278c-0ce2-41ee-a0a9-f5cfd5e8d3b7

Managed client ID.

Request Body schema: application/json-patch+json

JSONPatch payload used to update the object.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c9180878eaf4204018eb019c3570003",
  • "alertKey": "CLIENT_STATUS_NOT_CONFIGURED",
  • "apiGatewayBaseUrl": "string",
  • "cookbook": "string",
  • "ccId": 2248,
  • "clientId": "00be54a2-bb6d-402f-9159-beb2d5319347",
  • "clusterId": "e1ff7bb24c934240bbf55e1aa39e41c5",
  • "description": "A short description of the ManagedClient",
  • "ipAddress": "123.456.78.90",
  • "lastSeen": "2020-01-01T00:00:00.000000Z",
  • "name": "aName",
  • "sinceLastSeen": 15000,
  • "status": "NORMAL",
  • "type": "VA",
  • "clusterType": "idn",
  • "vaDownloadUrl": "aUrl",
  • "vaVersion": "va-megapod-useast1-610-1621372012",
  • "secret": "ef878e15eaa8c8d3e2fa52f41125e2a0eeadadc6a14f931a33ad3e1b62d56381",
  • "createdAt": "2023-08-04T20:48:01.865Z",
  • "updatedAt": "2023-08-04T20:48:01.865Z",
  • "provisionStatus": "PROVISIONED"
}

Delete managed client

Delete an existing managed client.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 4440278c-0ce2-41ee-a0a9-f5cfd5e8d3b7

Managed client ID.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get managed client status

Get a managed client's status, using its ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: aClientId

Managed client ID to get status for.

query Parameters
type
required
string or null (ManagedClientType)
Enum: "CCG" "VA" "INTERNAL" "IIQ_HARVESTER" null
Example: type=CCG

Managed client type to get status for.

Responses

Response samples

Content type
application/json
{
  • "body": {
    },
  • "status": "NORMAL",
  • "type": "CCG",
  • "timestamp": "2020-01-01T00:00:00.000000Z"
}

Get managed client health indicators

Get a managed client's health indicators, using its ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 4440278c-0ce2-41ee-a0a9-f5cfd5e8d3b7

Managed client ID to get health indicators for.

Responses

Response samples

Content type
application/json
{
  • "body": {
    },
  • "status": "NORMAL",
  • "type": "VA",
  • "timestamp": "2025-08-06T07:35:28.722300Z"
}

Managed Cluster Types

Use this API to implement managed cluster types functionality. With this functionality in place, administrators can modify and delete existing managed cluster types and create new ones.

List managed cluster types

Get a list of Managed Cluster Types.

Authorizations:
Personal Access Token
query Parameters
type
string
Example: type=IDN

Type descriptor

pod
string
Example: pod=megapod-useast1

Pinned pod (or default)

org
string
Example: org=denali-xyz

Pinned org (or default)

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create new managed cluster type

Create a new Managed Cluster Type.

The API returns a result that includes the Managed Cluster Type ID

Authorizations:
Personal Access Token
Request Body schema: application/json
type
required
string

ManagedClusterType type name

pod
required
string

ManagedClusterType pod

org
required
string

ManagedClusterType org

managedProcessIds
Array of strings

List of processes for the cluster type

Responses

Request samples

Content type
application/json
{
  • "type": "idn",
  • "pod": "megapod-useast1",
  • "org": "denali-cjh",
  • "managedProcessIds": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "aClusterTypeId",
  • "type": "idn",
  • "pod": "megapod-useast1",
  • "org": "denali-cjh",
  • "managedProcessIds": [
    ]
}

Get a managed cluster type

Get a Managed Cluster Type.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: aClusterTypeId

The Managed Cluster Type ID

Responses

Response samples

Content type
application/json
{
  • "id": "aClusterTypeId",
  • "type": "idn",
  • "pod": "megapod-useast1",
  • "org": "denali-cjh",
  • "managedProcessIds": [
    ]
}

Update a managed cluster type

Update an existing Managed Cluster Type.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: aClusterTypeId

The Managed Cluster Type ID

Request Body schema: application/json-patch+json

The JSONPatch payload used to update the schema.

Array of objects (Json Patch Operation)

Operations to be applied

Responses

Request samples

Content type
application/json-patch+json
{
  • "operations": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "aClusterTypeId",
  • "type": "idn",
  • "pod": "megapod-useast1",
  • "org": "denali-cjh",
  • "managedProcessIds": [
    ]
}

Delete a managed cluster type

Delete an existing Managed Cluster Type.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: aClusterTypeId

The Managed Cluster Type ID

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Managed Clusters

Use this API to implement managed cluster functionality. With this functionality in place, administrators can modify and delete existing managed clients, get their statuses, and create new ones.

Get managed clusters

List current organization's managed clusters, based on request context.

Authorizations:
Personal Access Token
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=operational eq "operation"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

operational: eq

name: eq

type: eq

status: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create create managed cluster

Create a new Managed Cluster. The API returns a result that includes the managed cluster ID.

Authorizations:
Personal Access Token
Request Body schema: application/json
name
required
string

ManagedCluster name

type
string (ManagedClusterTypes)
Enum: "idn" "iai" "spConnectCluster" "sqsCluster" "das-rc" "das-pc" "das-dc" "pag" "das-am" "standard"

The Type of Cluster:

  • idn - IDN VA type
  • iai - IAI harvester VA
  • spConnectCluster - Saas 2.0 connector cluster (this should be one per org)
  • sqsCluster - This should be unused
  • das-rc - Data Access Security Resources Collector
  • das-pc - Data Access Security Permissions Collector
  • das-dc - Data Access Security Data Classification Collector
  • pag - Privilege Action Gateway VA
  • das-am - Data Access Security Activity Monitor
  • standard - Standard Cluster type for running multiple products
object

ManagedProcess configuration map

description
string or null

ManagedCluster description

Responses

Request samples

Content type
application/json
{
  • "name": "Managed Cluster Name",
  • "type": "idn",
  • "configuration": {
    },
  • "description": "A short description of the managed cluster."
}

Response samples

Content type
application/json
{
  • "id": "e1ff7bb24c934240bbf55e1aa39e41c5",
  • "name": "Managed Cluster Name",
  • "pod": "megapod-useast1",
  • "org": "denali",
  • "type": "idn",
  • "configuration": {
    },
  • "keyPair": {
    },
  • "attributes": {
    },
  • "description": "A short description of the managed cluster.",
  • "redis": {
    },
  • "clientType": "CCG",
  • "ccgVersion": "v01",
  • "pinnedConfig": false,
  • "logConfiguration": {
    },
  • "operational": false,
  • "status": "NORMAL",
  • "publicKeyCertificate": "-----BEGIN CERTIFICATE-----TCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQsFADAuMQ0wCwYDVQQD-----END CERTIFICATE-----",
  • "publicKeyThumbprint": "obc6pLiulGbtZ",
  • "publicKey": "-----BEGIN PUBLIC KEY-----jANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3WgnsxP52MDgBTfHR+5n4-----END PUBLIC KEY-----",
  • "encryptionConfiguration": {
    },
  • "alertKey": "LIMITED_RESOURCES",
  • "clientIds": [
    ],
  • "serviceCount": 6,
  • "ccId": "1533",
  • "createdAt": "2023-08-04T20:48:01.865Z",
  • "updatedAt": "2023-08-04T20:48:01.865Z",
  • "lastReleaseNotifiedAt": "2025-03-11T07:00:13.729721Z",
  • "updatePreferences": {
    },
  • "currentInstalledReleaseVersion": "123.1",
  • "updatePackage": "123.1.2",
  • "isOutOfDateNotifiedAt": "2025-03-11T07:00:13.734393Z",
  • "consolidatedHealthIndicatorsStatus": "ERROR"
}

Get managed cluster

Get a managed cluster by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180897de347a2017de8859e8c5039

Managed cluster ID.

Responses

Response samples

Content type
application/json
{
  • "id": "e1ff7bb24c934240bbf55e1aa39e41c5",
  • "name": "Managed Cluster Name",
  • "pod": "megapod-useast1",
  • "org": "denali",
  • "type": "idn",
  • "configuration": {
    },
  • "keyPair": {
    },
  • "attributes": {
    },
  • "description": "A short description of the managed cluster.",
  • "redis": {
    },
  • "clientType": "CCG",
  • "ccgVersion": "v01",
  • "pinnedConfig": false,
  • "logConfiguration": {
    },
  • "operational": false,
  • "status": "NORMAL",
  • "publicKeyCertificate": "-----BEGIN CERTIFICATE-----TCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQsFADAuMQ0wCwYDVQQD-----END CERTIFICATE-----",
  • "publicKeyThumbprint": "obc6pLiulGbtZ",
  • "publicKey": "-----BEGIN PUBLIC KEY-----jANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3WgnsxP52MDgBTfHR+5n4-----END PUBLIC KEY-----",
  • "encryptionConfiguration": {
    },
  • "alertKey": "LIMITED_RESOURCES",
  • "clientIds": [
    ],
  • "serviceCount": 6,
  • "ccId": "1533",
  • "createdAt": "2023-08-04T20:48:01.865Z",
  • "updatedAt": "2023-08-04T20:48:01.865Z",
  • "lastReleaseNotifiedAt": "2025-03-11T07:00:13.729721Z",
  • "updatePreferences": {
    },
  • "currentInstalledReleaseVersion": "123.1",
  • "updatePackage": "123.1.2",
  • "isOutOfDateNotifiedAt": "2025-03-11T07:00:13.734393Z",
  • "consolidatedHealthIndicatorsStatus": "ERROR"
}

Update managed cluster

Update an existing managed cluster.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180897de347a2017de8859e8c5039

Managed cluster ID.

Request Body schema: application/json-patch+json

JSONPatch payload used to update the object.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "e1ff7bb24c934240bbf55e1aa39e41c5",
  • "name": "Managed Cluster Name",
  • "pod": "megapod-useast1",
  • "org": "denali",
  • "type": "idn",
  • "configuration": {
    },
  • "keyPair": {
    },
  • "attributes": {
    },
  • "description": "A short description of the managed cluster.",
  • "redis": {
    },
  • "clientType": "CCG",
  • "ccgVersion": "v01",
  • "pinnedConfig": false,
  • "logConfiguration": {
    },
  • "operational": false,
  • "status": "NORMAL",
  • "publicKeyCertificate": "-----BEGIN CERTIFICATE-----TCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQsFADAuMQ0wCwYDVQQD-----END CERTIFICATE-----",
  • "publicKeyThumbprint": "obc6pLiulGbtZ",
  • "publicKey": "-----BEGIN PUBLIC KEY-----jANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3WgnsxP52MDgBTfHR+5n4-----END PUBLIC KEY-----",
  • "encryptionConfiguration": {
    },
  • "alertKey": "LIMITED_RESOURCES",
  • "clientIds": [
    ],
  • "serviceCount": 6,
  • "ccId": "1533",
  • "createdAt": "2023-08-04T20:48:01.865Z",
  • "updatedAt": "2023-08-04T20:48:01.865Z",
  • "lastReleaseNotifiedAt": "2025-03-11T07:00:13.729721Z",
  • "updatePreferences": {
    },
  • "currentInstalledReleaseVersion": "123.1",
  • "updatePackage": "123.1.2",
  • "isOutOfDateNotifiedAt": "2025-03-11T07:00:13.734393Z",
  • "consolidatedHealthIndicatorsStatus": "ERROR"
}

Delete managed cluster

Delete an existing managed cluster.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180897de347a2017de8859e8c5039

Managed cluster ID.

query Parameters
removeClients
boolean
Default: false

Flag to determine the need to delete a cluster with clients.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get managed cluster log configuration

Get a managed cluster's log configuration.

Authorizations:
Personal Access Token
path Parameters
id
required
string <uuid>
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

ID of managed cluster to get log configuration for.

Responses

Response samples

Content type
application/json
{
  • "clientId": "3a38a51992e8445ab51a549c0a70ee66",
  • "durationMinutes": 120,
  • "expiration": "2024-11-06T01:31:08.013164Z",
  • "rootLevel": "INFO",
  • "logLevels": "INFO"
}

Update managed cluster log configuration

Update a managed cluster's log configuration. You may only specify one of durationMinutes or expiration, up to 1440 minutes (24 hours) in the future. If neither is specified, the default value for durationMinutes is 240.

Authorizations:
Personal Access Token
path Parameters
id
required
string <uuid>
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

ID of the managed cluster to update the log configuration for.

Request Body schema: application/json

Client log configuration for the given managed cluster.

One of
clientId
string

Log configuration's client ID

durationMinutes
integer <int32> [ 5 .. 1440 ]
Default: 240

Duration in minutes for log configuration to remain in effect before resetting to defaults.

rootLevel
required
string (StandardLevel)
Enum: "OFF" "FATAL" "ERROR" "WARN" "INFO" "DEBUG" "TRACE"

Standard Log4j log level

object (Log Level Spec)

Mapping of identifiers to Standard Log Level values

Responses

Request samples

Content type
application/json
Example
{
  • "clientId": "3a38a51992e8445ab51a549c0a70ee66",
  • "durationMinutes": 120,
  • "rootLevel": "INFO",
  • "logLevels": {
    }
}

Response samples

Content type
application/json
{
  • "clientId": "3a38a51992e8445ab51a549c0a70ee66",
  • "durationMinutes": 120,
  • "expiration": "2024-11-06T01:31:08.013164Z",
  • "rootLevel": "INFO",
  • "logLevels": "INFO"
}

Trigger manual upgrade for managed cluster

Trigger Manual Upgrade for Managed Cluster. AMS Security: API, Internal A token with SYSTEM_ADMINISTRATOR authority is required to call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string <uuid>
Example: 2b838de9-db9b-abcf-e646-d4f274ad4238

ID of managed cluster to trigger manual upgrade.

Responses

Response samples

Content type
application/json
{
  • "jobs": [
    ]
}

Manual Discover Applications

Use this API to manually upload application names to be correlated to an ISC connector.

Manual Discover Applications Template

Use this API to download the CSV template to send to the application discovery service.

MFA Configuration

Configure and test multifactor authentication (MFA) methods

Configuration of okta mfa method

This API returns the configuration of an Okta MFA method.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "mfaMethod": "okta-verify",
  • "enabled": true,
  • "host": "www.example.com",
  • "accessKey": "d******Y",
  • "identityAttribute": "email"
}

Set okta mfa configuration

This API sets the configuration of an Okta MFA method.

Authorizations:
Personal Access Token
Request Body schema: application/json
mfaMethod
string or null

Mfa method name

enabled
boolean
Default: false

If MFA method is enabled.

host
string or null

The server host name or IP address of the MFA provider.

accessKey
string or null

The secret key for authenticating requests to the MFA provider.

identityAttribute
string or null

Optional. The name of the attribute for mapping IdentityNow identity to the MFA provider.

Responses

Request samples

Content type
application/json
{
  • "mfaMethod": "okta-verify",
  • "enabled": true,
  • "host": "www.example.com",
  • "accessKey": "dk778Y3QlA5UqocYpdU3rEkzrK2D497y",
  • "identityAttribute": "email"
}

Response samples

Content type
application/json
{
  • "mfaMethod": "okta-verify",
  • "enabled": true,
  • "host": "www.example.com",
  • "accessKey": "d******Y",
  • "identityAttribute": "email"
}

Configuration of duo mfa method

This API returns the configuration of an Duo MFA method.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "mfaMethod": "duo-web",
  • "enabled": true,
  • "host": "www.example.com",
  • "accessKey": "d******Y",
  • "identityAttribute": "email",
  • "configProperties": {
    }
}

Set duo mfa configuration

This API sets the configuration of an Duo MFA method.

Authorizations:
Personal Access Token
Request Body schema: application/json
mfaMethod
string or null

Mfa method name

enabled
boolean
Default: false

If MFA method is enabled.

host
string or null

The server host name or IP address of the MFA provider.

accessKey
string or null

The secret key for authenticating requests to the MFA provider.

identityAttribute
string or null

Optional. The name of the attribute for mapping IdentityNow identity to the MFA provider.

object or null

A map with additional config properties for the given MFA method - duo-web.

Responses

Request samples

Content type
application/json
{
  • "mfaMethod": "duo-web",
  • "enabled": true,
  • "host": "www.example.com",
  • "accessKey": "qw123Y3QlA5UqocYpdU3rEkzrK2D497y",
  • "identityAttribute": "email",
  • "configProperties": {
    }
}

Response samples

Content type
application/json
{
  • "mfaMethod": "duo-web",
  • "enabled": true,
  • "host": "www.example.com",
  • "accessKey": "q******y",
  • "identityAttribute": "email",
  • "configProperties": {
    }
}

Configuration of kba mfa method

This API returns the KBA configuration for MFA.

Authorizations:
Personal Access Token
query Parameters
allLanguages
boolean
Example: allLanguages=allLanguages=true

Indicator whether the question text should be returned in all configured languages

  • If true, the question text is returned in all languages that it is configured in.
  • If false, the question text is returned in the user locale if available, else for the default locale.
  • If not passed, it behaves the same way as passing this parameter as false

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Set mfa kba configuration

This API sets answers to challenge questions. Any configured questions omitted from the request are removed from user KBA configuration.

Authorizations:
Personal Access Token
Request Body schema: application/json
Array
id
required
string

Question Id

answer
required
string

An answer for the KBA question

Responses

Request samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

Mfa method's test configuration

This API validates that the configuration is valid and will properly authenticate with the MFA provider identified by the method path parameter.

Authorizations:
Personal Access Token
path Parameters
method
required
string
Enum: "okta-verify" "duo-web"
Example: okta-verify

The name of the MFA method. The currently supported method names are 'okta-verify' and 'duo-web'.

Responses

Response samples

Content type
application/json
{
  • "state": "SUCCESS",
  • "error": null
}

MFA Controller

This API used for multifactor authentication functionality belong to gov-multi-auth service. This controller allow you to verify authentication by specified method

Multi-Host Integration

Use this API to build a Multi-Host Integration. Multi-Host Integration will help customers to configure and manage similar type of target system in Identity Security Cloud. In Identity Security Cloud, administrators can create a Multi-Host Integration by going to Admin > Connections > Multi-Host Sources and selecting 'Create.'

Create multi-host integration

This API is used to create Multi-Host Integration. Multi-host Integration holds similar types of sources.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

The specifics of the Multi-Host Integration to create

name
required
string

Multi-Host Integration's human-readable name.

description
required
string

Multi-Host Integration's human-readable description.

required
object

Reference to identity object who owns the source.

object or null

Reference to the source's associated cluster.

connector
required
string

Connector script name.

object

Multi-Host Integration specific configuration. User can add any number of additional attributes. e.g. maxSourcesPerAggGroup, maxAllowedSources etc.

object or null

Reference to management workgroup for the source.

created
string <date-time>

Date-time when the source was created

modified
string <date-time>

Date-time when the source was last modified.

Responses

Request samples

Content type
application/json
{
  • "name": "My Multi-Host Integration",
  • "description": "This is the Multi-Host Integration.",
  • "owner": {
    },
  • "cluster": {
    },
  • "connector": "multihost-microsoft-sql-server",
  • "connectorAttributes": {
    },
  • "managementWorkgroup": {
    },
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z"
}

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "name": "My Multi-Host Integration",
  • "description": "This is a Multi-Host Integration.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "Multi-Host - Microsoft SQL Server",
  • "connector": "multihost-microsoft-sql-server",
  • "connectorClass": "sailpoint.connector.OpenConnectorAdapter",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "multihost-microsoft-sql-server",
  • "connectorName": "Multi-Host Microsoft SQL Server",
  • "connectionType": "direct",
  • "connectorImplementationId": "multihost-microsoft-sql-server",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider",
  • "accountsFile": {
    }
}

List all existing multi-host integrations

Get a list of Multi-Host Integrations.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

sorters
string
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name

filters
string <comma-separated>
Example: filters=id eq 2c91808b6ef1d43e016efba0ce470904

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

type: in

forSubAdminId: in

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

for-subadmin
string
Example: for-subadmin=5168015d32f890ca15812c9180835d2e

If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN Identity or SOURCE_SUBADMIN identity.

The value of the parameter is either an Identity ID, or the special value me, which is shorthand for the calling Identity's ID.

A 400 Bad Request error is returned if the for-subadmin parameter is specified for an Identity that is not a subadmin.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List multi-host integration types

This API endpoint returns the current list of supported Multi-Host Integration types.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create sources within multi-host integration

This API is used to create sources within Multi-Host Integration. Multi-Host Integration holds similar types of sources.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
multihostId
required
string
Example: 2c91808568c529c60168cca6f90c1326

ID of the Multi-Host Integration.

Request Body schema: application/json

The specifics of the sources to create within Multi-Host Integration.

Array
name
required
string

Source's human-readable name.

description
string

Source's human-readable description.

object

Connector specific configuration. This configuration will differ from type to type.

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get multi-host integration by id

Get an existing Multi-Host Integration.

A token with Org Admin or Multi-Host Integration Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
multihostId
required
string
Example: 2c91808568c529c60168cca6f90c1326

ID of the Multi-Host Integration.

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "name": "My Multi-Host Integration",
  • "description": "This is a Multi-Host Integration.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "Multi-Host - Microsoft SQL Server",
  • "connector": "multihost-microsoft-sql-server",
  • "connectorClass": "sailpoint.connector.OpenConnectorAdapter",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "multihost-microsoft-sql-server",
  • "connectorName": "Multi-Host Microsoft SQL Server",
  • "connectionType": "direct",
  • "connectorImplementationId": "multihost-microsoft-sql-server",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider",
  • "accountsFile": {
    }
}

Delete multi-host integration

Delete an existing Multi-Host Integration by ID.

A token with Org Admin or Multi Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
multihostId
required
string
Example: 2c91808568c529c60168cca6f90c1326

ID of Multi-Host Integration to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update multi-host integration

Update existing sources within Multi-Host Integration.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access Token
path Parameters
multihostId
required
string
Example: anId

ID of the Multi-Host Integration to update.

Request Body schema: application/json-patch+json

This endpoint allows you to update a Multi-Host Integration.

Array
op
required
string
Enum: "add" "replace"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Test configuration for multi-host integration

This endpoint performs a more detailed validation of the Multi-Host Integration's configuration.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access Token
path Parameters
multihostId
required
string
Example: 2c91808568c529c60168cca6f90c1324

ID of the Multi-Host Integration

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Test configuration for multi-host integration's single source

This endpoint performs a more detailed validation of the source's configuration.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
multihostId
required
string
Example: 2c91808568c529c60168cca6f90c1326

ID of the Multi-Host Integration

sourceId
required
string
Example: 2c91808568c529f60168cca6f90c1324

ID of the source within the Multi-Host Integration

Responses

Response samples

Content type
application/json
{
  • "success": true,
  • "message": "Tes.",
  • "timing": 30437,
  • "resultType": "SOURCE_STATE_HEALTHY",
  • "testConnectionDetails": null
}

List sources within multi-host integration

Get a list of sources within Multi-Host Integration ID.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
multihostId
required
string
Example: aMultiHostId

ID of the Multi-Host Integration to update

query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

sorters
string
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name

filters
string <comma-separated>
Example: filters=id eq 2c91808b6ef1d43e016efba0ce470904

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: in

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List multi-host source creation errors

Get a list of sources creation errors within Multi-Host Integration ID.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
multiHostId
required
string
Example: 004091cb79b04636b88662afa50a4440

ID of the Multi-Host Integration

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Delete sources within multi-host integration

This endpoint performs bulk sources delete within Multi-Host Integration via a list of supplied IDs.

The following rights are required to access this endpoint: idn:multihosts:delete, idn:sources:delete

Authorizations:
Personal Access TokenClient Credentials
path Parameters
multiHostId
required
string
Example: 004091cb79b04636b88662afa50a4440

ID of the Multi-Host Integration

Request Body schema: application/json

The delete bulk sources within multi-host integration request body

Array
string

Responses

Request samples

Content type
application/json
[
  • "2c9180867b2a34e0017b3078d60b0699",
  • "2c9180867b2a34e0017b3078d60b0698"
]

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List account-aggregation-groups by multi-host id

This API will return array of account aggregation groups within provided Multi-Host Integration ID. A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access Token
path Parameters
multihostId
required
string
Example: aMultiHostId

ID of the Multi-Host Integration to update

query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List entitlement-aggregation-groups by integration id

This API will return array of aggregation groups within provided Multi-Host Integration ID.

A token with Org Admin or Multi-Host Admin authority is required to access this endpoint.

Authorizations:
Personal Access Token
path Parameters
multiHostId
required
string
Example: aMultiHostId

ID of the Multi-Host Integration to update

query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Non-Employee Lifecycle Management

Use this API to implement non-employee lifecycle management functionality. With this functionality in place, administrators can create non-employee records and configure them for use in their organizations. This allows organizations to provide secure access to non-employees and control that access.

The 'non-employee' term refers to any consultant, contractor, intern, or other user in an organization who is not a full-time permanent employee. Organizations can track non-employees' access and activity in Identity Security Cloud by creating and maintaining non-employee sources. Organizations can have a maximum of 50 non-employee sources.

By using SailPoint's Non-Employee Lifecycle Management functionality, you agree to the following:

  • SailPoint is not responsible for storing sensitive data. You may only add account attributes to non-employee identities that are necessary for business operations and are consistent with your contractual limitations on data that may be sent or stored in Identity Security Cloud.

  • You are responsible for regularly downloading your list of non-employee accounts for all the sources you create and storing this list of accounts in a managed location to maintain an authoritative system of record and backup data for these accounts.

To manage non-employees in Identity Security Cloud, administrators must create a non-employee source and add accounts to the source.

To create a non-employee source in Identity Security Cloud, administrators must use the Admin panel to go to Connections > Sources. They must then specify 'Non-Employee' in the 'Source Type' field. Refer to Creating a Non-Employee Source for more details about how to create non-employee sources.

To add accounts to a non-employee source in Identity Security Cloud, administrators can select the non-employee source and add the accounts. They can also use the 'Manage Non-Employees' widget on their user dashboards to reach the list of sources and then select the non-employee source they want to add the accounts to.

Administrators can either add accounts individually or in bulk. Each non-employee source can have a maximum of 20,000 accounts. To add accounts in bulk, they must select the 'Bulk Upload' option and upload a CSV file. Refer to Adding Accounts for more details about how to add accounts to non-employee sources.

Once administrators have created the non-employee source and added accounts to it, they can create identity profiles to generate identities for the non-employee accounts and manage the non-employee identities the same way they would any other identities.

Refer to Managing Non-Employee Sources and Accounts for more information about non-employee lifecycle management.

Create non-employee record

This request will create a non-employee record. Requires role context of idn:nesr:create

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Non-Employee record creation request body.

accountName
required
string

Requested identity account name.

firstName
required
string

Non-Employee's first name.

lastName
required
string

Non-Employee's last name.

email
required
string

Non-Employee's email.

phone
required
string

Non-Employee's phone.

manager
required
string

The account ID of a valid identity to serve as this non-employee's manager.

sourceId
required
string

Non-Employee's source id.

object

Additional attributes for a non-employee. Up to 10 custom attributes can be added.

startDate
required
string <date-time>

Non-Employee employment start date.

endDate
required
string <date-time>

Non-Employee employment end date.

Responses

Request samples

Content type
application/json
{
  • "accountName": "william.smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "data": {
    },
  • "startDate": "2020-03-24T00:00:00-05:00",
  • "endDate": "2021-03-25T00:00:00-05:00"
}

Response samples

Content type
application/json
{
  • "id": "ef38f94347e94562b5bb8424a56397d8",
  • "accountName": "Abby.Smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "data": {
    },
  • "startDate": "2019-08-23T18:52:59.162Z",
  • "endDate": "2020-08-23T18:52:59.162Z",
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z"
}

List non-employee records

This gets a list of non-employee records. There are two contextual uses for this endpoint:

  1. The user has the role context of idn:nesr:read, in which case they can get a list of all of the non-employees.
  2. The user is an account manager, in which case they can get a list of the non-employees that they manage.
Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=accountName,sourceId

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, accountName, sourceId, manager, firstName, lastName, email, phone, startDate, endDate, created, modified

filters
string
Example: filters=sourceId eq "2c91808568c529c60168cca6f90c1313"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

sourceId: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get a non-employee record

This gets a non-employee record. Requires role context of idn:nesr:read

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Non-Employee record id (UUID)

Responses

Response samples

Content type
application/json
{
  • "id": "ef38f94347e94562b5bb8424a56397d8",
  • "accountName": "Abby.Smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "data": {
    },
  • "startDate": "2019-08-23T18:52:59.162Z",
  • "endDate": "2020-08-23T18:52:59.162Z",
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z"
}

Update non-employee record

This request will update a non-employee record. There are two contextual uses for this endpoint:

  1. The user has the role context of idn:nesr:update, in which case they update all available fields.
  2. The user is owner of the source, in this case they can only update the end date.
Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Non-employee record id (UUID)

Request Body schema: application/json

Non-employee record creation request body. Attributes are restricted by user type. Owner of source can update end date. Organization admins can update all available fields.

accountName
required
string

Requested identity account name.

firstName
required
string

Non-Employee's first name.

lastName
required
string

Non-Employee's last name.

email
required
string

Non-Employee's email.

phone
required
string

Non-Employee's phone.

manager
required
string

The account ID of a valid identity to serve as this non-employee's manager.

sourceId
required
string

Non-Employee's source id.

object

Additional attributes for a non-employee. Up to 10 custom attributes can be added.

startDate
required
string <date-time>

Non-Employee employment start date.

endDate
required
string <date-time>

Non-Employee employment end date.

Responses

Request samples

Content type
application/json
{
  • "accountName": "william.smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "data": {
    },
  • "startDate": "2020-03-24T00:00:00-05:00",
  • "endDate": "2021-03-25T00:00:00-05:00"
}

Response samples

Content type
application/json
{
  • "id": "ef38f94347e94562b5bb8424a56397d8",
  • "accountName": "Abby.Smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "data": {
    },
  • "startDate": "2019-08-23T18:52:59.162Z",
  • "endDate": "2020-08-23T18:52:59.162Z",
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z"
}

Patch non-employee record

This request will patch a non-employee record. There are two contextual uses for this endpoint:

  1. The user has the role context of idn:nesr:update, in which case they update all available fields.
  2. The user is owner of the source, in this case they can only update the end date.
Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Non-employee record id (UUID)

Request Body schema: application/json-patch+json

A list of non-employee update operations according to the JSON Patch standard. Attributes are restricted by user type. Owner of source can update end date. Organization admins can update all available fields.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "ef38f94347e94562b5bb8424a56397d8",
  • "accountName": "Abby.Smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "data": {
    },
  • "startDate": "2019-08-23T18:52:59.162Z",
  • "endDate": "2020-08-23T18:52:59.162Z",
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z"
}

Delete non-employee record

This request will delete a non-employee record. Requires role context of idn:nesr:delete

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Non-Employee record id (UUID)

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Delete multiple non-employee records

This request will delete multiple non-employee records based on the non-employee ids provided. Requires role context of idn:nesr:delete

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Non-Employee bulk delete request body.

ids
required
Array of strings <uuid>

List of non-employee ids.

Responses

Request samples

Content type
application/json
{
  • "ids": [
    ]
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Create non-employee request

This request will create a non-employee request and notify the approver. Requires role context of idn:nesr:create or the user must own the source.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Non-Employee creation request body

accountName
required
string

Requested identity account name.

firstName
required
string

Non-Employee's first name.

lastName
required
string

Non-Employee's last name.

email
required
string

Non-Employee's email.

phone
required
string

Non-Employee's phone.

manager
required
string

The account ID of a valid identity to serve as this non-employee's manager.

sourceId
required
string

Non-Employee's source id.

object

Additional attributes for a non-employee. Up to 10 custom attributes can be added.

startDate
required
string <date-time>

Non-Employee employment start date.

endDate
required
string <date-time>

Non-Employee employment end date.

Responses

Request samples

Content type
application/json
{
  • "accountName": "william.smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "data": {
    },
  • "startDate": "2020-03-24T00:00:00-05:00",
  • "endDate": "2021-03-25T00:00:00-05:00"
}

Response samples

Content type
application/json
{
  • "id": "a0303682-5e4a-44f7-bdc2-6ce6112549c1",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "name": "Retail",
  • "description": "Source description",
  • "accountName": "william.smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "nonEmployeeSource": {
    },
  • "data": {
    },
  • "approvalItems": [
    ],
  • "approvalStatus": "APPROVED",
  • "comment": "approved",
  • "completionDate": "2020-03-24T11:11:41.139-05:00",
  • "startDate": "2020-03-24T00:00:00-05:00",
  • "endDate": "2021-03-25T00:00:00-05:00",
  • "modified": "2020-03-24T11:11:41.139-05:00",
  • "created": "2020-03-24T11:11:41.139-05:00"
}

List non-employee requests

This gets a list of non-employee requests. There are two contextual uses for the requested-for path parameter:

  1. The user has the role context of idn:nesr:read, in which case he or she may request a list non-employee requests assigned to a particular account manager by passing in that manager's id.
  2. The current user is an account manager, in which case "me" should be provided as the requested-for value. This will provide the user with a list of the non-employee requests in the source(s) he or she manages.
Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

requested-for
required
string
Example: requested-for=e136567de87e4d029e60b3c3c55db56d

The identity for whom the request was made. me indicates the current user.

sorters
string <comma-separated>
Example: sorters=created,approvalStatus

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: created, approvalStatus, firstName, lastName, email, phone, accountName, startDate, endDate

filters
string
Example: filters=sourceId eq "2c91808568c529c60168cca6f90c1313"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

sourceId: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get a non-employee request

This gets a non-employee request. There are two contextual uses for this endpoint:

  1. The user has the role context of idn:nesr:read, in this case the user can get the non-employee request for any user.
  2. The user must be the owner of the non-employee request.
Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ac110005-7156-1150-8171-5b292e3e0084

Non-Employee request id (UUID)

Responses

Response samples

Content type
application/json
{
  • "id": "a0303682-5e4a-44f7-bdc2-6ce6112549c1",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "name": "Retail",
  • "description": "Source description",
  • "accountName": "william.smith",
  • "firstName": "William",
  • "lastName": "Smith",
  • "email": "william.smith@example.com",
  • "phone": "5125555555",
  • "manager": "jane.doe",
  • "nonEmployeeSource": {
    },
  • "data": {
    },
  • "approvalItems": [
    ],
  • "approvalStatus": "APPROVED",
  • "comment": "approved",
  • "completionDate": "2020-03-24T11:11:41.139-05:00",
  • "startDate": "2020-03-24T00:00:00-05:00",
  • "endDate": "2021-03-25T00:00:00-05:00",
  • "modified": "2020-03-24T11:11:41.139-05:00",
  • "created": "2020-03-24T11:11:41.139-05:00"
}

Delete non-employee request

This request will delete a non-employee request. Requires role context of idn:nesr:delete

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string <uuid>
Example: ac110005-7156-1150-8171-5b292e3e0084

Non-Employee request id in the UUID format

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get summary of non-employee requests

This request will retrieve a summary of non-employee requests. There are two contextual uses for the requested-for path parameter:

  1. The user has the role context of idn:nesr:read, in which case he or she may request a summary of all non-employee approval requests assigned to a particular account manager by passing in that manager's id.
  2. The current user is an account manager, in which case "me" should be provided as the requested-for value. This will provide the user with a summary of the non-employee requests in the source(s) he or she manages.
Authorizations:
Personal Access TokenClient Credentials
path Parameters
requested-for
required
string <uuid (if user is Org Admin)>
Example: 2c91808280430dfb0180431a59440460

The identity (UUID) of the non-employee account manager for whom the summary is being retrieved. Use "me" instead to indicate the current user.

Responses

Response samples

Content type
application/json
{
  • "approved": 2,
  • "rejected": 2,
  • "pending": 2,
  • "nonEmployeeCount": 2
}

Create non-employee source

Create a non-employee source.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Non-Employee source creation request body.

name
required
string

Name of non-employee source.

description
required
string

Description of non-employee source.

required
object (NonEmployeeIdnUserRequest)
managementWorkgroup
string

The ID for the management workgroup that contains source sub-admins

Array of objects (NonEmployeeIdnUserRequest) <= 3 items

List of approvers.

Array of objects (NonEmployeeIdnUserRequest) <= 10 items

List of account managers.

Responses

Request samples

Content type
application/json
{
  • "name": "Retail",
  • "description": "Source description",
  • "owner": {
    },
  • "managementWorkgroup": "123299",
  • "approvers": [
    ],
  • "accountManagers": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "a0303682-5e4a-44f7-bdc2-6ce6112549c1",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "name": "Retail",
  • "description": "Source description",
  • "approvers": [
    ],
  • "accountManagers": [
    ],
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z",
  • "cloudExternalId": "99999"
}

List non-employee sources

Get a list of non-employee sources. There are two contextual uses for the requested-for path parameter:

  1. If the user has the role context of idn:nesr:read, he or she may request a list sources assigned to a particular account manager by passing in that manager's id.
  2. If the current user is an account manager, the user should provide 'me' as the requested-for value. Doing so provide the user with a list of the sources he or she owns.
Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

requested-for
string
Example: requested-for=me

Identity the request was made for. Use 'me' to indicate the current user.

non-employee-count
boolean
Default: false
Example: non-employee-count=true

Flag that determines whether the API will return a non-employee count associated with the source.

sorters
string <comma-separated>
Example: sorters=name,created

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, sourceId

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get a non-employee source

This gets a non-employee source. There are two contextual uses for the requested-for path parameter:

  1. The user has the role context of idn:nesr:read, in which case he or she may request any source.
  2. The current user is an account manager, in which case the user can only request sources that they own.
Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c91808b7c28b350017c2a2ec5790aa1

Source Id

Responses

Response samples

Content type
application/json
{
  • "id": "a0303682-5e4a-44f7-bdc2-6ce6112549c1",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "name": "Retail",
  • "description": "Source description",
  • "approvers": [
    ],
  • "accountManagers": [
    ],
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z"
}

Patch a non-employee source

patch a non-employee source. (partial update)
Patchable field: name, description, approvers, accountManagers Requires role context of idn:nesr:update.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: e136567de87e4d029e60b3c3c55db56d

Source Id

Request Body schema: application/json-patch+json

A list of non-employee source update operations according to the JSON Patch standard.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "a0303682-5e4a-44f7-bdc2-6ce6112549c1",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "name": "Retail",
  • "description": "Source description",
  • "approvers": [
    ],
  • "accountManagers": [
    ],
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z"
}

Delete non-employee source

This request will delete a non-employee source. Requires role context of idn:nesr:delete.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: e136567de87e4d029e60b3c3c55db56d

Source Id

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Exports non-employee records to csv

This requests a CSV download for all non-employees from a provided source. Requires role context of idn:nesr:read

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: e136567de87e4d029e60b3c3c55db56d

Source Id (UUID)

Responses

Response samples

Content type
text/csv
accountName,firstName,lastName,phone,email,manager,startDate,endDate
Jon.Smith, Jon, Smith, 555-555-5555, jon@jon.doe.nope.com, Jim Smith, 2020-04-05T08:00:00-10:00,2020-08-07T19:00:00-10:00
William.Chaffin, William, Chaffin, 555-555-5555, william@chaffins.nope.com, Bertram Chaffin, 2020-04-05T08:00:00-10:00,2020-08-07T19:00:00-10:00

Imports, or updates, non-employee records

This post will import, or update, Non-Employee records found in the CSV. Requires role context of idn:nesr:create

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: e136567de87e4d029e60b3c3c55db56d

Source Id (UUID)

Request Body schema: multipart/form-data
data
required
string <binary>

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90cffff",
  • "sourceId": "2c91808568c529c60168cca6f90c1313",
  • "created": "2019-08-23T18:52:59.162Z",
  • "modified": "2019-08-23T18:52:59.162Z",
  • "status": "PENDING"
}

Obtain the status of bulk upload on the source

The nonEmployeeBulkUploadStatus API returns the status of the newest bulk upload job for the specified source. Requires role context of idn:nesr:read

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: e136567de87e4d029e60b3c3c55db56d

Source ID (UUID)

Responses

Response samples

Content type
application/json
{
  • "status": "PENDING"
}

Exports source schema template

This requests a download for the Source Schema Template for a provided source. Requires role context of idn:nesr:read

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source Id (UUID)

Responses

Response samples

Content type
text/csv
accountName,firstName,lastName,phone,email,manager,startDate,endDate

Get list of non-employee approval requests

This gets a list of non-employee approval requests. There are two contextual uses for this endpoint:

  1. The user has the role context of idn:nesr:read, in which case they can list the approvals for any approver.
  2. The user owns the requested approval.
Authorizations:
Personal Access TokenClient Credentials
query Parameters
requested-for
string
Example: requested-for=2c91808280430dfb0180431a59440460

The identity for whom the request was made. me indicates the current user.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=approvalStatus eq "Pending"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

approvalStatus: eq

sorters
string <comma-separated>
Example: sorters=created

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get a non-employee approval item detail

Gets a non-employee approval item detail. There are two contextual uses for this endpoint:

  1. The user has the role context of idn:nesr:read, in which case they can get any approval.
  2. The user owns the requested approval.
Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: e136567de87e4d029e60b3c3c55db56d

Non-Employee approval item id (UUID)

query Parameters
include-detail
boolean
Example: include-detail=true

The object nonEmployeeRequest will not be included detail when set to false. Default value is true

Responses

Response samples

Content type
application/json
{
  • "id": "2c1e388b-1e55-4b0a-ab5c-897f1204159c",
  • "approver": {
    },
  • "accountName": "test.account",
  • "approvalStatus": "APPROVED",
  • "approvalOrder": 1,
  • "comment": "I approve",
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z",
  • "nonEmployeeRequest": {
    }
}

Approve a non-employee request

Approves a non-employee approval request and notifies the next approver. The current user must be the requested approver.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: e136567de87e4d029e60b3c3c55db56d

Non-Employee approval item id (UUID)

Request Body schema: application/json
comment
string <= 4000 characters

Comment on the approval item.

Responses

Request samples

Content type
application/json
{
  • "comment": "Approved by manager"
}

Response samples

Content type
application/json
{
  • "id": "2c1e388b-1e55-4b0a-ab5c-897f1204159c",
  • "approver": {
    },
  • "accountName": "test.account",
  • "approvalStatus": "APPROVED",
  • "approvalOrder": 1,
  • "comment": "I approve",
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z",
  • "nonEmployeeRequest": {
    }
}

Reject a non-employee request

This endpoint will reject an approval item request and notify user. The current user must be the requested approver.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: e136567de87e4d029e60b3c3c55db56d

Non-Employee approval item id (UUID)

Request Body schema: application/json
comment
required
string <= 4000 characters

Comment on the approval item.

Responses

Request samples

Content type
application/json
{
  • "comment": "approved"
}

Response samples

Content type
application/json
{
  • "id": "2c1e388b-1e55-4b0a-ab5c-897f1204159c",
  • "approver": {
    },
  • "accountName": "test.account",
  • "approvalStatus": "APPROVED",
  • "approvalOrder": 1,
  • "comment": "I approve",
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z",
  • "nonEmployeeRequest": {
    }
}

Get summary of non-employee approval requests

This request will retrieve a summary of non-employee approval requests. There are two contextual uses for the requested-for path parameter:

  1. The user has the role context of idn:nesr:read, in which case he or she may request a summary of all non-employee approval requests assigned to a particular approver by passing in that approver's id.
  2. The current user is an approver, in which case "me" should be provided as the requested-for value. This will provide the approver with a summary of the approval items assigned to him or her.
Authorizations:
Personal Access TokenClient Credentials
path Parameters
requested-for
required
string
Example: 2c91808280430dfb0180431a59440460

The identity (UUID) of the approver for whom for whom the summary is being retrieved. Use "me" instead to indicate the current user.

Responses

Response samples

Content type
application/json
{
  • "approved": 2,
  • "pending": 2,
  • "rejected": 2
}

List schema attributes non-employee source

This API gets the list of schema attributes for the specified Non-Employee SourceId. There are 8 mandatory attributes added to each new Non-Employee Source automatically. Additionaly, user can add up to 10 custom attributes. This interface returns all the mandatory attributes followed by any custom attributes. At most, a total of 18 attributes will be returned. Requires role context of idn:nesr:read or the user must be an account manager of the source.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Source id

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create a new schema attribute for non-employee source

This API creates a new schema attribute for Non-Employee Source. The schema technical name must be unique in the source. Attempts to create a schema attribute with an existing name will result in a "400.1.409 Reference conflict" response. At most, 10 custom attributes can be created per schema. Attempts to create more than 10 will result in a "400.1.4 Limit violation" response. Requires role context of idn:nesr:create

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Source id

Request Body schema: application/json
type
required
string

Type of the attribute. Only type 'TEXT' is supported for custom attributes.

label
required
string

Label displayed on the UI for this schema attribute.

technicalName
required
string

The technical name of the attribute. Must be unique per source.

helpText
string

help text displayed by UI.

placeholder
string

Hint text that fills UI box.

required
boolean

If true, the schema attribute is required for all non-employees in the source

Responses

Request samples

Content type
application/json
{
  • "type": "TEXT",
  • "label": "Account Name",
  • "technicalName": "account.name",
  • "helpText": "The unique identifier for the account",
  • "placeholder": "Enter a unique user name for this account.",
  • "required": true
}

Response samples

Content type
application/json
{
  • "id": "ac110005-7156-1150-8171-5b292e3e0084",
  • "system": true,
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z",
  • "type": "TEXT",
  • "label": "Account Name",
  • "technicalName": "account.name",
  • "helpText": "The unique identifier for the account",
  • "placeholder": "Enter a unique user name for this account.",
  • "required": true
}

Delete all custom schema attributes for non-employee source

This end-point deletes all custom schema attributes for a non-employee source. Requires role context of idn:nesr:delete

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Source id

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get schema attribute non-employee source

This API gets a schema attribute by Id for the specified Non-Employee SourceId. Requires role context of idn:nesr:read or the user must be an account manager of the source.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
attributeId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Schema Attribute Id (UUID)

sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Source id

Responses

Response samples

Content type
application/json
{
  • "id": "ac110005-7156-1150-8171-5b292e3e0084",
  • "system": true,
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z",
  • "type": "TEXT",
  • "label": "Account Name",
  • "technicalName": "account.name",
  • "helpText": "The unique identifier for the account",
  • "placeholder": "Enter a unique user name for this account.",
  • "required": true
}

Patch a schema attribute for non-employee source

This end-point patches a specific schema attribute for a non-employee SourceId. Requires role context of idn:nesr:update

Authorizations:
Personal Access TokenClient Credentials
path Parameters
attributeId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Schema Attribute Id (UUID)

sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Source id

Request Body schema: application/json-patch+json

A list of schema attribute update operations according to the JSON Patch standard. The following properties are allowed for update ':' 'label', 'helpText', 'placeholder', 'required'.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "ac110005-7156-1150-8171-5b292e3e0084",
  • "system": true,
  • "modified": "2019-08-23T18:52:59.162Z",
  • "created": "2019-08-23T18:40:35.772Z",
  • "type": "TEXT",
  • "label": "Account Name",
  • "technicalName": "account.name",
  • "helpText": "The unique identifier for the account",
  • "placeholder": "Enter a unique user name for this account.",
  • "required": true
}

Delete a schema attribute for non-employee source

This end-point deletes a specific schema attribute for a non-employee source. Requires role context of idn:nesr:delete

Authorizations:
Personal Access TokenClient Credentials
path Parameters
attributeId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Schema Attribute Id (UUID)

sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Source id

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Notifications

Change mail from domain

Change the MAIL FROM domain of an AWS SES email identity and provide the MX and TXT records to be placed in the caller's DNS

Authorizations:
Personal Access Token
Request Body schema: application/json
identity
string

The identity or domain address

mailFromDomain
string

The new MAIL FROM domain of the identity. Must be a subdomain of the identity.

Responses

Request samples

Content type
application/json
{
  • "identity": "BobSmith@sailpoint.com",
  • "mailFromDomain": "example.sailpoint.com"
}

Response samples

Content type
application/json
{
  • "identity": "bob.smith@sailpoint.com",
  • "mailFromDomain": "foo.sailpoint.com",
  • "mxRecord": "10 feedback-smtp.us-east-1.amazonses.com",
  • "txtRecord": "v=spf1 include:amazonses.com ~all",
  • "mailFromDomainStatus": "PENDING"
}

Get mail from attributes

Retrieve MAIL FROM attributes for a given AWS SES identity.

Authorizations:
Personal Access Token
path Parameters
identity
required
string
Example: bobsmith@sailpoint.com

Returns the MX and TXT record to be put in your DNS, as well as the MAIL FROM domain status

Responses

Response samples

Content type
application/json
{
  • "identity": "bob.smith@sailpoint.com",
  • "mailFromDomain": "foo.sailpoint.com",
  • "mxRecord": "10 feedback-smtp.us-east-1.amazonses.com",
  • "txtRecord": "v=spf1 include:amazonses.com ~all",
  • "mailFromDomainStatus": "PENDING"
}

List notification template defaults

This lists the default templates used for notifications, such as emails from IdentityNow.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=key eq "cloud_manual_work_item_summary"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

key: eq, in, sw

medium: eq, sw

locale: eq, sw

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List notification templates

This lists the templates that you have modified for your site.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=medium eq "EMAIL"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

key: eq, in, sw

medium: eq, sw

locale: eq, sw

sorters
string <comma-separated>
Example: sorters=key, -name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: key, name, medium

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create notification template

This will update notification templates that are available in your tenant. Note that you cannot create new templates in your tenant, but you can use this to create custom notifications from existing templates. First, copy the response body from the get notification template endpoint for a template you wish to update and paste it into the request body for this endpoint.
Modify the fields you want to change and submit the POST request when ready.

Authorizations:
Personal Access Token
Request Body schema: application/json
key
required
string

The key of the template

name
string

The name of the Task Manager Subscription

medium
required
string
Enum: "EMAIL" "SLACK" "TEAMS"

The message medium. More mediums may be added in the future.

locale
required
string

The locale for the message text, a BCP 47 language tag.

subject
string

The subject line in the template

header
string or null
Deprecated

The header value is now located within the body field. If included with non-null values, will result in a 400.

body
string

The body in the template

footer
string or null
Deprecated

The footer value is now located within the body field. If included with non-null values, will result in a 400.

from
string

The "From:" address in the template

replyTo
string

The "Reply To" line in the template

description
string

The description in the template

id
string

This is auto-generated.

created
string <date-time>

The time when this template is created. This is auto-generated.

modified
string <date-time>

The time when this template was last modified. This is auto-generated.

object or null (Template Slack)
object or null (Template Teams)

Responses

Request samples

Content type
application/json
{
  • "key": "cloud_manual_work_item_summary",
  • "name": "Task Manager Subscription",
  • "medium": "EMAIL",
  • "locale": "en",
  • "subject": "You have $numberOfPendingTasks $taskTasks to complete in ${__global.productName}.",
  • "header": null,
  • "body": "Please go to the task manager",
  • "footer": null,
  • "from": "$__global.emailFromAddress",
  • "replyTo": "$__global.emailFromAddress",
  • "description": "Daily digest - sent if number of outstanding tasks for task owner > 0",
  • "id": "c17bea3a-574d-453c-9e04-4365fbf5af0b",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "slackTemplate": {
    },
  • "teamsTemplate": {
    }
}

Response samples

Content type
application/json
{
  • "key": "cloud_manual_work_item_summary",
  • "name": "Task Manager Subscription",
  • "medium": "EMAIL",
  • "locale": "en",
  • "subject": "You have $numberOfPendingTasks $taskTasks to complete in ${__global.productName}.",
  • "header": null,
  • "body": "Please go to the task manager",
  • "footer": null,
  • "from": "$__global.emailFromAddress",
  • "replyTo": "$__global.emailFromAddress",
  • "description": "Daily digest - sent if number of outstanding tasks for task owner > 0",
  • "id": "c17bea3a-574d-453c-9e04-4365fbf5af0b",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "slackTemplate": {
    },
  • "teamsTemplate": {
    }
}

Get notification template by id

This gets a template that you have modified for your site by Id.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the Notification Template

Responses

Response samples

Content type
application/json
{
  • "key": "cloud_manual_work_item_summary",
  • "name": "Task Manager Subscription",
  • "medium": "EMAIL",
  • "locale": "en",
  • "subject": "You have $numberOfPendingTasks $taskTasks to complete in ${__global.productName}.",
  • "header": null,
  • "body": "Please go to the task manager",
  • "footer": null,
  • "from": "$__global.emailFromAddress",
  • "replyTo": "$__global.emailFromAddress",
  • "description": "Daily digest - sent if number of outstanding tasks for task owner > 0",
  • "id": "c17bea3a-574d-453c-9e04-4365fbf5af0b",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "slackTemplate": {
    },
  • "teamsTemplate": {
    }
}

Bulk delete notification templates

This lets you bulk delete templates that you previously created for your site.

Authorizations:
Personal Access Token
Request Body schema: application/json
Array
key
required
string

The template key to delete

medium
string
Enum: "EMAIL" "SLACK" "TEAMS"

The notification medium (EMAIL, SLACK, or TEAMS)

locale
string

The locale for the message text, a BCP 47 language tag.

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get notification template context

The notification service maintains metadata to construct the notification templates or supply any information during the event propagation. The data-store where this information is retrieved is called "Global Context" (a.k.a. notification template context). It defines a set of attributes that will be available per tenant (organization).

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "attributes": {
    },
  • "created": "2020-04-15T16:16:47.525Z",
  • "modified": "2020-04-15T16:16:47.525Z"
}

List notification preferences for tenant.

Returns a list of notification preferences for tenant.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "key": "cloud_manual_work_item_summary",
  • "mediums": [
    ],
  • "modified": "2020-05-15T14:37:06.909Z"
}

Send test notification

Send a Test Notification

Authorizations:
Personal Access Token
Request Body schema: application/json
key
string

The template notification key.

medium
string
Enum: "EMAIL" "SLACK" "TEAMS"

The notification medium. Has to be one of the following enum values.

locale
string

The locale for the message text.

context
object

A Json object that denotes the context specific to the template.

recipientEmailList
Array of strings

A list of override recipient email addresses for the test notification.

carbonCopy
Array of strings

A list of CC email addresses for the test notification.

blindCarbonCopy
Array of strings

A list of BCC email addresses for the test notification.

Responses

Request samples

Content type
application/json
{
  • "key": "cloud_manual_work_item_summary",
  • "medium": "EMAIL",
  • "context": {
    }
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List from addresses

Retrieve a list of sender email addresses and their verification statuses

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=email eq "john.doe@company.com"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

email: eq, ge, le, gt, lt

sorters
string <comma-separated>
Example: sorters=email

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: email

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create verified from address

Create a new sender email address and initiate verification process.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
string or null

Unique identifier for the verified sender address

email
string

The verified sender email address

isVerifiedByDomain
boolean
Default: false

Whether the sender address is verified by domain

verificationStatus
string
Enum: "PENDING" "SUCCESS" "FAILED" "NA"

The verification status of the sender address

region
string or null

The AWS SES region the sender address is associated with

Responses

Request samples

Content type
application/json
{
  • "email": "sender@example.com"
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "email": "sender@example.com",
  • "isVerifiedByDomain": false,
  • "verificationStatus": "SUCCESS",
  • "region": "us-east-1"
}

Delete verified from address

Delete a verified sender email address

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Unique identifier of the verified sender address to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get dkim attributes

Retrieve DKIM (DomainKeys Identified Mail) attributes for all your tenants' AWS SES identities. Limits retrieval to 100 identities per call.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Verify domain address via dkim

Create a domain to be verified via DKIM (DomainKeys Identified Mail)

Authorizations:
Personal Access Token
Request Body schema: application/json
domain
string

A domain address

Responses

Request samples

Content type
application/json
{
  • "domain": "sailpoint.com"
}

Response samples

Content type
application/json
{
  • "id": "123b45b0-aaaa-bbbb-a7db-123456a56abc",
  • "domain": "sailpoint.com",
  • "dkimEnabled": true,
  • "dkimTokens": [
    ],
  • "dkimVerificationStatus": "PENDING",
  • "region": "us-east-1"
}

OAuth Clients

Use this API to implement OAuth client functionality.
With this functionality in place, users with the appropriate security scopes can create and configure OAuth clients to use as a way to obtain authorization to use the Identity Security Cloud REST API. Refer to Authentication for more information about OAuth and how it works with the Identity Security Cloud REST API.

List oauth clients

This gets a list of OAuth clients.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=lastUsed le 2023-02-05T10:59:27.214Z

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

lastUsed: le, isnull

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create oauth client

This creates an OAuth client.

Authorizations:
Personal Access Token
Request Body schema: application/json
businessName
string or null

The name of the business the API Client should belong to

homepageUrl
string or null

The homepage URL associated with the owner of the API Client

name
required
string or null

A human-readable name for the API Client

description
required
string or null

A description of the API Client

accessTokenValiditySeconds
required
integer <int32>

The number of seconds an access token generated for this API Client is valid for

refreshTokenValiditySeconds
integer <int32>

The number of seconds a refresh token generated for this API Client is valid for

redirectUris
Array of strings or null

A list of the approved redirect URIs. Provide one or more URIs when assigning the AUTHORIZATION_CODE grant type to a new OAuth Client.

grantTypes
required
Array of strings or null (GrantType)
Enum: "CLIENT_CREDENTIALS" "AUTHORIZATION_CODE" "REFRESH_TOKEN"

A list of OAuth 2.0 grant types this API Client can be used with

accessType
required
string (AccessType)
Enum: "ONLINE" "OFFLINE"

Access type of API Client indicating online or offline use

type
string (ClientType)
Enum: "CONFIDENTIAL" "PUBLIC"

Type of an API Client indicating public or confidentials use

internal
boolean

An indicator of whether the API Client can be used for requests internal within the product.

enabled
required
boolean

An indicator of whether the API Client is enabled for use

strongAuthSupported
boolean

An indicator of whether the API Client supports strong authentication

claimsSupported
boolean

An indicator of whether the API Client supports the serialization of SAML claims when used with the authorization_code flow

scope
Array of strings or null

Scopes of the API Client. If no scope is specified, the client will be created with the default scope "sp:scopes:all". This means the API Client will have all the rights of the owner who created it.

Responses

Request samples

Content type
application/json
{
  • "businessName": "Acme-Solar",
  • "homepageUrl": "http://localhost:12345",
  • "name": "Demo API Client",
  • "description": "An API client used for the authorization_code, refresh_token, and client_credentials flows",
  • "accessTokenValiditySeconds": 750,
  • "refreshTokenValiditySeconds": 86400,
  • "redirectUris": [],
  • "grantTypes": [
    ],
  • "accessType": "OFFLINE",
  • "type": "CONFIDENTIAL",
  • "internal": false,
  • "enabled": true,
  • "strongAuthSupported": false,
  • "claimsSupported": false,
  • "scope": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "secret": "5c32dd9b21adb51c77794d46e71de117a1d0ddb36a7ff941fa28014ab7de2cf3",
  • "businessName": "Acme-Solar",
  • "homepageUrl": "http://localhost:12345",
  • "name": "Demo API Client",
  • "description": "An API client used for the authorization_code, refresh_token, and client_credentials flows",
  • "accessTokenValiditySeconds": 750,
  • "refreshTokenValiditySeconds": 86400,
  • "redirectUris": [],
  • "grantTypes": [
    ],
  • "accessType": "OFFLINE",
  • "type": "CONFIDENTIAL",
  • "internal": false,
  • "enabled": true,
  • "strongAuthSupported": false,
  • "claimsSupported": false,
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "scope": [
    ]
}

Get oauth client

This gets details of an OAuth client.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The OAuth client id

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "businessName": "Acme-Solar",
  • "homepageUrl": "http://localhost:12345",
  • "name": "Demo API Client",
  • "description": "An API client used for the authorization_code, refresh_token, and client_credentials flows",
  • "accessTokenValiditySeconds": 750,
  • "refreshTokenValiditySeconds": 86400,
  • "redirectUris": [],
  • "grantTypes": [
    ],
  • "accessType": "OFFLINE",
  • "type": "CONFIDENTIAL",
  • "internal": false,
  • "enabled": true,
  • "strongAuthSupported": false,
  • "claimsSupported": false,
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "secret": "string",
  • "metadata": "string",
  • "lastUsed": "2017-07-11T18:45:37.098Z",
  • "scope": [
    ]
}

Delete oauth client

This deletes an OAuth client.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The OAuth client id

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Patch oauth client

This performs a targeted update to the field(s) of an OAuth client.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The OAuth client id

Request Body schema: application/json-patch+json

A list of OAuth client update operations according to the JSON Patch standard.

The following fields are patchable:

  • tenant
  • businessName
  • homepageUrl
  • name
  • description
  • accessTokenValiditySeconds
  • refreshTokenValiditySeconds
  • redirectUris
  • grantTypes
  • accessType
  • enabled
  • strongAuthSupported
  • claimsSupported
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "businessName": "Acme-Solar",
  • "homepageUrl": "http://localhost:12345",
  • "name": "Demo API Client",
  • "description": "An API client used for the authorization_code, refresh_token, and client_credentials flows",
  • "accessTokenValiditySeconds": 750,
  • "refreshTokenValiditySeconds": 86400,
  • "redirectUris": [],
  • "grantTypes": [
    ],
  • "accessType": "OFFLINE",
  • "type": "CONFIDENTIAL",
  • "internal": false,
  • "enabled": true,
  • "strongAuthSupported": false,
  • "claimsSupported": false,
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "secret": "string",
  • "metadata": "string",
  • "lastUsed": "2017-07-11T18:45:37.098Z",
  • "scope": [
    ]
}

Org Config

Use this API to implement organization configuration functionality. Administrators can use this functionality to manage organization settings, such as time zones.

Get org config settings

Get the current organization's configuration settings, only external accessible properties.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
{
  • "orgName": "acme-solar",
  • "timeZone": "America/Toronto",
  • "lcsChangeHonorsSourceEnableFeature": false,
  • "armCustomerId": "DE38E75A-5FF6-4A65-5DC7-08D64426B09E",
  • "armSapSystemIdMappings": [
    ],
  • "armAuth": "epiYNTRYA2S7swisDWk1Zv4VMNgvqEjiBh5_ufuCWsma2m-5XADijqBg0ijXLby5nS6lxZNXabhGnAPGeDGc4V3jQKrhwV-UHypRLs8ZLgOjiQNus9NimS0uPdKomRW6TFWqXyfnYd-znNgbbVuwUy9GyD9ebDVJSntPastxSx7UcyGuWBqfNZYpuxKRWe_7TVY60qL55jUqyz8N4XUbbdcxdbZ0uik6ut-Bv90MKTbZexBW_PR4qcgIkaEs4kIenLyBxnGziYo7AO0tJ8bGHO8FJRkibCpAQIt7PISLo7Gg_Xf9j10dKq2YDgy4pPTvz3fE2ZHYnXCXvXFSA-vVag==",
  • "armDb": "EU",
  • "armSsoUrl": "https://your-arm-sso-url",
  • "iaiEnableCertificationRecommendations": true,
  • "sodReportConfigs": [
    ]
}

Patch org config

Patch the current organization's configuration, using http://jsonpatch.com/ syntax. This is commonly used to changing an organization's time zone.

Authorizations:
Personal Access Token
Request Body schema: application/json-patch+json

A list of schema attribute update operations according to the JSON Patch standard.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "orgName": "acme-solar",
  • "timeZone": "America/Toronto",
  • "lcsChangeHonorsSourceEnableFeature": false,
  • "armCustomerId": "DE38E75A-5FF6-4A65-5DC7-08D64426B09E",
  • "armSapSystemIdMappings": [
    ],
  • "armAuth": "epiYNTRYA2S7swisDWk1Zv4VMNgvqEjiBh5_ufuCWsma2m-5XADijqBg0ijXLby5nS6lxZNXabhGnAPGeDGc4V3jQKrhwV-UHypRLs8ZLgOjiQNus9NimS0uPdKomRW6TFWqXyfnYd-znNgbbVuwUy9GyD9ebDVJSntPastxSx7UcyGuWBqfNZYpuxKRWe_7TVY60qL55jUqyz8N4XUbbdcxdbZ0uik6ut-Bv90MKTbZexBW_PR4qcgIkaEs4kIenLyBxnGziYo7AO0tJ8bGHO8FJRkibCpAQIt7PISLo7Gg_Xf9j10dKq2YDgy4pPTvz3fE2ZHYnXCXvXFSA-vVag==",
  • "armDb": "EU",
  • "armSsoUrl": "https://your-arm-sso-url",
  • "iaiEnableCertificationRecommendations": true,
  • "sodReportConfigs": [
    ]
}

Get valid time zones

List the valid time zones that can be set in organization configurations.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 50 ]
Default: 50
Example: limit=50

Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • "Etc/GMT-6",
  • "Etc/GMT+8",
  • "EST",
  • "America/Chicago",
  • "America/Toronto",
  • "Asia/Gaza",
  • "Europe/Brussels",
  • "Europe/Kiev"
]

Parameter Storage

The Parameter Storage is SailPoint's centralized repository for authentication, authorization, and connection configurations, stored as typed Parameters.

The APIs can be used to input Parameters, which can then be referenced by other services, such as Workflow configurations. When these services are executed, the relevant values are fetched via an internal API (not documented here).

The usage of Parameters can be monitored via References managed by Parameter Storage. References provide an indirect mapping between a Parameter and its usage (e.g., within a Workflow), allowing for reports such as "Parameter X is used in Workflow Y" via APIs.

A Parameter is a named instance of typed configuration, where the state is stored as Fields. These Fields are either Public (cleartext, searchable) or Private (encrypted).

Parameter Types are grouped and fall into three Categories: Authentication, Authorization, and Connection.

Parameters are strongly typed; each Type's fields are named and exposed to the consumer. This means that if a service states that it expects a Credential Type, it will receive a Parameter with a Username and Password.

Fields are named, typed variables within a Parameter; the Fields on a Parameter depend on the Parameter's Type. Fields contain customer-provided data that will be referenced by another service, and their typing determines whether they're stored in cleartext or encrypted.

The Specification documents the supported Categories, Types, Fields, Field Names, and their relationships.

A Reference is an indirect pointer to a Parameter, where each usage of a Parameter has a corresponding Reference. This allows for usage tracking and safe deletion.

Get an attestation document.

Get an attestation document containing a NIST P-384 service public key for an ECDHE handshake, enabling the end-to-end-encrypted transport of parameter private fields.

Authorizations:
Personal Access Token
query Parameters
key
required
string
Example: key=BLdV-KA7nSRXx2XkksQX7bmOAShARsB3CCVWodKr4dOJj_puru76wy6drBTVlSytW_rDheLwepm9xdrRuqUI7p81wMP576frFBbsjndBKyRm3eouPbDcW8MAz0XRH1BB3w==

Base64Url encoded NIST P-384 public key

Responses

Response samples

Content type
application/json
{
  • "attestationDocument": "YmFzZTY0IGVuY29kZWQgYXR0ZXN0YXRpb24gZG9jdW1lbnQgZ29lcyBoZXJlLg=="
}

Add a new parameter.

Add a new parameter.

Authorizations:
Personal Access Token
Request Body schema: application/json

The parameter to add to the store.

ownerId
required
string

The UUID of the parameter owner.

name
required
string

The human-readable name for the parameter.

type
required
string

The type of the parameter. This cannot be changed after being set. Please see the types document for more information.

publicFields
object

The content must be a JSON object containing the public fields that can be stored with this parameter.

privateFields
string

Must be a JWE AES256 encrypted blob. The content of the blob must be a JSON object containing the private fields that can be stored with this parameter.

description
string

Describe the parameter

Responses

Request samples

Content type
application/json
{
  • "ownerId": "c0b4568a4fe7458c434ee77d1fbt156b",
  • "name": "Credentials for server.",
  • "type": "1.1",
  • "publicFields": "{\"username\": \"username\"}",
  • "privateFields": "ZW5jcnlwdGVkIHBhc3N3b3JkIGhlcmUu",
  • "description": "Credentials for server."
}

Response samples

Content type
application/json
{
  • "id": "58de858b-83d9-4563-9e15-7393594c684a",
  • "ownerId": "c0b4568a4fe7458c434ee77d1fbt156b",
  • "type": "1.1",
  • "name": "Credentials for server",
  • "primaryField": "username",
  • "publicFields": "{\"username\": \"username\"}",
  • "description": "Credentials for server.",
  • "lastModifiedAt": "2025-09-16T12:47:08Z",
  • "lastModifiedBy": "c0b4568a4fe7458c434ee77d1fbt156b",
  • "privateFieldsLastModifiedAt": "2025-09-16T12:47:08Z",
  • "privateFieldsLastModifiedBy": "c0b4568a4fe7458c434ee77d1fbt156b"
}

Query stored parameters.

Query a stored parameter.

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=id eq 550e8400-e29b-41d4-a716-446655440000

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, ne

name: eq, in, co

description: co

ownerId: eq

type: eq, sw

sorters
string <comma-separated>
Example: sorters=type,name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, ownerId, type, description, lastModifiedAt, lastModifiedBy, privateFieldsLastModifiedAt, privateFieldsLastModifiedAt

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get a specific parameter.

Get a parameter by ID. This will only return the public fields for the parameter.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 58de858b-83d9-4563-9e15-7393594c684a

The ID of the parameter to be fetched

Responses

Response samples

Content type
application/json
{
  • "id": "58de858b-83d9-4563-9e15-7393594c684a",
  • "ownerId": "c0b4568a4fe7458c434ee77d1fbt156b",
  • "type": "1.1",
  • "name": "Credentials for server",
  • "primaryField": "username",
  • "publicFields": "{\"username\": \"username\"}",
  • "description": "Credentials for server.",
  • "lastModifiedAt": "2025-09-16T12:47:08Z",
  • "lastModifiedBy": "c0b4568a4fe7458c434ee77d1fbt156b",
  • "privateFieldsLastModifiedAt": "2025-09-16T12:47:08Z",
  • "privateFieldsLastModifiedBy": "c0b4568a4fe7458c434ee77d1fbt156b"
}

Update a parameter.

Update a parameter. You cannot change a parameter's type once set. Only the name, owner, description, public fields, and private fields can be updated. Private field updates are made via JWE AES256 encrypted blobs.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 58de858b-83d9-4563-9e15-7393594c684a

The ID of the parameter to be updated.

Request Body schema:

The updated parameter. Supports both full and RFC 6902 JSON Patch updates. For RFC 6902 JSON Patch updates, move and copy operations are not supported for privateField updates.

ownerId
string

The UUID of the parameter owner.

name
string

The human-readable name for the parameter.

publicFields
object

The public fields that can be stored with this parameter.

privateFields
string

The private fields that can be stored with this parameter.

description
string

Describe the parameter

Responses

Request samples

Content type
{
  • "ownerId": "c0b4568a4fe7458c434ee77d1fbt156b",
  • "name": "Credentials for server.",
  • "publicFields": "{\"username\": \"username\"}",
  • "privateFields": "ZW5jcnlwdGVkIHBhc3N3b3JkIGhlcmUu",
  • "description": "Credentials for server."
}

Response samples

Content type
application/json
{
  • "id": "58de858b-83d9-4563-9e15-7393594c684a",
  • "ownerId": "c0b4568a4fe7458c434ee77d1fbt156b",
  • "type": "1.1",
  • "name": "Credentials for server",
  • "primaryField": "username",
  • "publicFields": "{\"username\": \"username\"}",
  • "description": "Credentials for server.",
  • "lastModifiedAt": "2025-09-16T12:47:08Z",
  • "lastModifiedBy": "c0b4568a4fe7458c434ee77d1fbt156b",
  • "privateFieldsLastModifiedAt": "2025-09-16T12:47:08Z",
  • "privateFieldsLastModifiedBy": "c0b4568a4fe7458c434ee77d1fbt156b"
}

Delete a parameter.

Delete a parameter. Will only delete parameters without existing references.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 58de858b-83d9-4563-9e15-7393594c684a

The ID of the parameter to be deleted.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get parameter references.

Get the references for a given parameter.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 58de858b-83d9-4563-9e15-7393594c684a

The ID of the parameter which you want to fetch the references for.

query Parameters
sorters
string <comma-separated>
Example: sorters=consumerId,name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, consumerId, parameterId, name, usageHint

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get specifications for parameter types.

Get the specifications for all parameter types. All parameters must conform to this specification document.

Authorizations:
Personal Access Token
header Parameters
Accept-Language
string
Default: en
Example: en

The i18n internationalization code for the language that the spec is in. Defaults to english.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Password Configuration

Use this API to implement organization password configuration functionality. With this functionality in place, organization administrators can create organization-specific password configurations.

These configurations include details like custom password instructions, as well as digit token length and duration.

Refer to Configuring User Authentication for Password Resets for more information about organization password configuration functionality.

Get password org config

This API returns the password org config . Requires ORG_ADMIN, API role or authorization scope of 'idn:password-org-config:read'

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
{
  • "customInstructionsEnabled": true,
  • "digitTokenDurationMinutes": 9,
  • "digitTokenEnabled": false,
  • "digitTokenLength": 6
}

Update password org config

This API updates the password org config for specified fields. Other fields will keep original value. You must set the customInstructionsEnabled field to "true" to be able to use custom password instructions. Requires ORG_ADMIN, API role or authorization scope of 'idn:password-org-config:write'

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
customInstructionsEnabled
boolean
Default: false

Indicator whether custom password instructions feature is enabled. The default value is false.

digitTokenEnabled
boolean
Default: false

Indicator whether "digit token" feature is enabled. The default value is false.

digitTokenDurationMinutes
integer <int32> [ 1 .. 60 ]
Default: 5

The duration of "digit token" in minutes. The default value is 5.

digitTokenLength
integer <int32> [ 6 .. 18 ]
Default: 6

The length of "digit token". The default value is 6.

Responses

Request samples

Content type
application/json
{
  • "digitTokenEnabled": true,
  • "digitTokenDurationMinutes": 12
}

Response samples

Content type
application/json
{
  • "customInstructionsEnabled": true,
  • "digitTokenDurationMinutes": 12,
  • "digitTokenEnabled": true,
  • "digitTokenLength": 6
}

Create password org config

This API creates the password org config. Unspecified fields will use default value. To be able to use the custom password instructions, you must set the customInstructionsEnabled field to "true". Requires ORG_ADMIN, API role or authorization scope of 'idn:password-org-config:write'

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
customInstructionsEnabled
boolean
Default: false

Indicator whether custom password instructions feature is enabled. The default value is false.

digitTokenEnabled
boolean
Default: false

Indicator whether "digit token" feature is enabled. The default value is false.

digitTokenDurationMinutes
integer <int32> [ 1 .. 60 ]
Default: 5

The duration of "digit token" in minutes. The default value is 5.

digitTokenLength
integer <int32> [ 6 .. 18 ]
Default: 6

The length of "digit token". The default value is 6.

Responses

Request samples

Content type
application/json
{
  • "customInstructionsEnabled": true,
  • "digitTokenEnabled": true,
  • "digitTokenDurationMinutes": 12,
  • "digitTokenLength": 9
}

Response samples

Content type
application/json
{
  • "customInstructionsEnabled": true,
  • "digitTokenDurationMinutes": 9,
  • "digitTokenEnabled": true,
  • "digitTokenLength": 12
}

Password Dictionary

Use this API to implement password dictionary functionality.
With this functionality in place, administrators can create password dictionaries to prevent users from using certain words or characters in their passwords.

A password dictionary is a list of words or characters that users are prevented from including in their passwords. This can help protect users from themselves and force them to create passwords that are not easy to break.

A password dictionary must meet the following requirements to for the API to handle them correctly:

  • It must be in .txt format.

  • All characters must be UTF-8 characters.

  • Each line must contain a single word or character with no spaces or whitespace characters.

  • It must contain at least one line other than the locale string.

  • Each line must not exceed 128 characters.

  • The file must not exceed 2500 lines.

Administrators should also consider the following when they create their dictionaries:

  • Lines starting with a # represent comments.

  • All words in the password dictionary are case-insensitive. For example, adding the word "password" to the dictionary also disallows the following: PASSWORD, Password, and PassWord.

  • The dictionary uses substring matching. For example, adding the word "spring" to the dictionary also disallows the following: Spring124, 345SprinG, and 8spring. Users can then select 'Change Password' to update their passwords.

Administrators must do the following to create a password dictionary:

  • Create the text file that will contain the prohibited password values.

  • If the dictionary is not in English, they must add a locale string to the top line: locale:languageCode_countryCode

The languageCode value refers to the language's 2-letter ISO 639-1 code. The countryCode value refers to the country's 2-letter ISO 3166-1 code.

Refer to this list https://docs.oracle.com/cd/E13214_01/wli/docs92/xref/xqisocodes.html to see all the available ISO 639-1 language codes and ISO 3166-1 country codes.

  • Upload the .txt file to Identity Security Cloud with Update Password Dictionary. Uploading a new file always overwrites the previous dictionary file.

Administrators can then specify which password policies check new passwords against the password dictionary by doing the following: In the Admin panel, they can use the Password Mgmt dropdown menu to select Policies, select the policy, and select the 'Prevent use of words in this site's password dictionary' checkbox beside it.

Refer to Configuring Advanced Password Management Options for more information about password dictionaries.

Get password dictionary

This gets password dictionary for the organization. The password dictionary file can contain lines that are:

  1. comment lines - the first character is '#', can be 128 Unicode codepoints in length, and are ignored during processing
  2. empty lines
  3. locale line - the first line that starts with "locale=" is considered to be locale line, the rest are treated as normal content lines
  4. line containing the password dictionary word - it must start with non-whitespace character and only non-whitespace characters are allowed; maximum length of the line is 128 Unicode codepoints

Password dictionary file may not contain more than 2,500 lines (not counting whitespace lines, comment lines and locale line). Password dict file must contain UTF-8 characters only.

Sample password text file


# Password dictionary small test file

locale=en_US

# Password dictionary prohibited words

qwerty
abcd
aaaaa
password
qazxsws
Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update password dictionary

This updates password dictionary for the organization. The password dictionary file can contain lines that are:

  1. comment lines - the first character is '#', can be 128 Unicode codepoints in length, and are ignored during processing
  2. empty lines
  3. locale line - the first line that starts with "locale=" is considered to be locale line, the rest are treated as normal content lines
  4. line containing the password dictionary word - it must start with non-whitespace character and only non-whitespace characters are allowed; maximum length of the line is 128 Unicode codepoints

Password dictionary file may not contain more than 2,500 lines (not counting whitespace lines, comment lines and locale line). Password dict file must contain UTF-8 characters only.

Sample password text file


# Password dictionary small test file

locale=en_US

# Password dictionary prohibited words

qwerty
abcd
aaaaa
password
qazxsws
Authorizations:
Personal Access Token
Request Body schema: multipart/form-data

The password dictionary file to be uploaded.

file
string <binary>

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Password Management

Use this API to implement password management functionality.
With this functionality in place, users can manage their identity passwords for all their applications.

In Identity Security Cloud, users can select their names in the upper right corner of the page and use the drop-down menu to select Password Manager. Password Manager lists the user's identity's applications, possibly grouped to share passwords. Users can then select 'Change Password' to update their passwords.

Grouping passwords allows users to update their passwords more broadly, rather than requiring them to update each password individually. Password Manager may list the applications and sources in the following groups:

  • Password Group: This refers to a group of applications that share a password. For example, a user can use the same password for Google Drive, Google Mail, and YouTube. Updating the password for the password group updates the password for all its included applications.

  • Multi-Application Source: This refers to a source with multiple applications that share a password. For example, a user can have a source, G Suite, that includes the Google Calendar, Google Drive, and Google Mail applications. Updating the password for the multi-application source updates the password for all its included applications.

  • Applications: These are applications that do not share passwords with other applications.

An organization may require some authentication for users to update their passwords. Users may be required to answer security questions or use a third-party authenticator before they can confirm their updates.

Refer to Managing Passwords for more information about password management.

Query password info

This API is used to query password related information.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
userName
string

The login name of the user

sourceName
string

The display name of the source

Responses

Request samples

Content type
application/json
{
  • "userName": "Abby.Smith",
  • "sourceName": "My-AD"
}

Response samples

Content type
application/json
{
  • "identityId": "2c918085744fec4301746f9a5bce4605",
  • "sourceId": "2c918083746f642c01746f990884012a",
  • "publicKeyId": "N2M1OTJiMGEtMDJlZS00ZWU3LTkyYTEtNjA5YmI5NWE3ZWVh",
  • "publicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuGFkWi2J75TztpbaPKd36bJnIB3J8gZ6UcoS9oSDYsqBzPpTsfZXYaEf4Y4BKGgJIXmE/lwhwuj7mU1itdZ2qTSNFtnXA8Fn75c3UUkk+h+wdZbkuSmqlsJo3R1OnJkwkJggcAy9Jvk9jlcrNLWorpQ1w9raUvxtvfgkSdq153KxotenQ1HciSyZ0nA/Kw0UaucLnho8xdRowZs11afXGXA9IT9H6D8T6zUdtSxm0nAyH+mluma5LdTfaM50W3l/L8q56Vrqmx2pZIiwdx/0+g3Y++jV70zom0ZBkC1MmSoLMrQYG5OICNjr72f78B2PaGXfarQHqARLjKpMVt9YIQIDAQAB",
  • "accounts": [
    ],
  • "policies": [
    ]
}

Set identity's password

This API is used to set a password for an identity.

An identity can change their own password (as well as any of their accounts' passwords) if they use a token generated by their ISC user, such as a personal access token or "authorization_code" derived OAuth token.

Note: If you want to set an identity's source account password, you must enable PASSWORD as one of the source's features. You can use the PATCH Source endpoint to add the PASSWORD feature.

To generate the encryptedPassword (RSA encrypted using publicKey) for the request body, run the following command:

echo -n "myPassword" | openssl pkeyutl -encrypt -inkey public_key.pem -pubin | base64

In this example, myPassword is the plain text password being set and encrypted, and public_key.pem is the path to the public key file. You can retrieve the required publicKey, along with other information like identityId, sourceId, publicKeyId, accounts, and policies, using the Query Password Info endpoint.

To successfully run this command, you must have OpenSSL installed on your machine. If OpenSSL is unavailable, consider using the Virtual Appliance (VA), which has OpenSSL pre-installed and configured.

If you are using a Windows machine, refer to this guide for instructions on installing OpenSSL.

You can then use Get Password Change Request Status to check the password change request status. To do so, you must provide the requestId from your earlier request to set the password.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
identityId
string

The identity ID that requested the password change

encryptedPassword
string

The RSA encrypted password

publicKeyId
string

The encryption key ID

accountId
string

Account ID of the account This is specified per account schema in the source configuration. It is used to distinguish accounts. More info can be found here https://community.sailpoint.com/t5/IdentityNow-Connectors/How-do-I-designate-an-account-attribute-as-the-Account-ID-for-a/ta-p/80350

sourceId
string

The ID of the source for which identity is requesting the password change

Responses

Request samples

Content type
application/json
{
  • "identityId": "8a807d4c73c545510173c545f0a002ff",
  • "encryptedPassword": "XzN+YwKgr2C+InkMYFMBG3UtjMEw5ZIql/XFlXo8cJNeslmkplx6vn4kd4/43IF9STBk5RnzR6XmjpEO+FwHDoiBwYZAkAZK/Iswxk4OdybG6Y4MStJCOCiK8osKr35IMMSV/mbO4wAeltoCk7daTWzTGLiI6UaT5tf+F2EgdjJZ7YqM8W8r7aUWsm3p2Xt01Y46ZRx0QaM91QruiIx2rECFT2pUO0wr+7oQ77jypATyGWRtADsu3YcvCk/6U5MqCnXMzKBcRas7NnZdSL/d5H1GglVGz3VLPMaivG4/oL4chOMmFCRl/zVsGxZ9RhN8rxsRGFFKn+rhExTi+bax3A==",
  • "publicKeyId": "YWQ2NjQ4MTItZjY0NC00MWExLWFjMjktOGNmMzU3Y2VlNjk2",
  • "accountId": "CN=Abby Smith,OU=Austin,OU=Americas,OU=Demo,DC=seri,DC=acme,DC=com",
  • "sourceId": "8a807d4c73c545510173c545d4b60246"
}

Response samples

Content type
application/json
{
  • "requestId": "089899f13a8f4da7824996191587bab9",
  • "state": "IN_PROGRESS"
}

Get password change request status

This API returns the status of a password change request.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 089899f13a8f4da7824996191587bab9

Password change request ID

Responses

Response samples

Content type
application/json
{
  • "requestId": "089899f13a8f4da7824996191587bab9",
  • "state": "IN_PROGRESS",
  • "errors": [
    ],
  • "sourceIds": [
    ]
}

Generate a digit token

This API is used to generate a digit token for password management. Requires authorization scope of "idn:password-digit-token:create".

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
userId
required
string

The uid of the user requested for digit token

length
integer

The length of digit token. It should be from 6 to 18, inclusive. The default value is 6.

durationMinutes
integer

The time to live for the digit token in minutes. The default value is 5 minutes.

Responses

Request samples

Content type
application/json
{
  • "userId": "Abby.Smith",
  • "length": 8,
  • "durationMinutes": 5
}

Response samples

Content type
application/json
{
  • "digitToken": 9087713,
  • "requestId": "e1267ecd-fcd9-4c73-9c55-12555efad136"
}

Password Policies

Use these APIs to implement password policies functionality. These APIs allow you to define the policy parameters for choosing passwords.

IdentityNow comes with a default policy that you can modify to define the password requirements your users must meet to log in to IdentityNow, such as requiring a minimum password length, including special characters, and disallowing certain patterns. If you have licensed Password Management, you can create additional password policies beyond the default one to manage passwords for supported sources in your org.

In the Identity Security Cloud Admin panel, administrators can use the Password Mgmt dropdown menu to select Sync Groups. Refer to Managing Password Policies for more information about password policies.

Get password policy by id

This API returns the password policy for the specified ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ff808081838d9e9d01838da6a03e0005

The ID of password policy to retrieve.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "description": "Default Password Policy",
  • "id": "2c91808e7d976f3b017d9f5ceae440c8",
  • "name": "Example PP",
  • "dateCreated": 1639056206564,
  • "lastUpdated": 1662385430753,
  • "firstExpirationReminder": 90,
  • "accountIdMinWordLength": 3,
  • "accountNameMinWordLength": 3,
  • "maxLength": 0,
  • "maxRepeatedChars": 4,
  • "minAlpha": 1,
  • "minCharacterTypes": -1,
  • "minLength": 8,
  • "minLower": 0,
  • "minNumeric": 1,
  • "minSpecial": 0,
  • "minUpper": 0,
  • "passwordExpiration": 90,
  • "defaultPolicy": true,
  • "enablePasswdExpiration": false,
  • "requireStrongAuthn": false,
  • "requireStrongAuthOffNetwork": false,
  • "requireStrongAuthUntrustedGeographies": false,
  • "useAccountAttributes": false,
  • "useDictionary": false,
  • "useIdentityAttributes": false,
  • "validateAgainstAccountId": true,
  • "validateAgainstAccountName": true,
  • "sourceIds": [
    ]
}

Update password policy by id

This API updates the specified password policy.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ff808081838d9e9d01838da6a03e0007

The ID of password policy to update.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
id
string

The password policy Id.

description
string or null

Description for current password policy.

name
string

The name of the password policy.

dateCreated
integer <int64>

Date the Password Policy was created.

lastUpdated
integer or null <int64>

Date the Password Policy was updated.

firstExpirationReminder
integer <int64>

The number of days before expiration remaninder.

accountIdMinWordLength
integer <int64>

The minimun length of account Id. By default is equals to -1.

accountNameMinWordLength
integer <int64>

The minimun length of account name. By default is equals to -1.

minAlpha
integer <int64>

Maximum alpha. By default is equals to 0.

minCharacterTypes
integer <int64>

MinCharacterTypes. By default is equals to -1.

maxLength
integer <int64>

Maximum length of the password.

minLength
integer <int64>

Minimum length of the password. By default is equals to 0.

maxRepeatedChars
integer <int64>

Maximum repetition of the same character in the password. By default is equals to -1.

minLower
integer <int64>

Minimum amount of lower case character in the password. By default is equals to 0.

minNumeric
integer <int64>

Minimum amount of numeric characters in the password. By default is equals to 0.

minSpecial
integer <int64>

Minimum amount of special symbols in the password. By default is equals to 0.

minUpper
integer <int64>

Minimum amount of upper case symbols in the password. By default is equals to 0.

passwordExpiration
integer <int64>

Number of days before current password expires. By default is equals to 90.

defaultPolicy
boolean
Default: false

Defines whether this policy is default or not. Default policy is created automatically when an org is setup. This field is false by default.

enablePasswdExpiration
boolean
Default: false

Defines whether this policy is enabled to expire or not. This field is false by default.

requireStrongAuthn
boolean
Default: false

Defines whether this policy require strong Auth or not. This field is false by default.

requireStrongAuthOffNetwork
boolean
Default: false

Defines whether this policy require strong Auth of network or not. This field is false by default.

requireStrongAuthUntrustedGeographies
boolean
Default: false

Defines whether this policy require strong Auth for untrusted geographies. This field is false by default.

useAccountAttributes
boolean
Default: false

Defines whether this policy uses account attributes or not. This field is false by default.

useDictionary
boolean
Default: false

Defines whether this policy uses dictionary or not. This field is false by default.

useIdentityAttributes
boolean
Default: false

Defines whether this policy uses identity attributes or not. This field is false by default.

validateAgainstAccountId
boolean
Default: false

Defines whether this policy validate against account id or not. This field is false by default.

validateAgainstAccountName
boolean
Default: false

Defines whether this policy validate against account name or not. This field is false by default.

created
string or null
modified
string or null
sourceIds
Array of strings

List of sources IDs managed by this password policy.

Responses

Request samples

Content type
application/json
{
  • "description": "Password Policy after update.",
  • "id": "2c91808e7d976f3b017d9f5ceae440c8",
  • "name": "Improved Password Policy",
  • "dateCreated": 1639056206564,
  • "lastUpdated": 1662385430753,
  • "firstExpirationReminder": 90,
  • "accountIdMinWordLength": 3,
  • "accountNameMinWordLength": 3,
  • "maxLength": 0,
  • "maxRepeatedChars": 4,
  • "minAlpha": 1,
  • "minCharacterTypes": -1,
  • "minLength": 8,
  • "minLower": 0,
  • "minNumeric": 1,
  • "minSpecial": 0,
  • "minUpper": 0,
  • "passwordExpiration": 90,
  • "defaultPolicy": false,
  • "enablePasswdExpiration": false,
  • "requireStrongAuthn": false,
  • "requireStrongAuthOffNetwork": false,
  • "requireStrongAuthUntrustedGeographies": false,
  • "useAccountAttributes": false,
  • "useDictionary": false,
  • "useIdentityAttributes": false,
  • "validateAgainstAccountId": true,
  • "validateAgainstAccountName": true,
  • "sourceIds": [
    ]
}

Response samples

Content type
application/json
{
  • "description": "Password Policy after update.",
  • "id": "2c91808e7d976f3b017d9f5ceae440c8",
  • "name": "Improved Password Policy",
  • "dateCreated": 1639056206564,
  • "lastUpdated": 1662385430753,
  • "firstExpirationReminder": 90,
  • "accountIdMinWordLength": 3,
  • "accountNameMinWordLength": 3,
  • "maxLength": 0,
  • "maxRepeatedChars": 4,
  • "minAlpha": 1,
  • "minCharacterTypes": -1,
  • "minLength": 8,
  • "minLower": 0,
  • "minNumeric": 1,
  • "minSpecial": 0,
  • "minUpper": 0,
  • "passwordExpiration": 90,
  • "defaultPolicy": false,
  • "enablePasswdExpiration": false,
  • "requireStrongAuthn": false,
  • "requireStrongAuthOffNetwork": false,
  • "requireStrongAuthUntrustedGeographies": false,
  • "useAccountAttributes": false,
  • "useDictionary": false,
  • "useIdentityAttributes": false,
  • "validateAgainstAccountId": true,
  • "validateAgainstAccountName": true,
  • "sourceIds": [
    ]
}

Delete password policy by id

This API deletes the specified password policy.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ff808081838d9e9d01838da6a03e0002

The ID of password policy to delete.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Create password policy

This API creates the specified password policy.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
id
string

The password policy Id.

description
string or null

Description for current password policy.

name
string

The name of the password policy.

dateCreated
integer <int64>

Date the Password Policy was created.

lastUpdated
integer or null <int64>

Date the Password Policy was updated.

firstExpirationReminder
integer <int64>

The number of days before expiration remaninder.

accountIdMinWordLength
integer <int64>

The minimun length of account Id. By default is equals to -1.

accountNameMinWordLength
integer <int64>

The minimun length of account name. By default is equals to -1.

minAlpha
integer <int64>

Maximum alpha. By default is equals to 0.

minCharacterTypes
integer <int64>

MinCharacterTypes. By default is equals to -1.

maxLength
integer <int64>

Maximum length of the password.

minLength
integer <int64>

Minimum length of the password. By default is equals to 0.

maxRepeatedChars
integer <int64>

Maximum repetition of the same character in the password. By default is equals to -1.

minLower
integer <int64>

Minimum amount of lower case character in the password. By default is equals to 0.

minNumeric
integer <int64>

Minimum amount of numeric characters in the password. By default is equals to 0.

minSpecial
integer <int64>

Minimum amount of special symbols in the password. By default is equals to 0.

minUpper
integer <int64>

Minimum amount of upper case symbols in the password. By default is equals to 0.

passwordExpiration
integer <int64>

Number of days before current password expires. By default is equals to 90.

defaultPolicy
boolean
Default: false

Defines whether this policy is default or not. Default policy is created automatically when an org is setup. This field is false by default.

enablePasswdExpiration
boolean
Default: false

Defines whether this policy is enabled to expire or not. This field is false by default.

requireStrongAuthn
boolean
Default: false

Defines whether this policy require strong Auth or not. This field is false by default.

requireStrongAuthOffNetwork
boolean
Default: false

Defines whether this policy require strong Auth of network or not. This field is false by default.

requireStrongAuthUntrustedGeographies
boolean
Default: false

Defines whether this policy require strong Auth for untrusted geographies. This field is false by default.

useAccountAttributes
boolean
Default: false

Defines whether this policy uses account attributes or not. This field is false by default.

useDictionary
boolean
Default: false

Defines whether this policy uses dictionary or not. This field is false by default.

useIdentityAttributes
boolean
Default: false

Defines whether this policy uses identity attributes or not. This field is false by default.

validateAgainstAccountId
boolean
Default: false

Defines whether this policy validate against account id or not. This field is false by default.

validateAgainstAccountName
boolean
Default: false

Defines whether this policy validate against account name or not. This field is false by default.

created
string or null
modified
string or null
sourceIds
Array of strings

List of sources IDs managed by this password policy.

Responses

Request samples

Content type
application/json
{
  • "description": "New Password Policy with high requirements to password complexity.",
  • "id": null,
  • "name": "High security Password Policy",
  • "dateCreated": 1639056206564,
  • "lastUpdated": 1662385430753,
  • "firstExpirationReminder": 90,
  • "accountIdMinWordLength": 3,
  • "accountNameMinWordLength": 3,
  • "maxLength": 0,
  • "maxRepeatedChars": 4,
  • "minAlpha": 1,
  • "minCharacterTypes": -1,
  • "minLength": 8,
  • "minLower": 0,
  • "minNumeric": 1,
  • "minSpecial": 0,
  • "minUpper": 0,
  • "passwordExpiration": 90,
  • "defaultPolicy": false,
  • "enablePasswdExpiration": false,
  • "requireStrongAuthn": false,
  • "requireStrongAuthOffNetwork": false,
  • "requireStrongAuthUntrustedGeographies": false,
  • "useAccountAttributes": false,
  • "useDictionary": false,
  • "useIdentityAttributes": false,
  • "validateAgainstAccountId": true,
  • "validateAgainstAccountName": true,
  • "sourceIds": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c91808e7d976f3b017d9f5ceae440c8",
  • "description": "Information about the Password Policy",
  • "name": "PasswordPolicy Example",
  • "dateCreated": 1639056206564,
  • "lastUpdated": 1939056206564,
  • "firstExpirationReminder": 45,
  • "accountIdMinWordLength": 4,
  • "accountNameMinWordLength": 6,
  • "minAlpha": 5,
  • "minCharacterTypes": 5,
  • "maxLength": 25,
  • "minLength": 8,
  • "maxRepeatedChars": 3,
  • "minLower": 8,
  • "minNumeric": 8,
  • "minSpecial": 8,
  • "minUpper": 8,
  • "passwordExpiration": 8,
  • "defaultPolicy": true,
  • "enablePasswdExpiration": true,
  • "requireStrongAuthn": true,
  • "requireStrongAuthOffNetwork": true,
  • "requireStrongAuthUntrustedGeographies": true,
  • "useAccountAttributes": false,
  • "useDictionary": false,
  • "useIdentityAttributes": false,
  • "validateAgainstAccountId": false,
  • "validateAgainstAccountName": true,
  • "created": "string",
  • "modified": "string",
  • "sourceIds": [
    ]
}

List password policies

This gets list of all Password Policies. Requires role of ORG_ADMIN

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Password Sync Groups

Use this API to implement password sync group functionality. With this functionality in place, administrators can group sources into password sync groups so that all their applications share the same password. This allows users to update the password for all the applications in a sync group if they want, rather than updating each password individually.

A password sync group is a group of applications that shares a password. Administrators create these groups by grouping the applications' sources. For example, an administrator can group the ActiveDirectory, GitHub, and G Suite sources together so that all those sources' applications can also be grouped to share a password. A user can then update his or her password for ActiveDirectory, GitHub, Gmail, Google Drive, and Google Calendar all at once, rather then updating each one individually.

The following are required for administrators to create a password sync group in Identity Security Cloud:

  • At least two direct connect sources connected to Identity Security Cloud and configured for Password Management.

  • Each authentication source in a sync group must have at least one application. Refer to Adding and Resetting Application Passwords for more information about adding applications to sources.

  • At least one password policy. Refer to Managing Password Policies for more information about password policies.

In the Admin panel in Identity Security Cloud, administrators can use the Password Mgmt dropdown menu to select Sync Groups. To create a sync group, administrators must provide a name, choose a password policy to be enforced across the sources in the sync group, and select the sources to include in the sync group.

Administrators can also delete sync groups in Identity Security Cloud, but they should know the following before they do:

  • Passwords related to the associated sources will become independent, so changing one will not change the others anymore.

  • Passwords for the sources' connected applications will also become independent.

  • Password policies assigned to the sync group are then assigned directly to the associated sources. To change the password policy for a source, administrators must edit it directly.

Once the password sync group has been created, users can update the password for the group in Password Manager.

Refer to Managing Password Sync Groups for more information about password sync groups.

Get password sync group list

This API returns a list of password sync groups.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create password sync group

This API creates a password sync group based on the specifications provided.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
string

ID of the sync group

name
string

Name of the sync group

passwordPolicyId
string

ID of the password policy

sourceIds
Array of strings

List of password managed sources IDs

created
string or null <date-time>

The date and time this sync group was created

modified
string or null <date-time>

The date and time this sync group was last modified

Responses

Request samples

Content type
application/json
{
  • "name": "Password Sync Group 2",
  • "passwordPolicyId": "2c91808d744ba0ce01746f93b6204501",
  • "sourceIds": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "6881f631-3bd5-4213-9c75-8e05cc3e35dd",
  • "name": "Password Sync Group 2",
  • "passwordPolicyId": "2c91808d744ba0ce01746f93b6204501",
  • "sourceIds": [
    ]
}

Get password sync group by id

This API returns the sync group for the specified ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 6881f631-3bd5-4213-9c75-8e05cc3e35dd

The ID of password sync group to retrieve.

Responses

Response samples

Content type
application/json
{
  • "id": "6881f631-3bd5-4213-9c75-8e05cc3e35dd",
  • "name": "Password Sync Group 1",
  • "passwordPolicyId": "2c91808d744ba0ce01746f93b6204501",
  • "sourceIds": [
    ]
}

Update password sync group by id

This API updates the specified password sync group.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 6881f631-3bd5-4213-9c75-8e05cc3e35dd

The ID of password sync group to update.

Request Body schema: application/json
id
string

ID of the sync group

name
string

Name of the sync group

passwordPolicyId
string

ID of the password policy

sourceIds
Array of strings

List of password managed sources IDs

created
string or null <date-time>

The date and time this sync group was created

modified
string or null <date-time>

The date and time this sync group was last modified

Responses

Request samples

Content type
application/json
{
  • "id": "6881f631-3bd5-4213-9c75-8e05cc3e35dd",
  • "name": "Password Sync Group 2",
  • "passwordPolicyId": "2c91808d744ba0ce01746f93b6204501",
  • "sourceIds": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "6881f631-3bd5-4213-9c75-8e05cc3e35dd",
  • "name": "Password Sync Group 2",
  • "passwordPolicyId": "2c91808d744ba0ce01746f93b6204501",
  • "sourceIds": [
    ]
}

Delete password sync group by id

This API deletes the specified password sync group.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 6881f631-3bd5-4213-9c75-8e05cc3e35dd

The ID of password sync group to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Personal Access Tokens

Use this API to implement personal access token (PAT) functionality. With this functionality in place, users can use PATs as an alternative to passwords for authentication in Identity Security Cloud.

PATs embed user information into the client ID and secret. This replaces the API clients' need to store and provide a username and password to establish a connection, improving Identity Security Cloud organizations' integration security.

In Identity Security Cloud, users can do the following to create and manage their PATs: Select the dropdown menu under their names, select Preferences, and then select Personal Access Tokens. They must then provide a description about the token's purpose. They can then select 'Create Token' at the bottom of the page to generate and view the Secret and Client ID.

Refer to Managing Personal Access Tokens for more information about PATs.

List personal access tokens

This gets a collection of personal access tokens associated with the optional owner-id. query parameter. If the owner-id query parameter is omitted, all personal access tokens for a tenant will be retrieved, but the caller must have the 'idn:all-personal-access-tokens:read' right.

Authorizations:
Personal Access Token
query Parameters
owner-id
string
Default: null
Example: owner-id=2c9180867b50d088017b554662fb281e

The identity ID of the owner whose personal access tokens should be listed. If "me", the caller should have the following right: 'idn:my-personal-access-tokens:read' If an actual owner ID or if the owner-id parameter is omitted in the request, the caller should have the following right: 'idn:all-personal-access-tokens:read'. If the caller has the following right, then managed personal access tokens associated with owner-id will be retrieved: 'idn:managed-personal-access-tokens:read'

filters
string
Example: filters=lastUsed le 2023-02-05T10:59:27.214Z

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

lastUsed: le, isnull

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create personal access token

This creates a personal access token. expirationDate and userAwareTokenNeverExpires Relationship: Important: When expirationDate is null or empty (not included in the request body), the token will never expire. Required Validation: If expirationDate is null or empty, userAwareTokenNeverExpires must be set to true. This is a required validation rule. The valid values for expirationDate depend on the value provided for userAwareTokenNeverExpires:

  • When userAwareTokenNeverExpires is true (or required to be true): expirationDate can be null or omitted from the request body. When expirationDate is null or empty, the token will never expire. This creates a PAT that never expires and serves as an explicit acknowledgment that the user is aware of the security implications of creating a non-expiring token. * When userAwareTokenNeverExpires is false or omitted: expirationDate must be provided and must be a valid date-time string representing a future date (there is no upper limit). expirationDate cannot be null in this case. In this scenario, userAwareTokenNeverExpires can be omitted. Validation Rules: * If expirationDate is null or not included in the request body: userAwareTokenNeverExpires must be set to true (required). The token will never expire. * If expirationDate is provided and is not null: userAwareTokenNeverExpires can be omitted. Security Considerations: The userAwareTokenNeverExpires field is designed to ensure that users explicitly acknowledge the security implications of creating tokens that never expire. Setting this field to true indicates that the user understands the increased security risks and has made an informed decision to proceed. Note: The userAwareTokenNeverExpires field indicates that the user acknowledges they are creating a token that will never expire. It does not affect token behavior beyond indicating this acknowledgment.
Authorizations:
Personal Access Token
Request Body schema: application/json

Configuration for creating a personal access token, including name, scope, expiration settings, and user acknowledgment of never-expiring tokens. Important: See the endpoint description for validation rules regarding the relationship between expirationDate and userAwareTokenNeverExpires.

name
required
string

The name of the personal access token (PAT) to be created. Cannot be the same as another PAT owned by the user for whom this PAT is being created.

scope
Array of strings or null

Scopes of the personal access token. If no scope is specified, the token will be created with the default scope "sp:scopes:all". This means the personal access token will have all the rights of the owner who created it.

accessTokenValiditySeconds
integer or null <int32> [ 15 .. 43200 ]

Number of seconds an access token is valid when generated using this Personal Access Token. If no value is specified, the token will be created with the default value of 43200.

expirationDate
string or null <date-time>

Date and time, down to the millisecond, when this personal access token will expire. Important: When expirationDate is null or empty (not included in the request body), the token will never expire. Required Validation: If expirationDate is null or empty, userAwareTokenNeverExpires must be set to true. This is a required validation rule. Valid Values (dependent on userAwareTokenNeverExpires): * When userAwareTokenNeverExpires is true (or required to be true): expirationDate can be null or omitted from the request body. When expirationDate is null or empty, the token will never expire. * When userAwareTokenNeverExpires is false or omitted: expirationDate must be provided and must be a valid date-time string representing a future date (after the current date/time). There is no upper limit on how far in the future the expiration date can be set. expirationDate cannot be null in this case. Validation Rules: * If expirationDate is null or not included in the request body: userAwareTokenNeverExpires must be set to true (required). The token will never expire. * If expirationDate is provided and is not null: userAwareTokenNeverExpires can be omitted.

userAwareTokenNeverExpires
boolean or null
Default: false

Indicates that the user creating this Personal Access Token is aware of and acknowledges the security implications of creating a token that will never expire. When set to true, this flag confirms that the user understands the security risks associated with non-expiring tokens. Security Awareness: Setting this field to true serves as an explicit acknowledgment that the user creating the token understands: * Tokens that never expire pose a greater security risk if compromised * Non-expiring tokens should be used only when necessary and with appropriate security measures * Regular rotation and monitoring of non-expiring tokens is recommended Required Validation: If expirationDate is null or empty (not included in the request body), userAwareTokenNeverExpires must be set to true. This is a required validation rule. Validation Rules: * If expirationDate is null or not included in the request body: userAwareTokenNeverExpires must be set to true (required). * If expirationDate is provided and is not null: userAwareTokenNeverExpires can be omitted. Behavior: * When set to true: Indicates that the user acknowledges they are creating a token that will never expire. When expirationDate is null or empty, the token will never expire. * When set to false or not specified (and expirationDate is provided): The token will follow normal expiration rules based on the expirationDate field and accessTokenValiditySeconds setting.

Responses

Request samples

Content type
application/json
{
  • "name": "NodeJS Integration",
  • "scope": [
    ],
  • "accessTokenValiditySeconds": 36900,
  • "expirationDate": "2026-12-31T23:59:59.999Z",
  • "userAwareTokenNeverExpires": false
}

Response samples

Content type
application/json
{
  • "id": "86f1dc6fe8f54414950454cbb11278fa",
  • "secret": "1d1bef2b9f426383447f64f69349fc7cac176042578d205c256ba3f37c59adb9",
  • "scope": [
    ],
  • "name": "NodeJS Integration",
  • "owner": {
    },
  • "created": "2017-07-11T18:45:37.098Z",
  • "accessTokenValiditySeconds": 36900,
  • "expirationDate": "2018-01-11T18:45:37.098Z"
}

Patch personal access token

This performs a targeted update to the field(s) of a Personal Access Token. Changing scopes for a Personal Access Token does not impact existing bearer tokens. You will need to create a new bearer token to have the new scopes. Please note that it can take up to 20 minutes for scope changes to be seen on new bearer tokens. expirationDate and userAwareTokenNeverExpires Relationship: Important: When expirationDate is null or empty (replaced to null or omitted from the patch request), the token will never expire. Required Validation: If expirationDate is being replaced to null or is empty, userAwareTokenNeverExpires must be set to true in the patch request. This is a required validation rule. When patching expirationDate and userAwareTokenNeverExpires, the valid values for expirationDate depend on the value provided for userAwareTokenNeverExpires:

  • When userAwareTokenNeverExpires is being set to true (or required to be true): expirationDate can be replaced to null or omitted from the patch request. When expirationDate is null or empty, the token will never expire. This sets the PAT to never expire and serves as an explicit acknowledgment that the user is aware of the security implications of creating a non-expiring token. * When userAwareTokenNeverExpires is false or omitted: expirationDate must be provided and must be a valid date-time string representing a future date (there is no upper limit). expirationDate cannot be null in this case. In this scenario, userAwareTokenNeverExpires can be omitted. Validation Rules: * If expirationDate is being replaced to null: userAwareTokenNeverExpires must also be present in the patch request with a value of true (required). The token will never expire. * If expirationDate is not being replaced to null (i.e., set to a future date): userAwareTokenNeverExpires can be omitted. Security Considerations: The userAwareTokenNeverExpires field is designed to ensure that users explicitly acknowledge the security implications of creating tokens that never expire. Setting this field to true indicates that the user understands the increased security risks and has made an informed decision to proceed. Note: The userAwareTokenNeverExpires field indicates that the user acknowledges they are creating a token that will never expire. It does not affect token behavior beyond indicating this acknowledgment.
Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The Personal Access Token id

Request Body schema: application/json-patch+json

A list of OAuth client update operations according to the JSON Patch standard.

The following fields are patchable:

  • name
  • scope
  • expirationDate
  • userAwareTokenNeverExpires

Important: See the endpoint description for validation rules regarding the relationship between expirationDate and userAwareTokenNeverExpires.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "86f1dc6fe8f54414950454cbb11278fa",
  • "name": "NodeJS Integration",
  • "scope": [
    ],
  • "owner": {
    },
  • "created": "2017-07-11T18:45:37.098Z",
  • "lastUsed": "2017-07-11T18:45:37.098Z",
  • "managed": false,
  • "accessTokenValiditySeconds": 36900,
  • "expirationDate": "2026-12-31T23:59:59.999Z",
  • "userAwareTokenNeverExpires": false
}

Delete personal access token

This deletes a personal access token.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The personal access token id

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Privilege Criteria

Use this API to create, retrieve, update, and delete privilege criteria.

Create custom privilege criteria

Use this API to create a custom privilege criteria

Authorizations:
Personal Access Token
Request Body schema: application/json

Create custom privilege criteria request body.

sourceId
string = 32 characters

The Id of the source that the criteria is applied to.

type
string
Value: "CUSTOM"

The type of criteria being created. Expects "CUSTOM".

operator
string
Enum: "AND" "OR"

The logical operator to apply between groups.

Array of objects
privilegeLevel
string
Enum: "HIGH" "MEDIUM" "LOW"

The privilege level assigned by this criteria.

Responses

Request samples

Content type
application/json
{
  • "sourceId": "c42c45d8d7c04d2da64d215cd8c32f21",
  • "type": "CUSTOM",
  • "operator": "AND",
  • "groups": [
    ],
  • "privilegeLevel": "HIGH"
}

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "sourceId": "c42c45d8d7c04d2da64d215cd8c32f21",
  • "type": "CUSTOM",
  • "operator": "AND",
  • "groups": [
    ],
  • "privilegeLevel": "HIGH"
}

List privilege criteria

Use this API to list all privilege criteria matching a filter

Authorizations:
Personal Access Token
query Parameters
filters
required
string
Example: filters=type eq "CUSTOM" and sourceId eq "c42c45d8d7c04d2da64d215cd8c32f21"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

type: eq

sourceId: eq

privilegeLevel: eq

Supported composite operators: and

All filter values are case-sensitive for this API.

For example, the following is valid: ?filters=type eq "CUSTOM" and sourceId eq "2c91809175e6c63f0175fb5570220569"

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Update privilege criteria

Use this API to update a specific custom privilege criteria by overwriting the information with new information.

Authorizations:
Personal Access Token
path Parameters
criteriaId
required
string
Example: 6d123044-5834-4e8d-a49f-9c70089b0de1

The Id of the privilege criteria record to return.

Request Body schema: application/json

The new version of the custom privilege criteria. This overwrites the existing privilege criteria.

id
string

The Id of the criteria.

sourceId
string = 32 characters

The Id of the source that the criteria is applied to.

type
string
Enum: "CUSTOM" "CONNECTOR" "SINGLE_LEVEL"

The type of criteria.

operator
string
Enum: "AND" "OR"

The logical operator to apply between groups.

Array of objects
privilegeLevel
string
Enum: "HIGH" "MEDIUM" "LOW"

The privilege level assigned by this criteria.

Responses

Request samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "sourceId": "c42c45d8d7c04d2da64d215cd8c32f21",
  • "type": "CUSTOM",
  • "operator": "AND",
  • "groups": [
    ],
  • "privilegeLevel": "HIGH"
}

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "sourceId": "c42c45d8d7c04d2da64d215cd8c32f21",
  • "type": "CUSTOM",
  • "operator": "AND",
  • "groups": [
    ],
  • "privilegeLevel": "HIGH"
}

Get privilege criteria

Use this API to get a specific privilege criteria.

Authorizations:
Personal Access Token
path Parameters
criteriaId
required
string
Example: 6d123044-5834-4e8d-a49f-9c70089b0de1

The Id of the privilege criteria record to return.

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "sourceId": "c42c45d8d7c04d2da64d215cd8c32f21",
  • "type": "CUSTOM",
  • "operator": "AND",
  • "groups": [
    ],
  • "privilegeLevel": "HIGH"
}

Delete privilege criteria

Use this API to delete a specific custom privilege criteria.

Authorizations:
Personal Access Token
path Parameters
criteriaId
required
string
Example: 6d123044-5834-4e8d-a49f-9c70089b0de1

The Id of the custom privilege criteria to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Privilege Criteria Configuration

Use this API to manage the configuration of privilege criteria.

globalPrivilegeLevelEnabled: Boolean flag indicating whether privilege classification is enabled.

privilegeClassificationMode: Enum specifying the mode (CRITERIA_PRIVILEGE_LEVEL, SINGLE_PRIVILEGE_LEVEL) to use for privilege classification. CRITERIA_PRIVILEGE_LEVEL mode uses criteria to determine privilege levels, while SINGLE_PRIVILEGE_LEVEL assigns the same privilege level to all enititlements based on the value of singlePrivilegeLevel.privilegeLevel.

singlePrivilegeLevel.privilegeLevel: Enum specifying the privilege level (HIGH, MEDIUM, LOW) to assign to all privileges when the privilege classification mode is SINGLE_PRIVILEGE_LEVEL.

criteriaPrivilegeLevel.connectorHighEnabled: Boolean flag indicating whether HIGH level connector criteria is used for privilege classification.

criteriaPrivilegeLevel.connectorMediumEnabled: Boolean flag indicating whether MEDIUM level connector criteria is used for privilege classification.

criteriaPrivilegeLevel.connectorLowEnabled: Boolean flag indicating whether LOW level connector criteria is used for privilege classification.

criteriaPrivilegeLevel.customHighEnabled: Boolean flag indicating whether HIGH level custom criteria is used for privilege classification.

criteriaPrivilegeLevel.customMediumEnabled: Boolean flag indicating whether MEDIUM level custom criteria is used for privilege classification.

criteriaPrivilegeLevel.customLowEnabled: Boolean flag indicating whether LOW level custom criteria is used for privilege classification.

Update privilege criteria configuration

Use this API to update the privilege criteria configuration.

Authorizations:
Personal Access Token
path Parameters
criteriaConfigId
required
string
Example: 6d123044-5834-4e8d-a49f-9c70089b0de1

The Id of the privilege criteria configuration to update.

Request Body schema: application/json-patch+json

A list of criteria configuration operations according to the JSON Patch standard.

Array
object

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "sourceId": "c42c45d8d7c04d2da64d215cd8c32f21",
  • "config": {
    },
  • "created": "2024-01-10T12:00:00Z",
  • "modified": "2024-01-15T12:00:00Z"
}

Get privilege criteria config

Use this API to get the privilege criteria configuration by Id.

Authorizations:
Personal Access Token
path Parameters
criteriaConfigId
required
string
Example: 6d123044-5834-4e8d-a49f-9c70089b0de1

The Id of the privilege criteria configuration record to retrieve.

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "sourceId": "c42c45d8d7c04d2da64d215cd8c32f21",
  • "config": {
    },
  • "created": "2024-01-10T12:00:00Z",
  • "modified": "2024-01-15T12:00:00Z"
}

List privilege criteria config

Use this API to list the privilege criteria configuration.

Authorizations:
Personal Access Token
query Parameters
filters
required
string
Example: filters=sourceId eq "c42c45d8d7c04d2da64d215cd8c32f21"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

sourceId: eq

All filter values are case-sensitive for this API.

For example, the following is valid: ?filters=sourceId eq "2c91809175e6c63f0175fb5570220569"

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Public Identities

Use this API in conjunction with Public Identites Config to enable non-administrators to view identities' publicly visible attributes. With this functionality in place, non-administrators can view identity attributes other than the default attributes (email, lifecycle state, and manager), depending on which identity attributes their organization administrators have made public. This can be helpful for access approvers, certification reviewers, managers viewing their direct reports' access, and source owners viewing their tasks.

Get list of public identities

Get a list of public identities. Set add-core-filters to true to exclude incomplete identities and uncorrelated accounts.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=firstname eq "John"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

alias: eq, sw

email: eq, sw

firstname: eq, sw

lastname: eq, sw

add-core-filters
boolean
Default: false

If true, only get identities which satisfy ALL the following criteria in addition to any criteria specified by filters:

  • Should be either correlated or protected.
  • Should not be "spadmin" or "cloudadmin".
  • uid should not be null.
  • lastname should not be null.
  • email should not be null.
sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Public Identities Config

Use this API to implement public identity configuration functionality. With this functionality in place, administrators can make up to 5 identity attributes publicly visible so other non-administrator users can see the relevant information they need to make decisions. This can be helpful for approvers making approvals, certification reviewers, managers viewing their direct reports' access, and source owners viewing their tasks.

By default, non-administrators can select an identity and view the following attributes: email, lifecycle state, and manager. However, it may be helpful for a non-administrator reviewer to see other identity attributes like department, region, title, etc. Administrators can use this API to make those necessary identity attributes public to non-administrators.

For example, a non-administrator deciding whether to approve another identity's request for access to the Workday application, whose access may be restricted to members of the HR department, would want to know whether the identity is a member of the HR department. If an administrator has used Update Public Identity Config to make the "department" attribute public, the approver can see the department and make a decision without requesting any more information.

Get the public identities configuration

Returns the publicly visible attributes of an identity available to request approvers for Access Requests and Certification Campaigns.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "attributes": [
    ],
  • "modified": "2018-06-25T20:22:28.104Z",
  • "modifiedBy": {
    }
}

Update the public identities configuration

Updates the publicly visible attributes of an identity available to request approvers for Access Requests and Certification Campaigns.

Authorizations:
Personal Access Token
Request Body schema: application/json
Array of objects (Public Identity Attribute Config)

Up to 5 identity attributes that will be available to everyone in the org for all users in the org.

modified
string or null <date-time>

When this configuration was last modified.

object or null (Identity Reference)

The manager for the identity.

Responses

Request samples

Content type
application/json
{
  • "attributes": [
    ],
  • "modified": "2018-06-25T20:22:28.104Z",
  • "modifiedBy": {
    }
}

Response samples

Content type
application/json
{
  • "attributes": [
    ],
  • "modified": "2018-06-25T20:22:28.104Z",
  • "modifiedBy": {
    }
}

Reports Data Extraction

Use this API to implement reports lifecycle managing and monitoring. With this functionality in place, users can run reports, view their results, and cancel reports in progress. This can be potentially helpful for auditing purposes.

Get report result

Get the report results for a report that was run or is running. Returns empty report result in case there are no active task definitions with used in payload task definition name.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
taskResultId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Unique identifier of the task result which handled report

query Parameters
completed
boolean
Default: false
Example: completed=true

state of task result to apply ordering when results are fetching from the DB

Responses

Response samples

Content type
application/json
{
  • "reportType": "IDENTITIES_DETAILS",
  • "taskDefName": "Identities Details Report",
  • "id": "1e01d272b8084c4fa12fcf8fa898102d",
  • "created": "2023-09-07T42:14:05.122Z",
  • "status": "SUCCESS",
  • "duration": 3681,
  • "rows": 193,
  • "availableFormats": [
    ]
}

Run report

Use this API to run a report according to report input details. If non-concurrent task is already running then it returns, otherwise new task creates and returns.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
reportType
string
Enum: "ACCOUNTS" "IDENTITIES_DETAILS" "IDENTITIES" "IDENTITY_PROFILE_IDENTITY_ERROR" "ORPHAN_IDENTITIES" "SEARCH_EXPORT" "UNCORRELATED_ACCOUNTS"

Use this property to define what report should be processed in the RDE service.

ACCOUNTS (object) or IDENTITIES_DETAILS (object) or IDENTITIES (object) or IDENTITY_PROFILE_IDENTITY_ERROR (object) or ORPHAN_IDENTITIES (object) or SEARCH_EXPORT (object) or UNCORRELATED_ACCOUNTS (object)

The string-object map(dictionary) with the arguments needed for report processing.

Responses

Request samples

Content type
application/json
Example
{
  • "reportType": "ACCOUNTS",
  • "arguments": {
    }
}

Response samples

Content type
application/json
Example
{
  • "reportType": "IDENTITIES_DETAILS",
  • "taskDefName": "Identities Details Report",
  • "type": "QUARTZ",
  • "id": "a248c16fe22222b2bd49615481311111",
  • "created": "2023-09-07T42:14:00.364Z",
  • "description": "A detailed view of the identities in the system.",
  • "parentName": "Audit Report",
  • "launcher": "9832285",
  • "launched": "2023-09-07T42:14:00.521Z",
  • "completed": "2023-09-07T42:14:01.137Z",
  • "messages": [ ],
  • "returns": [ ],
  • "attributes": {
    },
  • "progress": "Initializing..."
}

Cancel report

Cancels a running report.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: a1ed223247144cc29d23c632624b4767

ID of the running Report to cancel

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get report file

Gets a report in file format.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
taskResultId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Unique identifier of the task result which handled report

query Parameters
fileFormat
required
string
Enum: "csv" "pdf"
Example: fileFormat=csv

Output format of the requested report file

name
string
Example: name=Identities Details Report

preferred Report file name, by default will be used report name from task result.

auditable
boolean
Default: false
Example: auditable=true

Enables auditing for current report download. Will create an audit event and sent it to the REPORT cloud-audit kafka topic. Event will be created if there is any result present by requested taskResultId.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Requestable Objects

Use this API to implement requestable object functionality. With this functionality in place, administrators can determine which access items can be requested with the Access Request APIs, along with their statuses. This can be helpful for administrators who are implementing and customizing access request functionality as a way of checking which items are requestable as they are created, assigned, and made available.

Requestable objects list

Get a list of acccess items that can be requested through the Access Request endpoints. Access items are marked with AVAILABLE, PENDING or ASSIGNED with respect to the identity provided using identity-id query parameter. This endpoint only lists roles and access profiles. For gathering requestable entitlements, the Entitlements List API can be used with the segmented-for-identity parameter. Any authenticated token can call this endpoint to see their requestable access items.

Authorizations:
Personal Access Token
query Parameters
identity-id
string
Example: identity-id=e7eab60924f64aa284175b9fa3309599

If present, the value returns only requestable objects for the specified identity.

  • Admin users can call this with any identity ID value.
  • Non-admin users can only specify me or pass their own identity ID value.
  • If absent, returns a list of all requestable objects for the tenant. Only admin users can make such a call. In this case, the available, pending, assigned accesses will not be annotated in the result.
types
Array of strings
Items Enum: "ACCESS_PROFILE" "ROLE"
Example: types=ACCESS_PROFILE,ROLE

Filters the results to the specified type/types, where each type is one of ROLE or ACCESS_PROFILE. If absent, all types are returned. SailPoint may add support for additional types in the future without notice.

term
string
Example: term=Finance Role

Allows searching requestable access items with a partial match on the name or description. If term is provided, then the API will ignore the filter query parameter.

statuses
Array of strings (RequestableObjectRequestStatus-2)
Items Enum: "AVAILABLE" "PENDING" "ASSIGNED" null
Example: statuses=ASSIGNED,PENDING

Filters the result to the specified status/statuses, where each status is one of AVAILABLE, ASSIGNED, or PENDING. Specifying this parameter without also specifying an identity-id parameter results in an error. SailPoint may add additional statuses in the future without notice.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name sw "bob"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, sw

sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Role Insights

Generate insights for roles Deprecated

Submits a create role insights request to the role insights application. At this time there are no parameters. All business roles will be processed for the customer.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "c9aa02f7-86b0-4bc4-84bd-3116a6131e77",
  • "createdDate": "2020-09-16T18:49:32.150Z",
  • "lastGenerated": "2020-09-16T18:49:32.150Z",
  • "numberOfUpdates": 0,
  • "roleIds": [
    ],
  • "status": "CREATED"
}

Returns metadata from prior request. Deprecated

This endpoint returns details of a prior role insights request.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role insights request id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "c9aa02f7-86b0-4bc4-84bd-3116a6131e77",
  • "createdDate": "2020-09-16T18:49:32.150Z",
  • "lastGenerated": "2020-09-16T18:49:32.150Z",
  • "numberOfUpdates": 0,
  • "roleIds": [
    ],
  • "status": "CREATED"
}

Get role insights summary information

This method returns high level summary information for role insights for a customer.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "numberOfUpdates": 0,
  • "lastGenerated": "2020-05-19T13:49:37.385Z",
  • "entitlementsIncludedInRoles": 45,
  • "totalNumberOfEntitlements": 250,
  • "identitiesWithAccessViaRoles": 550,
  • "totalNumberOfIdentities": 980
}

Get role insights

This method returns detailed role insights for each role.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string
Example: sorters=numberOfUpdates

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: numberOfUpdates, identitiesWithAccess, totalNumberOfIdentities

filters
string
Example: filters=name sw "John"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: sw

ownerName: sw

description: sw

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get a single role insight

This endpoint gets role insights information for a role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
insightId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role insight id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "1467e61e-f284-439c-ba2d-c6cc11cf0941",
  • "numberOfUpdates": 5,
  • "createdDate": "2019-08-24T14:15:22Z",
  • "modifiedDate": "2020-05-19T13:49:37.385Z",
  • "role": {
    },
  • "insight": {
    }
}

Get entitlement insights for a role

This endpoint returns entitlement insights for a role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
insightId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role insight id

query Parameters
sorters
string

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: identitiesWithAccess, name

filters
string
Example: filters=name sw "Admin"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: sw

description: sw

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Download entitlement insights for a role

This endpoint returns the entitlement insights for a role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
insightId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role insight id

query Parameters
sorters
string
Example: sorters=identitiesWithAccess

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: identitiesWithAccess

The default sort is identitiesWithAccess in descending order.

filters
string
Example: filters=name sw "r"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: sw

description: sw

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get current entitlement for a role

This endpoint gets the entitlements for a role. The term "current" is to distinguish from the entitlement(s) an insight might recommend adding.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
insightId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role insight id

query Parameters
filters
string
Example: filters=name sw "r"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: sw

description: sw

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get identities for a suggested entitlement (for a role)

Role insights suggests entitlements to be added for a role. This endpoint returns a list of identities in the role, with or without the entitlements, for a suggested entitlement so that the user can see which identities would be affected if the suggested entitlement were to be added to the role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
insightId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The role insight id

entitlementId
required
string
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

The entitlement id

query Parameters
hasEntitlement
boolean
Default: false

Identity has this entitlement or not

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name

filters
string
Example: filters=name sw "Jan"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

name: sw

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Role Propagation

Role Change Propagation ensures that any changes to the composition of a role’s access objects (entitlements, access profiles, or dimensions) are applied to all member identities. For example: If an entitlement is removed from a role, all identities assigned to that role should lose access to that entitlement as part of this process.

Initiate Role Propagation process

This endpoint initiates a role change propagation process for a tenant asynchronously. If all preconditions are met, the request is accepted and a rolePropagationId is returned which can be used to view the status. API throws 4xx if any of the following conditions are met - Role propagation feature is disabled - There is an ongoing role propagation for the tenant - Role refresh needs to be kicked off as part of the role propagation (skipRoleRefresh=false) and there is an ongoing refresh for the tenant

Authorizations:
Personal Access TokenClient Credentials
query Parameters
skipRoleRefresh
boolean
Default: false
Example: skipRoleRefresh=true

When true, the role refresh is not performed. Keeping it false is recommended.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "rolePropagationId": "47b9fb02-e12e-42ba-8bfe-1860d78c88eb"
}

Get status of Role-Propagation process

This endpoint returns the information of the specified role change propagation process. The execution stage of the role propagation process can be one of the following: - PENDING - The role propagation process is queued to be executed. - DATA_AGGREGATION_RUNNING - The role propagation process is currently aggregating data. - LAUNCH_PROVISIONING - The role propagation process has started to provision the access to the identities. - SUCCEEDED - The role propagation process has successfully completed. - FAILED - The role propagation process has failed. - TERMINATED - The role propagation process was externally terminated.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
rolePropagationId
required
string
Example: 47b9fb02-e12e-42ba-8bfe-1860d78c88eb

The ID of the role propagation process to retrieve the status for.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "0210f50c-bc23-4f9d-9921-056f1a170471",
  • "status": "COMPLETED",
  • "executionStage": "SUCCEEDED",
  • "launched": "2025-05-29T17:18:31Z",
  • "launchedBy": {
    },
  • "completed": "2025-05-29T17:21:19Z",
  • "skipRoleRefresh": false
}

Get ongoing Role Propagation process

This endpoint returns the information of ongoing role change propagation process for a tenant. It returns the information whether the role propagation process is currently running or not, If it is running it returns the details of the ongoing role propagation process. The execution stage of the role propagation process can be one of the following: - PENDING - The role propagation process is queued to be executed. - DATA_AGGREGATION_RUNNING - The role propagation process is currently aggregating data. - LAUNCH_PROVISIONING - The role propagation process has started to provision the access to the identities. - SUCCEEDED - The role propagation process has successfully completed. - FAILED - The role propagation process has failed. - TERMINATED - The role propagation process was externally terminated.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "isRunning": true,
  • "rolePropagationDetails": {
    }
}

Terminate Role Propagation process

This endpoint terminates the ongoing role change propagation process for a tenant.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update Role Change Propagation Configuration

This endpoint enables or disables the Role Change Propagation Process for the tenant

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
enabled
boolean
Default: false

Indicates if the Role Change Propagation process should be enabled for the tenant

Responses

Request samples

Content type
application/json
{
  • "enabled": true
}

Response samples

Content type
application/json
{
  • "enabled": true,
  • "enabledDate": "2026-01-27T08:07:20Z",
  • "createdDate": "2025-02-18T20:20:36Z",
  • "modifiedDate": "2026-01-27T08:07:20Z"
}

Get Role Change Propagation Configuration

This endpoint fetches the Role Change Propagation Configuration for the tenant

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "enabled": true,
  • "enabledDate": "2026-01-27T08:07:20Z",
  • "createdDate": "2025-02-18T20:20:36Z",
  • "modifiedDate": "2026-01-27T08:07:20Z"
}

Roles

Use this API to implement and customize role functionality. With this functionality in place, administrators can create roles and configure them for use throughout Identity Security Cloud. Identity Security Cloud can use established criteria to automatically assign the roles to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks.

Entitlements represent the most granular level of access in Identity Security Cloud. Access profiles represent the next level and often group entitlements. Roles represent the broadest level of access and often group access profiles.

For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.

An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.

An administrator can then create an even broader set of access in the form of a role grouping the 'AD Developers' access profile with another profile, 'GitHub Developers,' grouping entitlements for the GitHub source.

When users only need Active Directory employee access, they can request access to the 'Employees' entitlement.

When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.

When users need both the 'AD Developers' access profile and the 'GitHub Developers' access profile, they can request access to the role grouping both.

Roles often represent positions within organizations. For example, an organization's accountant can access all the tools the organization's accountants need with the 'Accountant' role. If the accountant switches to engineering, a qualified member of the organization can quickly revoke the accountant's 'Accountant' access and grant access to the 'Engineer' role instead, granting access to all the tools the organization's engineers need.

In Identity Security Cloud, adminstrators can use the Access drop-down menu and select Roles to view, configure, and delete existing roles, as well as create new ones. Administrators can enable and disable the role, and they can also make the following configurations:

  • Manage Access: Manage the role's access by adding or removing access profiles.

  • Define Assignment: Define the criteria Identity Security Cloud uses to assign the role to identities. Use the first option, 'Standard Criteria,' to provide specific criteria for assignment like specific account attributes, entitlements, or identity attributes. Use the second, 'Identity List,' to specify the identities for assignment.

  • Access Requests: Configure roles to be requestable and establish an approval process for any requests that the role be granted or revoked. Do not configure a role to be requestable without establishing a secure access request approval process for that role first.

Refer to Working with Roles for more information about roles.

List roles

This API returns a list of Roles.

A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
for-subadmin
string
Example: for-subadmin=5168015d32f890ca15812c9180835d2e

If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN Identity. The value of the parameter is either an Identity ID, or the special value me, which is shorthand for the calling Identity's ID. A 400 Bad Request error is returned if the for-subadmin parameter is specified for an Identity that is not a subadmin.

limit
integer <int32> [ 0 .. 50 ]
Default: 50
Example: limit=50

Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=requestable eq false

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

created: gt, ge, le

modified: lt, ge, le

owner.id: eq, in

requestable: eq

dimensional: eq

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified

for-segment-ids
string <comma-separated>
Example: for-segment-ids=0b5c9f25-83c6-4762-9073-e38f7bb2ae26,2e8d8180-24bc-4d21-91c6-7affdb473b0d

If present and not empty, additionally filters Roles to those which are assigned to the Segment(s) with the specified IDs.

If segmentation is currently unavailable, specifying this parameter results in an error.

include-unsegmented
boolean
Default: true

Whether or not the response list should contain unsegmented Roles. If for-segment-ids is absent or empty, specifying include-unsegmented as false results in an error.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create a role

This API creates a role.

You must have a token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority to call this API.

In addition, a ROLE_SUBADMIN may not create a role including an access profile if that access profile is associated with a source the ROLE_SUBADMIN is not associated with themselves.

The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing roles. However, any new roles as well as any updates to existing descriptions will be limited to 2000 characters.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
string

The id of the Role. This field must be left null when creating an Role, otherwise a 400 Bad Request error will result.

name
required
string <= 128 characters

The human-readable display name of the Role

description
string or null

A human-readable description of the Role

required
object or null (OwnerReference)

Owner of the object.

Array of objects or null (AdditionalOwnerRef)

List of additional owner references beyond the primary owner. Each entry may be an identity (IDENTITY) or a governance group (GOVERNANCE_GROUP).

Array of objects or null (AccessProfileRef)
Array of objects (EntitlementRef)
object or null (RoleMembershipSelector)

When present, specifies that the Role is to be granted to Identities which either satisfy specific criteria or which are members of a given list of Identities.

object or null

This field is not directly modifiable and is generally expected to be null. In very rare instances, some Roles may have been created using membership selection criteria that are no longer fully supported. While these Roles will still work, they should be migrated to STANDARD or IDENTITY_LIST selection criteria. This field exists for informational purposes as an aid to such migration.

enabled
boolean
Default: false

Whether the Role is enabled or not.

requestable
boolean
Default: false

Whether the Role can be the target of access requests.

object (RequestabilityForRole)
object (RevocabilityForRole)
segments
Array of strings or null

List of IDs of segments, if any, to which this Role is assigned.

dimensional
boolean or null
Default: false

Whether the Role is dimensional.

Array of objects or null (DimensionRef)

List of references to dimensions to which this Role is assigned. This field is only relevant if the Role is dimensional.

object (AttributeDTOList)
privilegeLevel
string or null

The privilege level of the role, if applicable.

Responses

Request samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Role 2567",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "additionalOwners": [
    ],
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "legacyMembershipInfo": {
    },
  • "enabled": true,
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "dimensional": false,
  • "dimensionRefs": [
    ],
  • "accessModelMetadata": {
    },
  • "privilegeLevel": "High"
}

Response samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Role 2567",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "additionalOwners": [
    ],
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "legacyMembershipInfo": {
    },
  • "enabled": true,
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "dimensional": false,
  • "dimensionRefs": [
    ],
  • "accessModelMetadata": {
    },
  • "privilegeLevel": "High"
}

Get a role

This API returns a Role by its ID. A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a token with ROLE_SUBADMIN authority may only call this API if all Access Profiles included in the Role are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the Role

Responses

Response samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Role 2567",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "additionalOwners": [
    ],
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "legacyMembershipInfo": {
    },
  • "enabled": true,
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "dimensional": false,
  • "dimensionRefs": [
    ],
  • "accessModelMetadata": {
    },
  • "privilegeLevel": "High"
}

Patch a specified role

This API updates an existing role using JSON Patch syntax.

The following fields are patchable:

  • name
  • description
  • enabled
  • owner
  • additionalOwners
  • accessProfiles
  • entitlements
  • membership
  • requestable
  • accessRequestConfig
  • revokeRequestConfig
  • segments
  • accessModelMetadata
    A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a token with ROLE_SUBADMIN authority may only call this API if all access profiles included in the role are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.

The maximum supported length for the description field is 2000 characters. Longer descriptions will be preserved for existing roles, however, any new roles as well as any updates to existing descriptions will be limited to 2000 characters.

When you use this API to modify a role's membership identities, you can only modify up to a limit of 500 membership identities at a time.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the Role to patch

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
Example

This example shows how multiple fields may be updated with a single patch call.

[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Role 2567",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "additionalOwners": [
    ],
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "legacyMembershipInfo": {
    },
  • "enabled": true,
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "dimensional": false,
  • "dimensionRefs": [
    ],
  • "accessModelMetadata": {
    },
  • "privilegeLevel": "High"
}

Delete a role

This API deletes a Role by its ID.

A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a token with ROLE_SUBADMIN authority may only call this API if all Access Profiles included in the Role are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the Role

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Delete role(s)

This endpoint initiates a bulk deletion of one or more roles. When the request is successful, the endpoint returns the bulk delete's task result ID. To follow the task, you can use Get Task Status by ID, which will return the task result's status and information. This endpoint can only bulk delete up to a limit of 50 roles per request. A user with ROLE_SUBADMIN authority can only call this endpoint if all roles included in the request are associated with sources with management workgroups the ROLE_SUBADMIN is a member of.

Authorizations:
Personal Access Token
Request Body schema: application/json
roleIds
required
Array of strings

List of IDs of Roles to be deleted.

Responses

Request samples

Content type
application/json
{
  • "roleIds": [
    ]
}

Response samples

Content type
application/json
{
  • "type": "TASK_RESULT",
  • "id": "464ae7bf791e49fdb74606a2e4a89635",
  • "name": null
}

List identities assigned a role

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808a7813090a017814121e121518

ID of the Role for which the assigned Identities are to be listed

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name sw Joe

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

aliasName: eq, sw

email: eq, sw

name: eq, sw, co

sorters
string <comma-separated>
Example: sorters=aliasName,name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, aliasName, email

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List role's entitlements

Get a list of entitlements associated with a specified role.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c91808a7813090a017814121919ecca

Containing role's ID.

query Parameters
limit
integer <int32> [ 0 .. 50 ]
Default: 50
Example: limit=50

Note that for this API the maximum value for limit is 50. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=attribute eq "memberOf"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

attribute: eq, sw

value: eq, sw

created: gt, lt, ge, le

modified: gt, lt, ge, le

owner.id: eq, in

source.id: eq, in

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, attribute, value, created, modified

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Add a metadata to role.

This API initialize a request to add a single Access Model Metadata to a role by attribute key and attribute value. A token with ORG_ADMIN, ROLE_ADMIN ROLE_SUBADMIN authority is required to call this API. The maximum number of attributes in one role is 25. Custom metadata update, including ADD and REPLACE need suit licensed.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c24359c389374d0fb8585698a2189e3d

The Id of a role

attributeKey
required
string
Example: iscPrivacy

Technical name of the Attribute.

attributeValue
required
string
Example: public

Technical name of the Attribute Value.

Responses

Response samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Role 2567",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "additionalOwners": [
    ],
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "legacyMembershipInfo": {
    },
  • "enabled": true,
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "dimensional": false,
  • "dimensionRefs": [
    ],
  • "accessModelMetadata": {
    },
  • "privilegeLevel": "High"
}

Remove a metadata from role.

This API initialize a request to remove a single Access Model Metadata from a role by attribute key and value. A token with ORG_ADMIN, ROLE_ADMIN ROLE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808c74ff913f0175097daa9d59cd

The role's id.

attributeKey
required
string
Example: iscPrivacy

Technical name of the Attribute.

attributeValue
required
string
Example: public

Technical name of the Attribute Value.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Bulk-update roles' metadata by id

This API initiates a bulk update of metadata for one or more Roles by a list of Role Ids. A token with ORG_ADMIN, ROLE_ADMIN ROLE_SUBADMIN authority is required to call this API. The maximum role count in a single update request is 3000. The maximum metadata value count for a single role is 25. Custom metadata update, including add, replace need suit licensed.

Authorizations:
None
Request Body schema: application/json
roles
required
Array of strings

Roles' Id to be updated

operation
required
string
Enum: "ADD" "REMOVE" "REPLACE"

The operation to be performed

replaceScope
string
Enum: "ALL" "ATTRIBUTE"

The choice of update scope.

required
Array of objects

The metadata to be updated, including attribute key and value.

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ],
  • "operation": "REPLACE",
  • "replaceScope": "ALL",
  • "values": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c9180867817ac4d017817c491119a20",
  • "type": "Role",
  • "status": "CREATED",
  • "created": "2020-10-08T18:33:52.029Z"
}

Bulk-update roles' metadata by filters

This API initiates a bulk update of metadata for one or more Roles by filter. A token with ORG_ADMIN, ROLE_ADMIN ROLE_SUBADMIN authority is required to call this API. The maximum metadata value count for a single role is 25. Custom metadata update, including add, replace need suit licensed.

Authorizations:
None
Request Body schema: application/json
filters
required
string

Filtering is supported for the following fields and operators:

id : eq, in

name : eq, sw

created : gt, lt, ge, le

modified : gt, lt, ge, le

owner.id : eq, in

requestable : eq

operation
required
string
Enum: "ADD" "REMOVE" "REPLACE"

The operation to be performed

replaceScope
string
Enum: "ALL" "ATTRIBUTE"

The choice of update scope.

required
Array of objects

The metadata to be updated, including attribute key and value.

Responses

Request samples

Content type
application/json
{
  • "operation": "ADD",
  • "replaceScope": "ALL",
  • "filters": "requestable eq false",
  • "values": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2d82ac17-eb0d-4ba6-9918-dcad6ee0294d",
  • "type": "ROLE",
  • "status": "CREATED",
  • "created": "2024-09-16T18:59:06.871594Z"
}

Bulk-update roles' metadata by query

This API initiates a bulk update of metadata for one or more Roles by query. A token with ORG_ADMIN, ROLE_ADMIN ROLE_SUBADMIN authority is required to call this API. The maximum metadata value count for a single role is 25. Custom metadata update, including add, replace need suit licensed.

Authorizations:
None
Request Body schema: application/json
query
required
object

query the identities to be updated

operation
required
string
Enum: "ADD" "REMOVE" "REPLACE"

The operation to be performed

replaceScope
string
Enum: "ALL" "ATTRIBUTE"

The choice of update scope.

required
Array of objects

The metadata to be updated, including attribute key and value.

Responses

Request samples

Content type
application/json
{
  • "example of a success update": {
    }
}

Response samples

Content type
application/json
{
  • "id": "2d82ac17-eb0d-4ba6-9918-dcad6ee0294d",
  • "type": "ROLE",
  • "status": "CREATED",
  • "created": "2024-09-16T18:59:06.871594Z"
}

Get bulk-update status by id

This API initial a request for one bulk update's status by bulk update Id returns the status of the bulk update process. A token with ORG_ADMIN, ROLE_ADMIN ROLE_SUBADMIN authority is required to call this API.

Authorizations:
None
path Parameters
id
required
string
Example: c24359c389374d0fb8585698a2189e3d

The Id of the bulk update task.

Responses

Response samples

Content type
application/json
{
  • "id": "2d82ac17-eb0d-4ba6-9918-dcad6ee0294d",
  • "type": "ROLE",
  • "status": "CREATED",
  • "created": "2024-09-16T18:59:06.871594Z"
}

Get bulk-update statuses

This API returns a list of all unfinished bulk update process status of the tenant.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Filter roles by metadata

This API returns a list of Role that filter by metadata and filter, it support filter by both path parameter and attribute key and values. A token with API, ORG_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, HELPDESK, CERT_ADMIN, REPORT_ADMIN or SOURCE_ADMIN authority is required to call this API.

Authorizations:
Personal Access Token
query Parameters
for-subadmin
string
Example: for-subadmin=5168015d32f890ca15812c9180835d2e

If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN Identity. The value of the parameter is either an Identity ID, or the special value me, which is shorthand for the calling Identity's ID. A 400 Bad Request error is returned if the for-subadmin parameter is specified for an Identity that is not a subadmin.

limit
integer <int32> [ 0 .. 250 ]
Default: 50
Example: limit=50

Max number of results to return See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

Boolean indicating whether a total count is returned, factoring in any filter parameters, in the X-Total-Count response header. The value is the total size of the collection that would be returned if limit and offset were ignored. See V3 API Standard Collection Parameters for more information.

sorters
string
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name, created, modified

for-segment-ids
string
Example: for-segment-ids=0b5c9f25-83c6-4762-9073-e38f7bb2ae26,2e8d8180-24bc-4d21-91c6-7affdb473b0d

If present and not empty, additionally filters Roles to those which are assigned to the Segment(s) with the specified IDs. If segmentation is currently unavailable, specifying this parameter results in an error.

include-unsegmented
boolean
Default: true

Whether or not the response list should contain unsegmented Roles. If for-segment-ids is absent or empty, specifying include-unsegmented as false results in an error.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Request Body schema: application/json
filters
string or null

Filter results using the standard syntax described in V3 API Standard Collection Parameters Filtering is supported for the following fields and operators:

id: eq, in

name: eq, sw

created: gt, lt, ge, le

modified: gt, lt, ge, le

owner.id: eq, in

requestable: eq

Array of objects or null

Responses

Request samples

Content type
application/json
{
  • "filters": "dimensional eq false",
  • "ammKeyValues": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c918086749d78830174a1a40e121518",
  • "name": "Role 2567",
  • "created": "2021-03-01T22:32:58.104Z",
  • "modified": "2021-03-02T20:22:28.104Z",
  • "description": "Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.",
  • "owner": {
    },
  • "additionalOwners": [
    ],
  • "accessProfiles": [
    ],
  • "entitlements": [
    ],
  • "membership": {
    },
  • "legacyMembershipInfo": {
    },
  • "enabled": true,
  • "requestable": true,
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    },
  • "segments": [
    ],
  • "dimensional": false,
  • "dimensionRefs": [
    ],
  • "accessModelMetadata": {
    },
  • "privilegeLevel": "High"
}

Create a saved search

Creates a new saved search.

Authorizations:
Personal Access Token
Request Body schema: application/json

The saved search to persist.

name
string

The name of the saved search.

description
string or null

The description of the saved search.

created
string or null <date-time> (DateTime)

A date-time in ISO-8601 format

modified
string or null <date-time> (DateTime)

A date-time in ISO-8601 format

indices
required
Array of strings (Index)
Items Enum: "accessprofiles" "accountactivities" "entitlements" "events" "identities" "roles" "*"

The names of the Elasticsearch indices in which to search.

object

The columns to be returned (specifies the order in which they will be presented) for each document type.

The currently supported document types are: accessprofile, accountactivity, account, aggregation, entitlement, event, identity, and role.

query
required
string

The search query using Elasticsearch Query String Query syntax from the Query DSL.

fields
Array of strings or null

The fields to be searched against in a multi-field query.

object or null

Sort by index. This takes precedence over the sort property.

sort
Array of strings or null

The fields to be used to sort the search results.

object or null

The filters to be applied for each filtered field name.

Responses

Request samples

Content type
application/json
{
  • "name": "Disabled accounts",
  • "description": "Disabled accounts",
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "indices": [
    ],
  • "columns": {
    },
  • "query": "@accounts(disabled:true)",
  • "fields": [
    ],
  • "orderBy": {
    },
  • "sort": [
    ],
  • "filters": {
    }
}

Response samples

Content type
application/json
{
  • "id": "0de46054-fe90-434a-b84e-c6b3359d0c64",
  • "owner": {
    },
  • "ownerId": "2c91808568c529c60168cca6f90c1313",
  • "public": false,
  • "name": "Disabled accounts",
  • "description": "Disabled accounts",
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "indices": [
    ],
  • "columns": {
    },
  • "query": "@accounts(disabled:true)",
  • "fields": [
    ],
  • "orderBy": {
    },
  • "sort": [
    ],
  • "filters": {
    }
}

A list of saved searches

Returns a list of saved searches.

Authorizations:
Personal Access Token
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=owner.id eq "7a724640-0c17-4ce9-a8c3-4a89738459c8"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

owner.id: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Updates an existing saved search

Updates an existing saved search.

NOTE: You cannot update the owner of the saved search.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Request Body schema: application/json

The saved search to persist.

id
string

The saved search ID.

object (TypedReference)

A typed reference to the object.

ownerId
string

The ID of the identity that owns this saved search.

public
boolean
Default: false

Whether this saved search is visible to anyone but the owner. This field will always be false as there is no way to set a saved search as public at this time.

name
string

The name of the saved search.

description
string or null

The description of the saved search.

created
string or null <date-time> (DateTime)

A date-time in ISO-8601 format

modified
string or null <date-time> (DateTime)

A date-time in ISO-8601 format

indices
required
Array of strings (Index)
Items Enum: "accessprofiles" "accountactivities" "entitlements" "events" "identities" "roles" "*"

The names of the Elasticsearch indices in which to search.

object

The columns to be returned (specifies the order in which they will be presented) for each document type.

The currently supported document types are: accessprofile, accountactivity, account, aggregation, entitlement, event, identity, and role.

query
required
string

The search query using Elasticsearch Query String Query syntax from the Query DSL.

fields
Array of strings or null

The fields to be searched against in a multi-field query.

object or null

Sort by index. This takes precedence over the sort property.

sort
Array of strings or null

The fields to be used to sort the search results.

object or null

The filters to be applied for each filtered field name.

Responses

Request samples

Content type
application/json
{
  • "id": "0de46054-fe90-434a-b84e-c6b3359d0c64",
  • "owner": {
    },
  • "ownerId": "2c91808568c529c60168cca6f90c1313",
  • "public": false,
  • "name": "Disabled accounts",
  • "description": "Disabled accounts",
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "indices": [
    ],
  • "columns": {
    },
  • "query": "@accounts(disabled:true)",
  • "fields": [
    ],
  • "orderBy": {
    },
  • "sort": [
    ],
  • "filters": {
    }
}

Response samples

Content type
application/json
{
  • "id": "0de46054-fe90-434a-b84e-c6b3359d0c64",
  • "owner": {
    },
  • "ownerId": "2c91808568c529c60168cca6f90c1313",
  • "public": false,
  • "name": "Disabled accounts",
  • "description": "Disabled accounts",
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "indices": [
    ],
  • "columns": {
    },
  • "query": "@accounts(disabled:true)",
  • "fields": [
    ],
  • "orderBy": {
    },
  • "sort": [
    ],
  • "filters": {
    }
}

Return saved search by id

Returns the specified saved search.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Responses

Response samples

Content type
application/json
{
  • "id": "0de46054-fe90-434a-b84e-c6b3359d0c64",
  • "owner": {
    },
  • "ownerId": "2c91808568c529c60168cca6f90c1313",
  • "public": false,
  • "name": "Disabled accounts",
  • "description": "Disabled accounts",
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "indices": [
    ],
  • "columns": {
    },
  • "query": "@accounts(disabled:true)",
  • "fields": [
    ],
  • "orderBy": {
    },
  • "sort": [
    ],
  • "filters": {
    }
}

Delete document by id

Deletes the specified saved search.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Execute a saved search by id

Executes the specified saved search.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Request Body schema: application/json

When saved search execution is triggered by a scheduled search, scheduleId will specify the ID of the triggering scheduled search.

If scheduleId is not specified (when execution is triggered by a UI test), the owner and recipients arguments must be provided.

scheduleId
string

The ID of the scheduled search that triggered the saved search execution.

object

The owner of the scheduled search being tested.

Array of objects (TypedReference)

The email recipients of the scheduled search being tested.

Responses

Request samples

Content type
application/json
Example
{
  • "scheduleId": "7a724640-0c17-4ce9-a8c3-4a89738459c8"
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Create a new scheduled search

Creates a new scheduled search.

Authorizations:
Personal Access Token
Request Body schema: application/json

The scheduled search to persist.

name
string or null

The name of the scheduled search.

description
string or null

The description of the scheduled search.

savedSearchId
required
string

The ID of the saved search that will be executed.

required
object (Schedule-3)

The schedule information.

required
Array of objects

A list of identities that should receive the scheduled search report via email.

enabled
boolean
Default: false

Indicates if the scheduled search is enabled.

emailEmptyResults
boolean
Default: false

Indicates if email generation should occur when search returns no results.

displayQueryDetails
boolean
Default: false

Indicates if the generated email should include the query and search results preview (which could include PII).

Responses

Request samples

Content type
application/json
Example

A search that executes each day at a 9 AM

{
  • "savedSearchId": "9c620e13-cd33-4804-a13d-403bd7bcdbad",
  • "schedule": {
    },
  • "recipients": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "0de46054-fe90-434a-b84e-c6b3359d0c64",
  • "owner": {
    },
  • "ownerId": "2c9180867624cbd7017642d8c8c81f67",
  • "name": "Daily disabled accounts",
  • "description": "Daily disabled accounts",
  • "savedSearchId": "554f1511-f0a1-4744-ab14-599514d3e57c",
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "schedule": {
    },
  • "recipients": [
    ],
  • "enabled": false,
  • "emailEmptyResults": false,
  • "displayQueryDetails": false
}

List scheduled searches

Returns a list of scheduled searches.

Authorizations:
Personal Access Token
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=savedSearchId eq "6cc0945d-9eeb-4948-9033-72d066e1153e"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

owner.id: eq

savedSearchId: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Update an existing scheduled search

Updates an existing scheduled search.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Request Body schema: application/json

The scheduled search to persist.

name
string or null

The name of the scheduled search.

description
string or null

The description of the scheduled search.

savedSearchId
required
string

The ID of the saved search that will be executed.

required
object (Schedule-3)

The schedule information.

required
Array of objects

A list of identities that should receive the scheduled search report via email.

enabled
boolean
Default: false

Indicates if the scheduled search is enabled.

emailEmptyResults
boolean
Default: false

Indicates if email generation should occur when search returns no results.

displayQueryDetails
boolean
Default: false

Indicates if the generated email should include the query and search results preview (which could include PII).

Responses

Request samples

Content type
application/json
{
  • "name": "Daily disabled accounts",
  • "description": "Daily disabled accounts",
  • "savedSearchId": "554f1511-f0a1-4744-ab14-599514d3e57c",
  • "schedule": {
    },
  • "recipients": [
    ],
  • "enabled": false,
  • "emailEmptyResults": false,
  • "displayQueryDetails": false
}

Response samples

Content type
application/json
{
  • "id": "0de46054-fe90-434a-b84e-c6b3359d0c64",
  • "owner": {
    },
  • "ownerId": "2c9180867624cbd7017642d8c8c81f67",
  • "name": "Daily disabled accounts",
  • "description": "Daily disabled accounts",
  • "savedSearchId": "554f1511-f0a1-4744-ab14-599514d3e57c",
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "schedule": {
    },
  • "recipients": [
    ],
  • "enabled": false,
  • "emailEmptyResults": false,
  • "displayQueryDetails": false
}

Get a scheduled search

Returns the specified scheduled search.

path Parameters
id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Responses

Response samples

Content type
application/json
{
  • "id": "0de46054-fe90-434a-b84e-c6b3359d0c64",
  • "owner": {
    },
  • "ownerId": "2c9180867624cbd7017642d8c8c81f67",
  • "name": "Daily disabled accounts",
  • "description": "Daily disabled accounts",
  • "savedSearchId": "554f1511-f0a1-4744-ab14-599514d3e57c",
  • "created": "2018-06-25T20:22:28.104Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "schedule": {
    },
  • "recipients": [
    ],
  • "enabled": false,
  • "emailEmptyResults": false,
  • "displayQueryDetails": false
}

Delete a scheduled search

Deletes the specified scheduled search.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Unsubscribe a recipient from scheduled search

Unsubscribes a recipient from the specified scheduled search.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Request Body schema: application/json

The recipient to be removed from the scheduled search.

type
required
string (DtoType)
Enum: "ACCOUNT_CORRELATION_CONFIG" "ACCESS_PROFILE" "ACCESS_REQUEST_APPROVAL" "ACCOUNT" "APPLICATION" "CAMPAIGN" "CAMPAIGN_FILTER" "CERTIFICATION" "CLUSTER" "CONNECTOR_SCHEMA" "ENTITLEMENT" "GOVERNANCE_GROUP" "IDENTITY" "IDENTITY_PROFILE" "IDENTITY_REQUEST" "MACHINE_IDENTITY" "LIFECYCLE_STATE" "PASSWORD_POLICY" "ROLE" "RULE" "SOD_POLICY" "SOURCE" "TAG" "TAG_CATEGORY" "TASK_RESULT" "REPORT_RESULT" "SOD_VIOLATION" "ACCOUNT_ACTIVITY" "WORKGROUP"

An enumeration of the types of DTOs supported within the IdentityNow infrastructure.

id
required
string

The id of the object.

Responses

Request samples

Content type
application/json
{
  • "type": "IDENTITY",
  • "id": "2c91808568c529c60168cca6f90c1313"
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Search

Use this API to implement search functionality. With search functionality in place, users can search their tenants for nearly any information from throughout their organizations.

Identity Security Cloud enables organizations to store user data from across all their connected sources and manage the users' access, so the ability to query and filter that data is essential.
Its search goes through all those sources and finds the results quickly and specifically.

The search query is flexible - it can be very broad or very narrow. The search only returns results for searchable objects it is filtering for. The following objects are searchable: identities, roles, access profiles, entitlements, events, and account activities. By default, no filter is applied, so a search for "Ad" returns both the identity "Adam.Archer" as well as the role "Administrator."

Users can further narrow their results by using Identity Security Cloud's specific syntax and punctuation to structure their queries. For example, the query "attributes.location:austin AND NOT manager.name:amanda.ross" returns all results associated with the Austin location, but it excludes those associated with the manager Amanda Ross. Refer to Building a Search Query for more information about how to construct specific search queries.

Refer to Using Search for more information about Identity Security Cloud's search and its different possibilities.

The search feature uses Elasticsearch as a datastore and query engine. The power of Elasticsearch makes this feature suitable for ad-hoc reporting. However, data from the operational databases (ex. identities, roles, events, etc) has to be ingested into Elasticsearch. This ingestion process introduces a latency from when the operational data is created to when it is available in search. Depending on the system load, this can take a few seconds to a few minutes. Please keep this latency in mind when you use search.

Perform search

Perform a search with the provided query and return a matching result collection. To page past 10,000 records, you can use searchAfter paging. Refer to Paginating Search Queries for more information about how to implement searchAfter paging. The search query itself has a size limitation of approximately 800 objects when filtering by large lists of IDs or values (e.g., using terms filters with extensive lists).

Learn more about search.
Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 10000 ]
Default: 250
Example: limit=10000

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Request Body schema: application/json
indices
Array of strings (Index)
Items Enum: "accessprofiles" "accountactivities" "entitlements" "events" "identities" "roles" "*"

The names of the Elasticsearch indices in which to search. If none are provided, then all indices will be searched.

Learn more about search indices here.
queryType
string (QueryType)
Default: "SAILPOINT"
Enum: "DSL" "SAILPOINT" "TEXT" "TYPEAHEAD"

The type of query to use. By default, the SAILPOINT query type is used, which requires the query object to be defined in the request body. To use the queryDsl or typeAheadQuery objects in the request, you must set the type to DSL or TYPEAHEAD accordingly. Additional values may be added in the future without notice.

queryVersion
string
Default: "5.2"

The current Elasticserver version.

object (Query)

Query parameters used to construct an Elasticsearch query object.

queryDsl
object

The search query using the Elasticsearch Query DSL syntax.

object (TextQuery)

Query parameters used to construct an Elasticsearch text query object.

object (TypeAheadQuery)

Query parameters used to construct an Elasticsearch type ahead query object. The typeAheadQuery performs a search for top values beginning with the typed values. For example, typing "Jo" results in top hits matching "Jo." Typing "Job" results in top hits matching "Job."

includeNested
boolean
Default: true

Indicates whether nested objects from returned search results should be included.

object (QueryResultFilter)

Allows the query results to be filtered by specifying a list of fields to include and/or exclude from the result documents.

aggregationType
string (AggregationType)
Default: "DSL"
Enum: "DSL" "SAILPOINT"

Enum representing the currently available query languages for aggregations, which are used to perform calculations or groupings on search results.

Additional values may be added in the future without notice.

aggregationsVersion
string
Default: "5.2"

The current Elasticserver version.

aggregationsDsl
object

The aggregation search query using Elasticsearch Aggregations syntax.

object (SearchAggregationSpecification)
sort
Array of strings

The fields to be used to sort the search results. Use + or - to specify the sort direction.

searchAfter
Array of strings

Used to begin the search window at the values specified. This parameter consists of the last values of the sorted fields in the current record set. This is used to expand the Elasticsearch limit of 10K records by shifting the 10K window to begin at this value. It is recommended that you always include the ID of the object in addition to any other fields on this parameter in order to ensure you don't get duplicate results while paging. For example, when searching for identities, if you are sorting by displayName you will also want to include ID, for example ["displayName", "id"]. If the last identity ID in the search result is 2c91808375d8e80a0175e1f88a575221 and the last displayName is "John Doe", then using that displayName and ID will start a new search after this identity. The searchAfter value will look like ["John Doe","2c91808375d8e80a0175e1f88a575221"]

object

The filters to be applied for each filtered field name.

Responses

Request samples

Content type
application/json
Example
{
  • "indices": [
    ],
  • "query": {
    }
}

Response samples

Content type
application/json
Example
[
  • {
    }
]

Count documents satisfying a query

Performs a search with a provided query and returns the count of results in the X-Total-Count header.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
indices
Array of strings (Index)
Items Enum: "accessprofiles" "accountactivities" "entitlements" "events" "identities" "roles" "*"

The names of the Elasticsearch indices in which to search. If none are provided, then all indices will be searched.

Learn more about search indices here.
queryType
string (QueryType)
Default: "SAILPOINT"
Enum: "DSL" "SAILPOINT" "TEXT" "TYPEAHEAD"

The type of query to use. By default, the SAILPOINT query type is used, which requires the query object to be defined in the request body. To use the queryDsl or typeAheadQuery objects in the request, you must set the type to DSL or TYPEAHEAD accordingly. Additional values may be added in the future without notice.

queryVersion
string
Default: "5.2"

The current Elasticserver version.

object (Query)

Query parameters used to construct an Elasticsearch query object.

queryDsl
object

The search query using the Elasticsearch Query DSL syntax.

object (TextQuery)

Query parameters used to construct an Elasticsearch text query object.

object (TypeAheadQuery)

Query parameters used to construct an Elasticsearch type ahead query object. The typeAheadQuery performs a search for top values beginning with the typed values. For example, typing "Jo" results in top hits matching "Jo." Typing "Job" results in top hits matching "Job."

includeNested
boolean
Default: true

Indicates whether nested objects from returned search results should be included.

object (QueryResultFilter)

Allows the query results to be filtered by specifying a list of fields to include and/or exclude from the result documents.

aggregationType
string (AggregationType)
Default: "DSL"
Enum: "DSL" "SAILPOINT"

Enum representing the currently available query languages for aggregations, which are used to perform calculations or groupings on search results.

Additional values may be added in the future without notice.

aggregationsVersion
string
Default: "5.2"

The current Elasticserver version.

aggregationsDsl
object

The aggregation search query using Elasticsearch Aggregations syntax.

object (SearchAggregationSpecification)
sort
Array of strings

The fields to be used to sort the search results. Use + or - to specify the sort direction.

searchAfter
Array of strings

Used to begin the search window at the values specified. This parameter consists of the last values of the sorted fields in the current record set. This is used to expand the Elasticsearch limit of 10K records by shifting the 10K window to begin at this value. It is recommended that you always include the ID of the object in addition to any other fields on this parameter in order to ensure you don't get duplicate results while paging. For example, when searching for identities, if you are sorting by displayName you will also want to include ID, for example ["displayName", "id"]. If the last identity ID in the search result is 2c91808375d8e80a0175e1f88a575221 and the last displayName is "John Doe", then using that displayName and ID will start a new search after this identity. The searchAfter value will look like ["John Doe","2c91808375d8e80a0175e1f88a575221"]

object

The filters to be applied for each filtered field name.

Responses

Request samples

Content type
application/json
{
  • "indices": [
    ],
  • "query": {
    }
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Perform a search query aggregation

Performs a search query aggregation and returns the aggregation result. By default, you can page a maximum of 10,000 search result records. To page past 10,000 records, you can use searchAfter paging. Refer to Paginating Search Queries for more information about how to implement searchAfter paging.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Request Body schema: application/json
indices
Array of strings (Index)
Items Enum: "accessprofiles" "accountactivities" "entitlements" "events" "identities" "roles" "*"

The names of the Elasticsearch indices in which to search. If none are provided, then all indices will be searched.

Learn more about search indices here.
queryType
string (QueryType)
Default: "SAILPOINT"
Enum: "DSL" "SAILPOINT" "TEXT" "TYPEAHEAD"

The type of query to use. By default, the SAILPOINT query type is used, which requires the query object to be defined in the request body. To use the queryDsl or typeAheadQuery objects in the request, you must set the type to DSL or TYPEAHEAD accordingly. Additional values may be added in the future without notice.

queryVersion
string
Default: "5.2"

The current Elasticserver version.

object (Query)

Query parameters used to construct an Elasticsearch query object.

queryDsl
object

The search query using the Elasticsearch Query DSL syntax.

object (TextQuery)

Query parameters used to construct an Elasticsearch text query object.

object (TypeAheadQuery)

Query parameters used to construct an Elasticsearch type ahead query object. The typeAheadQuery performs a search for top values beginning with the typed values. For example, typing "Jo" results in top hits matching "Jo." Typing "Job" results in top hits matching "Job."

includeNested
boolean
Default: true

Indicates whether nested objects from returned search results should be included.

object (QueryResultFilter)

Allows the query results to be filtered by specifying a list of fields to include and/or exclude from the result documents.

aggregationType
string (AggregationType)
Default: "DSL"
Enum: "DSL" "SAILPOINT"

Enum representing the currently available query languages for aggregations, which are used to perform calculations or groupings on search results.

Additional values may be added in the future without notice.

aggregationsVersion
string
Default: "5.2"

The current Elasticserver version.

aggregationsDsl
object

The aggregation search query using Elasticsearch Aggregations syntax.

object (SearchAggregationSpecification)
sort
Array of strings

The fields to be used to sort the search results. Use + or - to specify the sort direction.

searchAfter
Array of strings

Used to begin the search window at the values specified. This parameter consists of the last values of the sorted fields in the current record set. This is used to expand the Elasticsearch limit of 10K records by shifting the 10K window to begin at this value. It is recommended that you always include the ID of the object in addition to any other fields on this parameter in order to ensure you don't get duplicate results while paging. For example, when searching for identities, if you are sorting by displayName you will also want to include ID, for example ["displayName", "id"]. If the last identity ID in the search result is 2c91808375d8e80a0175e1f88a575221 and the last displayName is "John Doe", then using that displayName and ID will start a new search after this identity. The searchAfter value will look like ["John Doe","2c91808375d8e80a0175e1f88a575221"]

object

The filters to be applied for each filtered field name.

Responses

Request samples

Content type
application/json
Example
{
  • "indices": [
    ],
  • "aggregationType": "SAILPOINT",
  • "aggregations": {
    }
}

Response samples

Content type
{
  • "aggregations": {
    },
  • "hits": [
    ]
}

Get a document by id

Fetches a single document from the specified index, using the specified document ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
index
required
string
Enum: "accessprofiles" "accountactivities" "entitlements" "events" "identities" "roles"
Example: identities

The index from which to fetch the specified document.

The currently supported index names are: accessprofiles, accountactivities, entitlements, events, identities, and roles.

id
required
string
Example: 2c91808568c529c60168cca6f90c1313

ID of the requested document.

Responses

Response samples

Content type
application/json
Example
{
  • "id": "13b856dd9a264206954b63ecbb57a853",
  • "name": "Cloud Eng",
  • "description": "Cloud Eng",
  • "source": {
    },
  • "entitlements": [
    ],
  • "entitlementCount": 1,
  • "segments": [ ],
  • "segmentCount": 0,
  • "apps": [ ],
  • "created": "2024-09-16T17:41:25Z",
  • "modified": "2024-09-16T19:30:54Z",
  • "synced": "2025-02-12T06:32:40.156Z",
  • "enabled": true,
  • "requestable": true,
  • "requestCommentsRequired": false,
  • "owner": {
    },
  • "tags": [
    ]
}

Search Attribute Configuration

Use this API to implement search attribute configuration functionality, along with Search. With this functionality in place, administrators can create custom search attributes that and run extended searches based on those attributes to further narrow down their searches and get the information and insights they want.

Identity Security Cloud (ISC) enables organizations to store user data from across all their connected sources and manage the users' access, so the ability to query and filter that data is essential.
Its search goes through all those sources and finds the results quickly and specifically.

The search query is flexible - it can be very broad or very narrow. The search only returns results for searchable objects it is filtering for. The following objects are searchable: identities, roles, access profiles, entitlements, events, and account activities. By default, no filter is applied, so a search for "Ad" returns both the identity "Adam.Archer" as well as the role "Administrator."

Users can further narrow their results by using ISC's specific syntax and punctuation to structure their queries. For example, the query "attributes.location:austin AND NOT manager.name:amanda.ross" returns all results associated with the Austin location, but it excludes those associated with the manager Amanda Ross. Refer to Building a Search Query for more information about how to construct specific search queries.

Refer to Search Attribute Configuration for more information about ISC's search and its different possibilities.

With Search Attribute Configuration, administrators can create, manage, and run searches based on the attributes they want to search.

Create extended search attributes

Create and configure extended search attributes. This API accepts an attribute name, an attribute display name and a list of name/value pair associates of application IDs to attribute names. It will then validate the inputs and configure/create the attribute promotion configuration in the Link ObjectConfig.

Note: Give searchable attributes unique names. Do not give them the same names used for account attributes or source attributes. Also, do not give them the same names present in account schema for a current or future source, regardless of whether that source is included in the searchable attributes' applicationAttributes.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
name
string

Name of the new attribute

displayName
string

The display name of the new attribute

applicationAttributes
object

Map of application id and their associated attribute.

Responses

Request samples

Content type
application/json
{
  • "name": "newMailAttribute",
  • "displayName": "New Mail Attribute",
  • "applicationAttributes": {
    }
}

Response samples

Content type
application/json
{ }

List extended search attributes

Get a list of attribute/application attributes currently configured in Identity Security Cloud (ISC).

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get extended search attribute

Get an extended attribute configuration by name.

Authorizations:
Personal Access Token
path Parameters
name
required
string
Example: newMailAttribute

Name of the extended search attribute configuration to get.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "name": "newMailAttribute",
  • "displayName": "New Mail Attribute",
  • "applicationAttributes": {
    }
}

Delete extended search attribute

Delete an extended attribute configuration by name.

Authorizations:
Personal Access Token
path Parameters
name
required
string
Example: newMailAttribute

Name of the extended search attribute configuration to delete.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "error": "JWT validation failed: JWT is expired"
}

Update extended search attribute

Update an existing search attribute configuration. You can patch these fields:

  • name * displayName * applicationAttributes
Authorizations:
Personal Access Token
path Parameters
name
required
string
Example: promotedMailAttribute

Name of the search attribute configuration to patch.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "name": "newMailAttribute",
  • "displayName": "New Mail Attribute",
  • "applicationAttributes": {
    }
}

Segments

Use this API to implement and customize access request segment functionality. With this functionality in place, administrators can create and manage access request segments. Segments provide organizations with a way to make the access their users have even more granular - this can simply the access request process for the organization's users and improves security by reducing the risk of overprovisoning access.

Segments represent sets of identities, all grouped by specified identity attributes, who are only able to see and access the access items associated with their segments. For example, administrators could group all their organization's London office employees into one segment, "London Office Employees," by their shared location. The administrators could then define the access items the London employees would need, and the identities in the "London Office Employees" would then only be able to see and access those items.

In Identity Security Cloud, administrators can use the 'Access' drop-down menu and select 'Segments' to reach the 'Access Requests Segments' page. This page lists all the existing access request segments, along with their statuses, enabled or disabled. Administrators can use this page to create, edit, enable, disable, and delete segments. To create a segment, an administrator must provide a name, define the identities grouped in the segment, and define the items the identities in the segment can access. These items can be access profiles, roles, or entitlements.

When administrators use the API to create and manage segments, they use a JSON expression in the visibilityCriteria object to define the segment's identities and access items.

Refer to Managing Access Request Segments for more information about segments in Identity Security Cloud.

Create segment

This API creates a segment.

Note: Segment definitions may take time to propagate to all identities.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
id
string

The segment's ID.

name
string

The segment's business name.

created
string <date-time>

The time when the segment is created.

modified
string <date-time>

The time when the segment is modified.

description
string

The segment's optional description.

object or null (OwnerReferenceSegments)

The owner of this object.

object or null (Visibility Criteria)
active
boolean
Default: false

This boolean indicates whether the segment is currently active. Inactive segments have no effect.

Responses

Request samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "segment-xyz",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This segment represents xyz",
  • "owner": {
    },
  • "visibilityCriteria": {
    },
  • "active": true
}

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "segment-xyz",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This segment represents xyz",
  • "owner": {
    },
  • "visibilityCriteria": {
    },
  • "active": true
}

List segments

This API returns a list of all segments.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get segment by id

This API returns the segment specified by the given ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The segment ID to retrieve.

Responses

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "segment-xyz",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This segment represents xyz",
  • "owner": {
    },
  • "visibilityCriteria": {
    },
  • "active": true
}

Delete segment by id

This API deletes the segment specified by the given ID.

Note: that segment deletion may take some time to become effective.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The segment ID to delete.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Update segment

Use this API to update segment fields by using the JSON Patch standard.

Note: Changes to a segment may take some time to propagate to all identities.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The segment ID to modify.

Request Body schema: application/json-patch+json

A list of segment update operations according to the JSON Patch standard.

The following fields are patchable:

  • name
  • description
  • owner
  • visibilityCriteria
  • active
Array
object

Responses

Request samples

Content type
application/json-patch+json

Set the visibility criteria

[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "segment-xyz",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This segment represents xyz",
  • "owner": {
    },
  • "visibilityCriteria": {
    },
  • "active": true
}

Service Desk Integration

Use this API to build an integration between Identity Security Cloud and a service desk ITSM (IT service management) solution. Once an administrator builds this integration between Identity Security Cloud and a service desk, users can use Identity Security Cloud to raise and track tickets that are synchronized between Identity Security Cloud and the service desk.

In Identity Security Cloud, administrators can create a service desk integration (sometimes also called an SDIM, or Service Desk Integration Module) by going to Admin > Connections > Service Desk and selecting 'Create.'

To create a Generic Service Desk integration, for example, administrators must provide the required information on the General Settings page, the Connectivity and Authentication information, Ticket Creation information, Status Mapping information, and Requester Source information on the Configure page. Refer to Integrating SailPoint with Generic Service Desk for more information about the process of setting up a Generic Service Desk in Identity Security Cloud.

Administrators can create various service desk integrations, all with their own nuances. The following service desk integrations are available:

List existing service desk integrations

Get a list of Service Desk integration objects.

Authorizations:
Personal Access Token
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

sorters
string
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: name

filters
string <comma-separated>
Example: filters=name eq "John Doe"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq

type: eq, in

cluster: eq, in

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create new service desk integration

Create a new Service Desk integration.

Authorizations:
Personal Access Token
Request Body schema: application/json

The specifics of a new integration to create

id
string

Unique identifier for the Service Desk integration

name
required
string

Service Desk integration's name. The name must be unique.

created
string <date-time>

The date and time the Service Desk integration was created

modified
string <date-time>

The date and time the Service Desk integration was last modified

description
required
string

Service Desk integration's description.

type
required
string
Default: "ServiceNowSDIM"

Service Desk integration types:

  • ServiceNowSDIM
  • ServiceNow
object (Owner Dto)

Owner's identity.

object (Source Cluster Dto)

Source cluster.

cluster
string or null
Deprecated

Cluster ID for the Service Desk integration (replaced by clusterRef, retained for backward compatibility).

managedSources
Array of strings
Deprecated

Source IDs for the Service Desk integration (replaced by provisioningConfig.managedSResourceRefs, but retained here for backward compatibility).

object (Provisioning Config)

Specification of a Service Desk integration provisioning configuration.

required
object

Service Desk integration's attributes. Validation constraints enforced by the implementation.

object (Before Provisioning Rule Dto)

Before Provisioning Rule.

Responses

Request samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

Get a service desk integration

Get an existing Service Desk integration by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: anId

ID of the Service Desk integration to get

Responses

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

Update a service desk integration

Update an existing Service Desk integration by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: anId

ID of the Service Desk integration to update

Request Body schema: application/json

The specifics of the integration to update

id
string

Unique identifier for the Service Desk integration

name
required
string

Service Desk integration's name. The name must be unique.

created
string <date-time>

The date and time the Service Desk integration was created

modified
string <date-time>

The date and time the Service Desk integration was last modified

description
required
string

Service Desk integration's description.

type
required
string
Default: "ServiceNowSDIM"

Service Desk integration types:

  • ServiceNowSDIM
  • ServiceNow
object (Owner Dto)

Owner's identity.

object (Source Cluster Dto)

Source cluster.

cluster
string or null
Deprecated

Cluster ID for the Service Desk integration (replaced by clusterRef, retained for backward compatibility).

managedSources
Array of strings
Deprecated

Source IDs for the Service Desk integration (replaced by provisioningConfig.managedSResourceRefs, but retained here for backward compatibility).

object (Provisioning Config)

Specification of a Service Desk integration provisioning configuration.

required
object

Service Desk integration's attributes. Validation constraints enforced by the implementation.

object (Before Provisioning Rule Dto)

Before Provisioning Rule.

Responses

Request samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

Delete a service desk integration

Delete an existing Service Desk integration by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: anId

ID of Service Desk integration to delete

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Patch a service desk integration

Update an existing Service Desk integration by ID with a PATCH request.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: anId

ID of the Service Desk integration to update

Request Body schema: application/json-patch+json

A list of SDIM update operations according to the JSON Patch standard.

Only replace operations are accepted by this endpoint.

A 403 Forbidden Error indicates that a PATCH operation was attempted that is not allowed.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

List service desk integration types

This API endpoint returns the current list of supported Service Desk integration types.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Service desk integration template by scriptname

This API endpoint returns an existing Service Desk integration template by scriptName.

Authorizations:
Personal Access Token
path Parameters
scriptName
required
string
Example: aScriptName

The scriptName value of the Service Desk integration template to get

Responses

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "name": "aName",
  • "created": "2015-05-28T14:07:17Z",
  • "modified": "2015-05-28T14:07:17Z",
  • "type": "Web Service SDIM",
  • "attributes": {
    },
  • "provisioningConfig": {
    }
}

Get the time check configuration

Get the time check configuration of queued SDIM tickets.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "provisioningStatusCheckIntervalMinutes": 30,
  • "provisioningMaxStatusCheckDays": 2
}

Update the time check configuration

Update the time check configuration of queued SDIM tickets.

Authorizations:
Personal Access Token
Request Body schema: application/json

The modified time check configuration

provisioningStatusCheckIntervalMinutes
required
string

Interval in minutes between status checks

provisioningMaxStatusCheckDays
required
string

Maximum number of days to check

Responses

Request samples

Content type
application/json
{
  • "provisioningStatusCheckIntervalMinutes": 30,
  • "provisioningMaxStatusCheckDays": 2
}

Response samples

Content type
application/json
{
  • "provisioningStatusCheckIntervalMinutes": 30,
  • "provisioningMaxStatusCheckDays": 2
}

Shared Signals Framework (SSF)

The SSF Transmitter Service is a security event notification system that monitors identity attribute changes and automatically triggers session revocation events when specific lifecycle conditions are met.

Use this API to implement transmitter functionality so administrators can discover the transmitter and manage streams. Transmitters send identity data and events from Identity Security Cloud to external receivers over the Secure Sync Framework (SSF). The SSF configuration and JWKS endpoints support discovery and verification; the stream management endpoints support creating, updating, and managing streams and verifying receivers. In Identity Security Cloud, administrators can use the "Connections" > "Shared Signals" area to view and manage transmitters and their streams.

Get SSF configuration

Returns the SSF transmitter discovery metadata (well-known configuration).

Authorizations:
None

Responses

Response samples

Content type
application/json
{}

Get JWKS

Returns the transmitter's JSON Web Key Set (JWKS) for verifying signed delivery requests.

Authorizations:
None

Responses

Response samples

Content type
application/json
{
  • "keys": [
    ]
}

Create stream

An SSF stream is associated with the client ID of the OAuth 2.0 access token used to create the stream. One SSF stream is allowed for each client ID.

You can create a maximum of 10 SSF stream configurations for one org.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object (CreateStreamDeliveryRequest)

Full delivery configuration. method and endpoint_url are required.

events_requested
Array of strings <uri>

Optional list of event types the receiver wants. Use CAEP event-type URIs in the form: https://schemas.openid.net/secevent/caep/event-type/{event-type} (e.g. session revoke).

description
string

Optional human-readable description of the stream.

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{}

Get stream(s)

Retrieves either a list of all SSF stream configurations or the individual configuration if specified by ID.

As stream configurations are tied to a client ID, you can only view the stream associated with the client ID of the request OAuth 2.0 access token.

Query parameter aud (co filter) can be used to filter by audience.

Authorizations:
Personal Access Token
query Parameters
stream_id
string
Example: stream_id=550e8400-e29b-41d4-a716-446655440000

If provided, returns that stream; otherwise returns list of all streams.

Responses

Response samples

Content type
application/json
Example
{}

Update stream configuration

Partially updates a stream's configuration (PATCH). Only provided fields are updated.

The associated stream with the client ID (through the request OAuth 2.0 access token) is updated.

Authorizations:
Personal Access Token
Request Body schema: application/json
stream_id
required
string

ID of the stream to update.

object (DeliveryRequest)

Delivery configuration for PATCH /ssf/streams (partial update). All fields are optional; only provided fields are updated.

events_requested
Array of strings <uri>

Event types the receiver wants. Use CAEP event-type URIs.

description
string

Optional human-readable description of the stream.

Responses

Request samples

Content type
application/json
{
  • "stream_id": "550e8400-e29b-41d4-a716-446655440000",
  • "description": "Updated production event stream configuration"
}

Response samples

Content type
application/json
{}

Replace stream configuration

Replaces a stream's configuration (PUT). stream_id and delivery are required; full receiver-supplied properties.

The associated stream with the client ID (through the request OAuth 2.0 access token) is replaced.

Authorizations:
Personal Access Token
Request Body schema: application/json
stream_id
required
string

ID of the stream to replace.

required
object

Full delivery configuration. method and endpoint_url are required.

events_requested
Array of strings <uri>

Event types the receiver wants. Use CAEP event-type URIs.

description
string

Optional human-readable description of the stream.

Responses

Request samples

Content type
application/json
{}

Response samples

Content type
application/json
{}

Delete stream

Deletes a stream by its ID. There is no request body; the stream is identified by the required query parameter stream_id. On success the response has no body (204 No Content).

The associated stream with the client ID (through the request OAuth 2.0 access token) is deleted.

Authorizations:
Personal Access Token
query Parameters
stream_id
required
string
Example: stream_id=550e8400-e29b-41d4-a716-446655440000

ID of the stream to delete. Required; omitted or empty returns 400.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get stream status

Returns the status (enabled, paused, disabled) and optional reason for the stream associated with the client ID of the request's OAuth 2.0 access token. The stream_id query parameter is required.

Authorizations:
Personal Access Token
query Parameters
stream_id
required
string
Example: stream_id=550e8400-e29b-41d4-a716-446655440000

ID of the stream whose status to retrieve.

Responses

Response samples

Content type
application/json
{
  • "stream_id": "550e8400-e29b-41d4-a716-446655440000",
  • "status": "enabled",
  • "reason": ""
}

Update stream status

Updates the operational status (enabled, paused, disabled) with an optional reason for the stream associated with the client ID of the request's OAuth 2.0 access token.

Authorizations:
Personal Access Token
Request Body schema: application/json
stream_id
required
string

ID of the stream whose status to update.

status
required
string
Enum: "enabled" "paused" "disabled"

Desired stream status.

reason
string

Optional reason for the status change.

Responses

Request samples

Content type
application/json
{
  • "stream_id": "550e8400-e29b-41d4-a716-446655440000",
  • "status": "paused",
  • "reason": "manually paused"
}

Response samples

Content type
application/json
{
  • "stream_id": "550e8400-e29b-41d4-a716-446655440000",
  • "status": "paused",
  • "reason": "manually paused"
}

Verify stream

Verifies an SSF stream by publishing a verification event requested by a security events provider.

Authorizations:
Personal Access Token
Request Body schema: application/json
stream_id
required
string

Stream ID for verification.

state
string

Optional state value for verification challenge.

Responses

Request samples

Content type
application/json
{
  • "stream_id": "550e8400-e29b-41d4-a716-446655440000",
  • "state": "verification-challenge-state-123"
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

SIM Integrations

Use this API to administer IdentityNow's Service Integration Module, or SIM integration with ServiceNow, so that it converts IdentityNow provisioning actions into tickets in ServiceNow.

ServiceNow is a software platform that supports IT service management and automates common business processes for requesting and fulfilling service requests across a business enterprise.

You must have an IdentityNow ServiceNow ServiceDesk license to use this integration. Contact your Customer Success Manager for more information.

Service Desk integration for IdentityNow and in deprecation - not available for new implementation, as of July 21st, 2021. As per SailPoint's support policy, all existing SailPoint IdentityNow customers using this legacy integration will be supported until July 2022.

Update an existing sim integration

Update an existing SIM integration.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 12345

The id of the integration.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

The full DTO of the integration containing the updated model

name
required
string or null

Name of the Object

description
string

The description of the integration

type
string

The integration type

attributes
object or null

The attributes map containing the credentials used to configure the integration.

sources
Array of strings

The list of sources (managed resources)

cluster
string

The cluster/proxy

statusMap
object

Custom mapping between the integration result and the provisioning result

request
object

Request data to customize desc and body of the created ticket

object

Before provisioning rule of integration

Responses

Request samples

Content type
application/json
{
  • "name": "aName",
  • "description": "Integration description",
  • "type": "ServiceNow Service Desk",
  • "attributes": "{\"uid\":\"Walter White\",\"firstname\":\"walter\",\"cloudStatus\":\"UNREGISTERED\",\"displayName\":\"Walter White\",\"identificationNumber\":\"942\",\"lastSyncDate\":1470348809380,\"email\":\"walter@gmail.com\",\"lastname\":\"white\"}",
  • "sources": [
    ],
  • "cluster": "xyzzy999",
  • "statusMap": {
    },
  • "request": {
    },
  • "beforeProvisioningRule": {
    }
}

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

Get a sim integration details.

Get the details of a SIM integration.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 12345

The id of the integration.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

Delete a sim integration

Get the details of a SIM integration.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 12345

The id of the integration to delete.

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Patch a sim attribute.

Patch a SIM attribute given a JsonPatch object.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 12345

SIM integration id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json

The JsonPatch object that describes the changes of SIM

Array of objects (Json Patch Operation)

Operations to be applied

Responses

Request samples

Content type
application/json-patch+json
{
  • "operations": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

Patch a sim beforeprovisioningrule attribute.

Patch a SIM beforeProvisioningRule attribute given a JsonPatch object.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 12345

SIM integration id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json-patch+json

The JsonPatch object that describes the changes of SIM beforeProvisioningRule.

Array of objects (Json Patch Operation)

Operations to be applied

Responses

Request samples

Content type
application/json-patch+json
{
  • "operations": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

List the existing sim integrations.

List the existing SIM integrations.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create new sim integration

Create a new SIM Integrations.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json

DTO containing the details of the SIM integration

name
required
string or null

Name of the Object

description
string

The description of the integration

type
string

The integration type

attributes
object or null

The attributes map containing the credentials used to configure the integration.

sources
Array of strings

The list of sources (managed resources)

cluster
string

The cluster/proxy

statusMap
object

Custom mapping between the integration result and the provisioning result

request
object

Request data to customize desc and body of the created ticket

object

Before provisioning rule of integration

Responses

Request samples

Content type
application/json
{
  • "name": "aName",
  • "description": "Integration description",
  • "type": "ServiceNow Service Desk",
  • "attributes": "{\"uid\":\"Walter White\",\"firstname\":\"walter\",\"cloudStatus\":\"UNREGISTERED\",\"displayName\":\"Walter White\",\"identificationNumber\":\"942\",\"lastSyncDate\":1470348809380,\"email\":\"walter@gmail.com\",\"lastname\":\"white\"}",
  • "sources": [
    ],
  • "cluster": "xyzzy999",
  • "statusMap": {
    },
  • "request": {
    },
  • "beforeProvisioningRule": {
    }
}

Response samples

Content type
application/json
{
  • "id": "62945a496ef440189b1f03e3623411c8",
  • "name": "Service Desk Integration Name",
  • "created": "2024-01-17T18:45:25.994Z",
  • "modified": "2024-02-18T18:45:25.994Z",
  • "description": "A very nice Service Desk integration",
  • "type": "ServiceNowSDIM",
  • "ownerRef": {
    },
  • "clusterRef": {
    },
  • "cluster": "xyzzy999",
  • "managedSources": [
    ],
  • "provisioningConfig": {
    },
  • "attributes": {
    },
  • "beforeProvisioningRule": {
    }
}

SOD Policies

Use this API to implement and manage "separation of duties" (SOD) policies. With SOD policy functionality in place, administrators can organize the access in their tenants to prevent individuals from gaining conflicting or excessive access.

"Separation of duties" refers to the concept that people shouldn't have conflicting sets of access - all their access should be configured in a way that protects your organization's assets and data.
For example, people who record monetary transactions shouldn't be able to issue payment for those transactions. Any changes to major system configurations should be approved by someone other than the person requesting the change.

Organizations can use "separation of duties" (SOD) policies to enforce and track their internal security rules throughout their tenants. These SOD policies limit each user's involvement in important processes and protects the organization from individuals gaining excessive access.

To create SOD policies in Identity Security Cloud, administrators use 'Search' and then access 'Policies'. To create a policy, they must configure two lists of access items. Each access item can only be added to one of the two lists. They can search for the entitlements they want to add to these access lists.

Note: You can have a maximum of 500 policies of any type (including general policies) in your organization. In each access-based SOD policy, you can have a maximum of 50 entitlements in each access list.

Once a SOD policy is in place, if an identity has access items on both lists, a SOD violation will trigger. These violations are included in SOD violation reports that other users will see in emails at regular intervals if they're subscribed to the SOD policy. The other users can then better help to enforce these SOD policies.

To create a subscription to a SOD policy in Identity Security Cloud, administrators use 'Search' and then access 'Layers'. They can create a subscription to the policy and schedule it to run at a regular interval.

Refer to Managing Policies for more information about SOD policies.

Refer to Subscribe to a SOD Policy for more information about SOD policy subscriptions.

Create sod policy

This creates both General and Conflicting Access Based policy, with a limit of 50 entitlements for each (left & right) criteria for Conflicting Access Based SOD policy. Requires role of ORG_ADMIN.

Authorizations:
Personal Access Token
Request Body schema: application/json
name
string

Policy Business Name

description
string or null

Optional description of the SOD policy

object

The owner of the SOD policy.

externalPolicyReference
string or null

Optional External Policy Reference

policyQuery
string

Search query of the SOD policy

compensatingControls
string or null

Optional compensating controls(Mitigating Controls)

correctionAdvice
string or null

Optional correction advice

state
string
Enum: "ENFORCED" "NOT_ENFORCED"

whether the policy is enforced or not

tags
Array of strings

tags for this policy object

object (Violation Owner Assignment Config)
scheduled
boolean
Default: false

defines whether a policy has been scheduled or not

type
string
Default: "GENERAL"
Enum: "GENERAL" "CONFLICTING_ACCESS_BASED"

whether a policy is query based or conflicting access based

object or null (Conflicting Access Criteria)

Responses

Request samples

Content type
application/json
Example
{
  • "name": "Conflicting-Policy-Name",
  • "description": "This policy ensures compliance of xyz",
  • "ownerRef": {
    },
  • "externalPolicyReference": "XYZ policy",
  • "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  • "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  • "state": "ENFORCED",
  • "tags": [
    ],
  • "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "violationOwnerAssignmentConfig": {
    },
  • "scheduled": true,
  • "type": "CONFLICTING_ACCESS_BASED",
  • "conflictingAccessCriteria": {
    }
}

Response samples

Content type
application/json
Example
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "Conflicting-Policy-Name",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This policy ensures compliance of xyz",
  • "ownerRef": {
    },
  • "externalPolicyReference": "XYZ policy",
  • "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c9180866166b5b0016167c32ef31a68 OR id:2c9180866166b5b0016167c32ef31a69)",
  • "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  • "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  • "state": "ENFORCED",
  • "tags": [
    ],
  • "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "violationOwnerAssignmentConfig": {
    },
  • "scheduled": true,
  • "type": "CONFLICTING_ACCESS_BASED",
  • "conflictingAccessCriteria": {
    }
}

List sod policies

This gets list of all SOD policies. Requires role of ORG_ADMIN

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "bc693f07e7b645539626c25954c58554"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in

state: eq, in

sorters
string <comma-separated>
Example: sorters=id,name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified, description

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Get sod policy by id

This gets specified SOD policy. Requires role of ORG_ADMIN.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The ID of the SOD Policy to retrieve.

Responses

Response samples

Content type
application/json
Example
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "Conflicting-Policy-Name",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "This policy ensures compliance of xyz",
  • "ownerRef": {
    },
  • "externalPolicyReference": "XYZ policy",
  • "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c9180866166b5b0016167c32ef31a68 OR id:2c9180866166b5b0016167c32ef31a69)",
  • "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  • "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  • "state": "ENFORCED",
  • "tags": [
    ],
  • "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "violationOwnerAssignmentConfig": {
    },
  • "scheduled": true,
  • "type": "CONFLICTING_ACCESS_BASED",
  • "conflictingAccessCriteria": {
    }
}

Update sod policy by id

This updates a specified SOD policy. Requires role of ORG_ADMIN.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The ID of the SOD policy to update.

Request Body schema: application/json
name
string

Policy Business Name

description
string or null

Optional description of the SOD policy

object

The owner of the SOD policy.

externalPolicyReference
string or null

Optional External Policy Reference

policyQuery
string

Search query of the SOD policy

compensatingControls
string or null

Optional compensating controls(Mitigating Controls)

correctionAdvice
string or null

Optional correction advice

state
string
Enum: "ENFORCED" "NOT_ENFORCED"

whether the policy is enforced or not

tags
Array of strings

tags for this policy object

object (Violation Owner Assignment Config)
scheduled
boolean
Default: false

defines whether a policy has been scheduled or not

type
string
Default: "GENERAL"
Enum: "GENERAL" "CONFLICTING_ACCESS_BASED"

whether a policy is query based or conflicting access based

object or null (Conflicting Access Criteria)

Responses

Request samples

Content type
application/json
Example
{
  • "name": "Conflicting-Policy-Name",
  • "description": "Modified Description",
  • "externalPolicyReference": "XYZ policy",
  • "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  • "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  • "state": "ENFORCED",
  • "tags": [
    ],
  • "violationOwnerAssignmentConfig": {
    },
  • "scheduled": true,
  • "type": "CONFLICTING_ACCESS_BASED",
  • "conflictingAccessCriteria": {
    }
}

Response samples

Content type
application/json
Example
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "Conflicting-Policy-Name",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "Modified description",
  • "ownerRef": {
    },
  • "externalPolicyReference": "XYZ policy",
  • "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c9180866166b5b0016167c32ef31a68 OR id:2c9180866166b5b0016167c32ef31a69)",
  • "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  • "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  • "state": "ENFORCED",
  • "tags": [
    ],
  • "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "violationOwnerAssignmentConfig": {
    },
  • "scheduled": true,
  • "type": "CONFLICTING_ACCESS_BASED",
  • "conflictingAccessCriteria": {
    }
}

Delete sod policy by id

This deletes a specified SOD policy. Requires role of ORG_ADMIN.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The ID of the SOD Policy to delete.

query Parameters
logical
boolean
Default: true
Example: logical=true

Indicates whether this is a soft delete (logical true) or a hard delete. Soft delete marks the policy as deleted and just save it with this status. It could be fully deleted or recovered further. Hard delete vise versa permanently delete SOD request during this call.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Patch sod policy by id

Allows updating SOD Policy fields other than ["id","created","creatorId","policyQuery","type"] using the JSON Patch standard. Requires role of ORG_ADMIN. This endpoint can only patch CONFLICTING_ACCESS_BASED type policies. Do not use this endpoint to patch general policies - doing so will build an API exception.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c918083-5d19-1a86-015d-28455b4a2329

The ID of the SOD policy being modified.

Request Body schema: application/json-patch+json

A list of SOD Policy update operations according to the JSON Patch standard.

The following fields are patchable:

  • name
  • description
  • ownerRef
  • externalPolicyReference
  • compensatingControls
  • correctionAdvice
  • state
  • tags
  • violationOwnerAssignmentConfig
  • scheduled
  • conflictingAccessCriteria
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
Example
[
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
Example
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "Conflicting-Policy-Name",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "Modified description",
  • "ownerRef": {
    },
  • "externalPolicyReference": "XYZ policy",
  • "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c918087682f9a86016839c0509c1ab2)",
  • "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
  • "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
  • "state": "ENFORCED",
  • "tags": [
    ],
  • "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "violationOwnerAssignmentConfig": {
    },
  • "scheduled": true,
  • "type": "CONFLICTING_ACCESS_BASED",
  • "conflictingAccessCriteria": {
    }
}

Evaluate one policy by id

Runs the scheduled report for the policy retrieved by passed policy ID. The report schedule is fetched from the policy retrieved by ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The SOD policy ID to run.

Responses

Response samples

Content type
application/json
{
  • "status": "PENDING",
  • "type": "REPORT_RESULT",
  • "id": "37b3b32a-f394-46f8-acad-b5223969fa68",
  • "name": "Multi Query Report"
}

Get sod policy schedule

This endpoint gets a specified SOD policy's schedule.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The ID of the SOD policy schedule to retrieve.

Responses

Response samples

Content type
application/json
{
  • "name": "SCH-1584312283015",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "Schedule for policy xyz",
  • "schedule": {
    },
  • "recipients": [
    ],
  • "emailEmptyResults": false,
  • "creatorId": "0f11f2a47c944bf3a2bd742580fe3bde",
  • "modifierId": "0f11f2a47c944bf3a2bd742580fe3bde"
}

Update sod policy schedule

This updates schedule for a specified SOD policy.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The ID of the SOD policy to update its schedule.

Request Body schema: application/json
name
string

SOD Policy schedule name

description
string

SOD Policy schedule description

object (Schedule-3)

The schedule information.

Array of objects (Sod Recipient)
emailEmptyResults
boolean
Default: false

Indicates if empty results need to be emailed

Responses

Request samples

Content type
application/json
{
  • "name": "SCH-1584312283015",
  • "description": "Schedule for policy xyz",
  • "schedule": {
    },
  • "recipients": [
    ],
  • "emailEmptyResults": false
}

Response samples

Content type
application/json
{
  • "name": "SCH-1584312283015",
  • "created": "2020-01-01T00:00:00.000000Z",
  • "modified": "2020-01-01T00:00:00.000000Z",
  • "description": "Schedule for policy xyz",
  • "schedule": {
    },
  • "recipients": [
    ],
  • "emailEmptyResults": false,
  • "creatorId": "0f11f2a47c944bf3a2bd742580fe3bde",
  • "modifierId": "0f11f2a47c944bf3a2bd742580fe3bde"
}

Delete sod policy schedule

This deletes schedule for a specified SOD policy by ID.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The ID of the SOD policy the schedule must be deleted for.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Runs sod policy violation report

This invokes processing of violation report for given SOD policy. If the policy reports more than 5000 violations, the report returns with violation limit exceeded message.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The SOD policy ID to run.

Responses

Response samples

Content type
application/json
{
  • "status": "PENDING",
  • "type": "REPORT_RESULT",
  • "id": "2e8d8180-24bc-4d21-91c6-7affdb473b0d",
  • "name": "policy-xyz"
}

Get sod violation report status

This gets the status for a violation report run task that has already been invoked.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f943-47e9-4562-b5bb-8424a56397d8

The ID of the violation report to retrieve status for.

Responses

Response samples

Content type
application/json
{
  • "status": "SUCCESS",
  • "type": "REPORT_RESULT",
  • "id": "2e8d8180-24bc-4d21-91c6-7affdb473b0d",
  • "name": "policy-xyz"
}

Get violation report run status

This gets the status for a violation report run task that has already been invoked.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
reportResultId
required
string
Example: 2e8d8180-24bc-4d21-91c6-7affdb473b0d

The ID of the report reference to retrieve.

Responses

Response samples

Content type
application/json
{
  • "status": "SUCCESS",
  • "type": "REPORT_RESULT",
  • "id": "2e8d8180-24bc-4d21-91c6-7affdb473b0d",
  • "name": "policy-xyz"
}

Runs all policies for org

Runs multi-policy report for the org. If a policy reports more than 5000 violations, the report mentions that the violation limit was exceeded for that policy. If the request is empty, the report runs for all policies. Otherwise, the report runs for only the filtered policy list provided.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
filteredPolicyList
Array of strings

Multi-policy report will be run for this list of ids

Responses

Request samples

Content type
application/json
{
  • "filteredPolicyList": [
    ]
}

Response samples

Content type
application/json
{
  • "status": "PENDING",
  • "type": "REPORT_RESULT",
  • "id": "37b3b32a-f394-46f8-acad-b5223969fa68",
  • "name": "Multi Query Report"
}

Get multi-report run task status

This endpoint gets the status for a violation report for all policy run.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
{
  • "status": "SUCCESS",
  • "type": "REPORT_RESULT",
  • "id": "37b3b32a-f394-46f8-acad-b5223969fa68",
  • "name": "Multi Query Report"
}

Download violation report

This allows to download a violation report for a given report reference.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
reportResultId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the report reference to download.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Download custom violation report

This allows to download a specified named violation report for a given report reference.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
reportResultId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the report reference to download.

fileName
required
string
Example: custom-name

Custom Name for the file.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

SOD Violations

Use this API to check for current "separation of duties" (SOD) policy violations as well as potential future SOD policy violations. With SOD violation functionality in place, administrators can get information about current SOD policy violations and predict whether an access change will trigger new violations, which helps to prevent them from occurring at all.

"Separation of duties" refers to the concept that people shouldn't have conflicting sets of access - all their access should be configured in a way that protects your organization's assets and data.
For example, people who record monetary transactions shouldn't be able to issue payment for those transactions. Any changes to major system configurations should be approved by someone other than the person requesting the change.

Organizations can use "separation of duties" (SOD) policies to enforce and track their internal security rules throughout their tenants. These SOD policies limit each user's involvement in important processes and protects the organization from individuals gaining excessive access.

Once a SOD policy is in place, if an identity has conflicting access items, a SOD violation will trigger. These violations are included in SOD violation reports that other users will see in emails at regular intervals if they're subscribed to the SOD policy. The other users can then better help to enforce these SOD policies.

Administrators can use the SOD violations APIs to check a set of identities for any current SOD violations, and they can use them to check whether adding an access item would potentially trigger a SOD violation. This second option is a good way to prevent SOD violations from triggering at all.

Refer to Handling Policy Violations for more information about SOD policy violations.

Predict sod violations for identity.

This API is used to check if granting some additional accesses would cause the subject to be in violation of any SOD policies. Returns the violations that would be caused.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
identityId
required
string

Identity id to be checked.

required
Array of objects

The list of entitlements to consider for possible violations in a preventive check.

Responses

Request samples

Content type
application/json
{
  • "identityId": "2c91808568c529c60168cca6f90c1313",
  • "accessRefs": [
    ]
}

Response samples

Content type
application/json
{
  • "violationContexts": [
    ]
}

Check sod violations

This API initiates a SOD policy verification asynchronously.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
identityId
required
string

Identity id to be checked.

required
Array of objects

The list of entitlements to consider for possible violations in a preventive check.

Responses

Request samples

Content type
application/json
{
  • "identityId": "2c91808568c529c60168cca6f90c1313",
  • "accessRefs": [
    ],
  • "clientMetadata": {
    }
}

Response samples

Content type
application/json
{
  • "requestId": "089899f13a8f4da7824996191587bab9",
  • "created": "2020-01-01T00:00:00.000000Z"
}

Source Usages

Use this API to implement source usage insight functionality. With this functionality in place, administrators can gather information and insights about how their tenants' sources are being used. This allows organizations to get the information they need to start optimizing and securing source usage.

Finds status of source usage

This API returns the status of the source usage insights setup by IDN source ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

ID of IDN source

Responses

Response samples

Content type
application/json
{
  • "status": "COMPLETE"
}

Returns source usage insights

This API returns a summary of source usage insights for past 12 months.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

ID of IDN source

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

sorters
string <comma-separated>
Example: sorters=-date

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: date

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Sources

Use this API to implement and customize source functionality. With source functionality in place, organizations can use Identity Security Cloud to connect their various sources and user data sets and manage access across all those different sources in a secure, scalable way.

Sources refer to the Identity Security Cloud representations for external applications, databases, and directory management systems that maintain their own sets of users, like Dropbox, GitHub, and Workday, for example. Organizations may use hundreds, if not thousands, of different source systems, and any one employee within an organization likely has a different user record on each source, often with different permissions on many of those records. Connecting these sources to Identity Security Cloud makes it possible to manage user access across them all. Then, if a new hire starts at an organization, Identity Security Cloud can grant the new hire access to all the sources they need. If an employee moves to a new department and needs access to new sources but no longer needs access to others, Identity Security Cloud can grant the necessary access and revoke the unnecessary access for all the employee's various sources. If an employee leaves the company, Identity Security Cloud can revoke access to all the employee's various source accounts immediately. These are just a few examples of the many ways that source functionality makes identity governance easier, more efficient, and more secure.

In Identity Security Cloud, administrators can create configure, manage, and edit sources, and they can designate other users as source admins to be able to do so. They can also designate users as source sub-admins, who can perform the same source actions but only on sources associated with their governance groups. Admins go to Connections > Sources to see a list of the existing source representations in their organizations. They can create new sources or select existing ones.

To create a new source, the following must be specified: Source Name, Description, Source Owner, and Connection Type. Refer to Configuring a Source for more information about the source configuration process.

Identity Security Cloud connects with its sources either by a direct communication with the source server (connection information specific to the source must be provided) or a flat file feed, a CSV file containing all the relevant information about the accounts to be loaded in. Different sources use different connectors to share data with Identity Security Cloud, and each connector's setup process is specific to that connector. SailPoint has built a number of connectors to come out of the box and connect to the most common sources, and SailPoint actively maintains these connectors. Refer to Identity Security Cloud Connectors for more information about these SailPoint supported connectors. Refer to the following links for more information about two useful connectors:

  • JDBC Connector: This customizable connector an directly connect to databases that support JDBC (Java Database Connectivity).

  • Web Services Connector: This connector can directly connect to databases that support Web Services.

Refer to SaaS Connectivity for more information about SailPoint's new connectivity framework that makes it easy to build and manage custom connectors to SaaS sources.

When admins select existing sources, they can view the following information about the source:

  • Associated connections (any associated identity profiles, apps, or references to the source in a transform).

  • Associated user accounts. These accounts are linked to their identities - this provides a more complete picture of each user's access across sources.

  • Associated entitlements (sets of access rights on sources).

  • Associated access profiles (groupings of entitlements).

The user account data and the entitlements update with each data aggregation from the source. Organizations generally run scheduled, automated data aggregations to ensure that their data is always in sync between their sources and their Identity Security Cloud tenants so an access change on a source is detected quickly in Identity Security Cloud. Admins can view a history of these aggregations, and they can also run manual imports. Refer to Loading Account Data for more information about manual and scheduled aggregations.

Admins can also make changes to determine which user account data Identity Security Cloud collects from the source and how it correlates that account data with identity data. To define which account attributes the source shares with Identity Security Cloud, admins can edit the account schema on the source. Refer to Managing Source Account Schemas for more information about source account schemas and how to edit them. To define the mapping between the source account attributes and their correlating identity attributes, admins can edit the correlation configuration on the source. Refer to Assigning Source Accounts to Identities for more information about this correlation process between source accounts and identities.

Admins can also delete sources, but they must first ensure that the sources no longer have any active connections: the source must not be associated with any identity profile or any app, and it must not be referenced by any transform. Refer to Deleting Sources for more information about deleting sources.

Well organized, mapped out connections between sources and Identity Security Cloud are essential to achieving comprehensive identity access governance across all the source systems organizations need. Refer to Managing Sources for more information about all the different things admins can do with sources once they are connected.

Lists all sources in identitynow.

This end-point lists all the sources in IdentityNow.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=name eq "Employees"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in, ge, gt, le, lt, ne, isnull, sw

name: co, eq, in, sw, ge, gt, ne, isnull

type: eq, in, ge, gt, ne, isnull, sw

owner.id: eq, in, ge, gt, le, lt, ne, isnull, sw

features: ca, co

created: eq, ge, gt, in, le, lt, ne, isnull, sw

modified: eq, ge, gt, in, le, lt, ne, isnull, sw

managementWorkgroup.id: eq, ge, gt, in, le, lt, ne, isnull, sw

description: eq, sw

authoritative: eq, ne, isnull

healthy: isnull

status: eq, in, ge, gt, le, lt, ne, isnull, sw

connectionType: eq, ge, gt, in, le, lt, ne, isnull, sw

connectorName: eq, ge, gt, in, ne, isnull, sw

category: co, eq, ge, gt, in, le, lt, ne, sw

sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: type, created, modified, name, owner.name, healthy, status, id, description, owner.id, accountCorrelationConfig.id, accountCorrelationConfig.name, managerCorrelationRule.type, managerCorrelationRule.id, managerCorrelationRule.name, authoritative, managementWorkgroup.id, connectorName, connectionType

for-subadmin
string
Example: for-subadmin=name

Filter the returned list of sources for the identity specified by the parameter, which is the id of an identity with the role SOURCE_SUBADMIN. By convention, the value me indicates the identity id of the current user. Subadmins may only view Sources which they are able to administer; all other Sources will be filtered out when this parameter is set. If the current user is a SOURCE_SUBADMIN but fails to pass a valid value for this parameter, a 403 Forbidden is returned.

includeIDNSource
boolean
Default: false
Example: includeIDNSource=true

Include the IdentityNow source in the response.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Creates a source in identitynow.

This creates a specific source with a full source JSON representation. Any passwords are submitted as plain-text and encrypted upon receipt in IdentityNow.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
provisionAsCsv
boolean

If this parameter is true, it configures the source as a Delimited File (CSV) source. Setting this to true will automatically set the type of the source to DelimitedFile. You must use this query parameter to create a Delimited File source as you would in the UI. If you don't set this query parameter and you attempt to set the type attribute directly, the request won't correctly generate the source.

Request Body schema: application/json
name
required
string

Source's human-readable name.

description
string

Source's human-readable description.

required
object or null

Reference to identity object who owns the source.

object or null

Reference to the source's associated cluster.

object or null

Reference to account correlation config object.

object or null

Reference to a rule that can do COMPLEX correlation. Only use this rule when you can't use accountCorrelationConfig.

object or null (Manager Correlation Mapping)

Filter object used during manager correlation to match incoming manager values to an existing manager's account/identity.

object or null

Reference to the ManagerCorrelationRule. Only use this rule when a simple filter isn't sufficient.

object or null

Rule that runs on the CCG and allows for customization of provisioning plans before the API calls the connector.

Array of objects

List of references to schema objects.

Array of objects or null

List of references to the associated PasswordPolicy objects.

features
Array of strings (SourceFeature)
Items Enum: "AUTHENTICATE" "COMPOSITE" "DIRECT_PERMISSIONS" "DISCOVER_SCHEMA" "ENABLE" "MANAGER_LOOKUP" "NO_RANDOM_ACCESS" "PROXY" "SEARCH" "TEMPLATE" "UNLOCK" "UNSTRUCTURED_TARGETS" "SHAREPOINT_TARGET" "PROVISIONING" "GROUP_PROVISIONING" "SYNC_PROVISIONING" "PASSWORD" "CURRENT_PASSWORD" "ACCOUNT_ONLY_REQUEST" "ADDITIONAL_ACCOUNT_REQUEST" "NO_AGGREGATION" "GROUPS_HAVE_MEMBERS" "NO_PERMISSIONS_PROVISIONING" "NO_GROUP_PERMISSIONS_PROVISIONING" "NO_UNSTRUCTURED_TARGETS_PROVISIONING" "NO_DIRECT_PERMISSIONS_PROVISIONING" "PREFER_UUID" "ARM_SECURITY_EXTRACT" "ARM_UTILIZATION_EXTRACT" "ARM_CHANGELOG_EXTRACT" "USES_UUID" "APPLICATION_DISCOVERY" "DELETE"

Optional features that can be supported by a source. Modifying the features array may cause source configuration errors that are unsupportable. It is recommended to not modify this array for SailPoint supported connectors.

  • AUTHENTICATE: The source supports pass-through authentication.
  • COMPOSITE: The source supports composite source creation.
  • DIRECT_PERMISSIONS: The source supports returning DirectPermissions.
  • DISCOVER_SCHEMA: The source supports discovering schemas for users and groups.
  • ENABLE The source supports reading if an account is enabled or disabled.
  • MANAGER_LOOKUP: The source supports looking up managers as they are encountered in a feed. This is the opposite of NO_RANDOM_ACCESS.
  • NO_RANDOM_ACCESS: The source does not support random access and the getObject() methods should not be called and expected to perform.
  • PROXY: The source can serve as a proxy for another source. When an source has a proxy, all connector calls made with that source are redirected through the connector for the proxy source.
  • SEARCH
  • TEMPLATE
  • UNLOCK: The source supports reading if an account is locked or unlocked.
  • UNSTRUCTURED_TARGETS: The source supports returning unstructured Targets.
  • SHAREPOINT_TARGET: The source supports returning unstructured Target data for SharePoint. It will be typically used by AD, LDAP sources.
  • PROVISIONING: The source can both read and write accounts. Having this feature implies that the provision() method is implemented. It also means that direct and target permissions can also be provisioned if they can be returned by aggregation.
  • GROUP_PROVISIONING: The source can both read and write groups. Having this feature implies that the provision() method is implemented.
  • SYNC_PROVISIONING: The source can provision accounts synchronously.
  • PASSWORD: The source can provision password changes. Since sources can never read passwords, this is should only be used in conjunction with the PROVISIONING feature.
  • CURRENT_PASSWORD: Some source types support verification of the current password
  • ACCOUNT_ONLY_REQUEST: The source supports requesting accounts without entitlements.
  • ADDITIONAL_ACCOUNT_REQUEST: The source supports requesting additional accounts.
  • NO_AGGREGATION: A source that does not support aggregation.
  • GROUPS_HAVE_MEMBERS: The source models group memberships with a member attribute on the group object rather than a groups attribute on the account object. This effects the implementation of delta account aggregation.
  • NO_PERMISSIONS_PROVISIONING: Indicates that the connector cannot provision direct or target permissions for accounts. When DIRECT_PERMISSIONS and PROVISIONING features are present, it is assumed that the connector can also provision direct permissions. This feature disables that assumption and causes permission request to be converted to work items for accounts.
  • NO_GROUP_PERMISSIONS_PROVISIONING: Indicates that the connector cannot provision direct or target permissions for groups. When DIRECT_PERMISSIONS and PROVISIONING features are present, it is assumed that the connector can also provision direct permissions. This feature disables that assumption and causes permission request to be converted to work items for groups.
  • NO_UNSTRUCTURED_TARGETS_PROVISIONING: This string will be replaced by NO_GROUP_PERMISSIONS_PROVISIONING and NO_PERMISSIONS_PROVISIONING.
  • NO_DIRECT_PERMISSIONS_PROVISIONING: This string will be replaced by NO_GROUP_PERMISSIONS_PROVISIONING and NO_PERMISSIONS_PROVISIONING.
  • USES_UUID: Connectivity 2.0 flag used to indicate that the connector supports a compound naming structure.
  • PREFER_UUID: Used in ISC Provisioning AND Aggregation to decide if it should prefer account.uuid to account.nativeIdentity when data is read in through aggregation OR pushed out through provisioning.
  • ARM_SECURITY_EXTRACT: Indicates the application supports Security extracts for ARM
  • ARM_UTILIZATION_EXTRACT: Indicates the application supports Utilization extracts for ARM
  • ARM_CHANGELOG_EXTRACT: Indicates the application supports Change-log extracts for ARM
type
string

Specifies the type of system being managed e.g. Active Directory, Workday, etc.. If you are creating a delimited file source, you must set the provisionasCsv query parameter to true.

connector
required
string

Connector script name.

connectorClass
string

Fully qualified name of the Java class that implements the connector interface.

connectorAttributes
object

Connector specific configuration. This configuration will differ from type to type.

deleteThreshold
integer <int32>

Number from 0 to 100 that specifies when to skip the delete phase.

authoritative
boolean
Default: false

When this is true, it indicates that the source is referenced by an identity profile.

object or null

Reference to management workgroup for the source.

healthy
boolean
Default: false

When this is true, it indicates that the source is healthy.

status
string
Enum: "SOURCE_STATE_ERROR_ACCOUNT_FILE_IMPORT" "SOURCE_STATE_ERROR_CLUSTER" "SOURCE_STATE_ERROR_SOURCE" "SOURCE_STATE_ERROR_VA" "SOURCE_STATE_FAILURE_CLUSTER" "SOURCE_STATE_FAILURE_SOURCE" "SOURCE_STATE_HEALTHY" "SOURCE_STATE_UNCHECKED_CLUSTER" "SOURCE_STATE_UNCHECKED_CLUSTER_NO_SOURCES" "SOURCE_STATE_UNCHECKED_SOURCE" "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS"

Status identifier that gives specific information about why a source is or isn't healthy.

since
string

Timestamp that shows when a source health check was last performed.

connectorId
string

Connector ID

connectorName
string

Name of the connector that was chosen during source creation.

connectionType
string

Type of connection (direct or file).

connectorImplementationId
string

Connector implementation ID.

created
string <date-time>

Date-time when the source was created

modified
string <date-time>

Date-time when the source was last modified.

credentialProviderEnabled
boolean
Default: false

If this is true, it enables a credential provider for the source. If credentialProvider is turned on, then the source can use credential provider(s) to fetch credentials.

category
string or null
Default: null

Source category (e.g. null, CredentialProvider).

Responses

Request samples

Content type
application/json
{
  • "name": "My Source",
  • "description": "This is the corporate directory.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "OpenLDAP - Direct",
  • "connector": "active-directory",
  • "connectorClass": "sailpoint.connector.LDAPConnector",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "active-directory",
  • "connectorName": "Active Directory",
  • "connectionType": "file",
  • "connectorImplementationId": "delimited-file",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider"
}

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "name": "My Source",
  • "description": "This is the corporate directory.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "OpenLDAP - Direct",
  • "connector": "active-directory",
  • "connectorClass": "sailpoint.connector.LDAPConnector",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "active-directory",
  • "connectorName": "Active Directory",
  • "connectionType": "file",
  • "connectorImplementationId": "delimited-file",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider"
}

Get source by id

Use this API to get a source by a specified ID in Identity Security Cloud (ISC).

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "name": "My Source",
  • "description": "This is the corporate directory.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "OpenLDAP - Direct",
  • "connector": "active-directory",
  • "connectorClass": "sailpoint.connector.LDAPConnector",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "active-directory",
  • "connectorName": "Active Directory",
  • "connectionType": "file",
  • "connectorImplementationId": "delimited-file",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider"
}

Update source (full)

Use this API to update a source in Identity Security Cloud (ISC), using a full object representation. This means that when you use this API, it completely replaces the existing source configuration.

These fields are immutable, so they cannot be changed:

  • id
  • type
  • authoritative
  • connector
  • connectorClass
  • passwordPolicies

Attempts to modify these fields will result in a 400 error.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

Request Body schema: application/json
name
required
string

Source's human-readable name.

description
string

Source's human-readable description.

required
object or null

Reference to identity object who owns the source.

object or null

Reference to the source's associated cluster.

object or null

Reference to account correlation config object.

object or null

Reference to a rule that can do COMPLEX correlation. Only use this rule when you can't use accountCorrelationConfig.

object or null (Manager Correlation Mapping)

Filter object used during manager correlation to match incoming manager values to an existing manager's account/identity.

object or null

Reference to the ManagerCorrelationRule. Only use this rule when a simple filter isn't sufficient.

object or null

Rule that runs on the CCG and allows for customization of provisioning plans before the API calls the connector.

Array of objects

List of references to schema objects.

Array of objects or null

List of references to the associated PasswordPolicy objects.

features
Array of strings (SourceFeature)
Items Enum: "AUTHENTICATE" "COMPOSITE" "DIRECT_PERMISSIONS" "DISCOVER_SCHEMA" "ENABLE" "MANAGER_LOOKUP" "NO_RANDOM_ACCESS" "PROXY" "SEARCH" "TEMPLATE" "UNLOCK" "UNSTRUCTURED_TARGETS" "SHAREPOINT_TARGET" "PROVISIONING" "GROUP_PROVISIONING" "SYNC_PROVISIONING" "PASSWORD" "CURRENT_PASSWORD" "ACCOUNT_ONLY_REQUEST" "ADDITIONAL_ACCOUNT_REQUEST" "NO_AGGREGATION" "GROUPS_HAVE_MEMBERS" "NO_PERMISSIONS_PROVISIONING" "NO_GROUP_PERMISSIONS_PROVISIONING" "NO_UNSTRUCTURED_TARGETS_PROVISIONING" "NO_DIRECT_PERMISSIONS_PROVISIONING" "PREFER_UUID" "ARM_SECURITY_EXTRACT" "ARM_UTILIZATION_EXTRACT" "ARM_CHANGELOG_EXTRACT" "USES_UUID" "APPLICATION_DISCOVERY" "DELETE"

Optional features that can be supported by a source. Modifying the features array may cause source configuration errors that are unsupportable. It is recommended to not modify this array for SailPoint supported connectors.

  • AUTHENTICATE: The source supports pass-through authentication.
  • COMPOSITE: The source supports composite source creation.
  • DIRECT_PERMISSIONS: The source supports returning DirectPermissions.
  • DISCOVER_SCHEMA: The source supports discovering schemas for users and groups.
  • ENABLE The source supports reading if an account is enabled or disabled.
  • MANAGER_LOOKUP: The source supports looking up managers as they are encountered in a feed. This is the opposite of NO_RANDOM_ACCESS.
  • NO_RANDOM_ACCESS: The source does not support random access and the getObject() methods should not be called and expected to perform.
  • PROXY: The source can serve as a proxy for another source. When an source has a proxy, all connector calls made with that source are redirected through the connector for the proxy source.
  • SEARCH
  • TEMPLATE
  • UNLOCK: The source supports reading if an account is locked or unlocked.
  • UNSTRUCTURED_TARGETS: The source supports returning unstructured Targets.
  • SHAREPOINT_TARGET: The source supports returning unstructured Target data for SharePoint. It will be typically used by AD, LDAP sources.
  • PROVISIONING: The source can both read and write accounts. Having this feature implies that the provision() method is implemented. It also means that direct and target permissions can also be provisioned if they can be returned by aggregation.
  • GROUP_PROVISIONING: The source can both read and write groups. Having this feature implies that the provision() method is implemented.
  • SYNC_PROVISIONING: The source can provision accounts synchronously.
  • PASSWORD: The source can provision password changes. Since sources can never read passwords, this is should only be used in conjunction with the PROVISIONING feature.
  • CURRENT_PASSWORD: Some source types support verification of the current password
  • ACCOUNT_ONLY_REQUEST: The source supports requesting accounts without entitlements.
  • ADDITIONAL_ACCOUNT_REQUEST: The source supports requesting additional accounts.
  • NO_AGGREGATION: A source that does not support aggregation.
  • GROUPS_HAVE_MEMBERS: The source models group memberships with a member attribute on the group object rather than a groups attribute on the account object. This effects the implementation of delta account aggregation.
  • NO_PERMISSIONS_PROVISIONING: Indicates that the connector cannot provision direct or target permissions for accounts. When DIRECT_PERMISSIONS and PROVISIONING features are present, it is assumed that the connector can also provision direct permissions. This feature disables that assumption and causes permission request to be converted to work items for accounts.
  • NO_GROUP_PERMISSIONS_PROVISIONING: Indicates that the connector cannot provision direct or target permissions for groups. When DIRECT_PERMISSIONS and PROVISIONING features are present, it is assumed that the connector can also provision direct permissions. This feature disables that assumption and causes permission request to be converted to work items for groups.
  • NO_UNSTRUCTURED_TARGETS_PROVISIONING: This string will be replaced by NO_GROUP_PERMISSIONS_PROVISIONING and NO_PERMISSIONS_PROVISIONING.
  • NO_DIRECT_PERMISSIONS_PROVISIONING: This string will be replaced by NO_GROUP_PERMISSIONS_PROVISIONING and NO_PERMISSIONS_PROVISIONING.
  • USES_UUID: Connectivity 2.0 flag used to indicate that the connector supports a compound naming structure.
  • PREFER_UUID: Used in ISC Provisioning AND Aggregation to decide if it should prefer account.uuid to account.nativeIdentity when data is read in through aggregation OR pushed out through provisioning.
  • ARM_SECURITY_EXTRACT: Indicates the application supports Security extracts for ARM
  • ARM_UTILIZATION_EXTRACT: Indicates the application supports Utilization extracts for ARM
  • ARM_CHANGELOG_EXTRACT: Indicates the application supports Change-log extracts for ARM
type
string

Specifies the type of system being managed e.g. Active Directory, Workday, etc.. If you are creating a delimited file source, you must set the provisionasCsv query parameter to true.

connector
required
string

Connector script name.

connectorClass
string

Fully qualified name of the Java class that implements the connector interface.

connectorAttributes
object

Connector specific configuration. This configuration will differ from type to type.

deleteThreshold
integer <int32>

Number from 0 to 100 that specifies when to skip the delete phase.

authoritative
boolean
Default: false

When this is true, it indicates that the source is referenced by an identity profile.

object or null

Reference to management workgroup for the source.

healthy
boolean
Default: false

When this is true, it indicates that the source is healthy.

status
string
Enum: "SOURCE_STATE_ERROR_ACCOUNT_FILE_IMPORT" "SOURCE_STATE_ERROR_CLUSTER" "SOURCE_STATE_ERROR_SOURCE" "SOURCE_STATE_ERROR_VA" "SOURCE_STATE_FAILURE_CLUSTER" "SOURCE_STATE_FAILURE_SOURCE" "SOURCE_STATE_HEALTHY" "SOURCE_STATE_UNCHECKED_CLUSTER" "SOURCE_STATE_UNCHECKED_CLUSTER_NO_SOURCES" "SOURCE_STATE_UNCHECKED_SOURCE" "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS"

Status identifier that gives specific information about why a source is or isn't healthy.

since
string

Timestamp that shows when a source health check was last performed.

connectorId
string

Connector ID

connectorName
string

Name of the connector that was chosen during source creation.

connectionType
string

Type of connection (direct or file).

connectorImplementationId
string

Connector implementation ID.

created
string <date-time>

Date-time when the source was created

modified
string <date-time>

Date-time when the source was last modified.

credentialProviderEnabled
boolean
Default: false

If this is true, it enables a credential provider for the source. If credentialProvider is turned on, then the source can use credential provider(s) to fetch credentials.

category
string or null
Default: null

Source category (e.g. null, CredentialProvider).

Responses

Request samples

Content type
application/json
{
  • "name": "My Source",
  • "description": "This is the corporate directory.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "OpenLDAP - Direct",
  • "connector": "active-directory",
  • "connectorClass": "sailpoint.connector.LDAPConnector",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "active-directory",
  • "connectorName": "Active Directory",
  • "connectionType": "file",
  • "connectorImplementationId": "delimited-file",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider"
}

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "name": "My Source",
  • "description": "This is the corporate directory.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "OpenLDAP - Direct",
  • "connector": "active-directory",
  • "connectorClass": "sailpoint.connector.LDAPConnector",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "active-directory",
  • "connectorName": "Active Directory",
  • "connectionType": "file",
  • "connectorImplementationId": "delimited-file",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider"
}

Update source (partial)

Use this API to partially update a source in Identity Security Cloud (ISC), using a list of patch operations according to the JSON Patch standard.

These fields are immutable, so they cannot be changed:

  • id
  • type
  • authoritative
  • created
  • modified
  • connector
  • connectorClass
  • passwordPolicies

Attempts to modify these fields will result in a 400 error.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

Request Body schema: application/json-patch+json

A list of account update operations according to the JSON Patch standard. Any password changes are submitted as plain-text and encrypted upon receipt in Identity Security Cloud (ISC).

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
Example

This example shows how to edit a source description.

[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "name": "My Source",
  • "description": "This is the corporate directory.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "OpenLDAP - Direct",
  • "connector": "active-directory",
  • "connectorClass": "sailpoint.connector.LDAPConnector",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "active-directory",
  • "connectorName": "Active Directory",
  • "connectionType": "file",
  • "connectorImplementationId": "delimited-file",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider"
}

Delete source by id

Use this API to delete a specific source in Identity Security Cloud (ISC). The API removes all the accounts on the source first, and then it deletes the source. You can retrieve the actual task execution status with this method: GET /task-status/{id}

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

Responses

Response samples

Content type
application/json
{
  • "type": "TASK_RESULT",
  • "id": "2c91808779ecf55b0179f720942f181a",
  • "name": null
}

Lists provisioningpolicies

This end-point lists all the ProvisioningPolicies in IdentityNow.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create provisioning policy

This API generates a create policy/template based on field value transforms. This API is intended for use when setting up JDBC Provisioning type sources, but it will also work on other source types. Transforms can be used in the provisioning policy to create a new attribute that you only need during provisioning. Refer to Transforms in Provisioning Policies for more information.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id

Request Body schema: application/json
name
required
string or null

the provisioning policy name

description
string

the description of the provisioning policy

usageType
string (UsageType)
Enum: "CREATE" "UPDATE" "ENABLE" "DISABLE" "DELETE" "ASSIGN" "UNASSIGN" "CREATE_GROUP" "UPDATE_GROUP" "DELETE_GROUP" "REGISTER" "CREATE_IDENTITY" "UPDATE_IDENTITY" "EDIT_GROUP" "UNLOCK" "CHANGE_PASSWORD"

The type of provisioning policy usage. In IdentityNow, a source can support various provisioning operations. For example, when a joiner is added to a source, this may trigger both CREATE and UPDATE provisioning operations. Each usage type is considered a provisioning policy. A source can have any number of these provisioning policies defined. These are the common usage types: CREATE - This usage type relates to 'Create Account Profile', the provisioning template for the account to be created. For example, this would be used for a joiner on a source.
UPDATE - This usage type relates to 'Update Account Profile', the provisioning template for the 'Update' connector operations. For example, this would be used for an attribute sync on a source. ENABLE - This usage type relates to 'Enable Account Profile', the provisioning template for the account to be enabled. For example, this could be used for a joiner on a source once the joiner's account is created. DISABLE - This usage type relates to 'Disable Account Profile', the provisioning template for the account to be disabled. For example, this could be used when a leaver is removed temporarily from a source. You can use these four usage types for all your provisioning policy needs.

Array of objects (Field Details Dto)

Responses

Request samples

Content type
application/json
{
  • "name": "Account",
  • "description": "Account Provisioning Policy",
  • "usageType": "CREATE",
  • "fields": [
    ]
}

Response samples

Content type
application/json
{
  • "name": "example provisioning policy for inactive identities",
  • "description": "this provisioning policy creates access based on an identity going inactive",
  • "usageType": "CREATE",
  • "fields": [
    ]
}

Get provisioning policy by usagetype

This end-point retrieves the ProvisioningPolicy with the specified usage on the specified Source in IdentityNow.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source ID.

usageType
required
string (UsageType)
Enum: "CREATE" "UPDATE" "ENABLE" "DISABLE" "DELETE" "ASSIGN" "UNASSIGN" "CREATE_GROUP" "UPDATE_GROUP" "DELETE_GROUP" "REGISTER" "CREATE_IDENTITY" "UPDATE_IDENTITY" "EDIT_GROUP" "UNLOCK" "CHANGE_PASSWORD"
Example: CREATE

The type of provisioning policy usage. In IdentityNow, a source can support various provisioning operations. For example, when a joiner is added to a source, this may trigger both CREATE and UPDATE provisioning operations. Each usage type is considered a provisioning policy. A source can have any number of these provisioning policies defined. These are the common usage types: CREATE - This usage type relates to 'Create Account Profile', the provisioning template for the account to be created. For example, this would be used for a joiner on a source.
UPDATE - This usage type relates to 'Update Account Profile', the provisioning template for the 'Update' connector operations. For example, this would be used for an attribute sync on a source. ENABLE - This usage type relates to 'Enable Account Profile', the provisioning template for the account to be enabled. For example, this could be used for a joiner on a source once the joiner's account is created. DISABLE - This usage type relates to 'Disable Account Profile', the provisioning template for the account to be disabled. For example, this could be used when a leaver is removed temporarily from a source. You can use these four usage types for all your provisioning policy needs.

Responses

Response samples

Content type
application/json
{
  • "name": "example provisioning policy for inactive identities",
  • "description": "this provisioning policy creates access based on an identity going inactive",
  • "usageType": "CREATE",
  • "fields": [
    ]
}

Update provisioning policy by usagetype

This end-point updates the provisioning policy with the specified usage on the specified source in IdentityNow. Transforms can be used in the provisioning policy to create a new attribute that you only need during provisioning. Refer to Transforms in Provisioning Policies for more information.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source ID.

usageType
required
string (UsageType)
Enum: "CREATE" "UPDATE" "ENABLE" "DISABLE" "DELETE" "ASSIGN" "UNASSIGN" "CREATE_GROUP" "UPDATE_GROUP" "DELETE_GROUP" "REGISTER" "CREATE_IDENTITY" "UPDATE_IDENTITY" "EDIT_GROUP" "UNLOCK" "CHANGE_PASSWORD"
Example: CREATE

The type of provisioning policy usage. In IdentityNow, a source can support various provisioning operations. For example, when a joiner is added to a source, this may trigger both CREATE and UPDATE provisioning operations. Each usage type is considered a provisioning policy. A source can have any number of these provisioning policies defined. These are the common usage types: CREATE - This usage type relates to 'Create Account Profile', the provisioning template for the account to be created. For example, this would be used for a joiner on a source.
UPDATE - This usage type relates to 'Update Account Profile', the provisioning template for the 'Update' connector operations. For example, this would be used for an attribute sync on a source. ENABLE - This usage type relates to 'Enable Account Profile', the provisioning template for the account to be enabled. For example, this could be used for a joiner on a source once the joiner's account is created. DISABLE - This usage type relates to 'Disable Account Profile', the provisioning template for the account to be disabled. For example, this could be used when a leaver is removed temporarily from a source. You can use these four usage types for all your provisioning policy needs.

Request Body schema: application/json
name
required
string or null

the provisioning policy name

description
string

the description of the provisioning policy

usageType
string (UsageType)
Enum: "CREATE" "UPDATE" "ENABLE" "DISABLE" "DELETE" "ASSIGN" "UNASSIGN" "CREATE_GROUP" "UPDATE_GROUP" "DELETE_GROUP" "REGISTER" "CREATE_IDENTITY" "UPDATE_IDENTITY" "EDIT_GROUP" "UNLOCK" "CHANGE_PASSWORD"

The type of provisioning policy usage. In IdentityNow, a source can support various provisioning operations. For example, when a joiner is added to a source, this may trigger both CREATE and UPDATE provisioning operations. Each usage type is considered a provisioning policy. A source can have any number of these provisioning policies defined. These are the common usage types: CREATE - This usage type relates to 'Create Account Profile', the provisioning template for the account to be created. For example, this would be used for a joiner on a source.
UPDATE - This usage type relates to 'Update Account Profile', the provisioning template for the 'Update' connector operations. For example, this would be used for an attribute sync on a source. ENABLE - This usage type relates to 'Enable Account Profile', the provisioning template for the account to be enabled. For example, this could be used for a joiner on a source once the joiner's account is created. DISABLE - This usage type relates to 'Disable Account Profile', the provisioning template for the account to be disabled. For example, this could be used when a leaver is removed temporarily from a source. You can use these four usage types for all your provisioning policy needs.

Array of objects (Field Details Dto)

Responses

Request samples

Content type
application/json
{
  • "name": "example provisioning policy for inactive identities",
  • "description": "this provisioning policy creates access based on an identity going inactive",
  • "usageType": "CREATE",
  • "fields": [
    ]
}

Response samples

Content type
application/json
{
  • "name": "example provisioning policy for inactive identities",
  • "description": "this provisioning policy creates access based on an identity going inactive",
  • "usageType": "CREATE",
  • "fields": [
    ]
}

Partial update of provisioning policy

This API selectively updates an existing Provisioning Policy using a JSONPatch payload. Transforms can be used in the provisioning policy to create a new attribute that you only need during provisioning. Refer to Transforms in Provisioning Policies for more information.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

usageType
required
string (UsageType)
Enum: "CREATE" "UPDATE" "ENABLE" "DISABLE" "DELETE" "ASSIGN" "UNASSIGN" "CREATE_GROUP" "UPDATE_GROUP" "DELETE_GROUP" "REGISTER" "CREATE_IDENTITY" "UPDATE_IDENTITY" "EDIT_GROUP" "UNLOCK" "CHANGE_PASSWORD"
Example: CREATE

The type of provisioning policy usage. In IdentityNow, a source can support various provisioning operations. For example, when a joiner is added to a source, this may trigger both CREATE and UPDATE provisioning operations. Each usage type is considered a provisioning policy. A source can have any number of these provisioning policies defined. These are the common usage types: CREATE - This usage type relates to 'Create Account Profile', the provisioning template for the account to be created. For example, this would be used for a joiner on a source.
UPDATE - This usage type relates to 'Update Account Profile', the provisioning template for the 'Update' connector operations. For example, this would be used for an attribute sync on a source. ENABLE - This usage type relates to 'Enable Account Profile', the provisioning template for the account to be enabled. For example, this could be used for a joiner on a source once the joiner's account is created. DISABLE - This usage type relates to 'Disable Account Profile', the provisioning template for the account to be disabled. For example, this could be used when a leaver is removed temporarily from a source. You can use these four usage types for all your provisioning policy needs.

Request Body schema: application/json-patch+json

The JSONPatch payload used to update the schema.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "name": "example provisioning policy for inactive identities",
  • "description": "this provisioning policy creates access based on an identity going inactive",
  • "usageType": "CREATE",
  • "fields": [
    ]
}

Delete provisioning policy by usagetype

Deletes the provisioning policy with the specified usage on an application.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source ID.

usageType
required
string (UsageType)
Enum: "CREATE" "UPDATE" "ENABLE" "DISABLE" "DELETE" "ASSIGN" "UNASSIGN" "CREATE_GROUP" "UPDATE_GROUP" "DELETE_GROUP" "REGISTER" "CREATE_IDENTITY" "UPDATE_IDENTITY" "EDIT_GROUP" "UNLOCK" "CHANGE_PASSWORD"
Example: CREATE

The type of provisioning policy usage. In IdentityNow, a source can support various provisioning operations. For example, when a joiner is added to a source, this may trigger both CREATE and UPDATE provisioning operations. Each usage type is considered a provisioning policy. A source can have any number of these provisioning policies defined. These are the common usage types: CREATE - This usage type relates to 'Create Account Profile', the provisioning template for the account to be created. For example, this would be used for a joiner on a source.
UPDATE - This usage type relates to 'Update Account Profile', the provisioning template for the 'Update' connector operations. For example, this would be used for an attribute sync on a source. ENABLE - This usage type relates to 'Enable Account Profile', the provisioning template for the account to be enabled. For example, this could be used for a joiner on a source once the joiner's account is created. DISABLE - This usage type relates to 'Disable Account Profile', the provisioning template for the account to be disabled. For example, this could be used when a leaver is removed temporarily from a source. You can use these four usage types for all your provisioning policy needs.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Bulk update provisioning policies

This end-point updates a list of provisioning policies on the specified source in IdentityNow.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

Request Body schema: application/json
Array
name
required
string or null

the provisioning policy name

description
string

the description of the provisioning policy

usageType
string (UsageType)
Enum: "CREATE" "UPDATE" "ENABLE" "DISABLE" "DELETE" "ASSIGN" "UNASSIGN" "CREATE_GROUP" "UPDATE_GROUP" "DELETE_GROUP" "REGISTER" "CREATE_IDENTITY" "UPDATE_IDENTITY" "EDIT_GROUP" "UNLOCK" "CHANGE_PASSWORD"

The type of provisioning policy usage. In IdentityNow, a source can support various provisioning operations. For example, when a joiner is added to a source, this may trigger both CREATE and UPDATE provisioning operations. Each usage type is considered a provisioning policy. A source can have any number of these provisioning policies defined. These are the common usage types: CREATE - This usage type relates to 'Create Account Profile', the provisioning template for the account to be created. For example, this would be used for a joiner on a source.
UPDATE - This usage type relates to 'Update Account Profile', the provisioning template for the 'Update' connector operations. For example, this would be used for an attribute sync on a source. ENABLE - This usage type relates to 'Enable Account Profile', the provisioning template for the account to be enabled. For example, this could be used for a joiner on a source once the joiner's account is created. DISABLE - This usage type relates to 'Disable Account Profile', the provisioning template for the account to be disabled. For example, this could be used when a leaver is removed temporarily from a source. You can use these four usage types for all your provisioning policy needs.

Array of objects (Field Details Dto)

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
[
  • {
    }
]

List schemas on source

Use this API to list the schemas that exist on the specified source in Identity Security Cloud (ISC).

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

query Parameters
include-types
string
Enum: "group" "user"
Example: include-types=group

If set to 'group', then the account schema is filtered and only group schemas are returned. Only a value of 'group' is recognized presently. Note: The API will check whether include-types is group or not, if not, it will list schemas based on include-names, if include-names is not provided, it will list all schemas.

include-names
string
Example: include-names=account

A comma-separated list of schema names to filter result.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create schema on source

Use this API to create a new schema on the specified source in Identity Security Cloud (ISC).

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

Request Body schema: application/json
id
string

The id of the Schema.

name
string

The name of the Schema.

nativeObjectType
string

The name of the object type on the native system that the schema represents.

identityAttribute
string

The name of the attribute used to calculate the unique identifier for an object in the schema.

displayAttribute
string

The name of the attribute used to calculate the display value for an object in the schema.

hierarchyAttribute
string or null

The name of the attribute whose values represent other objects in a hierarchy. Only relevant to group schemas.

includePermissions
boolean
Default: false

Flag indicating whether or not the include permissions with the object data when aggregating the schema.

features
Array of strings (SourceFeature)
Items Enum: "AUTHENTICATE" "COMPOSITE" "DIRECT_PERMISSIONS" "DISCOVER_SCHEMA" "ENABLE" "MANAGER_LOOKUP" "NO_RANDOM_ACCESS" "PROXY" "SEARCH" "TEMPLATE" "UNLOCK" "UNSTRUCTURED_TARGETS" "SHAREPOINT_TARGET" "PROVISIONING" "GROUP_PROVISIONING" "SYNC_PROVISIONING" "PASSWORD" "CURRENT_PASSWORD" "ACCOUNT_ONLY_REQUEST" "ADDITIONAL_ACCOUNT_REQUEST" "NO_AGGREGATION" "GROUPS_HAVE_MEMBERS" "NO_PERMISSIONS_PROVISIONING" "NO_GROUP_PERMISSIONS_PROVISIONING" "NO_UNSTRUCTURED_TARGETS_PROVISIONING" "NO_DIRECT_PERMISSIONS_PROVISIONING" "PREFER_UUID" "ARM_SECURITY_EXTRACT" "ARM_UTILIZATION_EXTRACT" "ARM_CHANGELOG_EXTRACT" "USES_UUID" "APPLICATION_DISCOVERY" "DELETE"

Optional features that can be supported by a source. Modifying the features array may cause source configuration errors that are unsupportable. It is recommended to not modify this array for SailPoint supported connectors.

  • AUTHENTICATE: The source supports pass-through authentication.
  • COMPOSITE: The source supports composite source creation.
  • DIRECT_PERMISSIONS: The source supports returning DirectPermissions.
  • DISCOVER_SCHEMA: The source supports discovering schemas for users and groups.
  • ENABLE The source supports reading if an account is enabled or disabled.
  • MANAGER_LOOKUP: The source supports looking up managers as they are encountered in a feed. This is the opposite of NO_RANDOM_ACCESS.
  • NO_RANDOM_ACCESS: The source does not support random access and the getObject() methods should not be called and expected to perform.
  • PROXY: The source can serve as a proxy for another source. When an source has a proxy, all connector calls made with that source are redirected through the connector for the proxy source.
  • SEARCH
  • TEMPLATE
  • UNLOCK: The source supports reading if an account is locked or unlocked.
  • UNSTRUCTURED_TARGETS: The source supports returning unstructured Targets.
  • SHAREPOINT_TARGET: The source supports returning unstructured Target data for SharePoint. It will be typically used by AD, LDAP sources.
  • PROVISIONING: The source can both read and write accounts. Having this feature implies that the provision() method is implemented. It also means that direct and target permissions can also be provisioned if they can be returned by aggregation.
  • GROUP_PROVISIONING: The source can both read and write groups. Having this feature implies that the provision() method is implemented.
  • SYNC_PROVISIONING: The source can provision accounts synchronously.
  • PASSWORD: The source can provision password changes. Since sources can never read passwords, this is should only be used in conjunction with the PROVISIONING feature.
  • CURRENT_PASSWORD: Some source types support verification of the current password
  • ACCOUNT_ONLY_REQUEST: The source supports requesting accounts without entitlements.
  • ADDITIONAL_ACCOUNT_REQUEST: The source supports requesting additional accounts.
  • NO_AGGREGATION: A source that does not support aggregation.
  • GROUPS_HAVE_MEMBERS: The source models group memberships with a member attribute on the group object rather than a groups attribute on the account object. This effects the implementation of delta account aggregation.
  • NO_PERMISSIONS_PROVISIONING: Indicates that the connector cannot provision direct or target permissions for accounts. When DIRECT_PERMISSIONS and PROVISIONING features are present, it is assumed that the connector can also provision direct permissions. This feature disables that assumption and causes permission request to be converted to work items for accounts.
  • NO_GROUP_PERMISSIONS_PROVISIONING: Indicates that the connector cannot provision direct or target permissions for groups. When DIRECT_PERMISSIONS and PROVISIONING features are present, it is assumed that the connector can also provision direct permissions. This feature disables that assumption and causes permission request to be converted to work items for groups.
  • NO_UNSTRUCTURED_TARGETS_PROVISIONING: This string will be replaced by NO_GROUP_PERMISSIONS_PROVISIONING and NO_PERMISSIONS_PROVISIONING.
  • NO_DIRECT_PERMISSIONS_PROVISIONING: This string will be replaced by NO_GROUP_PERMISSIONS_PROVISIONING and NO_PERMISSIONS_PROVISIONING.
  • USES_UUID: Connectivity 2.0 flag used to indicate that the connector supports a compound naming structure.
  • PREFER_UUID: Used in ISC Provisioning AND Aggregation to decide if it should prefer account.uuid to account.nativeIdentity when data is read in through aggregation OR pushed out through provisioning.
  • ARM_SECURITY_EXTRACT: Indicates the application supports Security extracts for ARM
  • ARM_UTILIZATION_EXTRACT: Indicates the application supports Utilization extracts for ARM
  • ARM_CHANGELOG_EXTRACT: Indicates the application supports Change-log extracts for ARM
configuration
object

Holds any extra configuration data that the schema may require.

Array of objects (Attribute Definition)

The attribute definitions which form the schema.

created
string <date-time>

The date the Schema was created.

modified
string or null <date-time>

The date the Schema was last modified.

Responses

Request samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "account",
  • "nativeObjectType": "User",
  • "identityAttribute": "sAMAccountName",
  • "displayAttribute": "distinguishedName",
  • "hierarchyAttribute": "memberOf",
  • "includePermissions": false,
  • "features": [
    ],
  • "configuration": {
    },
  • "attributes": [
    ],
  • "created": "2019-12-24T22:32:58.104Z",
  • "modified": "2019-12-31T20:22:28.104Z"
}

Response samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "account",
  • "nativeObjectType": "User",
  • "identityAttribute": "sAMAccountName",
  • "displayAttribute": "distinguishedName",
  • "hierarchyAttribute": "memberOf",
  • "includePermissions": false,
  • "features": [
    ],
  • "configuration": {
    },
  • "attributes": [
    ],
  • "created": "2019-12-24T22:32:58.104Z",
  • "modified": "2019-12-31T20:22:28.104Z"
}

List schedules on source

Use this API to list the schedules that exist on the specified source in Identity Security Cloud (ISC). :::info This endpoint uses a cron expression to schedule a task, following standard cron job syntax.

For example, 0 0 12 1/1 * ? * runs the task daily at 12:00 PM.

Days of the week are represented as 1-7 (Sunday-Saturday). :::

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create schedule on source

Use this API to create a new schedule for a type on the specified source in Identity Security Cloud (ISC).

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

Request Body schema: application/json
type
required
string
Enum: "ACCOUNT_AGGREGATION" "GROUP_AGGREGATION"

The type of the Schedule.

cronExpression
required
string

The cron expression of the schedule.

Responses

Request samples

Content type
application/json
{
  • "type": "ACCOUNT_AGGREGATION",
  • "cronExpression": "0 0 5,13,21 * * ?"
}

Response samples

Content type
application/json
{
  • "type": "ACCOUNT_AGGREGATION",
  • "cronExpression": "0 0 5,13,21 * * ?"
}

Get source schedule by type

Get the source schedule by type in Identity Security Cloud (ISC).

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

scheduleType
required
string
Enum: "ACCOUNT_AGGREGATION" "GROUP_AGGREGATION"
Example: ACCOUNT_AGGREGATION

The Schedule type.

Responses

Response samples

Content type
application/json
{
  • "type": "ACCOUNT_AGGREGATION",
  • "cronExpression": "0 0 5,13,21 * * ?"
}

Update source schedule (partial)

Use this API to selectively update an existing Schedule using a JSONPatch payload.

The following schedule fields are immutable and cannot be updated:

  • type
Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

scheduleType
required
string
Enum: "ACCOUNT_AGGREGATION" "GROUP_AGGREGATION"
Example: ACCOUNT_AGGREGATION

The Schedule type.

Request Body schema: application/json-patch+json

The JSONPatch payload used to update the schedule.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "type": "ACCOUNT_AGGREGATION",
  • "cronExpression": "0 0 5,13,21 * * ?"
}

Delete source schedule by type.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

scheduleType
required
string
Enum: "ACCOUNT_AGGREGATION" "GROUP_AGGREGATION"
Example: ACCOUNT_AGGREGATION

The Schedule type.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Get source schema by id

Get the Source Schema by ID in IdentityNow.

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

schemaId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Schema id.

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "account",
  • "nativeObjectType": "User",
  • "identityAttribute": "sAMAccountName",
  • "displayAttribute": "distinguishedName",
  • "hierarchyAttribute": "memberOf",
  • "includePermissions": false,
  • "features": [
    ],
  • "configuration": {
    },
  • "attributes": [
    ],
  • "created": "2019-12-24T22:32:58.104Z",
  • "modified": "2019-12-31T20:22:28.104Z"
}

Update source schema (full)

This API will completely replace an existing Schema with the submitted payload. Some fields of the Schema cannot be updated. These fields are listed below.

  • id
  • name
  • created
  • modified

Any attempt to modify these fields will result in an error response with a status code of 400.

id must remain in the request body, but it cannot be changed. If id is omitted from the request body, the result will be a 400 error.

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

schemaId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Schema id.

Request Body schema: application/json
id
string

The id of the Schema.

name
string

The name of the Schema.

nativeObjectType
string

The name of the object type on the native system that the schema represents.

identityAttribute
string

The name of the attribute used to calculate the unique identifier for an object in the schema.

displayAttribute
string

The name of the attribute used to calculate the display value for an object in the schema.

hierarchyAttribute
string or null

The name of the attribute whose values represent other objects in a hierarchy. Only relevant to group schemas.

includePermissions
boolean
Default: false

Flag indicating whether or not the include permissions with the object data when aggregating the schema.

features
Array of strings (SourceFeature)
Items Enum: "AUTHENTICATE" "COMPOSITE" "DIRECT_PERMISSIONS" "DISCOVER_SCHEMA" "ENABLE" "MANAGER_LOOKUP" "NO_RANDOM_ACCESS" "PROXY" "SEARCH" "TEMPLATE" "UNLOCK" "UNSTRUCTURED_TARGETS" "SHAREPOINT_TARGET" "PROVISIONING" "GROUP_PROVISIONING" "SYNC_PROVISIONING" "PASSWORD" "CURRENT_PASSWORD" "ACCOUNT_ONLY_REQUEST" "ADDITIONAL_ACCOUNT_REQUEST" "NO_AGGREGATION" "GROUPS_HAVE_MEMBERS" "NO_PERMISSIONS_PROVISIONING" "NO_GROUP_PERMISSIONS_PROVISIONING" "NO_UNSTRUCTURED_TARGETS_PROVISIONING" "NO_DIRECT_PERMISSIONS_PROVISIONING" "PREFER_UUID" "ARM_SECURITY_EXTRACT" "ARM_UTILIZATION_EXTRACT" "ARM_CHANGELOG_EXTRACT" "USES_UUID" "APPLICATION_DISCOVERY" "DELETE"

Optional features that can be supported by a source. Modifying the features array may cause source configuration errors that are unsupportable. It is recommended to not modify this array for SailPoint supported connectors.

  • AUTHENTICATE: The source supports pass-through authentication.
  • COMPOSITE: The source supports composite source creation.
  • DIRECT_PERMISSIONS: The source supports returning DirectPermissions.
  • DISCOVER_SCHEMA: The source supports discovering schemas for users and groups.
  • ENABLE The source supports reading if an account is enabled or disabled.
  • MANAGER_LOOKUP: The source supports looking up managers as they are encountered in a feed. This is the opposite of NO_RANDOM_ACCESS.
  • NO_RANDOM_ACCESS: The source does not support random access and the getObject() methods should not be called and expected to perform.
  • PROXY: The source can serve as a proxy for another source. When an source has a proxy, all connector calls made with that source are redirected through the connector for the proxy source.
  • SEARCH
  • TEMPLATE
  • UNLOCK: The source supports reading if an account is locked or unlocked.
  • UNSTRUCTURED_TARGETS: The source supports returning unstructured Targets.
  • SHAREPOINT_TARGET: The source supports returning unstructured Target data for SharePoint. It will be typically used by AD, LDAP sources.
  • PROVISIONING: The source can both read and write accounts. Having this feature implies that the provision() method is implemented. It also means that direct and target permissions can also be provisioned if they can be returned by aggregation.
  • GROUP_PROVISIONING: The source can both read and write groups. Having this feature implies that the provision() method is implemented.
  • SYNC_PROVISIONING: The source can provision accounts synchronously.
  • PASSWORD: The source can provision password changes. Since sources can never read passwords, this is should only be used in conjunction with the PROVISIONING feature.
  • CURRENT_PASSWORD: Some source types support verification of the current password
  • ACCOUNT_ONLY_REQUEST: The source supports requesting accounts without entitlements.
  • ADDITIONAL_ACCOUNT_REQUEST: The source supports requesting additional accounts.
  • NO_AGGREGATION: A source that does not support aggregation.
  • GROUPS_HAVE_MEMBERS: The source models group memberships with a member attribute on the group object rather than a groups attribute on the account object. This effects the implementation of delta account aggregation.
  • NO_PERMISSIONS_PROVISIONING: Indicates that the connector cannot provision direct or target permissions for accounts. When DIRECT_PERMISSIONS and PROVISIONING features are present, it is assumed that the connector can also provision direct permissions. This feature disables that assumption and causes permission request to be converted to work items for accounts.
  • NO_GROUP_PERMISSIONS_PROVISIONING: Indicates that the connector cannot provision direct or target permissions for groups. When DIRECT_PERMISSIONS and PROVISIONING features are present, it is assumed that the connector can also provision direct permissions. This feature disables that assumption and causes permission request to be converted to work items for groups.
  • NO_UNSTRUCTURED_TARGETS_PROVISIONING: This string will be replaced by NO_GROUP_PERMISSIONS_PROVISIONING and NO_PERMISSIONS_PROVISIONING.
  • NO_DIRECT_PERMISSIONS_PROVISIONING: This string will be replaced by NO_GROUP_PERMISSIONS_PROVISIONING and NO_PERMISSIONS_PROVISIONING.
  • USES_UUID: Connectivity 2.0 flag used to indicate that the connector supports a compound naming structure.
  • PREFER_UUID: Used in ISC Provisioning AND Aggregation to decide if it should prefer account.uuid to account.nativeIdentity when data is read in through aggregation OR pushed out through provisioning.
  • ARM_SECURITY_EXTRACT: Indicates the application supports Security extracts for ARM
  • ARM_UTILIZATION_EXTRACT: Indicates the application supports Utilization extracts for ARM
  • ARM_CHANGELOG_EXTRACT: Indicates the application supports Change-log extracts for ARM
configuration
object

Holds any extra configuration data that the schema may require.

Array of objects (Attribute Definition)

The attribute definitions which form the schema.

created
string <date-time>

The date the Schema was created.

modified
string or null <date-time>

The date the Schema was last modified.

Responses

Request samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "account",
  • "nativeObjectType": "User",
  • "identityAttribute": "sAMAccountName",
  • "displayAttribute": "distinguishedName",
  • "hierarchyAttribute": "memberOf",
  • "includePermissions": false,
  • "features": [
    ],
  • "configuration": {
    },
  • "attributes": [
    ],
  • "created": "2019-12-24T22:32:58.104Z",
  • "modified": "2019-12-31T20:22:28.104Z"
}

Response samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "account",
  • "nativeObjectType": "User",
  • "identityAttribute": "sAMAccountName",
  • "displayAttribute": "distinguishedName",
  • "hierarchyAttribute": "memberOf",
  • "includePermissions": false,
  • "features": [
    ],
  • "configuration": {
    },
  • "attributes": [
    ],
  • "created": "2019-12-24T22:32:58.104Z",
  • "modified": "2019-12-31T20:22:28.104Z"
}

Update source schema (partial)

Use this API to selectively update an existing Schema using a JSONPatch payload.

The following schema fields are immutable and cannot be updated:

  • id
  • name
  • created
  • modified

To switch an account attribute to a group entitlement, you need to have the following in place:

  • isEntitlement: true
  • Must define a schema for the group and add it to the source before updating the isGroup flag. For example, here is the group account attribute referencing a schema that defines the group:
    {
  "name": "groups",
  "type": "STRING",
  "schema": {
      "type": "CONNECTOR_SCHEMA",
      "id": "2c9180887671ff8c01767b4671fc7d60",
      "name": "group"
  },
  "description": "The groups, roles etc. that reference account group objects",
  "isMulti": true,
  "isEntitlement": true,
  "isGroup": true
}
Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

schemaId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Schema id.

Request Body schema: application/json-patch+json

The JSONPatch payload used to update the schema.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "account",
  • "nativeObjectType": "User",
  • "identityAttribute": "sAMAccountName",
  • "displayAttribute": "distinguishedName",
  • "hierarchyAttribute": "memberOf",
  • "includePermissions": false,
  • "features": [
    ],
  • "configuration": {
    },
  • "attributes": [
    ],
  • "created": "2019-12-24T22:32:58.104Z",
  • "modified": "2019-12-31T20:22:28.104Z"
}

Delete source schema by id

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

schemaId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Schema id.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Fetches source health by id

This endpoint fetches source health by source's id

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "type": "OpenLDAP - Direct",
  • "name": "Source1234",
  • "org": "denali-cjh",
  • "isAuthoritative": false,
  • "isCluster": false,
  • "hostname": "megapod-useast1-secret-hostname.sailpoint.com",
  • "pod": "megapod-useast1",
  • "iqServiceVersion": "iqVersion123",
  • "status": "SOURCE_STATE_UNCHECKED_SOURCE"
}

Downloads source accounts schema template

This API downloads the CSV schema that defines the account attributes on a source.

NOTE: This API is designated only for Delimited File sources.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The Source id

Responses

Response samples

Content type
text/csv
id,name,givenName,familyName,e-mail,location,manager,groups,startDate,endDate

Uploads source accounts schema template

This API uploads a source schema template file to configure a source's account attributes.

To retrieve the file to modify and upload, log into Identity Now.

Click Admin -> Connections -> Sources -> {SourceName} -> Import Data -> Account Schema -> Options -> Download Schema

NOTE: This API is designated only for Delimited File sources.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The Source id

Request Body schema: multipart/form-data
file
string <binary>

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "account",
  • "nativeObjectType": "User",
  • "identityAttribute": "sAMAccountName",
  • "displayAttribute": "distinguishedName",
  • "hierarchyAttribute": "memberOf",
  • "includePermissions": false,
  • "features": [
    ],
  • "configuration": {
    },
  • "attributes": [
    ],
  • "created": "2019-12-24T22:32:58.104Z",
  • "modified": "2019-12-31T20:22:28.104Z"
}

Downloads source entitlements schema template

This API downloads the CSV schema that defines the entitlement attributes on a source.

NOTE: This API is designated only for Delimited File sources.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The Source id

query Parameters
schemaName
string
Example: schemaName=?schemaName=group

Name of entitlement schema

Responses

Response samples

Content type
text/csv
id,name,displayName,created,description,modified,entitlements,groups,permissions

Uploads source entitlements schema template

This API uploads a source schema template file to configure a source's entitlement attributes.

To retrieve the file to modify and upload, log into Identity Now.

Click Admin -> Connections -> Sources -> {SourceName} -> Import Data -> Import Entitlements -> Download

NOTE: This API is designated only for Delimited File sources.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The Source id

query Parameters
schemaName
string
Example: schemaName=?schemaName=group

Name of entitlement schema

Request Body schema: multipart/form-data
file
string <binary>

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "account",
  • "nativeObjectType": "User",
  • "identityAttribute": "sAMAccountName",
  • "displayAttribute": "distinguishedName",
  • "hierarchyAttribute": "memberOf",
  • "includePermissions": false,
  • "features": [
    ],
  • "configuration": {
    },
  • "attributes": [
    ],
  • "created": "2019-12-24T22:32:58.104Z",
  • "modified": "2019-12-31T20:22:28.104Z"
}

Upload connector file to source

This uploads a supplemental source connector file (like jdbc driver jars) to a source's S3 bucket. This also sends ETS and Audit events.

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

The Source id.

Request Body schema: multipart/form-data
file
string <binary>

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "name": "My Source",
  • "description": "This is the corporate directory.",
  • "owner": {
    },
  • "cluster": {
    },
  • "accountCorrelationConfig": {
    },
  • "accountCorrelationRule": {
    },
  • "managerCorrelationMapping": {
    },
  • "managerCorrelationRule": {
    },
  • "beforeProvisioningRule": {
    },
  • "schemas": [
    ],
  • "passwordPolicies": [
    ],
  • "features": [
    ],
  • "type": "OpenLDAP - Direct",
  • "connector": "active-directory",
  • "connectorClass": "sailpoint.connector.LDAPConnector",
  • "connectorAttributes": {
    },
  • "deleteThreshold": 10,
  • "authoritative": false,
  • "managementWorkgroup": {
    },
  • "healthy": true,
  • "status": "SOURCE_STATE_HEALTHY",
  • "since": "2021-09-28T15:48:29.3801666300Z",
  • "connectorId": "active-directory",
  • "connectorName": "Active Directory",
  • "connectionType": "file",
  • "connectorImplementationId": "delimited-file",
  • "created": "2022-02-08T14:50:03.827Z",
  • "modified": "2024-01-23T18:08:50.897Z",
  • "credentialProviderEnabled": false,
  • "category": "CredentialProvider"
}

Get source connections by id

Use this API to get all dependent Profiles, Attributes, Applications and Custom Transforms for a source by a specified ID in Identity Security Cloud (ISC).

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 2c9180835d191a86015d28455b4a2329

Source ID.

Responses

Response samples

Content type
application/json
{
  • "identityProfiles": [
    ],
  • "credentialProfiles": [
    ],
  • "sourceAttributes": [
    ],
  • "mappingProfiles": [
    ],
  • "dependentCustomTransforms": [
    ],
  • "dependentApps": [
    ],
  • "missingDependents": [
    ]
}

Get source correlation configuration

This API returns the existing correlation configuration for a source specified by the given ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

The source id

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "Source [source] Account Correlation",
  • "attributeAssignments": [
    ]
}

Update source correlation configuration

Replaces the correlation configuration for the source specified by the given ID with the configuration provided in the request body.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

The source id

Request Body schema: application/json
id
string or null

The ID of the correlation configuration.

name
string or null

The name of the correlation configuration.

Array of objects or null

The list of attribute assignments of the correlation configuration.

Responses

Request samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "Source [source] Account Correlation",
  • "attributeAssignments": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "2c9180835d191a86015d28455b4a2329",
  • "name": "Source [source] Account Correlation",
  • "attributeAssignments": [
    ]
}

Get Password Policy for source

This API can be used to get Password Policy in IdentityNow for the specified Source. Source must support PASSWORD feature.

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The Source id

query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Update password policy

This API can be used to set up or update Password Policy in IdentityNow for the specified Source. Source must support PASSWORD feature.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The Source id

Request Body schema: application/json
Array
policyId
string

The password policy Id.

policyName
string

The name of the password policy.

object (Password Policy Holders Dto Attributes)

Responses

Request samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Check connection for source connector.

This endpoint validates that the configured credentials are valid and will properly authenticate with the source identified by the sourceId path parameter.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: cef3ee201db947c5912551015ba0c679

The ID of the Source.

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1313",
  • "name": "ODS-AD-Test [source-999999]",
  • "status": "SUCCESS",
  • "elapsedMillis": 1000,
  • "details": {
    }
}

Peek source connector's resource objects

Retrieves a sample of data returned from account and group aggregation requests.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: cef3ee201db947c5912551015ba0c679

The ID of the Source

Request Body schema: application/json
objectType
string
Default: "account"

The type of resource objects to iterate over.

maxCount
integer
Default: 25

The maximum number of resource objects to iterate over and return.

Responses

Request samples

Content type
application/json
{
  • "objectType": "group",
  • "maxCount": 100
}

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1313",
  • "name": "ODS-AD-Test [source-999999]",
  • "objectCount": 25,
  • "elapsedMillis": 1055,
  • "resourceObjects": [
    ]
}

Ping cluster for source connector

This endpoint validates that the cluster being used by the source is reachable from IdentityNow.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: cef3ee201db947c5912551015ba0c679

The ID of the Source

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1313",
  • "name": "ODS-AD-Test [source-999999]",
  • "status": "SUCCESS",
  • "elapsedMillis": 1000,
  • "details": {
    }
}

Test configuration for source connector

This endpoint performs a more detailed validation of the source''s configuration that can take longer than the lighter weight credential validation performed by the checkConnection API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
sourceId
required
string
Example: cef3ee201db947c5912551015ba0c679

The ID of the Source

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1313",
  • "name": "ODS-AD-Test [source-999999]",
  • "status": "SUCCESS",
  • "elapsedMillis": 1000,
  • "details": {
    }
}

Gets source config with language-translations

Looks up and returns the source config for the requested source id after populating the source config values and applying language translations.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: cef3ee201db947c5912551015ba0c679

The Source id

query Parameters
locale
string
Enum: "de" false "fi" "sv" "ru" "pt" "ko" "zh-TW" "en" "it" "fr" "zh-CN" "hu" "es" "cs" "ja" "pl" "da" "nl"
Example: locale=en

The locale to apply to the config. If no viable locale is given, it will default to "en"

Responses

Response samples

Content type
application/json
{
  • "name": "name",
  • "type": "ServiceNow",
  • "className": "class name",
  • "scriptName": "servicenow",
  • "applicationXml": "<?xml version='1.0' encoding='UTF-8'?>\n<!DOCTYPE Application PUBLIC \"sailpoint.dtd\" \"sailpoint.dtd\">\n<Application connector=\"sailpoint.connector.OpenConnectorAdapter\" name=\"custom Atlassian Suite - Cloud\" type=\"custom Atlassian Suite - Cloud\"/>\n",
  • "correlationConfigXml": "<?xml version='1.0' encoding='UTF-8'?>\n<!-- Copyright (C) 2021 SailPoint Technologies, Inc. All rights reserved. -->\n\n<!DOCTYPE CorrelationConfig PUBLIC \"sailpoint.dtd\" \"sailpoint.dtd\">\n\n<CorrelationConfig name=\"custom Atlassian Suite - Cloud Account Correlation Config\">\n\t<AttributeAssignments>\n\t\t<Filter operation=\"EQ\" property=\"email\" value=\"mail\"/>\n\t\t<Filter operation=\"EQ\" property=\"empId\" value=\"employeeNumber\"/>\n\t\t<Filter operation=\"EQ\" property=\"displayName\" value=\"cn\"/>\n\t</AttributeAssignments>\n</CorrelationConfig>\n",
  • "sourceConfigXml": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?><!-- Copyright (C) 2023 SailPoint Technologies, Inc. All rights reserved. --><Form xmlns=\"http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd\" connectorName=\"custom Atlassian Suite - Cloud\" directConnect=\"true\" fileUpload=\"true\" name=\"Custom Atlassian Suite - Cloud\" status=\"released\" type=\"SourceConfig\">\n <BaseConfig>\n <Field maxFiles=\"10\" maxSize=\"300\" name=\"fileUpload\" supportedExtensions=\"jar\" type=\"fileupload\" validateJSON=\"false\"/>\n </BaseConfig>\n \n\n \n</Form>",
  • "sourceConfig": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?><!-- Copyright (C) 2023 SailPoint Technologies, Inc. All rights reserved. --><Form xmlns=\"http://www.sailpoint.com/xsd/sailpoint_form_2_0.xsd\" connectorName=\"custom Atlassian Suite - Cloud\" directConnect=\"true\" fileUpload=\"true\" name=\"Custom Atlassian Suite - Cloud\" status=\"released\" type=\"SourceConfig\">\n <BaseConfig>\n <Field maxFiles=\"10\" maxSize=\"300\" name=\"fileUpload\" supportedExtensions=\"jar\" type=\"fileupload\" validateJSON=\"false\"/>\n </BaseConfig>\n \n\n \n</Form>",
  • "sourceConfigFrom": "sp-connect",
  • "s3Location": "custom-connector/scriptname",
  • "uploadedFiles": [
    ],
  • "fileUpload": true,
  • "directConnect": true,
  • "translationProperties": {
    },
  • "connectorMetadata": {
    },
  • "status": "RELEASED"
}

Native change detection configuration

This API returns the existing native change detection configuration for a source specified by the given ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

The source id

Responses

Response samples

Content type
application/json
{
  • "enabled": true,
  • "operations": [
    ],
  • "allEntitlements": false,
  • "allNonEntitlementAttributes": false,
  • "selectedEntitlements": [
    ],
  • "selectedNonEntitlementAttributes": [
    ]
}

Update native change detection configuration

Replaces the native change detection configuration for the source specified by the given ID with the configuration provided in the request body.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

The source id

Request Body schema: application/json
enabled
boolean
Default: false

A flag indicating if Native Change Detection is enabled for a source.

operations
Array of strings
Items Enum: "ACCOUNT_UPDATED" "ACCOUNT_CREATED" "ACCOUNT_DELETED"

Operation types for which Native Change Detection is enabled for a source.

allEntitlements
boolean
Default: false

A flag indicating that all entitlements participate in Native Change Detection.

allNonEntitlementAttributes
boolean
Default: false

A flag indicating that all non-entitlement account attributes participate in Native Change Detection.

selectedEntitlements
Array of strings

If allEntitlements flag is off this field lists entitlements that participate in Native Change Detection.

selectedNonEntitlementAttributes
Array of strings

If allNonEntitlementAttributes flag is off this field lists non-entitlement account attributes that participate in Native Change Detection.

Learn more about account attributes here.

Responses

Request samples

Content type
application/json
{
  • "enabled": true,
  • "operations": [
    ],
  • "allEntitlements": false,
  • "allNonEntitlementAttributes": false,
  • "selectedEntitlements": [
    ],
  • "selectedNonEntitlementAttributes": [
    ]
}

Response samples

Content type
application/json
{
  • "enabled": true,
  • "operations": [
    ],
  • "allEntitlements": false,
  • "allNonEntitlementAttributes": false,
  • "selectedEntitlements": [
    ],
  • "selectedNonEntitlementAttributes": [
    ]
}

Delete native change detection configuration

Deletes the native change detection configuration for the source specified by the given ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

The source id

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Remove all accounts in source

Use this endpoint to remove all accounts from the system without provisioning changes to the source. Accounts that are removed could be re-created during the next aggregation.

This endpoint is good for:

  • Removing accounts that no longer exist on the source.
  • Removing accounts that won't be aggregated following updates to the source configuration.
  • Forcing accounts to be re-created following the next aggregation to re-run account processing, support testing, etc.
Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ebbf35756e1140699ce52b233121384a

The source id

Responses

Response samples

Content type
application/json
{
  • "type": "TASK_RESULT",
  • "id": "464ae7bf791e49fdb74606a2e4a89635",
  • "name": null
}

Account aggregation

Starts an account aggregation on the specified source. If the target source is a delimited file source, then the CSV file needs to be included in the request body. You will also need to set the Content-Type header to multipart/form-data.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source Id

Request Body schema: multipart/form-data
file
string <binary>

The CSV file containing the source accounts to aggregate.

disableOptimization
string

Use this flag to reprocess every account whether or not the data has changed.

Responses

Response samples

Content type
application/json
{
  • "success": "true",
  • "task": {
    }
}

Process uncorrelated accounts

File is required for upload. You will also need to set the Content-Type header to multipart/form-data

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 75dbec1ebe154d5785da27b95e1dd5d7

Source Id

Request Body schema: multipart/form-data
file
string <binary>

Responses

Response samples

Content type
application/json
{
  • "success": "true",
  • "task": {
    }
}

Attribute sync config

This API returns the existing attribute synchronization configuration for a source specified by the given ID. The response contains all attributes, regardless of whether they enabled or not.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

The source id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "source": {
    },
  • "attributes": [
    ]
}

Update attribute sync config

Replaces the attribute synchronization configuration for the source specified by the given ID with the configuration provided in the request body. Only the "enabled" field of the values in the "attributes" array is mutable. Attempting to change other attributes or add new values to the "attributes" array will result in an error.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

The source id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
required
object (Attr Sync Source)

Target source for attribute synchronization.

required
Array of objects (Attr Sync Source Attribute Config)

Attribute synchronization configuration for specific identity attributes in the context of a source

Responses

Request samples

Content type
application/json
{
  • "source": {
    },
  • "attributes": [
    ]
}

Response samples

Content type
application/json
{
  • "source": {
    },
  • "attributes": [
    ]
}

Synchronize single source attributes.

This end-point performs attribute synchronization for a selected source.

Authorizations:
Personal Access Token
path Parameters
id
required
string

The Source id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "status": "IN_PROGRESS",
  • "payload": {
    }
}

Get source entitlement request configuration

This API gets the current entitlement request configuration for a source. This source-level configuration should apply for all the entitlements in the source.

Access request to any entitlements in the source should follow this configuration unless a separate entitlement-level configuration is defined.

  • During access request, this source-level entitlement request configuration overrides the global organization-level configuration.
  • However, the entitlement-level configuration (if defined) overrides this source-level configuration.
Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The Source id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
Example

The default config for a source should look like the following where the empty approvalSchemes indicates that no approvals are required.

{
  • "accessRequestConfig": {
    }
}

Update source entitlement request configuration

This API replaces the current entitlement request configuration for a source. This source-level configuration should apply for all the entitlements in the source.

Access request to any entitlements in the source should follow this configuration unless a separate entitlement-level configuration is defined.

  • During access request, this source-level entitlement request configuration overrides the global organization-level configuration.
  • However, the entitlement-level configuration (if defined) overrides this source-level configuration.
Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 8c190e6787aa4ed9a90bd9d5344523fb

The Source id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
object (Entitlement Access Request Config)
object (Entitlement Revocation Request Config)

Responses

Request samples

Content type
application/json
Example

If no approvals are required, the following config can be set.

{
  • "accessRequestConfig": {
    }
}

Response samples

Content type
application/json
{
  • "accessRequestConfig": {
    },
  • "revocationRequestConfig": {
    }
}

Entitlement aggregation

Starts an entitlement aggregation on the specified source. If the target source is a delimited file source, then the CSV file needs to be included in the request body. You will also need to set the Content-Type header to multipart/form-data. A token with ORG_ADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access Token
path Parameters
sourceId
required
string
Example: ef38f94347e94562b5bb8424a56397d8

Source Id

Request Body schema: multipart/form-data
file
string <binary>

The CSV file containing the source entitlements to aggregate.

Responses

Response samples

Content type
application/json
{
  • "id": "ef38f94347e94562b5bb8424a56397d8",
  • "type": "QUARTZ",
  • "uniqueName": "Cloud Group Aggregation",
  • "description": "Aggregate from the specified application",
  • "launcher": "John Doe",
  • "created": "2020-07-11T21:23:15.000Z",
  • "returns": [
    ]
}

SP-Config

Import and export configuration for some objects between tenants.

Initiates configuration objects export job

This post will export objects from the tenant to a JSON configuration file. For more information about the object types that currently support export functionality, refer to SaaS Configuration.

Authorizations:
Personal Access Token
Request Body schema: application/json

Export options control what will be included in the export.

description
string

Optional user defined description/name for export job.

excludeTypes
Array of strings
Items Enum: "ACCESS_PROFILE" "ACCESS_REQUEST_CONFIG" "ATTR_SYNC_SOURCE_CONFIG" "AUTH_ORG" "CAMPAIGN_FILTER" "CONNECTOR_RULE" "FORM_DEFINITION" "GOVERNANCE_GROUP" "IDENTITY_OBJECT_CONFIG" "IDENTITY_PROFILE" "LIFECYCLE_STATE" "NOTIFICATION_TEMPLATE" "PASSWORD_POLICY" "PASSWORD_SYNC_GROUP" "PUBLIC_IDENTITIES_CONFIG" "ROLE" "RULE" "SEGMENT" "SERVICE_DESK_INTEGRATION" "SOD_POLICY" "SOURCE" "TAG" "TRANSFORM" "TRIGGER_SUBSCRIPTION" "WORKFLOW"

Object type names to be excluded from an sp-config export command.

includeTypes
Array of strings
Items Enum: "ACCESS_PROFILE" "ACCESS_REQUEST_CONFIG" "ATTR_SYNC_SOURCE_CONFIG" "AUTH_ORG" "CAMPAIGN_FILTER" "CONNECTOR_RULE" "FORM_DEFINITION" "GOVERNANCE_GROUP" "IDENTITY_OBJECT_CONFIG" "IDENTITY_PROFILE" "LIFECYCLE_STATE" "NOTIFICATION_TEMPLATE" "PASSWORD_POLICY" "PASSWORD_SYNC_GROUP" "PUBLIC_IDENTITIES_CONFIG" "ROLE" "RULE" "SEGMENT" "SERVICE_DESK_INTEGRATION" "SOD_POLICY" "SOURCE" "TAG" "TRANSFORM" "TRIGGER_SUBSCRIPTION" "WORKFLOW"

Object type names to be included in an sp-config export command. IncludeTypes takes precedence over excludeTypes.

object

Additional options targeting specific objects related to each item in the includeTypes field

Responses

Request samples

Content type
application/json
Example

Export all object types available in IDN.

{
  • "description": "Export all available objects",
  • "excludeTypes": [ ],
  • "includeTypes": [
    ],
  • "objectOptions": { }
}

Response samples

Content type
application/json
{
  • "jobId": "3469b87d-48ca-439a-868f-2160001da8c1",
  • "status": "COMPLETE",
  • "type": "IMPORT",
  • "expiration": "2021-05-11T22:23:16Z",
  • "created": "2021-05-11T22:23:16Z",
  • "modified": "2021-05-11T22:23:16Z",
  • "description": "ETS configuration objects from Acme-Solar sandbox"
}

Get export job status

This gets the status of the export job identified by the id parameter. The request will need one of the following security scopes:

  • sp:config:read - sp:config:manage
Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the export job whose status will be returned.

Responses

Response samples

Content type
application/json
{
  • "jobId": "1e824aa0-4c6e-4f14-95e9-e7dc5234aa51",
  • "status": "COMPLETE",
  • "type": "EXPORT",
  • "message": null,
  • "description": "Export Job 1 Test",
  • "expiration": "2021-05-20T15:04:24Z",
  • "created": "2021-05-13T15:04:24.112Z",
  • "modified": "2021-05-13T15:04:27.363Z",
  • "completed": "2021-05-13T15:04:27.358Z"
}

Download export job result.

This endpoint gets the export file resulting from the export job with the requested id and downloads it to a file. The request will need one of the following security scopes:

  • sp:config:read - sp:config:manage
Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the export job whose results will be downloaded.

Responses

Response samples

Content type
application/json
{
  • "version": 1,
  • "timestamp": "2021-05-11T22:23:16Z",
  • "tenant": "sample-tenant",
  • "description": "Export Job 1 Test",
  • "options": {
    },
  • "objects": [
    ]
}

Initiates configuration objects import job

This post will import objects from a JSON configuration file into a tenant. By default, every import will first export all existing objects supported by sp-config as a backup before the import is attempted. The backup is provided so that the state of the configuration prior to the import is available for inspection or restore if needed. The backup can be skipped by setting "excludeBackup" to true in the import options. If a backup is performed, the id of the backup will be provided in the ImportResult as the "exportJobId". This can be downloaded using the /sp-config/export/{exportJobId}/download endpoint.

You cannot currently import from the Non-Employee Lifecycle Management (NELM) source. You cannot use this endpoint to back up or store NELM data.

For more information about the object types that currently support import functionality, refer to SaaS Configuration.

Authorizations:
Personal Access Token
query Parameters
preview
boolean
Default: false
Example: preview=true

This option is intended to give the user information about how an import operation would proceed, without having any effect on the target tenant. If this parameter is "true", no objects will be imported. Instead, the import process will pre-process the import file and attempt to resolve references within imported objects. The import result file will contain messages pertaining to how specific references were resolved, any errors associated with the preprocessing, and messages indicating which objects would be imported.

Request Body schema: multipart/form-data

The form-data "name" attribute for the file content must be "data".

Example

data: "config_export_0340b957-5caa-44f6-ada2-d3c4c5bd0b19.json",
options: {
  "excludeTypes": [],
  "includeTypes": ["TRIGGER_SUBSCRIPTION"],
  "objectOptions": {
    "TRIGGER_SUBSCRIPTION": {
      "includedIds": [ "193446a1-c431-4326-8ba7-d6eebf922948"],
      "includedNames":[]
    }
  },
  "defaultReferences": [
    {
      "type": "TRIGGER_SUBSCRIPTION",
      "id": "be9e116d-08e1-49fc-ab7f-fa585e96c9e4",
      "name": "Test Trigger"
    }
  ],
  "excludeBackup": false
}

Sample Import File

{
    "version": 1,
    "timestamp": "2021-05-10T15:19:23.425041-05:00",
    "tenant": "sampleTenant",
    "options": {
        "excludeTypes": [],
        "includeTypes": ["TRIGGER_SUBSCRIPTION"],
        "objectOptions": null
    },
    "objects": [{
            "version": 1,
            "self": {
                "type": "TRIGGER_SUBSCRIPTION",
                "name": "test trigger",
                "id": "193446a1-c431-4326-8ba7-d6eebf922948"
            },
            "object": {
                "type": "HTTP",
                "enabled": true,
                "httpConfig": {
                    "url": "https://localhost",
                    "httpAuthenticationType": "NO_AUTH",
                    "basicAuthConfig": null,
                    "bearerTokenAuthConfig": null,
                    "httpDispatchMode": "SYNC"
                },
                "triggerName": "Access Request Submitted",
                "responseDeadline": "PT1H",
                "name": "test trigger",
                "triggerId": "idn:access-request-pre-approval"
            }
        }
    ]
}
data
required
string <binary>

JSON file containing the objects to be imported.

object (Import Options)

Responses

Request samples

Content type
multipart/form-data
{
  "data": "config_export_0340b957-5caa-44f6-ada2-d3c4c5bd0b19.json",
  "options": {
    "excludeTypes": [],
    "includeTypes": [
      "TRIGGER_SUBSCRIPTION"
    ],
    "objectOptions": {
      "TRIGGER_SUBSCRIPTION": {
        "includedIds": [
          "be9e116d-08e1-49fc-ab7f-fa585e96c9e4"
        ],
        "includedNames": [
          "Lori Test 2"
        ]
      }
    },
    "defaultReferences": [
      {
        "type": "TRIGGER_SUBSCRIPTION",
        "id": "be9e116d-08e1-49fc-ab7f-fa585e96c9e4",
        "name": "Test Trigger"
      }
    ],
    "excludeBackup": false
  }
}

Response samples

Content type
application/json
{
  • "jobId": "3469b87d-48ca-439a-868f-2160001da8c1",
  • "status": "COMPLETE",
  • "type": "IMPORT",
  • "expiration": "2021-05-11T22:23:16Z",
  • "created": "2021-05-11T22:23:16Z",
  • "modified": "2021-05-11T22:23:16Z"
}

Get import job status

'This gets the status of the import job identified by the id parameter.

For more information about the object types that currently support import functionality, refer to SaaS Configuration.'

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the import job whose status will be returned.

Responses

Response samples

Content type
application/json
{
  • "jobId": "4fb10503-1c49-4603-8f8d-886e1f6aa47b",
  • "status": "COMPLETE",
  • "type": "IMPORT",
  • "message": "Download import results for details.",
  • "description": null,
  • "expiration": "2021-05-20T16:42:39Z",
  • "created": "2021-05-13T16:42:39.333Z",
  • "modified": "2021-05-13T16:42:40.71Z",
  • "completed": "2021-05-13T16:42:40.705Z"
}

Download import job result

This gets import file resulting from the import job with the requested id and downloads it to a file. The downloaded file will contain the results of the import operation, including any error, warning or informational messages associated with the import. The request will need the following security scope:

  • sp:config:manage
Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the import job whose results will be downloaded.

Responses

Response samples

Content type
application/json
{
  • "results": {
    },
  • "exportJobId": "be9e116d-08e1-49fc-ab7f-fa585e96c9e4"
}

List config objects

Get a list of object configurations that the tenant export/import service knows.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Suggested Entitlement Description

Use this API to implement Suggested Entitlement Description (SED) functionality. SED functionality leverages the power of LLM to generate suggested entitlement descriptions. Refer to GenAI Entitlement Descriptions to learn more about SED in Identity Security Cloud (ISC).

Submit sed batch stats request

'Submit Sed Batch Stats Request.

Submits batchId in the path param (e.g. {batchId}/stats). API responses with stats of the batchId.'

Authorizations:
Personal Access TokenClient Credentials
path Parameters
batchId
required
string <uuid>
Example: 8c190e67-87aa-4ed9-a90b-d9d5344523fb

Batch Id

Responses

Response samples

Content type
application/json
{
  • "batchComplete": true,
  • "batchId": "016629d1-1d25-463f-97f3-c6686846650",
  • "discoveredCount": 100,
  • "discoveryComplete": true,
  • "processedCount": 100
}

List Sed Batch Record

List Sed Batches. API responses with Sed Batch Records

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int64>
Default: 0

Offset

Integer specifying the offset of the first result from the beginning of the collection. The standard syntax described in V3 API Standard Collection Parameters. The offset value is record-based, not page-based, and the index starts at 0.

limit
integer <int64> [ 0 .. 250 ] characters
Default: 250
Example: limit=250

Limit

Integer specifying the maximum number of records to return in a single API call. The standard syntax described in V3 API Standard Collection Parameters. If it is not specified, a default limit is used.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored. The standard syntax described in V3 API Standard Collection Parameters. Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

count-only
boolean
Default: false
Example: count-only=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored. This parameter differs from the count parameter in that this one skips executing the actual query and always return an empty array.

status
string
Example: status=completed, failed, submitted, materialized, failed

Batch Status

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Submit sed batch request

Submit Sed Batch Request. Request body has one of the following: - a list of entitlement Ids - a list of SED Ids that user wants to have description generated by LLM. API responses with batchId that groups Ids together

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json-patch+json

Sed Batch Request

non-empty
entitlements
Array of strings or null non-empty

list of entitlement ids

seds
Array of strings or null non-empty

list of sed ids

object or null

Search criteria for the batch request.

Responses

Request samples

Content type
application/json-patch+json
{
  • "entitlements": [
    ],
  • "seds": [
    ],
  • "searchCriteria": {
    }
}

Response samples

Content type
application/json
{
  • "batchId": "016629d1-1d25-463f-97f3-c6686846650"
}

Submit bulk approval request

Submit Bulk Approval Request for SED. Request body takes list of SED Ids. API responses with list of SED Approval Status

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json-patch+json

Sed Approval

Array
items
Array of strings <uuid>

List of SED id's

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
[
  • {
    }
]

Submit sed assignment request

Submit Assignment Request. Request body has an assignee, and list of SED Ids that are assigned to that assignee API responses with batchId that groups all approval requests together

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json-patch+json

Sed Assignment Request

object (Sed Assignee)

Sed Assignee

items
Array of strings <uuid>

List of SED id's

Responses

Request samples

Content type
application/json-patch+json
{
  • "assignee": {
    },
  • "items": [
    ]
}

Response samples

Content type
application/json
{
  • "batchId": "016629d1-1d25-463f-97f3-c6686846650"
}

List suggested entitlement descriptions

List of Suggested Entitlement Descriptions (SED)

SED field descriptions:

batchId: the ID of the batch of entitlements that are submitted for description generation

displayName: the display name of the entitlement that we are generating a description for

sourceName: the name of the source associated with the entitlement that we are generating the description for

sourceId: the ID of the source associated with the entitlement that we are generating the description for

status: the status of the suggested entitlement description, valid status options: "requested", "suggested", "not_suggested", "failed", "assigned", "approved", "denied"

fullText: will filter suggested entitlement description records by text found in any of the following fields: entitlement name, entitlement display name, suggested description, source name

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=displayName co "Read and Write"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

batchId: eq, ne

displayName: eq, ne, co

sourceName: eq, ne, co

sourceId: eq, ne

status: eq, ne

fullText: co

sorters
string
Example: sorters=sorters=displayName

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: displayName, sourceName, status

count-only
boolean
Default: false
Example: count-only=count-only=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored. This parameter differs from the count parameter in that this one skips executing the actual query and always return an empty array.

requested-by-anyone
boolean
Default: false
Example: requested-by-anyone=requested-by-anyone=true

By default, the ListSeds API will only return items that you have requested to be generated.
This option will allow you to see all items that have been requested

show-pending-status-only
boolean
Default: false
Example: show-pending-status-only=show-pending-status-only=true

Will limit records to items that are in "suggested" or "approved" status

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Patch suggested entitlement description

Patch Suggested Entitlement Description

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string <uuid>
Example: ebab396f-0af1-4050-89b7-dafc63ec70e7

id is sed id

Request Body schema: application/json-patch+json

Sed Patch Request

Array
op
string

desired operation

path
string

field to be patched

value
any

value to replace with

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "Name": "BatchInvoiceProcessing",
  • "approved_by": "2c918086-76de-afbf-0176-f6d28f65565a",
  • "approved_type": "admin",
  • "approved_when": "2024-03-22 16:32:16.308857",
  • "attribute": "Role",
  • "description": "This entitlement allows automated processing of invoices in batches on a scheduled basis to streamline accounts payable procedures.",
  • "displayName": "AWS-Cloud-Billing",
  • "id": "ead281ee-12a9-40ac-9534-36b5d7d65d53",
  • "sourceId": "103f567b93ee49b991c40f9412f87643",
  • "sourceName": "IDN Salesforce",
  • "status": "suggested",
  • "suggestedDescription": "This entitlement allows automated processing of invoices in batches on a scheduled basis to streamline accounts payable",
  • "type": "group",
  • "value": "group"
}

Tagged Objects

Use this API to implement object tagging functionality. With object tagging functionality in place, any user in an organization can use tags as a way to group objects together and find them more quickly when the user searches Identity Security Cloud.

In Identity Security Cloud, users can search their tenants for information and add tags objects they find. Tagging an object provides users with a way of grouping objects together and makes it easier to find these objects in the future.

For example, if a user is searching for an entitlement that grants a risky level of access to Active Directory, it's possible that the user may have to search through hundreds of entitlements to find the correct one. Once the user finds that entitlement, the user can add a tag to the entitlement, "AD_RISKY" to make it easier to find the entitlement again. The user can add the same tag to multiple objects the user wants to group together for an easy future search, and the user can also do so in bulk. When the user wants to find that tagged entitlement again, the user can search for "tags:AD_RISKY" to find all objects with that tag.

With the API, you can tag even more different object types than you can in Identity Security Cloud (access profiles, entitlements, identities, and roles). You can use the API to tag all these objects:

  • Access profiles

  • Applications

  • Certification campaigns

  • Entitlements

  • Identities

  • Roles

  • SOD (separation of duties) policies

  • Sources

You can also use the API to directly find, create, and manage tagged objects without using search queries.

There are limits to tags:

  • You can have up to 500 different tags in your tenant.

  • You can apply up to 30 tags to one object.

  • You can have up to 10,000 tag associations, pairings of 1 tag to 1 object, in your tenant.

Because of these limits, it is recommended that you work with your governance experts and security teams to establish a list of tags that are most expressive of governance objects and access managed by Identity Security Cloud.

These are the types of information often expressed in tags:

  • Affected departments

  • Compliance and regulatory categories

  • Remediation urgency levels

  • Risk levels

Refer to Tagging Items in Search for more information about tagging objects in Identity Security Cloud.

List tagged objects

This API returns a list of all tagged objects.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=tagName eq "BU_FINANCE"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

objectRef.id: eq, in

objectRef.type: eq, in

tagName: eq, in

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Add tag to object

This adds a tag to an object.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
object (Tagged Object Dto)
tags
Array of strings

Labels to be applied to an Object

Responses

Request samples

Content type
application/json
{
  • "objectRef": {
    },
  • "tags": [
    ]
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List tagged objects by type

This API returns a list of all tagged objects by type.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
type
required
string
Enum: "ACCESS_PROFILE" "APPLICATION" "CAMPAIGN" "ENTITLEMENT" "IDENTITY" "ROLE" "SOD_POLICY" "SOURCE"
Example: ROLE

The type of tagged object to retrieve.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=objectRef.id eq "2c91808568c529c60168cca6f90c1313"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

objectRef.id: eq

objectRef.type: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get tagged object

This gets a tagged object for the specified type.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
type
required
string
Enum: "ACCESS_PROFILE" "APPLICATION" "CAMPAIGN" "ENTITLEMENT" "IDENTITY" "ROLE" "SOD_POLICY" "SOURCE"
Example: ROLE

The type of tagged object to retrieve.

id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the object reference to retrieve.

Responses

Response samples

Content type
application/json
{
  • "objectRef": {
    },
  • "tags": [
    ]
}

Update tagged object

This updates a tagged object for the specified type.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
type
required
string
Enum: "ACCESS_PROFILE" "APPLICATION" "CAMPAIGN" "ENTITLEMENT" "IDENTITY" "ROLE" "SOD_POLICY" "SOURCE"
Example: ROLE

The type of tagged object to update.

id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the object reference to update.

Request Body schema: application/json
object (Tagged Object Dto)
tags
Array of strings

Labels to be applied to an Object

Responses

Request samples

Content type
application/json
{
  • "objectRef": {
    },
  • "tags": [
    ]
}

Response samples

Content type
application/json
{
  • "objectRef": {
    },
  • "tags": [
    ]
}

Delete object tags

Delete all tags from a tagged object.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
type
required
string
Enum: "ACCESS_PROFILE" "APPLICATION" "CAMPAIGN" "ENTITLEMENT" "IDENTITY" "ROLE" "SOD_POLICY" "SOURCE"
Example: ROLE

The type of object to delete tags from.

id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the object to delete tags from.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Tag multiple objects

This API adds tags to multiple objects.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Supported object types are ACCESS_PROFILE, APPLICATION, CAMPAIGN, ENTITLEMENT, IDENTITY, ROLE, SOD_POLICY, SOURCE.

Array of objects (Tagged Object Dto)
tags
Array of strings

Label to be applied to an Object

operation
string
Default: "APPEND"
Enum: "APPEND" "MERGE"

If APPEND, tags are appended to the list of tags for the object. A 400 error is returned if this would add duplicate tags to the object.

If MERGE, tags are merged with the existing tags. Duplicate tags are silently ignored.

Responses

Request samples

Content type
application/json
{
  • "objectRefs": [
    ],
  • "tags": [
    ],
  • "operation": "MERGE"
}

Response samples

Content type
application/json
[
  • {
    }
]

Remove tags from multiple objects

This API removes tags from multiple objects.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

Supported object types are ACCESS_PROFILE, APPLICATION, CAMPAIGN, ENTITLEMENT, IDENTITY, ROLE, SOD_POLICY, SOURCE.

Array of objects (Tagged Object Dto)
tags
Array of strings

Label to be applied to an Object

Responses

Request samples

Content type
application/json
{
  • "objectRefs": [
    ],
  • "tags": [
    ]
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Task Management

Get task status by id

Get task status by task ID. Types of tasks include account and entitlement aggregation and other general background processing tasks. Data for tasks older than 90 days will not be returned.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 00eebcf881994e419d72e757fd30dc0e

Task ID.

Responses

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "type": "QUARTZ",
  • "uniqueName": "Big Task",
  • "description": "A Really Big Task",
  • "parentName": "Parent Task",
  • "launcher": "sweep",
  • "target": {
    },
  • "created": "2020-07-11T21:23:15.000Z",
  • "modified": "2020-07-11T21:23:15.000Z",
  • "launched": "2020-07-11T21:23:15.000Z",
  • "completed": "2020-07-11T21:23:15.000Z",
  • "completionStatus": "SUCCESS",
  • "messages": [
    ],
  • "returns": [
    ],
  • "attributes": {
    },
  • "progress": "Started",
  • "percentComplete": 100,
  • "taskDefinitionSummary": {
    }
}

Update task status by id

Update a current task status by task ID. Use this API to clear a pending task by updating the completionStatus and completed attributes.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 00eebcf881994e419d72e757fd30dc0e

Task ID.

Request Body schema: application/json-patch+json

The JSONPatch payload used to update the object.

Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "id12345",
  • "type": "QUARTZ",
  • "uniqueName": "Big Task",
  • "description": "A Really Big Task",
  • "parentName": "Parent Task",
  • "launcher": "sweep",
  • "target": {
    },
  • "created": "2020-07-11T21:23:15.000Z",
  • "modified": "2020-07-11T21:23:15.000Z",
  • "launched": "2020-07-11T21:23:15.000Z",
  • "completed": "2020-07-11T21:23:15.000Z",
  • "completionStatus": "SUCCESS",
  • "messages": [
    ],
  • "returns": [
    ],
  • "attributes": {
    },
  • "progress": "Started",
  • "percentComplete": 100,
  • "taskDefinitionSummary": {
    }
}

Retrieve task status list

Use this endpoint to get a list of statuses for all tasks, including completed, in-progress, terminated, and errored tasks. Types of tasks include account and entitlement aggregation and other general background processing tasks. Data for tasks older than 90 days will not be returned. For a list of in-progress tasks, use the retrieve pending task status list endpoint or apply the isnull filter to the Completion Status field.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=completionStatus eq "Success"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

sourceId: eq, in

completionStatus: eq, in, isnull

type: eq, in

Possible Values: CLOUD_ACCOUNT_AGGREGATION, CLOUD_GROUP_AGGREGATION, CLOUD_PROCESS_UNCORRELATED_ACCOUNTS, CLOUD_REFRESH_ROLE, SOURCE_APPLICATION_DISCOVERY, AI_AGENT_AGGREGATION, APPLICATION_DISCOVERY, MACHINE_IDENTITY_AGGREGATION, MACHINE_IDENTITY_DELETION, ACCOUNT_DELETION

sorters
string <comma-separated>
Example: sorters=-created

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: created

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieve pending task status list Deprecated

This API is being deprecated. Please use the task-status-list endpoint with isnull filtering on the completionStatus field to retrieve pending tasks. Example: /v2026/task-status?filters=completionStatus isnull

Retrieve a list of statuses for pending tasks. Types of tasks include account and entitlement aggregation and other general background processing tasks. Data for tasks older than 90 days will not be returned.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Retrieve pending task list headers Deprecated

This API is being deprecated. Please use the task-status-list endpoint with isnull filtering on the completionStatus field and count=true. Example: /v2026/task-status?count=true&filters=completionStatus isnull

Responds with headers only for list of task statuses for pending tasks.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Tenant

API for reading tenant details.

Get tenant information.

This rest endpoint can be used to retrieve tenant details.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
{
  • "id": "2c91808568c529c60168cca6f90c1324",
  • "name": "acme",
  • "fullName": "Acme, Inc",
  • "pod": "example-pod",
  • "region": "us-east-1",
  • "description": "Description of the Tenant",
  • "products": [
    ]
}

Tenant Context

The purpose of this API is to manage key-value pairs specific to a tenant's context, enabling dynamic configuration and personalized settings per tenant. Context key-value pairs will consist of common terms and acronyms used within your organization.

Retrieve tenant context

Returns all key-value pairs representing the current state of the tenant's context. Each tenant is limited to a maximum of 100 key-value pairs.

Authorizations:
Personal Access TokenClient Credentials

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Update tenant context

Allows the user to make incremental updates to tenant context records using JSON Patch syntax.

This endpoint is specifically designed to modify the /Key/* field, supporting operations such as add, remove, or replace to manage key-value pairs.

Note that each tenant is limited to a maximum of 100 key-value pairs.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json-patch+json
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
Example

This example shows how multiple context keys may be updated with a single patch call.

[
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
Example
{
  • "detailCode": "Bad Request",
  • "trackingId": "e9eaaeac516643ffa087cc476e7577c5",
  • "messages": [
    ]
}

Transforms

The purpose of this API is to expose functionality for the manipulation of Transform objects. Transforms are a form of configurable objects which define an easy way to manipulate attribute data without having to write code.

Refer to Transforms for more information about transforms.

List transforms

Gets a list of all saved transform objects.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

name
string
Example: name=ExampleTransformName123

Name of the transform to retrieve from the list.

filters
string
Example: filters=name eq "Uppercase"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

internal: eq

name: eq, sw

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Create transform

Creates a new transform object immediately. By default, the internal flag is set to false to indicate that this is a custom transform. Only SailPoint employees have the ability to create a transform with internal set to true. Newly created Transforms can be used in the Identity Profile mappings within the UI.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json

The transform to be created.

name
required
string [ 1 .. 50 ] characters

Unique name of this transform

type
required
string
Enum: "accountAttribute" "base64Decode" "base64Encode" "concat" "conditional" "dateCompare" "dateFormat" "dateMath" "decomposeDiacriticalMarks" "e164phone" "firstValid" "rule" "identityAttribute" "indexOf" "iso3166" "lastIndexOf" "leftPad" "lookup" "lower" "normalizeNames" "randomAlphaNumeric" "randomNumeric" "reference" "replaceAll" "replace" "rightPad" "split" "static" "substring" "trim" "upper" "usernameGenerator" "uuid" "displayName" "rfc5646"

The type of transform operation

Transform Operations
required
(accountAttribute (object or null)) or (base64Decode (object or null)) or (base64Encode (object or null)) or (concat (object or null)) or (conditional (object or null)) or (dateCompare (object or null)) or (dateFormat (object or null)) or (dateMath (object or null)) or (decomposeDiacriticalMarks (object or null)) or (e164phone (object or null)) or (firstValid (object or null)) or (rule ((TransformRule (object or null)) or (GenerateRandomString (object or null)) or (GetReferenceIdentityAttribute (object or null)))) or (identityAttribute (object or null)) or (indexOf (object or null)) or (iso3166 (object or null)) or (leftPad (object or null)) or (lookup (object or null)) or (lower (object or null)) or (nameNormalizer (object or null)) or (randomAlphaNumeric (object or null)) or (randomNumeric (object or null)) or (reference (object or null)) or (replaceAll (object or null)) or (replace (object or null)) or (rightPad (object or null)) or (split (object or null)) or (static (object or null)) or (substring (object or null)) or (trim (object or null)) or (upper (object or null)) or (uuid (object or null))

Meta-data about the transform. Values in this list are specific to the type of transform to be executed.

Responses

Request samples

Content type
application/json
{
  • "name": "Timestamp To Date",
  • "type": "dateFormat",
  • "attributes": {
    }
}

Response samples

Content type
application/json
{
  • "name": "Timestamp To Date",
  • "type": "dateFormat",
  • "attributes": {
    },
  • "id": "2cd78adghjkja34jh2b1hkjhasuecd",
  • "internal": false
}

Transform by id

This API returns the transform specified by the given ID.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2cd78adghjkja34jh2b1hkjhasuecd

ID of the transform to retrieve

Responses

Response samples

Content type
application/json
{
  • "name": "Timestamp To Date",
  • "type": "dateFormat",
  • "attributes": {
    },
  • "id": "2cd78adghjkja34jh2b1hkjhasuecd",
  • "internal": false
}

Update a transform

Replaces the transform specified by the given ID with the transform provided in the request body. Only the "attributes" field is mutable. Attempting to change other properties (ex. "name" and "type") will result in an error.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2cd78adghjkja34jh2b1hkjhasuecd

ID of the transform to update

Request Body schema: application/json

The updated transform object. Must include "name", "type", and "attributes" fields, but "name" and "type" must not be modified.

name
required
string [ 1 .. 50 ] characters

Unique name of this transform

type
required
string
Enum: "accountAttribute" "base64Decode" "base64Encode" "concat" "conditional" "dateCompare" "dateFormat" "dateMath" "decomposeDiacriticalMarks" "e164phone" "firstValid" "rule" "identityAttribute" "indexOf" "iso3166" "lastIndexOf" "leftPad" "lookup" "lower" "normalizeNames" "randomAlphaNumeric" "randomNumeric" "reference" "replaceAll" "replace" "rightPad" "split" "static" "substring" "trim" "upper" "usernameGenerator" "uuid" "displayName" "rfc5646"

The type of transform operation

Transform Operations
required
(accountAttribute (object or null)) or (base64Decode (object or null)) or (base64Encode (object or null)) or (concat (object or null)) or (conditional (object or null)) or (dateCompare (object or null)) or (dateFormat (object or null)) or (dateMath (object or null)) or (decomposeDiacriticalMarks (object or null)) or (e164phone (object or null)) or (firstValid (object or null)) or (rule ((TransformRule (object or null)) or (GenerateRandomString (object or null)) or (GetReferenceIdentityAttribute (object or null)))) or (identityAttribute (object or null)) or (indexOf (object or null)) or (iso3166 (object or null)) or (leftPad (object or null)) or (lookup (object or null)) or (lower (object or null)) or (nameNormalizer (object or null)) or (randomAlphaNumeric (object or null)) or (randomNumeric (object or null)) or (reference (object or null)) or (replaceAll (object or null)) or (replace (object or null)) or (rightPad (object or null)) or (split (object or null)) or (static (object or null)) or (substring (object or null)) or (trim (object or null)) or (upper (object or null)) or (uuid (object or null))

Meta-data about the transform. Values in this list are specific to the type of transform to be executed.

Responses

Request samples

Content type
application/json
{
  • "name": "Timestamp To Date",
  • "type": "dateFormat",
  • "attributes": {
    }
}

Response samples

Content type
application/json
{
  • "id": "2cd78adghjkja34jh2b1hkjhasuecd",
  • "name": "Timestamp To Date",
  • "type": "dateFormat",
  • "attributes": {
    },
  • "internal": false
}

Delete a transform

Deletes the transform specified by the given ID. Attempting to delete a transform that is used in one or more Identity Profile mappings will result in an error. If this occurs, you must first remove the transform from all mappings before deleting the transform.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 2cd78adghjkja34jh2b1hkjhasuecd

ID of the transform to delete

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Triggers

Event Triggers provide real-time updates to changes in Identity Security Cloud so you can take action as soon as an event occurs, rather than poll an API endpoint for updates. Identity Security Cloud provides a user interface within the admin console to create and manage trigger subscriptions. These endpoints allow for programatically creating and managing trigger subscriptions.

There are two types of event triggers:

  • FIRE_AND_FORGET: This trigger type will send a payload to each subscriber without needing a response. Each trigger of this type has a limit of 50 subscriptions.
  • REQUEST_RESPONSE: This trigger type will send a payload to a subscriber and expect a response back. Each trigger of this type may only have one subscription.

Available Event Triggers

Production ready event triggers that are available in all tenants.

Name ID Type Trigger condition
Access Request Dynamic Approval idn:access-request-dynamic-approver REQUEST_RESPONSE After an access request is submitted. Expects the subscriber to respond with the ID of an identity or workgroup to add to the approval workflow.
Access Request Decision idn:access-request-post-approval FIRE_AND_FORGET After an access request is approved.
Access Request Submitted idn:access-request-pre-approval REQUEST_RESPONSE After an access request is submitted. Expects the subscriber to respond with an approval decision.
Account Aggregation Completed idn:account-aggregation-completed FIRE_AND_FORGET After an account aggregation completed, terminated, failed.
Account Attributes Changed idn:account-attributes-changed FIRE_AND_FORGET After an account aggregation, and one or more account attributes have changed.
Account Correlated idn:account-correlated FIRE_AND_FORGET After an account is added to an identity.
Accounts Collected for Aggregation idn:aggregation-accounts-collected FIRE_AND_FORGET New, changed, and deleted accounts have been gathered during an aggregation and are being processed.
Campaign Activated idn:campaign-activated FIRE_AND_FORGET After a campaign is activated.
Campaign Ended idn:campaign-ended FIRE_AND_FORGET After a campaign ends.
Campaign Generated idn:campaign-generated FIRE_AND_FORGET After a campaign finishes generating.
Certification Signed Off idn:certification-signed-off FIRE_AND_FORGET After a certification is signed off by its reviewer.
Identity Attributes Changed idn:identity-attributes-changed FIRE_AND_FORGET After One or more identity attributes changed.
Identity Created idn:identity-created FIRE_AND_FORGET After an identity is created.
Provisioning Action Completed idn:post-provisioning FIRE_AND_FORGET After a provisioning action completed on a source.
Scheduled Search idn:saved-search-complete FIRE_AND_FORGET After a scheduled search completed.
Source Created idn:source-created FIRE_AND_FORGET After a source is created.
Source Deleted idn:source-deleted FIRE_AND_FORGET After a source is deleted.
Source Updated idn:source-updated FIRE_AND_FORGET After configuration changes have been made to a source.
VA Cluster Status Change idn:va-cluster-status-change FIRE_AND_FORGET After the status of a VA cluster has changed.

Access request decision Webhook

This event trigger fires after an access request is approved or denied. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Access Request Decision.

Authorizations:
Personal Access Token
Request Body schema: application/json
accessRequestId
required
string

The unique ID of the access request.

required
Array of objects (AccessItemRequestedForDto) [ 1 .. 10 ] items

Identities access was requested for.

required
Array of objects

Details on the outcome of each access item.

required
object

Access item requester's identity.

Request samples

Content type
application/json
{
  • "accessRequestId": "2c91808b6ef1d43e016efba0ce470904",
  • "requestedFor": [
    ],
  • "requestedItemsStatus": [
    ],
  • "requestedBy": {
    }
}

Access request dynamic approval Webhook

This event trigger fires after an access request is submitted but before the request is approved or denied. You can use this trigger as a way to route the access request to an additional approval step by an identity or governance group. This is a REQUEST_RESPONSE event trigger. This trigger type expects a response from the subscribers with directions about how to proceed with the event. You can only have one subscriber per event. For more information about this event trigger, refer to Access Request Dynamic Approval.

Note: If there is an active subscription to the Access Request Submitted trigger, this trigger is invoked after the Access Request Submitted trigger, only if the response to that trigger was to approve the request.

Authorizations:
Personal Access Token
Request Body schema: application/json
accessRequestId
required
string

The unique ID of the access request object. Can be used with the access request status endpoint to get the status of the request.

required
Array of objects (AccessItemRequestedForDto) [ 1 .. 10 ] items

Identities access was requested for.

required
Array of objects [ 1 .. 25 ] items

The access items that are being requested.

required
object

Access item requester's identity.

Request samples

Content type
application/json
{
  • "accessRequestId": "4b4d982dddff4267ab12f0f1e72b5a6d",
  • "requestedFor": [
    ],
  • "requestedItems": [
    ],
  • "requestedBy": {
    }
}

Access request submitted Webhook

This event trigger fires after an access request is submitted but before the request is approved or denied. A service subscribing to the trigger can respond in real-time to approve or deny the request. This is a REQUEST_RESPONSE event trigger. This trigger type expects a response from the subscribers with directions about how to proceed with the event. You can only have one subscriber per event. For more information about this event trigger, refer to Access Request Submitted.

Authorizations:
Personal Access Token
Request Body schema: application/json
accessRequestId
required
string

The unique ID of the access request.

required
Array of objects (AccessItemRequestedForDto) [ 1 .. 10 ] items

Identities access was requested for.

required
Array of objects [ 1 .. 25 ] items

Details of the access items being requested.

required
object

Access item requester's identity.

Request samples

Content type
application/json
{
  • "accessRequestId": "2c91808b6ef1d43e016efba0ce470904",
  • "requestedFor": [
    ],
  • "requestedItems": [
    ],
  • "requestedBy": {
    }
}

Account aggregation completed Webhook

This event trigger fires after a source aggregation has either succeeded or failed in collecting source accounts but before Identity Security Cloud (ISC) processes the aggregation. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Account Aggregation Completed.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

The source the accounts are being aggregated from.

status
required
any
Enum: "Success" "Failed" "Terminated"

The overall status of the aggregation.

started
required
string <date-time>

The date and time when the account aggregation started.

completed
required
string <date-time>

The date and time when the account aggregation finished.

errors
required
Array of strings or null

A list of errors that occurred during the aggregation.

warnings
required
Array of strings or null

A list of warnings that occurred during the aggregation.

required
object

Overall statistics about the account aggregation.

Request samples

Content type
application/json
{
  • "source": {
    },
  • "status": "Success",
  • "started": "2020-06-29T22:01:50.474Z",
  • "completed": "2020-06-29T22:02:04.090Z",
  • "errors": [
    ],
  • "warnings": [
    ],
  • "stats": {
    }
}

Accounts collected for aggregation Webhook

This event trigger fires when Identity Security Cloud has gathered the accounts on a source and is prepared to aggregate them. This trigger occurs after the accounts have been collected from the source but before the aggregation processing begins. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Reference to the source that has been aggregated.

status
required
any
Enum: "Success" "Failed" "Terminated"

The overall status of the collection.

started
required
string <date-time>

The date and time when the account collection started.

completed
required
string <date-time>

The date and time when the account collection finished.

errors
required
Array of strings or null

A list of errors that occurred during the collection.

warnings
required
Array of strings or null

A list of warnings that occurred during the collection.

required
object

Overall statistics about the account collection.

Request samples

Content type
application/json
{
  • "source": {
    },
  • "status": "Success",
  • "started": "2020-06-29T22:01:50.474Z",
  • "completed": "2020-06-29T22:02:04.090Z",
  • "errors": [
    ],
  • "warnings": [
    ],
  • "stats": {
    }
}

Account created Webhook

This event trigger fires when a new account is created in Identity Security Cloud. Accounts can be created via aggregations or provisioning, including when entitlements are added or removed. You could use this event trigger to fire a Workflow that notifies a source owner when an account is created. See Aggregating Accounts and Configuring Source Account Provisioning for more information about the scenarios that lead to account creation. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Account Created.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Details about the event.

required
object (AccountSourceReference)

Details about the account source.

required
object (AccountV2)

Details about the account.

required
object (IdentityReference-2)

Details about the identity correlated with the account.

Request samples

Content type
application/json
{
  • "event": {
    },
  • "source": {
    },
  • "account": {
    },
  • "identity": {
    }
}

Account deleted Webhook

This event trigger fires when an account is deleted in Identity Security Cloud. Accounts can be deleted via aggregations or provisioning. You could use this event trigger to fire a Workflow that takes additional actions after a privileged account has been deleted. See Aggregating Accounts and Configuring Source Account Provisioning for more information about the scenarios that lead to account deletion. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Account Deleted.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Details about the event.

required
object (AccountSourceReference)

Details about the account source.

required
object (AccountV2)

Details about the account.

required
object (IdentityReference-2)

Details about the identity correlated with the account.

Request samples

Content type
application/json
{
  • "event": {
    },
  • "source": {
    },
  • "account": {
    },
  • "identity": {
    }
}

Account updated Webhook

This event trigger fires when an account is updated in Identity Security Cloud. Accounts can be updated via aggregations or provisioning, including when entitlements are added or removed. You could use this event trigger to fire a Workflow that takes additional actions after a new entitlement has been provisioned to a privileged account. See Aggregating Accounts and Configuring Source Account Provisioning for more information about the scenarios that lead to account updates. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Account Updated.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Details about the event.

required
object (AccountSourceReference)

Details about the account source.

required
object (AccountV2)

Details about the account.

required
object (IdentityReference-2)

Details about the identity correlated with the account.

accountChangeTypes
required
Array of strings
Items Enum: "ATTRIBUTES_CHANGED" "ENTITLEMENTS_ADDED" "ENTITLEMENTS_REMOVED"

The types of changes that occurred to the account.

required
Array of objects or null

Details about the single-value attribute changes that occurred to the account.

required
Array of objects or null

Details about the multi-value attribute changes that occurred to the account.

required
Array of objects or null

Details about the entitlement changes that occurred to the account.

Request samples

Content type
application/json
{
  • "event": {
    },
  • "source": {
    },
  • "account": {
    },
  • "identity": {
    },
  • "accountChangeTypes": [
    ],
  • "singleValueAttributeChanges": [
    ],
  • "multiValueAttributeChanges": [
    ],
  • "entitlementChanges": [
    ]
}

Campaign activated Webhook

This event trigger fires after a certification campaign is activated. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Campaign Activated.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Details about the certification campaign that was activated.

Request samples

Content type
application/json
{
  • "campaign": {
    }
}

Campaign ended Webhook

This event trigger fires after a certification campaign ends. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Campaign Ended.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Details about the certification campaign that ended.

Request samples

Content type
application/json
{
  • "campaign": {
    }
}

Campaign generated Webhook

This event trigger fires after a certification campaign has generated and moved into the 'Preview Ready' state but hasn't been activated yet. A typical use case for this event trigger is to use it to immediately activate a campaign once it is generated. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Campaign Generated.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Details about the campaign that was generated.

Request samples

Content type
application/json
{
  • "campaign": {
    }
}

Certification signed off Webhook

This event trigger fires after a certification is signed off on and moves to the 'End' status. Do not confuse this event trigger with the Campaign End trigger. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Certification Sign Off.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object (Certification Dto)

The certification campaign that was signed off on.

Request samples

Content type
application/json
{
  • "certification": {
    }
}

Form submitted Webhook

This event trigger fires after a user has submitted a custom form in Identity Security Cloud (ISC). A typical use case for this trigger is to immediately take actions based on the data in the submitted form. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Form Submitted.

Authorizations:
Personal Access Token
Request Body schema: application/json
submittedAt
required
date-time

Date and time when the user submitted the form.

tenantId
required
string

ISC tenant's unique identifier.

formInstanceId
required
string

Form instance's unique identifier.

formDefinitionId
required
string

Form definition's unique identifier.

name
required
string

Form's name.

required
object

Origin of the form creation.

required
object

Identity who submitted the form.

required
object or null

Data in the submitted form.

Request samples

Content type
application/json
{
  • "submittedAt": "2020-06-29T22:01:50.474Z",
  • "tenantId": "2c9180845d1edece015d27a9717c3e19",
  • "formInstanceId": "2c9180835d2e5168015d32f890ca1582",
  • "formDefinitionId": "2c9180835d2e5168015d32f890ca1581",
  • "name": "Open Service Request",
  • "createdBy": {
    },
  • "submittedBy": {
    },
  • "formData": {
    }
}

Identity attributes changed Webhook

This event trigger fires when Identity Security Cloud (ISC) detects an identity attribute change. ISC identity attribute changes occur when account attributes aggregated from an authoritative source differ from an identity's current attributes during an identity refresh. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Identity Attributes Changed.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Identity whose attributes changed.

required
Array of objects

A list of one or more identity attributes that changed on the identity.

Request samples

Content type
application/json
{
  • "identity": {
    },
  • "changes": [
    ]
}

Identity created Webhook

This event trigger fires when Identity Security Cloud (ISC) detects a new identity during an aggregation and refresh from an authoritative source. ISC detects a new identity when it finds an account from an authoritative source that isn't correlated to an existing identity. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Identity Created.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Created identity.

required
object

The attributes assigned to the identity. Attributes are determined by the identity profile.

Request samples

Content type
application/json
{
  • "identity": {
    },
  • "attributes": {
    }
}

Machine Identity Created Webhook

This event trigger fires when a new machine identity is created in Identity Security Cloud. Machine identities can be created via the UI, endpoint, or aggregated. Machine identities can also be created via machine account to machine account mappings. You could use this event trigger to fire a Workflow that discovers machine identity owners when a machine identity is created. See Managing Application Identities, Managing AI Agents, Aggregating AI Agents or Mapping Machine Account Attributes for more information about the scenarios that lead to machine identity creation. Customers that have licensed Machine Identity Security or Agent Identity Security will receive this event trigger. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Machine Identity Created.

Authorizations:
Personal Access Token
Request Body schema: application/json
eventType
required
string
Value: "MACHINE_IDENTITY_CREATED"

Type of the event.

required
object

Details of the created machine identity.

Request samples

Content type
application/json
{
  • "eventType": "MACHINE_IDENTITY_CREATED",
  • "machineIdentity": {
    }
}

Machine Identity Updated Webhook

This event trigger fires when a machine identity is updated in Identity Security Cloud. Machine identities can be updated via the UI, endpoint, or aggregations. You could use this event trigger to fire a Workflow that notifies machine identity owners when a machine identity's owner list changes. See Managing Application Identities, Managing AI Agents or Aggregating AI Agents for more information about the scenarios that lead to machine identity updates. Customers that have licensed Machine Identity Security or Agent Identity Security will receive this event trigger. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Machine Identity Updated.

Authorizations:
Personal Access Token
Request Body schema: application/json
eventType
required
string
Value: "MACHINE_IDENTITY_UPDATED"

Type of the event.

required
object

Details of the updated machine identity.

machineIdentityChangeTypes
required
Array of strings
Items Enum: "ATTRIBUTES_CHANGED" "USER_ENTITLEMENTS_ADDED" "USER_ENTITLEMENTS_REMOVED" "OWNERS_ADDED" "OWNERS_REMOVED"

Types of changes that occurred to the machine identity.

required
object

Changes to user entitlements.

required
object

Changes to owners.

required
Array of objects or null

Details about the single-value attribute changes that occurred.

Request samples

Content type
application/json
{
  • "eventType": "MACHINE_IDENTITY_UPDATED",
  • "machineIdentity": {
    },
  • "machineIdentityChangeTypes": [
    ],
  • "userEntitlementChanges": {
    },
  • "ownerChanges": {
    },
  • "singleValueAttributeChanges": [
    ]
}

Machine Identity Deleted Webhook

This event trigger fires when a machine identity is deleted in Identity Security Cloud. Machine identities can be deleted via the UI, endpoint, or aggregations. Machine identities can also be auto-deleted when all account correlations to the machine identity are removed. You could use this event trigger to fire a Workflow that notifies machine identity owners when a machine identity is decommissioned. See Managing Application Identities, Managing AI Agents, Aggregating AI Agents, Mapping Machine Account Attributes for more information about the scenarios that lead to machine identity deletion. Customers that have licensed Machine Identity Security or Agent Identity Security will receive this event trigger. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Machine Identity Deleted.

Authorizations:
Personal Access Token
Request Body schema: application/json
eventType
required
string
Value: "MACHINE_IDENTITY_DELETED"

Type of the event.

required
object

Details of the deleted machine identity.

Request samples

Content type
application/json
{
  • "eventType": "MACHINE_IDENTITY_DELETED",
  • "machineIdentity": {
    }
}

Native change account created Webhook

This event trigger fires when Identity Security Cloud (ISC) aggregates data from an external source and detects that a new account exists on the source. The external source must meet these criteria for you to receive this type of event:

  • Native Change Detection (NCD) is enabled.
  • Account Create operations are monitored.
  • At least one attribute selected for monitoring has changed.

In addition to having NCD enabled, There are two ways to configure a source for NCD:

  • Invoke the 'Update Native Change Detection' configuration for each source you want to receive NCD events from.
  • Configure the NCD options on the source in the source configuration user interface (UI).

This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Native Change Account Created.

Authorizations:
Personal Access Token
Request Body schema: application/json
uuid
string

Source unique identifier for the identity. UUID is generated by the source system.

id
required
string

SailPoint generated unique identifier.

nativeIdentifier
required
string

Unique ID of the account on the source.

sourceId
required
string

The ID of the source.

sourceName
required
string

The name of the source.

identityId
required
string

The ID of the identity that is correlated with this account.

identityName
required
string

The name of the identity that is correlated with this account.

required
object

The attributes of the account. The contents of attributes depends on the account schema for the source.

Request samples

Content type
application/json
{
  • "uuid": "b7264868-7201-415f-9118-b581d431c688",
  • "id": "ee769173319b41d19ccec35ba52f237b",
  • "nativeIdentifier": "E009",
  • "sourceId": "2c918082814e693601816e09471b29b6",
  • "sourceName": "Active Directory",
  • "identityId": "ee769173319b41d19ccec6c235423237b",
  • "identityName": "john.doe",
  • "attributes": {
    }
}

Native change account deleted Webhook

This event trigger fires when Identity Security Cloud (ISC) aggregates data from an external source and detects that an account has been deleted from the source. The external source must meet these criteria for you to receive this type of event:

  • Native Change Detection (NCD) is enabled.
  • Account Delete operations are monitored.
  • At least one attribute selected for monitoring has changed.

In addition to having NCD enabled, There are two ways to configure a source for NCD:

  • Invoke the 'Update Native Change Detection' configuration for each source you want to receive NCD events from.
  • Configure the NCD options on the source in the source configuration user interface (UI).

A typical use for this event trigger would be to notify the correlated identity's manager and the source owner when the account is deleted. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Native Change Account Deleted.

Authorizations:
Personal Access Token
Request Body schema: application/json
uuid
string

Source unique identifier for the identity. UUID is generated by the source system.

id
required
string

SailPoint generated unique identifier.

nativeIdentifier
required
string

Unique ID of the account on the source.

sourceId
required
string

The ID of the source.

sourceName
required
string

The name of the source.

identityId
required
string

The ID of the identity that is correlated with this account.

identityName
required
string

The name of the identity that is correlated with this account.

required
object

The attributes of the account. The contents of attributes depends on the account schema for the source.

Request samples

Content type
application/json
{
  • "uuid": "b7264868-7201-415f-9118-b581d431c688",
  • "id": "ee769173319b41d19ccec35ba52f237b",
  • "nativeIdentifier": "E009",
  • "sourceId": "2c918082814e693601816e09471b29b6",
  • "sourceName": "Active Directory",
  • "identityId": "ee769173319b41d19ccec6c235423237b",
  • "identityName": "john.doe",
  • "attributes": {
    }
}

Native change account updated Webhook

This event trigger fires when Identity Security Cloud (ISC) aggregates data from an external source and detects that an account has been updated on the source. The external source must meet these criteria for you to receive this type of event:

  • Native Change Detection (NCD) is enabled.
  • Account Update operations are monitored.
  • At least one attribute selected for monitoring has changed.

In addition to having NCD enabled, There are two ways to configure a source for NCD:

  • Invoke the 'Update Native Change Detection' configuration for each source you want to receive NCD events from.
  • Configure the NCD options on the source in the source configuration user interface (UI).

A typical use for this event trigger would be to notify the correlated identity's manager and the source owner when the account is deleted. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Native Change Account Updated.

Authorizations:
Personal Access Token
Request Body schema: application/json
uuid
string

Source unique identifier for the identity. UUID is generated by the source system.

id
required
string

SailPoint generated unique identifier.

nativeIdentifier
required
string

Unique ID of the account on the source.

sourceId
required
string

The ID of the source.

sourceName
required
string

The name of the source.

identityId
required
string

The ID of the identity that is correlated with this account.

identityName
required
string

The name of the identity that is correlated with this account.

required
object

The attributes of the account. The contents of attributes depends on the account schema for the source.

Request samples

Content type
application/json
{
  • "uuid": "b7264868-7201-415f-9118-b581d431c688",
  • "id": "ee769173319b41d19ccec35ba52f237b",
  • "nativeIdentifier": "E009",
  • "sourceId": "2c918082814e693601816e09471b29b6",
  • "sourceName": "Active Directory",
  • "identityId": "ee769173319b41d19ccec6c235423237b",
  • "identityName": "john.doe",
  • "attributes": {
    }
}

Outlier detected Webhook

This event trigger fires when Identity Security Cloud (ISC) detects that identities have unusual access relative their peers. ISC calculates outliers daily, flags the outliers, and notifies the trigger's subscribers when it detects them. These are the requirements to use the trigger:

  • Your organization must have Access Insights, which it needs to access Identity Outliers.
  • Your organization must have at a configured source that it has loaded account data from.
  • Your organization's accound data must be onboarded into AI-Driven Identity Security.

This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Outlier Detected.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Identity with unusual access, relative to its peers.

outlierType
required
string
Value: "LOW_SIMILARITY"

Identity's outlier type.

score
required
number <decimal>

Dissimilarity score that determines whether the identity is an outlier, ranging from 0.0 to 1.0. The higher the score, the more likely the identity is an outlier.

Request samples

Content type
application/json
{
  • "identity": {
    },
  • "outlierType": "LOW_SIMILARITY",
  • "score": 0.82
}

Provisioning completed Webhook

This event trigger fires after Identity Security Cloud (ISC) provisions access to an account. This trigger provides organizations with a flexible way to extend the provisioning workflow after an identity's access has changed within ISC. These are the requirements to use the trigger:

  • An oAuth client must be configured with the ORG_ADMIN authority.
  • The organization has enabled the ARSENAL_ALLOW_POSTPROVISIONING_TRIGGERS feature flag.
  • Connectors are configured for provisioning into the target applications.
  • The organization is configured for automated provisioning. Different event contexts require different setups. For more information about these setups, refer to Provisioning Completed.

To provision access to a target application, the source's connector must support these features:

  • ENABLE: The ability to enable or disable accounts.
  • UNLOCK: The ability to lock or unlock accounts.
  • PROVISIONING: The ability to write to accounts.
  • PASSWORD: The ability to update account passwords.

For a list of supported connectors and features, refer to Identity Security Cloud Connectors. For more information about configuring sources for provisioning in ISC, refer to Configuring Source Account Provisioning. This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Provisioning Completed.

Authorizations:
Personal Access Token
Request Body schema: application/json
trackingNumber
required
string

The reference number of the provisioning request. Useful for tracking status in the Account Activity search interface.

sources
required
string

One or more sources that the provisioning transaction(s) were done against. Sources are comma separated.

action
string or null

Origin of where the provisioning request came from.

errors
Array of strings or null

A list of any accumulated error messages that occurred during provisioning.

warnings
Array of strings or null

A list of any accumulated warning messages that occurred during provisioning.

required
object

Provisioning recpient.

object or null

Provisioning requester's identity.

required
Array of objects

A list of provisioning instructions to be executed on a per-account basis. The order in which operations are executed may not always be predictable.

Request samples

Content type
application/json
{
  • "trackingNumber": "4b4d982dddff4267ab12f0f1e72b5a6d",
  • "sources": "Corp AD, Corp LDAP, Corp Salesforce",
  • "action": "IdentityRefresh",
  • "errors": [
    ],
  • "warnings": [
    ],
  • "recipient": {
    },
  • "requester": {
    },
  • "accountRequests": [
    ]
}

Scheduled search Webhook

This event trigger fires after Identity Security Cloud (ISC) generates a report from a saved search. In ISC, users can subscribe to saved searches to receive an email report generated by the saved search. They can then set a schedule for when those saved searches generate reports, such as daily at 6:00 GMT. The trigger can notify an external HTTP application that ISC has generated a report from a saved search and the report is ready to be processed. These are some typical use cases for the trigger:

  • Perform continous checks for Separation of Duties (SOD) violations, for quality control.
  • Respond to upcoming Joiner-Mover-Leaver (JML) scenarios, such as deprovisioning access before an employee's separation date.

This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Scheduled Search.

Authorizations:
Personal Access Token
Request Body schema: application/json
fileName
required
string

A name for the report file.

ownerEmail
required
string

The email address of the identity that owns the saved search.

ownerName
required
string

The name of the identity that owns the saved search.

query
required
string

The search query that was used to generate the report.

searchName
required
string

The name of the saved search.

required
object

A preview of the search results for each object type. This includes a count as well as headers, and the first several rows of data, per object type.

signedS3Url
required
string

The Amazon S3 URL to download the report from.

Request samples

Content type
application/json
{}

Source created Webhook

This event trigger fires when a new source is created in Identity Security Cloud (ISC), by either the API or the Admin UI. These are some typical use cases for the trigger:

  • Provide evidence to auditors to show that connector logic and sources are maintained by proper change control processes and aren't vulnerable to outside manipulation.
  • Auto-configure new sources with proper owners, using external data sources.

This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Source Created.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
required
string

The unique ID of the source.

name
required
string

Human friendly name of the source.

type
required
string

The connection type.

created
required
string <date-time>

The date and time the source was created.

connector
required
string

The connector type used to connect to the source.

required
object

Identity who created the source.

Request samples

Content type
application/json
{
  • "id": "2c9180866166b5b0016167c32ef31a66",
  • "name": "Test source",
  • "type": "DIRECT_CONNECT",
  • "created": "2021-03-29T22:01:50.474Z",
  • "connector": "active-directory",
  • "actor": {
    }
}

Source deleted Webhook

This event trigger fires when a new source is deleted from Identity Security Cloud (ISC), by either the API or the Admin UI. These are some typical use cases for the trigger:

  • Provide evidence to auditors to show that connector logic and sources are maintained by proper change control processes and aren't vulnerable to outside manipulation.
  • Alert admins when a source is incorrectly deleted.

This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Source Created.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
required
string

The unique ID of the source.

name
required
string

Human friendly name of the source.

type
required
string

The connection type.

deleted
required
string <date-time>

The date and time the source was deleted.

connector
required
string

The connector type used to connect to the source.

required
object

Identity who deleted the source.

Request samples

Content type
application/json
{
  • "id": "2c9180866166b5b0016167c32ef31a66",
  • "name": "Test source",
  • "type": "DIRECT_CONNECT",
  • "deleted": "2021-03-29T22:01:50.474Z",
  • "connector": "active-directory",
  • "actor": {
    }
}

Source updated Webhook

This event trigger fires when a new source's configuration is changed in Identity Security Cloud (ISC). These are some typical use cases for the trigger:

  • Provide evidence to auditors to show that connector logic and sources are maintained by proper change control processes and aren't vulnerable to outside manipulation.
  • Trigger review for an updated source.

This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Source Created.

Authorizations:
Personal Access Token
Request Body schema: application/json
id
required
string

The unique ID of the source.

name
required
string

The user friendly name of the source.

type
required
string

The connection type of the source.

modified
required
string <date-time>

The date and time the source was modified.

connector
required
string

The connector type used to connect to the source.

required
object

Identity who updated the source.

Request samples

Content type
application/json
{
  • "id": "2c9180866166b5b0016167c32ef31a66",
  • "name": "Corporate Active Directory",
  • "type": "DIRECT_CONNECT",
  • "modified": "2021-03-29T22:01:50.474Z",
  • "connector": "active-directory",
  • "actor": {
    }
}

Va cluster status change Webhook

This event trigger fires when Identity Security Cloud (ISC) runs a health check on a virtual appliance (VA) cluster, and the cluster's health status is different from the previous health check, such as a change from healthy to unhealthy or the opposite. VA cluster health checks run every 30 minutes. Users can use this trigger to monitor all their VA clusters' health status changes. These are some typical use cases for the trigger:

  • Create real-time health dashboards for VA clusters.
  • Notify an admin or system to take appropriate actions when a VA cluster's health status changes.

This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Source Created.

Authorizations:
Personal Access Token
Request Body schema: application/json
created
required
string <date-time>

The date and time the status change occurred.

type
required
any
Enum: "SOURCE" "CLUSTER"

The type of the object that initiated this event.

required
object

Details about the CLUSTER or SOURCE that initiated this event.

required
object

The results of the most recent health check.

required
object

The results of the last health check.

Request samples

Content type
application/json
{
  • "created": "2020-06-29T22:01:50.474Z",
  • "type": "CLUSTER",
  • "application": {
    },
  • "healthCheckResult": {
    },
  • "previousHealthCheckResult": {
    }
}

Identity deleted Webhook

This event trigger fires after an identity has been completely deleted from Identity Security Cloud (ISC). ISC only deletes an identity when it meets all these requirements:

  • It has no correlated accounts.
  • It's not an owner of a role, access profile, application, source, or task result.
  • It's not an owner or requester of a work item.
  • It's not a protected account or manager.
  • It has no assigned capabilities, such as being an assigned certification reviewer.
  • It's not involved in any active certification as a target (its access is not being certified).

These are some typical use cases for the trigger:

  • Notify an administrator or system to take the appropriate provisioning actions as part of the leaver workflow.
  • Notify a system to trigger another action, such as deactivating an employee's badge upon termination.

This is a FIRE_AND_FORGET event trigger. You can have a maximum of 50 subscriptions for this trigger. For more information about this event trigger, refer to Identity Deleted.

Note: This is an early access event trigger. Contact support to enable it on your tenant.

Authorizations:
Personal Access Token
Request Body schema: application/json
required
object

Deleted identity.

required
object

The attributes assigned to the identity. Attributes are determined by the identity profile.

Request samples

Content type
application/json
{
  • "identity": {
    },
  • "attributes": {
    }
}

List triggers

Gets a list of triggers that are available in the tenant.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "idn:access-request-post-approval"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, ge, le

sorters
string <comma-separated>
Example: sorters=name

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create a subscription

This API creates a new subscription to a trigger and defines trigger invocation details. The type of subscription determines which config object is required:

  • HTTP subscriptions require httpConfig
  • EventBridge subscriptions require eventBridgeConfig
Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
name
required
string

Subscription name.

description
string

Subscription description.

triggerId
required
string

ID of trigger subscribed to.

type
required
string (SubscriptionType)
Enum: "HTTP" "EVENTBRIDGE" "INLINE" "SCRIPT" "WORKFLOW"

Subscription type. NOTE If type is EVENTBRIDGE, then eventBridgeConfig is required. If type is HTTP, then httpConfig is required.

responseDeadline
string
Default: "PT1H"

Deadline for completing REQUEST_RESPONSE trigger invocation, represented in ISO-8601 duration format.

object (Http Config)
object (Event Bridge Config)
enabled
boolean
Default: true

Whether subscription should receive real-time trigger invocations or not.

Test trigger invocations are always enabled regardless of this option.

filter
string

JSONPath filter to conditionally invoke trigger when expression evaluates to true.

JSONPath filter documentation

Responses

Request samples

Content type
application/json
Example
{
  • "name": "Access request subscription",
  • "description": "Access requested to site xyz",
  • "triggerId": "idn:access-requested",
  • "type": "HTTP",
  • "httpConfig": {
    },
  • "enabled": true,
  • "filter": "$[?($.identityId == \"201327fda1c44704ac01181e963d463c\")]"
}

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "Access request subscription",
  • "description": "Access requested to site xyz",
  • "triggerId": "idn:access-request-post-approval",
  • "triggerName": "Access Requested",
  • "type": "HTTP",
  • "responseDeadline": "PT1H",
  • "httpConfig": {
    },
  • "eventBridgeConfig": {
    },
  • "enabled": true,
  • "filter": "$[?($.identityId == \"201327fda1c44704ac01181e963d463c\")]"
}

List subscriptions

Gets a list of all trigger subscriptions.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "12cff757-c0c0-413b-8ad7-2a47956d1e89"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq

triggerId: eq

type: eq, le

sorters
string <comma-separated>
Example: sorters=triggerName

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: triggerId, triggerName

Responses

Response samples

Content type
application/json
Example
[
  • {
    }
]

Update a subscription

This API updates a trigger subscription in IdentityNow, using a full object representation. In other words, the existing Subscription is completely replaced. The following fields are immutable:

  • id

  • triggerId

Attempts to modify these fields result in 400.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 0f11f2a4-7c94-4bf3-a2bd-742580fe3bde

Subscription ID

Request Body schema: application/json
name
string

Subscription name.

description
string

Subscription description.

type
string (SubscriptionType)
Enum: "HTTP" "EVENTBRIDGE" "INLINE" "SCRIPT" "WORKFLOW"

Subscription type. NOTE If type is EVENTBRIDGE, then eventBridgeConfig is required. If type is HTTP, then httpConfig is required.

responseDeadline
string
Default: "PT1H"

Deadline for completing REQUEST_RESPONSE trigger invocation, represented in ISO-8601 duration format.

object (Http Config)
object (Event Bridge Config)
enabled
boolean
Default: true

Whether subscription should receive real-time trigger invocations or not.

Test trigger invocations are always enabled regardless of this option.

filter
string

JSONPath filter to conditionally invoke trigger when expression evaluates to true.

JSONPath filter documentation

Responses

Request samples

Content type
application/json
Example
{
  • "name": "Access request subscription",
  • "description": "Access requested to site xyz",
  • "type": "HTTP",
  • "httpConfig": {
    },
  • "enabled": true,
  • "filter": "$[?($.identityId == \"201327fda1c44704ac01181e963d463c\")]"
}

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "Access request subscription",
  • "description": "Access requested to site xyz",
  • "triggerId": "idn:access-request-post-approval",
  • "triggerName": "Access Requested",
  • "type": "HTTP",
  • "responseDeadline": "PT1H",
  • "httpConfig": {
    },
  • "eventBridgeConfig": {
    },
  • "enabled": true,
  • "filter": "$[?($.identityId == \"201327fda1c44704ac01181e963d463c\")]"
}

Patch a subscription

This API updates a trigger subscription in IdentityNow, using a set of instructions to modify a subscription partially. The following fields are patchable:

name, description, enabled, type, filter, responseDeadline, httpConfig, eventBridgeConfig, workflowConfig

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 0f11f2a4-7c94-4bf3-a2bd-742580fe3bde

ID of the Subscription to patch

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string or integer or object or (Array of strings or integers or objects)

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json
[
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "name": "Access request subscription",
  • "description": "Access requested to site xyz",
  • "triggerId": "idn:access-request-post-approval",
  • "triggerName": "Access Requested",
  • "type": "HTTP",
  • "responseDeadline": "PT1H",
  • "httpConfig": {
    },
  • "eventBridgeConfig": {
    },
  • "enabled": true,
  • "filter": "$[?($.identityId == \"201327fda1c44704ac01181e963d463c\")]"
}

Delete a subscription

Deletes an existing subscription to a trigger.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 0f11f2a4-7c94-4bf3-a2bd-742580fe3bde

Subscription ID

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Validate a subscription filter

Validates a JSONPath filter expression against a provided mock input. Request requires a security scope of:

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
input
required
object

Mock input to evaluate filter expression against.

filter
required
string

JSONPath filter to conditionally invoke trigger when expression evaluates to true.

JSONPath filter documentation

Responses

Request samples

Content type
application/json
{
  • "input": {
    },
  • "filter": "$[?($.identityId == \"201327fda1c44704ac01181e963d463c\")]"
}

Response samples

Content type
application/json
{
  • "isValid": true,
  • "isValidJSONPath": true,
  • "isPathExist": true
}

List latest invocation statuses

Gets a list of latest invocation statuses. Statuses of successful invocations are available for up to 24 hours. Statuses of failed invocations are available for up to 48 hours. This endpoint may only fetch up to 2000 invocations, and should not be treated as a representation of the full history of invocations.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=triggerId eq "idn:access-request-dynamic-approver"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

triggerId: eq

subscriptionId: eq

sorters
string <comma-separated>
Example: sorters=created

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: triggerId, subscriptionName, created, completed

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Complete trigger invocation

Completes an invocation to a REQUEST_RESPONSE type trigger.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 0f11f2a4-7c94-4bf3-a2bd-742580fe3bde

The ID of the invocation to complete.

Request Body schema: application/json
secret
required
string

Unique invocation secret that was generated when the invocation was created. Required to authenticate to the endpoint.

error
string

The error message to indicate a failed invocation or error if any.

output
required
object

Trigger output to complete the invocation. Its schema is defined in the trigger definition.

Responses

Request samples

Content type
application/json
{
  • "secret": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  • "output": {
    }
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Start a test invocation

Initiate a test event for all subscribers of the specified event trigger. If there are no subscribers to the specified trigger in the tenant, then no test event will be sent.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
triggerId
required
string

Trigger ID

input
object

Mock input to use for test invocation. This must adhere to the input schema defined in the trigger being invoked. If this property is omitted, then the default trigger sample payload will be sent.

contentJson
required
object

JSON map of invocation metadata.

subscriptionIds
Array of strings

Only send the test event to the subscription IDs listed. If omitted, the test event will be sent to all subscribers.

Responses

Request samples

Content type
application/json
Example
{
  • "triggerId": "idn:access-requested",
  • "input": {
    },
  • "contentJson": {
    }
}

Response samples

Content type
application/json
[
  • {
    }
]

UI Metadata

API for managing UI Metadata. Use this API to manage metadata about your User Interface. For example you can set the iFrameWhitelist parameter to permit another domain to encapsulate IDN within an iframe or set the usernameEmptyText to change the placeholder text for Username on your tenant's login screen.

Get a tenant ui metadata

This API endpoint retrieves UI metadata configured for your tenant.

Authorizations:
Personal Access TokenClient Credentials
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "iframeWhiteList": "http://example.com http://example2.com",
  • "usernameLabel": "Email",
  • "usernameEmptyText": "Please provide your work email address..."
}

Update tenant ui metadata

This API endpoint updates UI metadata for your tenant. These changes may require up to 5 minutes to take effect on the UI.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
iframeWhiteList
string or null

Parameter that organizational administrators can adjust to permit another domain to encapsulate IDN within an iframe. If you would like to reset the value use "null". It will only allow include into iframe non authenticated portions of the product, such as password reset.

usernameLabel
string or null

Descriptor for the username input field. If you would like to reset the value use "null".

usernameEmptyText
string or null

Placeholder text displayed in the username input field. If you would like to reset the value use "null".

Responses

Request samples

Content type
application/json
{
  • "iframeWhiteList": "http://example.com http://example2.com",
  • "usernameLabel": "Email",
  • "usernameEmptyText": "Please provide your work email address..."
}

Response samples

Content type
application/json
{
  • "iframeWhiteList": "http://example.com http://example2.com",
  • "usernameLabel": "Email",
  • "usernameEmptyText": "Please provide your work email address..."
}

Work Items

Use this API to implement work item functionality. With this functionality in place, users can manage their work items (tasks).

Work items refer to the tasks users see in Identity Security Cloud's Task Manager. They can see the pending work items they need to complete, as well as the work items they have already completed. Task Manager lists the work items along with the involved sources, identities, accounts, and the timestamp when the work item was created. For example, a user may see a pending 'Create an Account' work item for the identity Fred.Astaire in GitHub for Fred's GitHub account, fred-astaire-sp. Once the user completes the work item, the work item will be listed with his or her other completed work items.

To complete work items, users can use their dashboards and select the 'My Tasks' widget. The widget will list any work items they need to complete, and they can select the work item from the list to review its details. When they complete the work item, they can select 'Mark Complete' to add it to their list of completed work items.

Refer to Task Manager for more information about work items, including the different types of work items users may need to complete.

List work items

This gets a collection of work items belonging to either the specified user(admin required), or the current user.

Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

ownerId
string
Example: ownerId=1211bcaa32112bcef6122adb21cef1ac

ID of the work item owner.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Completed work items

This gets a collection of completed work items belonging to either the specified user(admin required), or the current user.

Authorizations:
Personal Access Token
query Parameters
ownerId
string
Example: ownerId=1211bcaa32112bcef6122adb21cef1ac

The id of the owner of the work item list being requested. Either an admin, or the owning/current user must make this request.

limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Count work items

This gets a count of work items belonging to either the specified user(admin required), or the current user.

Authorizations:
Personal Access Token
query Parameters
ownerId
string
Example: ownerId=ef38f94347e94562b5bb8424a56397d8

ID of the work item owner.

Responses

Response samples

Content type
application/json
{
  • "count": 29
}

Count completed work items

This gets a count of completed work items belonging to either the specified user(admin required), or the current user.

Authorizations:
Personal Access Token
query Parameters
ownerId
string

ID of the work item owner.

Responses

Response samples

Content type
application/json
{
  • "count": 29
}

Work items summary

This gets a summary of work items belonging to either the specified user(admin required), or the current user.

Authorizations:
Personal Access Token
query Parameters
ownerId
string
Example: ownerId=1211bcaa32112bcef6122adb21cef1ac

ID of the work item owner.

Responses

Response samples

Content type
application/json
{
  • "open": 29,
  • "completed": 1,
  • "total": 30
}

Get a work item

This gets the details of a Work Item belonging to either the specified user(admin required), or the current user.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: 2c9180835d191a86015d28455b4a2329

ID of the work item.

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "requesterId": "2c9180835d2e5168015d32f890ca1581",
  • "requesterDisplayName": "John Smith",
  • "ownerId": "2c9180835d2e5168015d32f890ca1581",
  • "ownerName": "Jason Smith",
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "description": "Create account on source 'AD'",
  • "state": "Finished",
  • "type": "Generic",
  • "remediationItems": [
    ],
  • "approvalItems": [
    ],
  • "name": "Account Create",
  • "completed": "2018-10-19T13:49:37.385Z",
  • "numItems": 19,
  • "form": {
    },
  • "errors": [
    ]
}

Complete a work item

This API completes a work item. Either an admin, or the owning/current user must make this request.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the work item

Request Body schema: application/json

Body is the request payload to create form definition request

string or null

Responses

Request samples

Content type
application/json
"string"

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "requesterId": "2c9180835d2e5168015d32f890ca1581",
  • "requesterDisplayName": "John Smith",
  • "ownerId": "2c9180835d2e5168015d32f890ca1581",
  • "ownerName": "Jason Smith",
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "description": "Create account on source 'AD'",
  • "state": "Finished",
  • "type": "Generic",
  • "remediationItems": [
    ],
  • "approvalItems": [
    ],
  • "name": "Account Create",
  • "completed": "2018-10-19T13:49:37.385Z",
  • "numItems": 19,
  • "form": {
    },
  • "errors": [
    ]
}

Approve an approval item

This API approves an Approval Item. Either an admin, or the owning/current user must make this request.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the work item

approvalItemId
required
string
Example: 1211bcaa32112bcef6122adb21cef1ac

The ID of the approval item.

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "requesterId": "2c9180835d2e5168015d32f890ca1581",
  • "requesterDisplayName": "John Smith",
  • "ownerId": "2c9180835d2e5168015d32f890ca1581",
  • "ownerName": "Jason Smith",
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "description": "Create account on source 'AD'",
  • "state": "Finished",
  • "type": "Generic",
  • "remediationItems": [
    ],
  • "approvalItems": [
    ],
  • "name": "Account Create",
  • "completed": "2018-10-19T13:49:37.385Z",
  • "numItems": 19,
  • "form": {
    },
  • "errors": [
    ]
}

Reject an approval item

This API rejects an Approval Item. Either an admin, or the owning/current user must make this request.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the work item

approvalItemId
required
string
Example: 1211bcaa32112bcef6122adb21cef1ac

The ID of the approval item.

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "requesterId": "2c9180835d2e5168015d32f890ca1581",
  • "requesterDisplayName": "John Smith",
  • "ownerId": "2c9180835d2e5168015d32f890ca1581",
  • "ownerName": "Jason Smith",
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "description": "Create account on source 'AD'",
  • "state": "Finished",
  • "type": "Generic",
  • "remediationItems": [
    ],
  • "approvalItems": [
    ],
  • "name": "Account Create",
  • "completed": "2018-10-19T13:49:37.385Z",
  • "numItems": 19,
  • "form": {
    },
  • "errors": [
    ]
}

Bulk approve approval items

This API bulk approves Approval Items. Either an admin, or the owning/current user must make this request.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the work item

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "requesterId": "2c9180835d2e5168015d32f890ca1581",
  • "requesterDisplayName": "John Smith",
  • "ownerId": "2c9180835d2e5168015d32f890ca1581",
  • "ownerName": "Jason Smith",
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "description": "Create account on source 'AD'",
  • "state": "Finished",
  • "type": "Generic",
  • "remediationItems": [
    ],
  • "approvalItems": [
    ],
  • "name": "Account Create",
  • "completed": "2018-10-19T13:49:37.385Z",
  • "numItems": 19,
  • "form": {
    },
  • "errors": [
    ]
}

Bulk reject approval items

This API bulk rejects Approval Items. Either an admin, or the owning/current user must make this request.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the work item

Responses

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "requesterId": "2c9180835d2e5168015d32f890ca1581",
  • "requesterDisplayName": "John Smith",
  • "ownerId": "2c9180835d2e5168015d32f890ca1581",
  • "ownerName": "Jason Smith",
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "description": "Create account on source 'AD'",
  • "state": "Finished",
  • "type": "Generic",
  • "remediationItems": [
    ],
  • "approvalItems": [
    ],
  • "name": "Account Create",
  • "completed": "2018-10-19T13:49:37.385Z",
  • "numItems": 19,
  • "form": {
    },
  • "errors": [
    ]
}

Submit account selections

This API submits account selections. Either an admin, or the owning/current user must make this request.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the work item

Request Body schema: application/json

Account Selection Data map, keyed on fieldName

property name*
additional property
any

Responses

Request samples

Content type
application/json
{
  • "fieldName": "fieldValue"
}

Response samples

Content type
application/json
{
  • "id": "2c9180835d2e5168015d32f890ca1581",
  • "requesterId": "2c9180835d2e5168015d32f890ca1581",
  • "requesterDisplayName": "John Smith",
  • "ownerId": "2c9180835d2e5168015d32f890ca1581",
  • "ownerName": "Jason Smith",
  • "created": "2017-07-11T18:45:37.098Z",
  • "modified": "2018-06-25T20:22:28.104Z",
  • "description": "Create account on source 'AD'",
  • "state": "Finished",
  • "type": "Generic",
  • "remediationItems": [
    ],
  • "approvalItems": [
    ],
  • "name": "Account Create",
  • "completed": "2018-10-19T13:49:37.385Z",
  • "numItems": 19,
  • "form": {
    },
  • "errors": [
    ]
}

Forward a work item

This API forwards a work item to a new owner. Either an admin, or the owning/current user must make this request.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: ef38f94347e94562b5bb8424a56397d8

The ID of the work item

Request Body schema: application/json
targetOwnerId
required
string

The ID of the identity to forward this work item to.

comment
required
string

Comments to send to the target owner

sendNotifications
boolean
Default: true

If true, send a notification to the target owner.

Responses

Request samples

Content type
application/json
{
  • "targetOwnerId": "2c9180835d2e5168015d32f890ca1581",
  • "comment": "I'm going on vacation.",
  • "sendNotifications": true
}

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Work Reassignment

Use this API to implement work reassignment functionality.

Work Reassignment allows access request reviews, certifications, and manual provisioning tasks assigned to a user to be reassigned to a different user. This is primarily used for:

  • Temporarily redirecting work for users who are out of office, such as on vacation or sick leave
  • Permanently redirecting work for users who should not be assigned these tasks at all, such as senior executives or service identities

Users can define reassignments for themselves, managers can add them for their team members, and administrators can configure them on any user's behalf. Work assigned during the specified reassignment timeframes will be automatically reassigned to the designated user as it is created.

Refer to Work Reassignment for more information about this topic.

List reassignment config types

Gets a collection of types which are available in the Reassignment Configuration UI.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List reassignment configurations

Gets all Reassignment configuration for the current org.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create a reassignment configuration

Creates a new Reassignment Configuration for the specified identity.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
reassignedFromId
string

The identity id to reassign an item from

reassignedToId
string

The identity id to reassign an item to

configType
string (ConfigTypeEnum)
Enum: "ACCESS_REQUESTS" "CERTIFICATIONS" "MANUAL_TASKS" "GENERIC_APPROVALS"

Enum list of valid work types that can be selected for a Reassignment Configuration

startDate
string <date-time>

The date from which to start reassigning work items

endDate
string or null <date-time>

The date from which to stop reassigning work items. If this is an null string it indicates a permanent reassignment.

Responses

Request samples

Content type
application/json
{
  • "reassignedFromId": "2c91808781a71ddb0181b9090b5c504e",
  • "reassignedToId": "2c91808781a71ddb0181b9090b53504a",
  • "configType": "ACCESS_REQUESTS",
  • "startDate": "2022-07-21T11:13:12.345Z",
  • "endDate": "2022-07-30T17:00:00.000Z"
}

Response samples

Content type
application/json
{
  • "identity": {
    },
  • "configDetails": [
    ]
}

Get reassignment configuration

Gets the Reassignment Configuration for an identity.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: 2c91808781a71ddb0181b9090b5c504f

unique identity id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "identity": {
    },
  • "configDetails": [
    ]
}

Update reassignment configuration

Replaces existing Reassignment configuration for an identity with the newly provided configuration.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: 2c91808781a71ddb0181b9090b5c504e

unique identity id

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
reassignedFromId
string

The identity id to reassign an item from

reassignedToId
string

The identity id to reassign an item to

configType
string (ConfigTypeEnum)
Enum: "ACCESS_REQUESTS" "CERTIFICATIONS" "MANUAL_TASKS" "GENERIC_APPROVALS"

Enum list of valid work types that can be selected for a Reassignment Configuration

startDate
string <date-time>

The date from which to start reassigning work items

endDate
string or null <date-time>

The date from which to stop reassigning work items. If this is an null string it indicates a permanent reassignment.

Responses

Request samples

Content type
application/json
{
  • "reassignedFromId": "2c91808781a71ddb0181b9090b5c504e",
  • "reassignedToId": "2c91808781a71ddb0181b9090b53504a",
  • "configType": "ACCESS_REQUESTS",
  • "startDate": "2022-07-21T11:13:12.345Z",
  • "endDate": "2022-07-30T17:00:00.000Z"
}

Response samples

Content type
application/json
{
  • "identity": {
    },
  • "configDetails": [
    ]
}

Delete reassignment configuration

Deletes a single reassignment configuration for the specified identity

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: 2c91808781a71ddb0181b9090b5c504e

unique identity id

configType
required
string (ConfigTypeEnum)
Enum: "ACCESS_REQUESTS" "CERTIFICATIONS" "MANUAL_TASKS" "GENERIC_APPROVALS"
Example: ACCESS_REQUESTS

Enum list of valid work types that can be selected for a Reassignment Configuration

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Evaluate reassignment configuration

Evaluates the Reassignment Configuration for an Identity to determine if work items for the specified type should be reassigned. If a valid Reassignment Configuration is found for the identity & work type, then a lookup is initiated which recursively fetches the Reassignment Configuration for the next TargetIdentity until no more results are found or a max depth of 5. That lookup trail is provided in the response and the final reassigned identity in the lookup list is returned as the reassignToId property. If no Reassignment Configuration is found for the specified identity & config type then the requested Identity ID will be used as the reassignToId value and the lookupTrail node will be empty.

Authorizations:
Personal Access Token
path Parameters
identityId
required
string
Example: 2c91808781a71ddb0181b9090b5c504e

unique identity id

configType
required
string (ConfigTypeEnum)
Enum: "ACCESS_REQUESTS" "CERTIFICATIONS" "MANUAL_TASKS" "GENERIC_APPROVALS"
Example: accessRequests

Reassignment work type

query Parameters
exclusionFilters
Array of strings
Example: exclusionFilters=SELF_REVIEW_DELEGATION

Exclusion filters that disable parts of the reassignment evaluation. Possible values are listed below: - SELF_REVIEW_DELEGATION: This will exclude delegations of self-review reassignments

header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
Example
{
  • "reassignToId": "2c9180825a6c1adc015a71c9023f0818",
  • "lookupTrail": [ ]
}

Get tenant-wide reassignment configuration settings

Gets the global Reassignment Configuration settings for the requestor's tenant.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Responses

Response samples

Content type
application/json
{
  • "auditDetails": {
    },
  • "configDetails": {
    }
}

Update tenant-wide reassignment configuration settings

Replaces existing Tenant-wide Reassignment Configuration settings with the newly provided settings.

Authorizations:
Personal Access Token
header Parameters
X-SailPoint-Experimental
required
string
Default: true
Example: true

Use this header to enable this experimental API.

Request Body schema: application/json
object (TenantConfigurationDetails)

Details of any tenant-wide Reassignment Configurations (eg. enabled/disabled)

Responses

Request samples

Content type
application/json
{
  • "configDetails": {
    }
}

Response samples

Content type
application/json
{
  • "auditDetails": {
    },
  • "configDetails": {
    }
}

Workflows

Workflows allow administrators to create custom automation scripts directly within Identity Security Cloud. These automation scripts respond to event triggers and perform a series of actions to perform tasks that are either too cumbersome or not available in the Identity Security Cloud UI. Workflows can be configured via a graphical user interface within Identity Security Cloud, or by creating and uploading a JSON formatted script to the Workflow service. The Workflows API collection provides the necessary functionality to create, manage, and test your workflows via REST.

List workflows

List all workflows in the tenant.

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create workflow

Create a new workflow with the desired trigger and steps specified in the request body.

Authorizations:
Personal Access Token
Request Body schema: application/json
name
required
string

The name of the workflow

object

The identity that owns the workflow. The owner's permissions in IDN will determine what actions the workflow is allowed to perform. Ownership can be changed by updating the owner in a PUT or PATCH request.

description
string

Description of what the workflow accomplishes

object (WorkflowDefinition)

The map of steps that the workflow will execute.

enabled
boolean
Default: false

Enable or disable the workflow. Workflows cannot be created in an enabled state.

object (WorkflowTrigger)

The trigger that starts the workflow

Responses

Request samples

Content type
application/json
Example

Workflow initiated by an event trigger

{
  • "name": "Send Email",
  • "owner": {
    },
  • "description": "Send an email to the identity who's attributes changed.",
  • "definition": {
    },
  • "enabled": false,
  • "trigger": {
    }
}

Response samples

Content type
application/json
{
  • "id": "d201c5e9-d37b-4aff-af14-66414f39d569",
  • "executionCount": 2,
  • "failureCount": 0,
  • "created": "2022-01-10T16:06:16.636381447Z",
  • "modified": "2023-12-05T15:18:27.699132301Z",
  • "modifiedBy": {
    },
  • "creator": {
    },
  • "name": "Send Email",
  • "owner": {
    },
  • "description": "Send an email to the identity who's attributes changed.",
  • "definition": {
    },
  • "enabled": false,
  • "trigger": {
    }
}

Get workflow by id

Get a single workflow by id.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the workflow

Responses

Response samples

Content type
application/json
{
  • "id": "d201c5e9-d37b-4aff-af14-66414f39d569",
  • "executionCount": 2,
  • "failureCount": 0,
  • "created": "2022-01-10T16:06:16.636381447Z",
  • "modified": "2023-12-05T15:18:27.699132301Z",
  • "modifiedBy": {
    },
  • "creator": {
    },
  • "name": "Send Email",
  • "owner": {
    },
  • "description": "Send an email to the identity who's attributes changed.",
  • "definition": {
    },
  • "enabled": false,
  • "trigger": {
    }
}

Update workflow

Perform a full update of a workflow. The updated workflow object is returned in the response.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the Workflow

Request Body schema: application/json
name
string

The name of the workflow

object

The identity that owns the workflow. The owner's permissions in IDN will determine what actions the workflow is allowed to perform. Ownership can be changed by updating the owner in a PUT or PATCH request.

description
string

Description of what the workflow accomplishes

object (WorkflowDefinition)

The map of steps that the workflow will execute.

enabled
boolean
Default: false

Enable or disable the workflow. Workflows cannot be created in an enabled state.

object (WorkflowTrigger)

The trigger that starts the workflow

Responses

Request samples

Content type
application/json
{
  • "name": "Send Email",
  • "owner": {
    },
  • "description": "Send an email to the identity who's attributes changed.",
  • "definition": {
    },
  • "enabled": false,
  • "trigger": {
    }
}

Response samples

Content type
application/json
{
  • "id": "d201c5e9-d37b-4aff-af14-66414f39d569",
  • "executionCount": 2,
  • "failureCount": 0,
  • "created": "2022-01-10T16:06:16.636381447Z",
  • "modified": "2023-12-05T15:18:27.699132301Z",
  • "modifiedBy": {
    },
  • "creator": {
    },
  • "name": "Send Email",
  • "owner": {
    },
  • "description": "Send an email to the identity who's attributes changed.",
  • "definition": {
    },
  • "enabled": false,
  • "trigger": {
    }
}

Patch workflow

Partially update an existing Workflow using JSON Patch syntax.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the Workflow

Request Body schema: application/json-patch+json
Array
op
required
string
Enum: "add" "remove" "replace" "move" "copy" "test"

The operation to be performed

path
required
string

A string JSON Pointer representing the target path to an element to be affected by the operation

string (string) or boolean (boolean) or integer (integer) or object (object) or (Array of array (strings or integers or objects))

The value to be used for the operation, required for "add" and "replace" operations

Responses

Request samples

Content type
application/json-patch+json

Demonstrate how to update each patchable field in one PATCH request.

[
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    },
  • {
    }
]

Response samples

Content type
application/json
{
  • "id": "d201c5e9-d37b-4aff-af14-66414f39d569",
  • "executionCount": 2,
  • "failureCount": 0,
  • "created": "2022-01-10T16:06:16.636381447Z",
  • "modified": "2023-12-05T15:18:27.699132301Z",
  • "modifiedBy": {
    },
  • "creator": {
    },
  • "name": "Send Email",
  • "owner": {
    },
  • "description": "Send an email to the identity who's attributes changed.",
  • "definition": {
    },
  • "enabled": false,
  • "trigger": {
    }
}

Delete workflow by id

Delete a workflow. Enabled workflows cannot be deleted. They must first be disabled.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the Workflow

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Test workflow by id

:::info

Workflow must be disabled in order to use this endpoint.

:::

Test a workflow with the provided input data. The input data should resemble the input that the trigger will send the workflow. See the event trigger documentation for an example input for the trigger that initiates this workflow.

This endpoint will return an execution ID, which can be used to lookup more information about the execution using the Get a Workflow Execution endpoint.

This will cause a live run of the workflow, which could result in unintended modifications to your IDN tenant.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the workflow

Request Body schema: application/json
input
required
object

The test input for the workflow.

Responses

Request samples

Content type
application/json

Identity Attributes Changed Trigger Input

{
  • "input": {
    }
}

Response samples

Content type
application/json
{
  • "workflowExecutionId": "0e11cefa-96e7-4b67-90d0-065bc1da5753"
}

List workflow executions

Use this API to list a specified workflow's executions. Workflow executions are available for up to 90 days before being archived. By default, you can get a maximum of 250 executions. To get executions past the first 250 records, you can do the following:

  1. Use the Get Workflows endpoint to get your workflows.
  2. Get your workflow ID from the response.
  3. You can then do either of the following:

  • Filter to find relevant workflow executions. For example, you can filter for failed workflow executions: GET /workflows/:workflowID/executions?filters=status eq "Failed"

  • Paginate through results with the offset parameter. For example, you can page through 50 executions per page and use that as a way to get to the records past the first 250. Refer to Paginating Results for more information about the query parameters you can use to achieve pagination.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Workflow ID.

query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=status eq "Failed"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

start_time: eq, lt, le, gt, ge

status: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get workflow execution

Use this API to get a single workflow execution. Workflow executions are available for up to 90 days before being archived. If you attempt to access a workflow execution that has been archived, you will receive a "404 Not Found" response.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Workflow execution ID.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get workflow execution history

Get a detailed history of a single workflow execution. Workflow executions are available for up to 90 days before being archived. If you attempt to access a workflow execution that has been archived, you will receive a 404 Not Found.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the workflow execution

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Get updated workflow execution history

Gets a workflow execution history, trigger input, and workflow definition of a single workflow execution. Workflow executions are available for up to 90 days before being archived. If you attempt to access a workflow execution that has been archived, you will receive a 404 Not Found.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the workflow execution

Responses

Response samples

Content type
application/json
{
  • "definition": {
    },
  • "history": {
    },
  • "trigger": {
    }
}

Cancel workflow execution by id

Use this API to cancel a running workflow execution.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

The workflow execution ID

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

List complete workflow library

This lists all triggers, actions, and operators in the library

Additional documentation for workflows
Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List workflow library actions

This lists the workflow actions available to you.

Additional documentation for each action
Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "sp:create-campaign"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List workflow library triggers

This lists the workflow triggers available to you

Additional documentation for each trigger
Authorizations:
Personal Access Token
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "idn:identity-attributes-changed"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq

name: eq

type: eq

Responses

Response samples

Content type
application/json
[
  • {
    }
]

List workflow library operators

This lists the workflow operators available to you

Authorizations:
Personal Access Token

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Generate external trigger oauth client

Create OAuth client ID, client secret, and callback URL for use in an external trigger. External triggers will need this information to generate an access token to authenticate to the callback URL and submit a trigger payload that will initiate the workflow.

Authorizations:
Personal Access Token
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the workflow

Responses

Response samples

Content type
application/json
{}

Execute workflow via external trigger

This endpoint allows a service outside of IdentityNow to initiate a workflow that uses the "External Trigger" step. The external service will invoke this endpoint with the input data it wants to send to the workflow in the body.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the workflow

Request Body schema: application/json
input
object

The input for the workflow

Responses

Request samples

Content type
application/json
{
  • "input": {
    }
}

Response samples

Content type
application/json
{
  • "workflowExecutionId": "0e11cefa-96e7-4b67-90d0-065bc1da5753",
  • "message": "Workflow was not executed externally. Check enabled flag on workflow definition"
}

Test workflow via external trigger

Validate a workflow with an "External Trigger" can receive input. The response includes the input that the workflow received, which can be used to validate that the input is intact when it reaches the workflow.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: c17bea3a-574d-453c-9e04-4365fbf5af0b

Id of the workflow

Request Body schema: application/json
input
object

The test input for the workflow

Responses

Request samples

Content type
application/json
{
  • "input": {
    }
}

Response samples

Content type
application/json
{
  • "payload": {
    }
}

Launchers

List all launchers for tenant

Return a list of Launchers for the authenticated tenant

Authorizations:
Personal Access Token
query Parameters
filters
string
Example: filters=disabled eq "true"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

description: sw

disabled: eq

name: sw

next
string
Example: next=eyJuZXh0IjoxMjN9Cg==

Pagination marker

limit
integer <int32> [ 1 .. 100 ]
Default: 10
Example: limit=42

Number of Launchers to return

Responses

Response samples

Content type
application/json
{
  • "next": "string",
  • "items": [
    ]
}

Create launcher

Create a Launcher with given information

Authorizations:
Personal Access Token
Request Body schema: application/json

Payload to create a Launcher

name
required
string

Name of the Launcher, limited to 255 characters

description
required
string

Description of the Launcher, limited to 2000 characters

type
required
string
Value: "INTERACTIVE_PROCESS"

Launcher type

disabled
required
boolean

State of the Launcher

object
config
required
string^\{\}$

JSON configuration associated with this Launcher, restricted to a max size of 4KB

Responses

Request samples

Content type
application/json
{
  • "name": "Group Create",
  • "description": "Create a new Active Directory Group",
  • "type": "INTERACTIVE_PROCESS",
  • "disabled": false,
  • "reference": {
    },
  • "config": "{\"workflowId\" : \"6b42d9be-61b6-46af-827e-ea29ba8aa3d9\"}"
}

Response samples

Content type
application/json
{
  • "id": "1b630bed-0941-4792-a712-57a5868ca34d",
  • "created": "2024-04-16T20:07:30.601016489Z",
  • "modified": "2024-04-17T18:02:07.320143194Z",
  • "owner": {
    },
  • "name": "Group Create",
  • "description": "Create a new Active Directory Group",
  • "type": "INTERACTIVE_PROCESS",
  • "disabled": false,
  • "reference": {
    },
  • "config": "{\"workflowId\" : \"6b42d9be-61b6-46af-827e-ea29ba8aa3d9\"}"
}

Get launcher by id

Get details for the given Launcher ID

Authorizations:
Personal Access Token
path Parameters
launcherID
required
string <uuid>
Example: e3012408-8b61-4564-ad41-c5ec131c325b

ID of the Launcher to be retrieved

Responses

Response samples

Content type
application/json
{
  • "id": "1b630bed-0941-4792-a712-57a5868ca34d",
  • "created": "2024-04-16T20:07:30.601016489Z",
  • "modified": "2024-04-17T18:02:07.320143194Z",
  • "owner": {
    },
  • "name": "Group Create",
  • "description": "Create a new Active Directory Group",
  • "type": "INTERACTIVE_PROCESS",
  • "disabled": false,
  • "reference": {
    },
  • "config": "{\"workflowId\" : \"6b42d9be-61b6-46af-827e-ea29ba8aa3d9\"}"
}

Replace launcher

Replace the given Launcher ID with given payload

Authorizations:
Personal Access Token
path Parameters
launcherID
required
string <uuid>
Example: e3012408-8b61-4564-ad41-c5ec131c325b

ID of the Launcher to be replaced

Request Body schema: application/json

Payload to replace Launcher

name
required
string

Name of the Launcher, limited to 255 characters

description
required
string

Description of the Launcher, limited to 2000 characters

type
required
string
Value: "INTERACTIVE_PROCESS"

Launcher type

disabled
required
boolean

State of the Launcher

object
config
required
string^\{\}$

JSON configuration associated with this Launcher, restricted to a max size of 4KB

Responses

Request samples

Content type
application/json
{
  • "name": "Group Create",
  • "description": "Create a new Active Directory Group",
  • "type": "INTERACTIVE_PROCESS",
  • "disabled": false,
  • "reference": {
    },
  • "config": "{\"workflowId\" : \"6b42d9be-61b6-46af-827e-ea29ba8aa3d9\"}"
}

Response samples

Content type
application/json
{
  • "id": "1b630bed-0941-4792-a712-57a5868ca34d",
  • "created": "2024-04-16T20:07:30.601016489Z",
  • "modified": "2024-04-17T18:02:07.320143194Z",
  • "owner": {
    },
  • "name": "Group Create",
  • "description": "Create a new Active Directory Group",
  • "type": "INTERACTIVE_PROCESS",
  • "disabled": false,
  • "reference": {
    },
  • "config": "{\"workflowId\" : \"6b42d9be-61b6-46af-827e-ea29ba8aa3d9\"}"
}

Delete launcher

Delete the given Launcher ID

Authorizations:
Personal Access Token
path Parameters
launcherID
required
string <uuid>
Example: e3012408-8b61-4564-ad41-c5ec131c325b

ID of the Launcher to be deleted

Responses

Response samples

Content type
application/json
{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "e7eab60924f64aa284175b9fa3309599",
  • "messages": [
    ],
  • "causes": [
    ]
}

Launch a launcher

Launch the given Launcher ID

Authorizations:
Personal Access Token
path Parameters
launcherID
required
string <uuid>
Example: e3012408-8b61-4564-ad41-c5ec131c325b

ID of the Launcher to be launched

Responses

Response samples

Content type
application/json
{
  • "interactiveProcessId": "5da68cfe-2d60-4b09-858f-0d03acd2f47a"
}

Tags

List tags

This API returns a list of tags.

A token with API, ORG_ADMIN, CERT_ADMIN, REPORT_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
query Parameters
limit
integer <int32> [ 0 .. 250 ]
Default: 250
Example: limit=250

Max number of results to return. See V3 API Standard Collection Parameters for more information.

offset
integer <int32> >= 0
Default: 0

Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

count
boolean
Default: false
Example: count=true

If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

See V3 API Standard Collection Parameters for more information.

filters
string
Example: filters=id eq "27462f54-61c7-4140-b5da-d5dbe27fc6db"

Filter results using the standard syntax described in V3 API Standard Collection Parameters

Filtering is supported for the following fields and operators:

id: eq, in

name: eq, in, sw

sorters
string <comma-separated>
Example: sorters=name,-modified

Sort results using the standard syntax described in V3 API Standard Collection Parameters

Sorting is supported for the following fields: id, name, created, modified

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create tag

This API creates new tag.

A token with API, ORG_ADMIN, CERT_ADMIN, REPORT_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
Request Body schema: application/json
name
required
string

Name of the tag.

Responses

Request samples

Content type
application/json
{
  • "name": "PCI"
}

Response samples

Content type
application/json
{
  • "id": "449ecdc0-d4ff-4341-acf6-92f6f7ce604f",
  • "name": "PCI",
  • "created": "2022-05-04T14:48:49Z",
  • "modified": "2022-07-14T16:31:11Z",
  • "tagCategoryRefs": [
    ]
}

Get tag by id

Returns a tag by its id.

A token with API, ORG_ADMIN, CERT_ADMIN, REPORT_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 329d96cf-3bdb-40a9-988a-b5037ab89022

The ID of the object reference to retrieve.

Responses

Response samples

Content type
application/json
{
  • "id": "449ecdc0-d4ff-4341-acf6-92f6f7ce604f",
  • "name": "PCI",
  • "created": "2022-05-04T14:48:49Z",
  • "modified": "2022-07-14T16:31:11Z",
  • "tagCategoryRefs": [
    ]
}

Delete tag

This API deletes a tag by specified id.

A token with API, ORG_ADMIN, CERT_ADMIN, REPORT_ADMIN, ROLE_ADMIN, ROLE_SUBADMIN, SOURCE_ADMIN, or SOURCE_SUBADMIN authority is required to call this API.

Authorizations:
Personal Access TokenClient Credentials
path Parameters
id
required
string
Example: 329d96cf-3bdb-40a9-988a-b5037ab89022

The ID of the object reference to delete.

Responses

Response samples

Content type
application/json
Example

Response for bad request content

{
  • "detailCode": "400.1 Bad Request Content",
  • "trackingId": "1ea1adcb84da4dcb890145e05745774e",
  • "messages": [
    ]
}