Identity Cloud


In Identity Governance, end users can request access to resources, and managers can request to revoke access to resources. Resources are target applications, entitlements, or roles.

There are various access request types that you can create using REST:

Access request type    Name in REST APIs    Description

Grant Application                           Request access to an application.
Remove Application                          Request to remove access to an application for an end user.
Grant Role                                  Request access to an Identity Cloud provisioning role.
Remove Role                                 Request to remove access to a role from an end user.
Grant Entitlement                           Request access to an entitlement (additional privilege inside an application).
Remove Entitlement                          Request to remove access to an entitlement from an end user.

These access request types correspond to a default workflow definition that you can change to meet the needs of your company. This is referred to as identity orchestration. For example, you can create custom scripts that define what actions to take when a BasicApplicationGrant access request type is approved.

For more information on using the endpoints in sequential steps, refer to Manage access request using workflows.

YAML file

The REST APIs contain many parameters and, in some instances, large request bodies. For your convenience, you can view the entire API using a YAML file based on the OpenAPI specification.

To download the YAML file, click here.

Adjust the configurations of the file to match your specific details, such as your Identity Cloud tenant FQDN.


The following table displays the actions available with workflow definitions for access request types:

URI HTTP method Description



Validate a workflow script.



Get the default JavaScript used in the script node.



Get a list of workflow definitions saved to the backend. Workflow definitions have two statuses:

  • draft: Draft workflow definitions are editable by end users and can be published to the backend.

  • published: Published definitions are used in the processing of corresponding access requests.

The id and name attributes of the draft workflow correspond to those of the published workflow definition.



Create, publish, or validate a workflow definition.

NOTE: Copy the existing published workflow definition before overwriting it with a new one in case your new workflow definition has errors.



Update an existing workflow definition for an access request type in a draft state.



Delete an existing workflow definition in a draft state. You cannot delete a workflow definition in its published state.



Get definitions by id and status (status is draft or published).

Copyright © 2010-2024 ForgeRock, all rights reserved.