Identity Cloud

Identity orchestration (access request workflows)

In Identity Governance, end users can request access to resources, and managers can request to revoke access to resources. Resources are target applications, entitlements, or roles.

There are various access request types that you can create using REST:

Access request type | Name in REST APIs | Description
--- | --- | ---
Grant Application | BasicApplicationGrant | Request access to an application.
Remove Application | BasicApplicationRemove | Request to remove access to an application for an end user.
Grant Role | BasicRoleGrant | Request access to an Identity Cloud provisioning role.
Remove Role | BasicRoleRemove | Request to remove access to a role from an end user.
Grant Entitlement | BasicEntitlementGrant | Request access to an entitlement (additional privilege inside an application).
Remove Entitlement | BasicEntitlementRemove | Request to remove access to an entitlement from an end user.

Each of these access request types corresponds to a default workflow definition that you can change to meet the needs of your organization. This is referred to as identity orchestration. For example, you can create custom scripts that define what actions to take when a BasicApplicationGrant access request is approved.

For more information on using the endpoints in sequential steps, refer to identity orchestration.

YAML file

The REST APIs contain many parameters and, in some instances, large request bodies. For your convenience, you can view the entire API using a YAML file based on the OpenAPI specification.

To download the YAML file, click here.

Adjust the configurations of the file to match your specific details, such as your Identity Cloud tenant FQDN.

Endpoints

The following table displays the actions available with workflow definitions for access request types:

URI | HTTP operation | Description
--- | --- | ---
/auto/orchestration/definition | GET | Get the workflow definitions for each access request type.
/auto/orchestration/definition/{id}/{status} | GET | Get a definition by id and status (status is draft or published).
/auto/orchestration/definition | POST | Perform one of the actions listed below using the _action parameter: create, validate, or publish.
/auto/orchestration/definition/{id} | PUT | Update an existing workflow definition for an access request type in a draft state.
/auto/orchestration/definition/{id} | DELETE | Delete an existing workflow definition in a draft state. You can’t delete a workflow definition in its published state.

The _action parameter for POST /auto/orchestration/definition takes one of the following values:

  • create — Create a draft workflow definition. Typically, use the GET request to retrieve an existing workflow definition, make a copy, and update the copy.

    IMPORTANT: There can only be one draft workflow definition and one published workflow definition per access request type. When you create a workflow definition, it is in a draft state, not a published state. You must promote the draft to the published state for the workflow definition to be active.

  • validate — After you create a workflow definition in a draft state, validate its syntax.

  • publish — Publish the workflow definition for the access request type. This action overwrites the existing published workflow definition for that access request type.

    Copy the existing published workflow definition before overwriting it with a new one, in case your new workflow definition has errors.
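As an added example (not ForgeRock's code and not taken from the YAML file), the following Python client walks the sequence described for these endpoints: read the currently published definition as a backup, create a draft, validate it, and publish only if validation passes. Assumptions not stated on this page: the tenant FQDN `tenant.example` is a placeholder, requests carry an OAuth 2.0 bearer token, `_action` is sent as a query parameter, request and response bodies are JSON, and the validate response contains a boolean `valid` field; check each of these against the YAML file for your tenant. The `make_fake_transport` helper is a constructed offline stand-in for a tenant so the sequence can be exercised without network access.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status_code, parsed_json).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Any]]

def _parse(raw: bytes) -> Any:
    try:
        return json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        return {"raw": raw.decode(errors="replace")}

def urllib_transport(method, url, headers, body) -> Tuple[int, Any]:
    """Default transport: a real HTTPS call using only the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _parse(err.read())

class OrchestrationClient:
    """Thin wrapper over the /auto/orchestration/definition endpoints."""

    BASE_PATH = "/auto/orchestration/definition"
    STATUSES = ("draft", "published")  # the only values {status} accepts

    def __init__(self, tenant_fqdn: str, access_token: str,
                 transport: Transport = urllib_transport) -> None:
        self.base_url = f"https://{tenant_fqdn}{self.BASE_PATH}"
        self.access_token = access_token
        self.transport = transport

    def _call(self, method, path="", params=None, body=None) -> Any:
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        # Assumption: bearer-token authorization and JSON request/response bodies.
        headers = {"Authorization": f"Bearer {self.access_token}", "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, payload = self.transport(method, url, headers, data)
        if status >= 400:
            raise RuntimeError(f"{method} {url} returned HTTP {status}: {payload}")
        return payload

    def list_definitions(self) -> Any:
        return self._call("GET")

    def get_definition(self, def_id: str, status: str) -> Any:
        if status not in self.STATUSES:
            raise ValueError(f"status must be one of {self.STATUSES}, got {status!r}")
        return self._call("GET", f"/{def_id}/{status}")

    def create_draft(self, definition: Dict[str, Any]) -> Any:
        return self._call("POST", params={"_action": "create"}, body=definition)

    def validate(self, definition: Dict[str, Any]) -> Any:
        return self._call("POST", params={"_action": "validate"}, body=definition)

    def publish(self, definition: Dict[str, Any]) -> Any:
        return self._call("POST", params={"_action": "publish"}, body=definition)

    def update_draft(self, def_id: str, definition: Dict[str, Any]) -> Any:
        return self._call("PUT", f"/{def_id}", body=definition)

    def delete_draft(self, def_id: str) -> Any:
        return self._call("DELETE", f"/{def_id}")

def promote_with_backup(client, def_id, new_definition) -> Tuple[Any, Any]:
    """Draft -> validate -> publish, keeping a copy of the current published definition.
    Never publishes a draft that failed validation. Assumption: validate returns a "valid" flag."""
    backup = client.get_definition(def_id, "published")
    draft = client.create_draft(new_definition)
    verdict = client.validate(draft)
    if not verdict.get("valid"):
        # Only one draft can exist per access request type: update or delete it before retrying.
        raise ValueError(f"draft for {def_id} failed validation: {verdict}")
    return backup, client.publish(draft)

def make_fake_transport(validate_ok=True) -> Tuple[Transport, List[Tuple[str, str]]]:
    """Constructed offline stand-in for a tenant: records (method, url) and returns canned JSON."""
    calls: List[Tuple[str, str]] = []

    def transport(method, url, headers, body):
        calls.append((method, url))
        if "_action=validate" in url:
            return 200, {"valid": validate_ok}
        if body is not None:  # create/publish/update echo the submitted definition
            return 200, json.loads(body)
        return 200, {"status": url.rsplit("/", 1)[-1]}  # GET by id/status, DELETE
    return transport, calls
```

The transport is injected so the same client can be pointed at a real tenant (`urllib_transport`) or at the recording fake; in either case `promote_with_backup` returns the pre-change published definition alongside the publish response, and a failed validation stops the sequence before the publish action can overwrite anything.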

Copyright © 2010-2023 ForgeRock, all rights reserved.