
Create Access Request

This submits the access request into IdentityNow, where it will follow any IdentityNow approval processes. This doesn't return a result because the request has been submitted/accepted by the system.

There are two types of access request:

GRANT_ACCESS

  • Can be requested for multiple identities in a single request.
  • Supports self request and request on behalf of other users. See the '/beta/access-request-config' endpoint for request configuration options.
  • Allows any authenticated token (except API) to call this endpoint to request to grant access to themselves. Depending on the configuration, a user can request access for others.
  • Roles, Access Profiles and Entitlements can be requested.
  • When requesting entitlements, a maximum of 5 entitlements and 10 recipients is allowed in a request.

REVOKE_ACCESS

  • Can only be requested for a single identity at a time.
  • Does not support self request. Only a manager can request to revoke access for their directly managed employees.
  • If removeDate is specified, then the access will be removed on that date and time.
  • Allows a manager to request to revoke access for direct employees. A token with ORG_ADMIN authority can also request to revoke access from anyone.
  • Roles and Access Profiles can be requested for revocation. Revoke requests for entitlements are not currently supported.

NOTE: There is no indication to the approver in the IdentityNow UI that the approval request is for a revoke action. Take this into consideration when calling this API.

A token with API authority cannot be used to call this endpoint.

Basic Parameters

| Parameter | Description |
| --- | --- |
| Comment | A comment provided by the requester. Comment is required when the request is of type Revoke Access. |
| Remove Date | The date the role or access profile is no longer assigned to the specified identity. Specify a date in the future. The current SLA for the deprovisioning is 24 hours. This date can be modified to either extend or decrease the duration of access item assignments for the specified identity. Currently it is not supported for entitlements. If a sunset date is specified for the role or access profile, removeDate cannot be established. This rule doesn't apply to entitlements. |
| Request Type | Access request type. Defaults to GRANT_ACCESS. The REVOKE_ACCESS type can only have a single Identity ID in the requestedFor field. Currently REVOKE_ACCESS is not supported for entitlements. |
| Requested For | A list of Identity IDs for whom the access is requested. If it's a Revoke request, there can only be one Identity ID. |
| Requested Item ID | The ID of the Role, Access Profile or Entitlement that is being requested. |
| Requested Item Type | The type of the item being requested. |
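
A pre-submission check for the GRANT_ACCESS and REVOKE_ACCESS rules and parameter constraints above, as an added example that is not SailPoint's own code. It assumes a JSON-style payload in which `requestType`, `requestedItems`, `type` and `comment` are the field names (only `requestedFor` and `removeDate` appear on this page), the item type values ROLE, ACCESS_PROFILE and ENTITLEMENT, and an ISO 8601 string for `removeDate`.

```python
from datetime import datetime, timezone

# Limits come from the page. Field names other than requestedFor and
# removeDate (requestType, requestedItems, type, comment) are assumptions.
MAX_ENTITLEMENTS, MAX_ENTITLEMENT_RECIPIENTS = 5, 10
ITEM_TYPES = {"ROLE", "ACCESS_PROFILE", "ENTITLEMENT"}


def validate_access_request(req, now=None):
    """Return rule violations; an empty list means the request passes."""
    now = now or datetime.now(timezone.utc)
    errors = []
    rtype = req.get("requestType", "GRANT_ACCESS")  # page: defaults to grant
    recipients = req.get("requestedFor", [])
    items = req.get("requestedItems", [])
    entitlements = [i for i in items if i.get("type") == "ENTITLEMENT"]

    if rtype not in ("GRANT_ACCESS", "REVOKE_ACCESS"):
        errors.append(f"unknown request type {rtype!r}")
    if not recipients or not items:
        errors.append("requestedFor and requestedItems must be non-empty")
    for item in items:
        if item.get("type") not in ITEM_TYPES:
            errors.append(f"unknown item type {item.get('type')!r}")
    if len(entitlements) > MAX_ENTITLEMENTS:
        errors.append("more than 5 entitlements")
    if entitlements and len(recipients) > MAX_ENTITLEMENT_RECIPIENTS:
        errors.append("more than 10 recipients for an entitlement request")

    if rtype == "REVOKE_ACCESS":
        if len(recipients) != 1:
            errors.append("revoke must target exactly one identity")
        if entitlements:
            errors.append("revoke is not supported for entitlements")
        if any(not (i.get("comment") or "").strip() for i in items):
            errors.append("revoke requires a comment")

    for item in (i for i in items if i.get("removeDate")):
        if item.get("type") == "ENTITLEMENT":
            errors.append("removeDate is not supported for entitlements")
        when = datetime.fromisoformat(item["removeDate"].replace("Z", "+00:00"))
        when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        if when <= now:
            errors.append("removeDate must be in the future")
    return errors


# Constructed sample: a revoke request that breaks three of the rules.
SAMPLE = {"requestType": "REVOKE_ACCESS", "requestedFor": ["id-1", "id-2"],
          "requestedItems": [{"type": "ENTITLEMENT", "id": "ent-1"}]}
```

Running a check like this before submission matters most for REVOKE_ACCESS, because the approver sees no indication in the IdentityNow UI that the request is a revoke.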

Advanced Parameters

| Parameter | Description |
| --- | --- |
| Client Metadata | Arbitrary key-value pairs. They will never be processed by the IdentityNow system but will be returned on associated APIs such as /account-activities. |

Example Output

{}

Workflow Library Example

Create Access Request with Sailpoint and Send Results Via Email
