Version: v41

workflow

Description of a complete workflow.

id string<uuid>

The UUID of the returned object, unique to a workflow template.

Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
requester object

The ID & display name of the user making the request.

id string<uuid>
display_name string
deleted boolean

It indicates whether a user is present in the system or not.

requested_role object

The ID and display name of the requested role. Display name stored for posterity.

id string<uuid>

The ID of the requested role.

name string
deleted boolean

It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during Write operations.

request_justification string

Justification for the request.

grant_types string[]

List of role-granting types: whether the role is granted permanently, for a restricted time, or for a floating window. The floating window starts upon initial connection, at which time the Role Store converts the floating window to an explicit time-restricted window.

Possible values: [PERMANENT, TIME_RESTRICTED, FLOATING]

grant_start string<date-time>

Date & time after which the role is granted to the user. Can be overridden in the decision phase.

Example: 2017-01-01T15:05:05Z
grant_end string<date-time>

Date & time after which the role is removed from the user. Can be overridden in the decision phase.

Example: 2017-01-01T15:05:05Z
floating_length integer

Time in hours that the grant should last after initial connection. Can be overridden in the decision phase.

Example: 24
max_active_requests integer required

Maximum number of concurrent open requests a user can have per target role. Set to -1 to allow an unlimited number of open requests. Assumed 1 if not specified.

Example: 1
max_floating_duration integer

Maximum time in hours that the grant may last after initial connection.

Example: 48
max_time_restricted_duration integer

Maximum time in days: the duration between the start date and end date of a role request must not exceed this value.

Example: 15
target_user object

The ID of the user the request is made for.

id string<uuid>
display_name string
deleted boolean

It indicates whether a user is present in the system or not.

target_roles object[] required

A list of roles this workflow targets.

  • Array [
  • id string<uuid>
    name string
    deleted boolean

    It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during Write operations.

  • ]
  • action string required

    Whether the workflow GRANTs the role to the user or REMOVEs the user from the role. The workflow engine needs to check that the requested action matches the allowed actions defined in the template.

    Possible values: [GRANT, REMOVE, BOTH]

    created string<date-time>

    When the object was created.

    Example: 2017-01-01T15:05:05Z
    updated string<date-time>

    When the object was updated.

    Example: 2017-01-01T15:05:05Z
    updated_by string<uuid>

    ID of the user who updated the object.

    Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
    author string<uuid>

    ID of the user who originally authored the object.

    Example: eef4aefc-d64e-4c2c-aba4-4914c86ce059
    name string required

    Name of the workflow.

    Possible values: >= 4 characters and <= 4096 characters

    Example: An example workflow
    status string

    Computed status for the instance of the workflow - based on step statuses.

    Possible values: [WAITING, APPROVED, DENIED]

    Default value: WAITING
    comment string

    A comment describing the object.

    Example: A comment
    can_bypass_revoke_workflow boolean

    A flag used to determine if approvers can bypass the revoke workflow to revoke a role.

    Default value: false
    requires_justification boolean

    A flag used to determine if requesters can bypass the justification on role requests.

    Default value: false
    steps object[] required

    Array of steps.

  • Array [
  • name string required

    Workflow-step name

    match string required

    Whether all approvers must approve or any approver can approve. When enabled, AUTO steps are automatically approved.

    Possible values: [ALL, ANY, AUTO]

    approvers object[] required

    The approvers in this step.

  • Array [
  • role object required

    Approving role's ID and display name

    id string<uuid>
    name string
    deleted boolean

    It indicates whether a role is present in the system or not. Create/Update workflow/request operations do not need to pass any value to this attribute. This field is not read during Write operations.

  • ]
  • ]
  • workflow
    {
      "id": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
      "requester": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "display_name": "string",
        "deleted": true
      },
      "requested_role": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "name": "string",
        "deleted": true
      },
      "request_justification": "string",
      "grant_types": [
        "PERMANENT"
      ],
      "grant_start": "2017-01-01T15:05:05Z",
      "grant_end": "2017-01-01T15:05:05Z",
      "floating_length": 24,
      "max_active_requests": 1,
      "max_floating_duration": 48,
      "max_time_restricted_duration": 15,
      "target_user": {
        "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "display_name": "string",
        "deleted": true
      },
      "target_roles": [
        {
          "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "name": "string",
          "deleted": true
        }
      ],
      "action": "GRANT",
      "created": "2017-01-01T15:05:05Z",
      "updated": "2017-01-01T15:05:05Z",
      "updated_by": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
      "author": "eef4aefc-d64e-4c2c-aba4-4914c86ce059",
      "name": "An example workflow",
      "status": "WAITING",
      "comment": "A comment",
      "can_bypass_revoke_workflow": false,
      "requires_justification": false,
      "steps": [
        {
          "name": "string",
          "match": "ALL",
          "approvers": [
            {
              "role": {
                "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
                "name": "string",
                "deleted": true
              }
            }
          ]
        }
      ]
    }
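
An added example, not part of the product documentation: a review pass over one workflow object that reports the settings this schema makes possible and an access reviewer would want surfaced (PERMANENT grants, unlimited open requests, AUTO-only approval, deleted approver roles, durations beyond the stated maximums). The function name `review_workflow`, the finding strings, and the choice of which settings to report are assumptions; only the field names and value sets come from the schema above.

```python
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%SZ"  # timestamp form used in the schema examples

def review_workflow(wf):
    """Hypothetical helper: list review findings for one workflow dict."""
    out = []
    if "PERMANENT" in wf.get("grant_types", []):
        out.append("PERMANENT grants allowed")
    if wf.get("max_active_requests", 1) == -1:  # schema: assumed 1 if unset
        out.append("unlimited open requests per target role")
    if wf.get("can_bypass_revoke_workflow", False):
        out.append("approvers can bypass the revoke workflow")
    length, cap = wf.get("floating_length"), wf.get("max_floating_duration")
    if length is not None and cap is not None and length > cap:
        out.append(f"floating_length {length}h exceeds max_floating_duration {cap}h")
    start, end = wf.get("grant_start"), wf.get("grant_end")
    if start and end:
        window = datetime.strptime(end, TS) - datetime.strptime(start, TS)
        days = wf.get("max_time_restricted_duration")
        if window <= timedelta(0):
            out.append("grant_end is not after grant_start")
        elif days is not None and window > timedelta(days=days):
            out.append(f"grant window exceeds max_time_restricted_duration of {days} days")
    steps = wf.get("steps", [])
    if steps and all(s.get("match") == "AUTO" for s in steps):
        out.append("every step is AUTO: no approver decision is required")
    for s in steps:
        roles = [a.get("role", {}) for a in s.get("approvers", [])]
        for r in roles:
            if r.get("deleted"):
                out.append(f"step '{s.get('name')}': approver role {r.get('id')} is deleted")
        if s.get("match") != "AUTO" and all(r.get("deleted") for r in roles):
            out.append(f"step '{s.get('name')}': no approver role is still present")
    return out

# Constructed sample shaped like the schema above; the role ID is a placeholder.
SAMPLE = {
    "grant_types": ["PERMANENT", "TIME_RESTRICTED"],
    "grant_start": "2017-01-01T15:05:05Z", "grant_end": "2017-02-01T15:05:05Z",
    "max_time_restricted_duration": 15,
    "floating_length": 72, "max_floating_duration": 48,
    "max_active_requests": -1,
    "steps": [{"name": "manager", "match": "ANY", "approvers": [
        {"role": {"id": "00000000-0000-0000-0000-000000000001", "deleted": True}}]}],
}

if __name__ == "__main__":
    print("\n".join(review_workflow(SAMPLE)))
```

The function takes a dict parsed from the JSON returned for a workflow and returns an empty list when none of the checked conditions apply.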