access_request
Description of a complete access request.
The UUID of the returned object, unique to an access request.
eef4aefc-d64e-4c2c-aba4-4914c86ce059
requester object
The ID & display name of the user making the access request.
It indicates whether a user is present in the system or not.
requested_role object (required)
The ID and display name of the access requested role. Display name stored for posterity.
The ID of the requested role.
It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during write operations.
Justification for the access request.
Whether the role is granted permanently, for a restricted time, or within a floating window. The floating window starts upon initial connection, at which time the Role Store converts the floating window to an explicit time-restricted window. Can be overridden in the decision phase.
Date & time after which the role is granted to the user. Can be overridden in the decision phase.
2017-01-01T15:05:05Z
Date & time after which the role is removed from the user. Can be overridden in the decision phase.
2017-01-01T15:05:05Z
How long, in hours, the grant should last after the initial connection. Can be overridden in the decision phase.
24
Maximum time, in hours, that the grant should not exceed after the initial connection.
48
Maximum time in days: the duration between the start date and end date of a role request must not exceed this value.
15
target_user object
The ID of the user the request is made for.
It indicates whether a user is present in the system or not.
target_roles object[]
A list of roles this workflow targets.
It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during write operations.
requestor_roles object[]
The ID and display name of the access requestor roles. Display name stored for posterity.
The ID of the requestor role.
It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during write operations.
Whether the workflow grants the role to the user or removes the user from it. The workflow engine needs to check that the requested action matches the allowed actions defined in the template.
Possible values: [GRANT, REMOVE, BOTH]
When the object was created.
2017-01-01T15:05:05Z
When the object was updated.
2017-01-01T15:05:05Z
ID of the user who updated the object.
eef4aefc-d64e-4c2c-aba4-4914c86ce059
ID of the user who originally authored the object.
eef4aefc-d64e-4c2c-aba4-4914c86ce059
Name of the workflow.
Possible values: >= 4 characters and <= 4096 characters
An example workflow
Computed status for the instance of the workflow, based on step statuses.
Possible values: [WAITING, APPROVED, DENIED]
WAITING
A comment describing the object.
A comment
A flag used to determine if approvers can bypass the revoke workflow to revoke a role.
false
steps object[]
Array of steps.
Access request name.
Whether all approvers must approve or any approver can approve. When enabled, AUTO steps are approved automatically.
Possible values: [ALL, ANY, AUTO]
approvers object[] (required)
Who are the approvers in this step.
role object (required)
Approving role's ID and display name.
It indicates whether a role is present in the system or not.
Approver's decision.
Possible values: [WAITING, APPROVED, DENIED]
user object
User who made the decision for the step.
When the decision was made.
2017-01-01T15:05:05Z
A comment accompanying the decision.
A flag used to determine if approvers can revoke a role from target user.
false
Is set to true only when the target role has been revoked via the request by one of the approvers.
false
Date and time of revocation.
2017-01-01T15:05:05Z
target_role_revoked_by object
User object of who revoked the target role.
It indicates whether a role is present in the system or not.
{
  "id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "requester": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "display_name": "string",
    "deleted": true
  },
  "requested_role": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "string",
    "deleted": true
  },
  "request_justification": "string",
  "grant_type": "string",
  "grant_start": "2017-01-01T15:05:05Z",
  "grant_end": "2017-01-01T15:05:05Z",
  "floating_length": 24,
  "max_floating_duration": 48,
  "max_time_restricted_duration": 15,
  "target_user": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "display_name": "string",
    "deleted": true
  },
  "target_roles": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "deleted": true
    }
  ],
  "requestor_roles": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "deleted": true
    }
  ],
  "action": "GRANT",
  "created": "2017-01-01T15:05:05Z",
  "updated": "2017-01-01T15:05:05Z",
  "updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "name": "An example workflow",
  "status": "WAITING",
  "comment": "A comment",
  "can_bypass_revoke_workflow": false,
  "steps": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "match": "ALL",
      "approvers": [
        {
          "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "role": {
            "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
            "name": "string",
            "deleted": true
          },
          "decision": "WAITING",
          "user": {
            "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
            "display_name": "string"
          },
          "decision_time": "2017-01-01T15:05:05Z",
          "comment": "string"
        }
      ]
    }
  ],
  "approver_can_revoke": false,
  "target_role_revoked": false,
  "target_role_revocation_time": "2017-01-01T15:05:05Z",
  "target_role_revoked_by": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "display_name": "string",
    "deleted": true
  }
}
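A pre-submission check of the limits this object carries (action enum, name length, floating and time-restricted durations), written here as an added example and not taken from the product's code or documentation. The helper name, the violation labels and the sample requests are constructed for illustration, and the rule that grant_end must follow grant_start is an assumption the page does not state.

```python
from datetime import datetime, timedelta, timezone

ALLOWED_ACTIONS = {"GRANT", "REMOVE", "BOTH"}  # enum listed on this page

def _ts(value):
    # Timestamps on this page look like 2017-01-01T15:05:05Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_access_request(req):
    """Return labels of violated limits in an access_request dict (hypothetical helper)."""
    problems = []
    if req.get("action") not in ALLOWED_ACTIONS:
        problems.append("action")
    if not 4 <= len(req.get("name", "")) <= 4096:
        problems.append("name")
    # Floating window: both values are hours after the initial connection.
    length, max_length = req.get("floating_length"), req.get("max_floating_duration")
    if length is not None and max_length is not None and length > max_length:
        problems.append("floating_length")
    # Time-restricted window: end minus start is limited in days.
    start, end = req.get("grant_start"), req.get("grant_end")
    max_days = req.get("max_time_restricted_duration")
    if start and end:
        window = _ts(end) - _ts(start)
        if window <= timedelta(0):
            problems.append("grant_order")  # assumption: end must follow start
        elif max_days is not None and window > timedelta(days=max_days):
            problems.append("grant_window")
    return problems

# Constructed sample requests (not taken from a real system).
SAMPLE_OK = {
    "action": "GRANT",
    "name": "An example workflow",
    "floating_length": 24,
    "max_floating_duration": 48,
    "grant_start": "2017-01-01T15:05:05Z",
    "grant_end": "2017-01-10T15:05:05Z",
    "max_time_restricted_duration": 15,
}
SAMPLE_BAD = dict(SAMPLE_OK, action="DELETE", floating_length=72,
                  grant_end="2017-02-01T15:05:05Z")

if __name__ == "__main__":
    print(check_access_request(SAMPLE_OK))
    print(check_access_request(SAMPLE_BAD))
```

The server remains the authority on these limits, since several of them can be overridden in the decision phase; a check like this only catches malformed requests before they enter an approval queue.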