access_request
Description of a complete access request.
The UUID of the returned object, unique to an access request.
Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
requester object
The ID & display name of the user making the access request.
It indicates whether a user is present in the system or not.
requested_role object required
The ID and display name of the access requested role. Display name stored for posterity.
The ID of the requested role.
It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during Write operations.
Justification for the access request.
Whether the role is granted permanently, for a restricted time, or as a floating window. The floating window starts upon initial connection, at which time the Role Store converts the floating window to an explicit time-restricted window. Can be overridden in the decision phase.
Date & time after which the role is granted to the user. Can be overridden in the decision phase.
Example: 2017-01-01T15:05:05Z
Date & time after which the role is removed from the user. Can be overridden in the decision phase.
Example: 2017-01-01T15:05:05Z
Time in hours how long the grant should last after initial connection. Can be overridden in the decision phase.
Example: 24
Time in hours how long the grant should not exceed after initial connection.
Example: 48
Maximum time in days; the duration between the start date and end date of the role request must not exceed this.
Example: 15
target_user object
The ID of the user the request is made for.
It indicates whether a user is present in the system or not.
target_roles object[]
A list of roles this workflow targets.
It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during Write operations.
requestor_roles object[]
The ID and display name of the access requestor roles. Display name stored for posterity.
The ID of the requestor role.
It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during Write operations.
Whether the workflow GRANTs the role to the user or REMOVEs the user from the role. The workflow engine needs to check that the requested action matches the allowed actions defined in the template.
Possible values: [GRANT, REMOVE, BOTH]
When the object was created.
Example: 2017-01-01T15:05:05Z
When the object was updated.
Example: 2017-01-01T15:05:05Z
ID of the user who updated the object.
Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
ID of the user who originally authored the object.
Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
Name of the workflow.
Possible values: >= 4 characters and <= 4096 characters
Example: An example workflow
Computed status for the instance of the workflow - based on step statuses.
Possible values: [WAITING, APPROVED, DENIED]
Example: WAITING
A comment describing the object.
Example: A comment
A flag used to determine if approvers can bypass the revoke workflow to revoke a role.
Example: false
steps object[]
Array of steps.
Access request name.
Whether all approvers must approve or any approver can approve. AUTO steps, when enabled, are approved automatically.
Possible values: [ALL, ANY, AUTO]
approvers object[] required
Who are the approvers in this step.
role object required
Approving role's ID and display name.
It indicates whether a role is present in the system or not.
Approver's decision
Possible values: [WAITING, APPROVED, DENIED]
user object
User who made the decision for the step.
When the decision was made.
Example: 2017-01-01T15:05:05Z
A comment accompanying the decision.
A flag used to determine if approvers can revoke a role from target user.
Example: false
Is set to true only when the target role has been revoked via the request by one of the approvers.
Example: false
Date and time of revocation.
Example: 2017-01-01T15:05:05Z
target_role_revoked_by object
User object of who revoked the target role.
It indicates whether a role is present in the system or not.
{
  "id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "requester": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "display_name": "string",
    "deleted": true
  },
  "requested_role": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "name": "string",
    "deleted": true
  },
  "request_justification": "string",
  "grant_type": "string",
  "grant_start": "2017-01-01T15:05:05Z",
  "grant_end": "2017-01-01T15:05:05Z",
  "floating_length": 24,
  "max_floating_duration": 48,
  "max_time_restricted_duration": 15,
  "target_user": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "display_name": "string",
    "deleted": true
  },
  "target_roles": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "deleted": true
    }
  ],
  "requestor_roles": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "deleted": true
    }
  ],
  "action": "GRANT",
  "created": "2017-01-01T15:05:05Z",
  "updated": "2017-01-01T15:05:05Z",
  "updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
  "name": "An example workflow",
  "status": "WAITING",
  "comment": "A comment",
  "can_bypass_revoke_workflow": false,
  "steps": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "name": "string",
      "match": "ALL",
      "approvers": [
        {
          "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "role": {
            "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
            "name": "string",
            "deleted": true
          },
          "decision": "WAITING",
          "user": {
            "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
            "display_name": "string"
          },
          "decision_time": "2017-01-01T15:05:05Z",
          "comment": "string"
        }
      ]
    }
  ],
  "approver_can_revoke": false,
  "target_role_revoked": false,
  "target_role_revocation_time": "2017-01-01T15:05:05Z",
  "target_role_revoked_by": {
    "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "display_name": "string",
    "deleted": true
  }
}
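An added example (not part of the API reference and not the product's own code): a client-side pre-flight check that applies the limits described above for max_time_restricted_duration and max_floating_duration, and shows how a floating window becomes an explicit time-restricted window at initial connection. The function names, the sample request, and the rule that grant_end must follow grant_start are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format used in the page's examples
ALLOWED_ACTIONS = {"GRANT", "REMOVE", "BOTH"}  # values listed on the page


def parse_ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def check_request(req):
    """Return a list of problems found in an access_request dict."""
    problems = []
    if "requested_role" not in req:
        problems.append("requested_role is required")
    if req.get("action") not in ALLOWED_ACTIONS:
        problems.append("action must be GRANT, REMOVE or BOTH")
    start, end = req.get("grant_start"), req.get("grant_end")
    if start and end:
        span = parse_ts(end) - parse_ts(start)
        max_days = req.get("max_time_restricted_duration")
        if span <= timedelta(0):  # assumption: end must follow start
            problems.append("grant_end must be later than grant_start")
        elif max_days is not None and span > timedelta(days=max_days):
            problems.append("grant window exceeds max_time_restricted_duration")
    length, cap = req.get("floating_length"), req.get("max_floating_duration")
    if length is not None and cap is not None and length > cap:
        problems.append("floating_length exceeds max_floating_duration")
    return problems


def resolve_floating_window(req, first_connection):
    """Explicit (grant_start, grant_end) for a floating grant that began
    at first_connection, as the page says happens on initial connection."""
    start = parse_ts(first_connection)
    end = start + timedelta(hours=req["floating_length"])
    return start.strftime(FMT), end.strftime(FMT)


# Constructed sample request; the 19-day window breaks the 15-day limit.
SAMPLE = {
    "requested_role": {"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6"},
    "action": "GRANT",
    "grant_start": "2017-01-01T15:05:05Z",
    "grant_end": "2017-01-20T15:05:05Z",
    "max_time_restricted_duration": 15,
    "floating_length": 24,
    "max_floating_duration": 48,
}
```

Running such a check before submission surfaces over-long grant windows to the requester early; the server-side limits remain the authoritative control.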