Identity Cloud

Identity Governance-related APIs

Identity Governance has many features, including access requests, the governance glossary (catalog), and entitlements. The following sections comprehensively explore the Identity Governance REST API endpoints.

YAML file

The REST APIs contain many parameters and, in some instances, large request bodies. For your convenience, you can view the entire API using a YAML file based on the OpenAPI specification.

To download the YAML file, click here.

Adjust the configurations of the file to match your specific details, such as your Identity Cloud tenant FQDN.

Endpoints

Access request

In Identity Governance, end users can request access to resources. Resources are target applications, entitlements, or roles. You define which resources are requestable.

For more information, refer to access requests.

You can define workflows for access requests, such as which email is sent to whom for a given access request type. These endpoints are used in tandem with the access request endpoints. For more information, refer to Identity orchestration (access request workflows).

The following table shows the endpoints used by access requests:

URI HTTP operation Description

/governance/requests

POST

Submit a new request for access. The endpoint validates the contents of the request and, if there are no issues, creates a request for each end user and associated resource item in the request.

To check validation only, the endpoint supports the validate action, which lets the caller see any errors in the current request payload. When you use this action, no requests are created.

/governance/requests/{requestId}

GET

Retrieve the details of a single access request using its unique identifier, requestId.

/governance/requests/{requestId}

POST

Perform various actions on a specific request, such as:

  • approve

  • reject

  • comment

  • cancel

  • update

  • reassign

Depending on the information the caller provides, each action has different request payloads.

/governance/user/{userId}/requests

GET

Get access requests based on the permissions the user has without additional filtering.

For additional search capabilities, use the POST /governance/user/{userId}/requests?_action=search API.

/governance/user/{userId}/requests

POST

Retrieve access requests submitted for review, based on the permissions the user has, with filtering.

Use the targetFilter property in the API payload to filter the requests based on desired criteria.

/governance/user/{userId}/approvals

POST

Get the access requests on which the authenticated user needs to make a decision, either through a role or as a delegate.

Use the targetFilter property in the API payload to filter the requests based on desired criteria.
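The validate-then-submit flow and the filtered search described in the table above, as an added example that is not ForgeRock's own client code. The page names the validate action, the `_action=search` form and the `targetFilter` property; everything else is an assumption: that validation is invoked as `POST /governance/requests?_action=validate` (by analogy with `?_action=search`), that the request body is `{"users": [...], "items": [...], "justification": ...}`, that validation errors come back under an `errors` key, that the filter shape is `{"status": ...}`, and that the API is called with an OAuth 2.0 bearer token. `FakeGovernance` is a constructed in-memory stand-in so the flow runs offline.

```python
"""Validate-before-submit and filtered search against the access request endpoints.
Added example, not ForgeRock code. The ?_action=validate path, the request body shape,
the {"errors": [...]} validation response, the targetFilter shape and bearer-token auth
are assumptions; only ?_action=search and the targetFilter property name are on the page."""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Optional

# A transport is any callable (method, path, json_body) -> parsed JSON dict,
# so the same logic runs against a tenant or against a fake in tests.
Transport = Callable[[str, str, Optional[dict]], dict[str, Any]]


def make_transport(tenant_fqdn: str, access_token: str) -> Transport:
    """urllib transport posting JSON to https://<tenant_fqdn><path> with a bearer token (assumed)."""
    def send(method: str, path: str, body: Optional[dict]) -> dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"https://{tenant_fqdn}{path}", data=data, method=method,
            headers={"Authorization": f"Bearer {access_token}",
                     "Content-Type": "application/json", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            # Keep the error body: for a rejected payload it carries the detail you need.
            return {"error": err.code, "detail": err.read().decode(errors="replace")}
    return send


def build_access_request(user_ids: list, items: list, justification: str) -> dict:
    """Placeholder body: the service creates one request per (user, item) pair."""
    return {"users": list(user_ids), "items": list(items), "justification": justification}


def validate_then_submit(send: Transport, payload: dict) -> dict:
    """Run the validate action first; create requests only if it reports no errors."""
    check = send("POST", "/governance/requests?_action=validate", payload)
    errors = check.get("errors") or ([check] if "error" in check else [])
    if errors:
        return {"submitted": False, "errors": errors}
    return {"submitted": True, "result": send("POST", "/governance/requests", payload)}


def search_user_requests(send: Transport, user_id: str, target_filter: dict) -> dict:
    """Filtered search over one user's requests using the targetFilter property."""
    return send("POST", f"/governance/user/{user_id}/requests?_action=search",
                {"targetFilter": target_filter})


class FakeGovernance:
    """Constructed stand-in for the tenant: knows which item ids are requestable."""
    def __init__(self, requestable_ids: set):
        self.requestable = requestable_ids
        self.requests: list = []

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        if path == "/governance/requests?_action=validate":
            bad = [i["id"] for i in body["items"] if i["id"] not in self.requestable]
            return {"errors": [f"item {i} is not requestable" for i in bad]}
        if path == "/governance/requests":
            for user in body["users"]:
                for item in body["items"]:
                    self.requests.append({"user": user, "item": item["id"], "status": "in-progress"})
            return {"created": len(body["users"]) * len(body["items"])}
        if path.startswith("/governance/user/") and path.endswith("/requests?_action=search"):
            user, status = path.split("/")[3], body["targetFilter"].get("status")
            return {"result": [r for r in self.requests if r["user"] == user and r["status"] == status]}
        return {"error": 404, "detail": path}


if __name__ == "__main__":
    send = FakeGovernance({"ent-finance-ro"})  # constructed catalogue of requestable items
    good = build_access_request(["alice"], [{"type": "entitlement", "id": "ent-finance-ro"}], "quarter close")
    bad = build_access_request(["alice"], [{"type": "entitlement", "id": "ent-finance-admin"}], "curious")
    print(validate_then_submit(send, bad))    # submitted: False, one validation error
    print(validate_then_submit(send, good))   # submitted: True
    print(search_user_requests(send, "alice", {"status": "in-progress"}))
```

Against a real tenant, replace `FakeGovernance(...)` with `make_transport("<tenant FQDN>", "<access token>")`; the rest of the flow is unchanged. Running the validate action first keeps a malformed or over-broad request from ever becoming a pending approval item, and the error body is returned rather than swallowed so the caller can see exactly which item was rejected.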

Governance glossary (catalog)

In Identity Governance, you can use the governance glossary to attach custom attributes (metadata) to applications, entitlements, or roles to enhance certifications or access requests.

For more information, refer to the Governance glossary.

The following table shows the endpoints used by the governance glossary (catalog):

URI HTTP operation Description

/governance/catalog

GET

Retrieve all resources in the access catalog without additional filtering. Each entry represents a single type of requestable access that you can add to a request. The supported types of access that are requestable are application, entitlement, and role.

/governance/catalog

POST

Get a list of resources (catalog items) with additional filtering. Each entry represents a single type of requestable access that you can add to a request. The supported types of access that are requestable are application, entitlement, and role.

/governance/search/schema

GET

Retrieve configured properties that are eligible for searching and sorting when querying the access catalog. Each property includes metadata, such as whether the property is multi-valued and its data type.

/governance/search/schema/{objectType}

GET

Retrieve configured properties that are eligible for searching and sorting when querying the access catalog for a single given object type, for example, the entitlement-specific properties you can search on. Each property includes metadata, such as whether the property is multi-valued and its data type.

Add or remove resources from users

In the Identity Cloud admin UI, you can add or remove resources from end users; you can also do the same through the REST APIs.

The following table shows the endpoints to add or remove users from resources:

URI HTTP operation Description

/governance/user/{userId}/applications

POST

Add or remove applications for an end user.

/governance/user/{userId}/roles

POST

Add or remove roles for an end user.

/governance/user/{userId}/entitlements

POST

Add or remove entitlements for an end user.

Evolving APIs

The APIs referenced in this section are evolving, which means they can change or become deprecated at any time.

The current evolving APIs focus on entitlements. For more information, refer to Entitlements.

URI HTTP operation Description

/governance/resource/{id}

GET

Retrieve an entitlement by an ID.

/governance/resource/search

POST

Retrieve a list of entitlements with additional filtering.

/governance/resource/{id}/assignments/user

GET

Retrieve users assigned to a specific entitlement.

Identity Governance configurations

Identity Governance has overarching configurations, such as requiring a justification when rejecting an access request.

The following table shows the endpoints relating to Identity Governance configurations:

URI HTTP operation Description

/commons/config

GET

Reads and returns all Identity Governance configuration properties across all categories. Only access request-related properties are available.

These properties determine the behavior behind functionality. For example, access request features contain configuration on whether a justification is required to reject a request, or whether a user can approve their own access.

/commons/config

PUT

Update the configuration properties across all categories. Only access request-related properties are available.

You must include all current configurations when saving changes; Identity Governance replaces any omitted keys with their default values.

/commons/config/{key}

GET

Get Identity Governance access request configurations for a given key.

/commons/config/{key}

PUT

Update Identity Governance access request configurations for a given key.
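The read-modify-write that the PUT /commons/config caveat above calls for, as an added example that is not ForgeRock's own code. The page states that omitted keys are reset to defaults; the helper below GETs the full document, deep-merges the change, and refuses to PUT anything that would drop a key or introduce one the service does not already know (a typo in a property name would otherwise become a new key while the intended setting stays unchanged). The property names `requireRejectJustification`, `allowSelfApproval` and `requireRequestJustification`, their nesting under an `accessRequest` category, and the transport signature are assumptions; `FakeConfigStore` is a constructed stand-in that mimics the reset-to-defaults behaviour so the example runs offline.

```python
"""Safe update of GET/PUT /commons/config. Added example, not ForgeRock code.
Property names, the accessRequest category and the transport signature are assumed."""
import copy
from typing import Any, Callable, Optional

# Any callable (method, path, json_body) -> dict works as the transport.
Transport = Callable[[str, str, Optional[dict]], dict[str, Any]]


def flatten_keys(doc: dict, prefix: str = "") -> set:
    """Dotted path of every leaf in a nested configuration document."""
    keys = set()
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        keys |= flatten_keys(value, path) if isinstance(value, dict) else {path}
    return keys


def merge(current: dict, changes: dict) -> dict:
    """Deep-merge changes into a copy of current; never deletes a key by itself."""
    out = dict(current)
    for key, value in changes.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = value
    return out


def update_config(send: Transport, changes: dict) -> dict:
    """GET the whole document, apply changes, guard, then PUT the whole document back."""
    current = send("GET", "/commons/config", None)
    proposed = merge(current, changes)
    dropped = flatten_keys(current) - flatten_keys(proposed)
    if dropped:  # e.g. a category replaced by a scalar would silently reset its children
        raise ValueError(f"refusing PUT that would drop {sorted(dropped)}")
    unknown = flatten_keys(changes) - flatten_keys(current)
    if unknown:  # a misspelled property name would be accepted but change nothing
        raise ValueError(f"unknown configuration keys {sorted(unknown)}")
    return send("PUT", "/commons/config", proposed)


class FakeConfigStore:
    """Constructed stand-in: on PUT, any key missing from the body reverts to its default,
    which is the behaviour the page attributes to PUT /commons/config."""
    DEFAULTS = {"accessRequest": {"requireRejectJustification": True,
                                  "allowSelfApproval": False,
                                  "requireRequestJustification": False}}

    def __init__(self):
        self.doc = copy.deepcopy(self.DEFAULTS)

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        if path != "/commons/config":
            return {"error": 404, "detail": path}
        if method == "GET":
            return copy.deepcopy(self.doc)
        if method == "PUT":
            self.doc = merge(copy.deepcopy(self.DEFAULTS), body)
            return copy.deepcopy(self.doc)
        return {"error": 405, "detail": method}


if __name__ == "__main__":
    store = FakeConfigStore()
    store.doc["accessRequest"]["requireRequestJustification"] = True  # previously hardened
    # Naive partial PUT: the hardened setting silently reverts to its default.
    store("PUT", "/commons/config", {"accessRequest": {"allowSelfApproval": False}})
    print(store.doc["accessRequest"]["requireRequestJustification"])  # False
    store.doc["accessRequest"]["requireRequestJustification"] = True
    # Read-modify-write keeps every current key.
    print(update_config(store, {"accessRequest": {"allowSelfApproval": False}}))
```

The same pattern applies to PUT /commons/config/{key} if that key holds a nested document. The guards are deliberately strict: a configuration that decides whether self-approval is allowed or whether a rejection needs a justification is exactly the kind of setting you do not want reset as a side effect of an unrelated change.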

Copyright © 2010-2023 ForgeRock, all rights reserved.