Create and act upon role requests
/workflow-engine/api/v1/requests
Get the request queue for the user.
offset (int): Offset where to start fetching the items
limit (int): Number of items to return
filter (string, required): Filter request items. Possible values: requests (all the requests the user has made, whether active, approved or denied), active_requests (requests currently active, waiting to be approved), approvals (all the requests on which the current user has made a decision or needs to decide), active_approvals (all the requests the current user can make a decision on), all
Successful response: returns an array of workflows, or an empty array if no workflows are defined
{
"count": 123,
"items": [
{
"id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"requester": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
},
"requested_role": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
},
"request_justification": "string",
"grant_type": "string",
"grant_start": "2017-01-01T15:05:05Z",
"grant_end": "2017-01-01T15:05:05Z",
"floating_length": 24,
"max_floating_duration": 48,
"max_time_restricted_duration": 15,
"target_user": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
},
"target_roles": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
}
],
"requestor_roles": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
}
],
"action": "GRANT",
"created": "2017-01-01T15:05:05Z",
"updated": "2017-01-01T15:05:05Z",
"updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"name": "An example workflow",
"status": "WAITING",
"comment": "A comment",
"can_bypass_revoke_workflow": true,
"steps": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"match": "ALL",
"approvers": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"role": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
},
"decision": "WAITING",
"user": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string"
},
"decision_time": "2017-01-01T15:05:05Z",
"comment": "string"
}
]
}
],
"approver_can_revoke": true,
"target_role_revoked": true,
"target_role_revocation_time": "2017-01-01T15:05:05Z",
"target_role_revoked_by": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
}
}
]
}
/workflow-engine/api/v1/requests
Add a workflow to the request queue.
id (string): The UUID of the returned object, unique to an access request.
requester (object): The ID and display name of the user making the access request.
    id (string)
    display_name (string)
    deleted (boolean): Indicates whether a user is present in the system or not.
requested_role (object, required): The ID and display name of the requested role. Display name stored for posterity.
    id (string): The ID of the requested role.
    name (string)
    deleted (boolean): Indicates whether a role is present in the system or not. Create/update workflow/request operations don't need to pass any value for this attribute. This field is not read during write operations.
request_justification (string): Justification for the access request.
grant_type (string): Whether the role is granted permanently, for a restricted time, or as a floating window. The floating window starts upon initial connection, at which time the Role Store converts the floating window to an explicit time-restricted window. Can be overridden in the decision phase.
grant_start (string): Date and time after which the role is granted to the user. Can be overridden in the decision phase.
grant_end (string): Date and time after which the role is removed from the user. Can be overridden in the decision phase.
floating_length (int): Time in hours that the grant should last after initial connection. Can be overridden in the decision phase.
max_floating_duration (int): Time in hours that the grant should not exceed after initial connection.
max_time_restricted_duration (int): Maximum duration in days; the time between the start date and end date of the role request must not exceed this duration.
target_user (object): The ID of the user the request is made for.
    id (string)
    display_name (string)
    deleted (boolean): Indicates whether a user is present in the system or not.
target_roles (array): A list of roles this workflow targets.
    id (string)
    name (string)
    deleted (boolean): Indicates whether a role is present in the system or not. Create/update workflow/request operations don't need to pass any value for this attribute. This field is not read during write operations.
requestor_roles (array): The ID and display name of the access requestor roles. Display name stored for posterity.
    id (string): The ID of the requestor role.
    name (string)
    deleted (boolean): Indicates whether a role is present in the system or not. Create/update workflow/request operations don't need to pass any value for this attribute. This field is not read during write operations.
action (string): Whether the workflow is to GRANT the role to the user or REMOVE the user from it. The workflow engine needs to check that the requested action matches the allowed actions defined in the template.
created (string): When the object was created.
updated (string): When the object was updated.
updated_by (string): ID of the user who updated the object.
author (string): ID of the user who originally authored the object.
name (string): Name of the workflow.
status (string): Computed status for the instance of the workflow, based on step statuses.
comment (string): A comment describing the object.
can_bypass_revoke_workflow (boolean): A flag used to determine if approvers can bypass the revoke workflow to revoke a role.
steps (array): Array of steps.
    id (string)
    name (string, required): Access request name.
    match (string, required): All approvers must approve or any approver can approve.
    approvers (array, required): Who the approvers in this step are.
approver_can_revoke (boolean): A flag used to determine if approvers can revoke a role from the target user.
target_role_revoked (boolean): Is set to true only when the target role has been revoked via the request by one of the approvers.
target_role_revocation_time (string): Date and time of revocation.
target_role_revoked_by (object): User object of who revoked the target role.
    id (string)
    display_name (string)
    deleted (boolean): Indicates whether a role is present in the system or not.
{
"id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"requester": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
},
"requested_role": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
},
"request_justification": "string",
"grant_type": "string",
"grant_start": "2017-01-01T15:05:05Z",
"grant_end": "2017-01-01T15:05:05Z",
"floating_length": 24,
"max_floating_duration": 48,
"max_time_restricted_duration": 15,
"target_user": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
},
"target_roles": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
}
],
"requestor_roles": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
}
],
"action": "GRANT",
"created": "2017-01-01T15:05:05Z",
"updated": "2017-01-01T15:05:05Z",
"updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"name": "An example workflow",
"status": "WAITING",
"comment": "A comment",
"can_bypass_revoke_workflow": true,
"steps": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"match": "ALL",
"approvers": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"role": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
},
"decision": "WAITING",
"user": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string"
},
"decision_time": "2017-01-01T15:05:05Z",
"comment": "string"
}
]
}
],
"approver_can_revoke": true,
"target_role_revoked": true,
"target_role_revocation_time": "2017-01-01T15:05:05Z",
"target_role_revoked_by": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
}
}
Workflow successfully added to the request queue
{
"id": "5bf77342-221c-11ee-be56-0242ac120002"
}
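An added example (not part of the original API reference or the product's code): a client-side check that a request body's grant window is consistent with the limits in the field list above, comparing floating_length with max_floating_duration (hours) and the grant_start/grant_end span with max_time_restricted_duration (days). The function names and the sample bodies are constructed for illustration; the server remains the authority on what it accepts.

```python
import json
from datetime import datetime, timezone

def _ts(value):
    # The page's timestamps look like 2017-01-01T15:05:05Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_grant_limits(req):
    """Return findings for one request object; an empty list means consistent."""
    findings = []
    start, end = req.get("grant_start"), req.get("grant_end")
    if start and end:
        try:
            t0, t1 = _ts(start), _ts(end)
        except (TypeError, ValueError):
            return ["grant_start/grant_end is not a UTC timestamp"]
        if t1 <= t0:
            findings.append("grant_end is not after grant_start")
        max_days = req.get("max_time_restricted_duration")
        if max_days is not None and (t1 - t0).total_seconds() > max_days * 86400:
            findings.append("window exceeds max_time_restricted_duration")
    length, max_hours = req.get("floating_length"), req.get("max_floating_duration")
    if length is not None:
        if length <= 0:  # assumption: a zero or negative window is never valid
            findings.append("floating_length is not positive")
        elif max_hours is not None and length > max_hours:
            findings.append("floating_length exceeds max_floating_duration")
    return findings

def audit(requests):
    """Map request name -> findings, for requests with at least one finding."""
    report = {}
    for req in requests:
        found = check_grant_limits(req)
        if found:
            report[req.get("name", "<unnamed>")] = found
    return report

# Constructed sample request bodies (not real data).
SAMPLE = json.loads("""[
 {"name": "db-admin 9 days", "grant_start": "2024-03-01T08:00:00Z",
  "grant_end": "2024-03-10T08:00:00Z", "max_time_restricted_duration": 15,
  "floating_length": 24, "max_floating_duration": 48},
 {"name": "db-admin 31 days", "grant_start": "2024-03-01T08:00:00Z",
  "grant_end": "2024-04-01T08:00:00Z", "max_time_restricted_duration": 15},
 {"name": "floating 72h", "floating_length": 72, "max_floating_duration": 48}
]""")

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, "->", "; ".join(found))
```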
/workflow-engine/api/v1/requests/{request_id}
Gets a request object by ID.
request_id (string, required): Request item ID
Successful response, returns the request item if found
{
"id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"requester": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
},
"requested_role": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
},
"request_justification": "string",
"grant_type": "string",
"grant_start": "2017-01-01T15:05:05Z",
"grant_end": "2017-01-01T15:05:05Z",
"floating_length": 24,
"max_floating_duration": 48,
"max_time_restricted_duration": 15,
"target_user": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
},
"target_roles": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
}
],
"requestor_roles": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
}
],
"action": "GRANT",
"created": "2017-01-01T15:05:05Z",
"updated": "2017-01-01T15:05:05Z",
"updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"name": "An example workflow",
"status": "WAITING",
"comment": "A comment",
"can_bypass_revoke_workflow": true,
"steps": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"match": "ALL",
"approvers": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"role": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
},
"decision": "WAITING",
"user": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string"
},
"decision_time": "2017-01-01T15:05:05Z",
"comment": "string"
}
]
}
],
"approver_can_revoke": true,
"target_role_revoked": true,
"target_role_revocation_time": "2017-01-01T15:05:05Z",
"target_role_revoked_by": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
}
}
/workflow-engine/api/v1/requests/{request_id}
Delete Request item by ID.
request_id (string, required): Request ID
Request item successfully deleted
Empty response
/workflow-engine/api/v1/requests/{request_id}/decision
Update a request in the queue. Only users with a matching role are permitted to change the status of a step requiring that role.
step (int): The workflow step that requires approval
decision (string): The user's decision
comment (string): A comment accompanying the decision
{
"step": 123,
"decision": "WAITING",
"comment": "string"
}
Decision recorded
Empty response
/workflow-engine/api/v1/requests/{request_id}/role/revoke
Revoke the target user role. Only original approvers of the request can revoke a role this way.
request_id (string, required): Request item ID
Role revoked
Empty response
/workflow-engine/api/v1/requests/search
Search access requests
keywords (string)
start_time (string)
end_time (string)
filter (string)
{
"keywords": "GRANT",
"start_time": "2017-01-01T15:05:05Z",
"end_time": "2017-01-01T15:05:05Z",
"filter": "requests"
}
Successful response, returns an array of requests, returns an empty array if no requests found
{
"count": 123,
"items": [
{
"id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"requester": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
},
"requested_role": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
},
"request_justification": "string",
"grant_type": "string",
"grant_start": "2017-01-01T15:05:05Z",
"grant_end": "2017-01-01T15:05:05Z",
"floating_length": 24,
"max_floating_duration": 48,
"max_time_restricted_duration": 15,
"target_user": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
},
"target_roles": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
}
],
"requestor_roles": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
}
],
"action": "GRANT",
"created": "2017-01-01T15:05:05Z",
"updated": "2017-01-01T15:05:05Z",
"updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
"name": "An example workflow",
"status": "WAITING",
"comment": "A comment",
"can_bypass_revoke_workflow": true,
"steps": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"match": "ALL",
"approvers": [
{
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"role": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"name": "string",
"deleted": true
},
"decision": "WAITING",
"user": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string"
},
"decision_time": "2017-01-01T15:05:05Z",
"comment": "string"
}
]
}
],
"approver_can_revoke": true,
"target_role_revoked": true,
"target_role_revocation_time": "2017-01-01T15:05:05Z",
"target_role_revoked_by": {
"id": "5bf77342-221c-11ee-be56-0242ac120002",
"display_name": "string",
"deleted": true
}
}
]
}