- Can be requested for multiple identities in a single request.
- Supports self request and request on behalf of other users, see ‘/beta/access-request-config’ endpoint for request configuration options.
- Allows any authenticated token (except API) to call this endpoint to request to grant access to themselves. Depending on the configuration, a user can request access for others.
- Roles, Access Profiles and Entitlements can be requested.
- While requesting entitlements, maximum of 5 entitlements and 10 recipients are allowed in a request. REVOKE_ACCESS
- Can only be requested for a single identity at a time.
- Does not support self request. Only manager can request to revoke access for their directly managed employees.
- If removeDate is specified, then the access will be removed on that date and time.
- Allows a manager to request to revoke access for direct employees. A token with ORG_ADMIN authority can also request to revoke access from anyone.
- Roles and Access Profiles can be requested for revocation. Revoke request for entitlements are not supported currently.
Basic Parameters
Parameter | Description |
---|---|
Comment | A Comment provided by requester. Comment is required when the request is of type Revoke Access. |
Remove Date | The date the role or access profile is no longer assigned to the specified identity. Specify a date in the future. The current SLA for the deprovisioning is 24 hours. This date can be modified to either extend or decrease the duration of access item assignments for the specified identity. Currently it is not supported for entitlements. If sunset date for role or access profile specified, removeDate cannot be established. This rule doesn’t apply for entitlements. |
Request Type | Access request type. Defaults to GRANT_ACCESS. REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field. Currently REVOKE_ACCESS is not supported for entitlements. |
Requested For | A list of Identity IDs for whom the Access is requested. If it’s a Revoke request, there can only be one Identity ID. |
Requested Item ID | The ID of the Role, Access Profile or Entitlement that are being requested. |
Requested Item Type | The type of the item being requested. |
Advanced Parameters
Parameter | Description |
---|---|
Client Metadata | Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities. |