Version: v41

access_request

Description of a complete access request.

id string<uuid>

The UUID of the returned object, unique to an access request.

Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
requester object

The ID & display name of the user making the access request.

id string<uuid>
display_name string
deleted boolean

It indicates whether a user is present in the system or not.

requested_role object required

The ID and display name of the requested role. Display name stored for posterity.

id string<uuid>

The ID of the requested role.

name string
deleted boolean

It indicates whether a role is present in the system or not. Create/Update workflow/request operations don't need to pass any value to this attribute. This field is not read during write operations.

request_justification string

Justification for the access request.

grant_type string

Whether the role is granted permanently, for a restricted time, or for a floating window. The floating window starts upon initial connection, at which time the Role Store converts the floating window to an explicit time-restricted window. Can be overridden in the decision phase.

grant_start string<date-time>

Date & time after which the role is granted to the user. Can be overridden in the decision phase.

Example: 2017-01-01T15:05:05Z
grant_end string<date-time>

Date & time after which the role is removed from the user. Can be overridden in the decision phase.

Example: 2017-01-01T15:05:05Z
floating_length integer

How long, in hours, the grant should last after initial connection. Can be overridden in the decision phase.

Example: 24
max_floating_duration integer

Maximum time, in hours, that the grant may last after initial connection.

Example: 48
max_time_restricted_duration integer

Maximum duration, in days, allowed between the start date and end date of the role request.

Example: 15

Example: 15
target_user object

The ID of the user the request is made for.

id string<uuid>
display_name string
deleted boolean

It indicates whether a user is present in the system or not.

target_roles object[]

A list of roles this workflow targets.

  • Array [
  • id string<uuid>
    name string
    deleted boolean

    It indicates whether a role is present in the system or not. Create/Update workflow/request operations don't need to pass any value to this attribute. This field is not read during write operations.

  • ]
    requestor_roles object[]

    The ID and display name of the requestor roles. Display name stored for posterity.

  • Array [
  • id string<uuid>

    The ID of the requestor role.

    name string
    deleted boolean

    It indicates whether a role is present in the system or not. Create/Update workflow/request operations don't need to pass any value to this attribute. This field is not read during write operations.

  • ]
    action string

    Whether the workflow GRANTs the role to the user or REMOVEs the user from it. The workflow engine needs to check that the requested action matches the allowed actions defined in the template.

    Possible values: [GRANT, REMOVE, BOTH]

    created string<date-time>

    When the object was created.

    Example: 2017-01-01T15:05:05Z
    updated string<date-time>

    When the object was updated.

    Example: 2017-01-01T15:05:05Z
    updated_by string<uuid>

    ID of the user who updated the object.

    Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
    author string<uuid>

    ID of the user who originally authored the object.

    Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
    name string

    Name of the workflow.

    Possible values: >= 4 characters and <= 4096 characters

    Example: An example workflow
    status string

    Computed status for the instance of the workflow - based on step statuses.

    Possible values: [WAITING, APPROVED, DENIED]

    Default value: WAITING
    comment string

    A comment describing the object.

    Example: A comment
    can_bypass_revoke_workflow boolean

    A flag used to determine if approvers can bypass the revoke workflow to revoke a role.

    Default value: false
    steps object[]

    Array of steps.

  • Array [
  • id string<uuid>
    name string required

    Access request name.

    match string required

    Whether all approvers must approve or any approver can approve. When enabled, AUTO steps are approved automatically.

    Possible values: [ALL, ANY, AUTO]

    approvers object[] required

    The approvers in this step.

  • Array [
  • id string<uuid>
    role object required

    Approving role's ID and display name.

    id string<uuid>
    name string
    deleted boolean

    It indicates whether a role is present in the system or not.

    decision string required

    Approver's decision.

    Possible values: [WAITING, APPROVED, DENIED]

    user object

    User who made the decision for the step.

    id string<uuid>
    display_name string
    decision_time string<date-time>

    When the decision was made.

    Example: 2017-01-01T15:05:05Z
    comment string

    A comment accompanying the decision.

  • ]
  • ]
    approver_can_revoke boolean

    A flag used to determine if approvers can revoke a role from target user.

    Default value: false
    target_role_revoked boolean

    Is set to true only when the target role has been revoked via the request by one of the approvers.

    Default value: false
    target_role_revocation_time string<date-time>

    Date and time of revocation.

    Example: 2017-01-01T15:05:05Z
    target_role_revoked_by object

    User object of who revoked the target role.

    id string<uuid>
    display_name string
    deleted boolean

    It indicates whether a role is present in the system or not.

    access_request
    {
      "id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
      "requester": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "display_name": "string",
        "deleted": true
      },
      "requested_role": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "name": "string",
        "deleted": true
      },
      "request_justification": "string",
      "grant_type": "string",
      "grant_start": "2017-01-01T15:05:05Z",
      "grant_end": "2017-01-01T15:05:05Z",
      "floating_length": 24,
      "max_floating_duration": 48,
      "max_time_restricted_duration": 15,
      "target_user": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "display_name": "string",
        "deleted": true
      },
      "target_roles": [
        {
          "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "name": "string",
          "deleted": true
        }
      ],
      "requestor_roles": [
        {
          "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "name": "string",
          "deleted": true
        }
      ],
      "action": "GRANT",
      "created": "2017-01-01T15:05:05Z",
      "updated": "2017-01-01T15:05:05Z",
      "updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
      "author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
      "name": "An example workflow",
      "status": "WAITING",
      "comment": "A comment",
      "can_bypass_revoke_workflow": false,
      "steps": [
        {
          "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "name": "string",
          "match": "ALL",
          "approvers": [
            {
              "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "role": {
                "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
                "name": "string",
                "deleted": true
              },
              "decision": "WAITING",
              "user": {
                "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
                "display_name": "string"
              },
              "decision_time": "2017-01-01T15:05:05Z",
              "comment": "string"
            }
          ]
        }
      ],
      "approver_can_revoke": false,
      "target_role_revoked": false,
      "target_role_revocation_time": "2017-01-01T15:05:05Z",
      "target_role_revoked_by": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "display_name": "string",
        "deleted": true
      }
    }
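
The constraints this schema states (the documented action values, the two duration limits, and the ALL/ANY/AUTO step matching) can be checked against a returned access_request object when auditing grants. The following Python is an added example, not part of the API or its documentation: the function names are hypothetical, the sample record is constructed, and the rule that an APPROVED status requires every step to be approved is an assumption, since the page only says the status is based on step statuses.

```python
from datetime import datetime, timedelta

def _ts(value):
    # Schema examples use a trailing "Z"; normalise it for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def step_approved(step):
    # ALL: every approver approved; ANY: at least one did; AUTO: automatic.
    decisions = [a.get("decision") for a in step.get("approvers", [])]
    if step.get("match") == "AUTO":
        return True
    if step.get("match") == "ANY":
        return "APPROVED" in decisions
    return bool(decisions) and all(d == "APPROVED" for d in decisions)

def audit_access_request(req):
    """Return findings for one access_request object (empty list = clean)."""
    findings = []
    if req.get("action") not in {"GRANT", "REMOVE", "BOTH"}:
        findings.append("action outside documented values")
    start, end = req.get("grant_start"), req.get("grant_end")
    max_days = req.get("max_time_restricted_duration")
    if start and end:
        window = _ts(end) - _ts(start)
        if window <= timedelta(0):
            findings.append("grant_end is not after grant_start")
        elif max_days is not None and window > timedelta(days=max_days):
            findings.append("window exceeds max_time_restricted_duration")
    length, cap = req.get("floating_length"), req.get("max_floating_duration")
    if length is not None and cap is not None and length > cap:
        findings.append("floating_length exceeds max_floating_duration")
    # Assumption (not stated on the page): APPROVED requires every step approved.
    steps = req.get("steps", [])
    if req.get("status") == "APPROVED" and not all(map(step_approved, steps)):
        findings.append("status APPROVED but a step is not approved")
    for step in steps:
        for a in step.get("approvers", []):
            if a.get("decision") == "APPROVED" and not (a.get("user") or {}).get("id"):
                findings.append("approval recorded without a deciding user")
    return findings

# Constructed sample: 20-day window against a 15-day limit, one approver still waiting.
SAMPLE = {
    "action": "GRANT", "status": "APPROVED",
    "grant_start": "2017-01-01T15:05:05Z", "grant_end": "2017-01-21T15:05:05Z",
    "max_time_restricted_duration": 15, "floating_length": 24, "max_floating_duration": 48,
    "steps": [{"match": "ALL", "approvers": [
        {"decision": "APPROVED", "user": {"id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059"}},
        {"decision": "WAITING"}]}],
}
```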