Identity Cloud


In Identity Governance, end users can request access to resources, and managers can request to revoke access to resources. Resources are target applications, entitlements, or roles.

There are various access request types that you can create using REST:

Access request type Name in REST APIs Description

Grant Application


Request access to an application.

Remove Application


Request to remove access to an application for an end user.

Grant Role


Request access to an Identity Cloud provisioning role.

Remove Role


Request to remove access to a role from an end user.

Grant Entitlement


Request access to an entitlement (additional privilege inside an application).

Remove Entitlement


Request to remove access to an entitlement from an end user.

These access request types correspond to a default workflow definition that you can change to meet the needs of your organization. This referred to as identity orchestration. For example, you can create custom scripts for what actions to take when a BasicApplicationGrant access request type is approved.

For more information on using the endpoints in sequential steps, refer to Manage access request workflows.

YAML file

The REST APIs contain many parameters and, in some instances, large request bodies. For your convenience, you can view the entire API using a YAML file based on the OpenAPI specification.

To download the YAML file, click here.

Adjust the configurations of the file to match your specific details, such as your Identity Cloud tenant FQDN.


The following table displays the actions available with workflow definitions for access request types:

URI HTTP operation Description



Get the workflow definitions for each access request type.



Get definitions by id and status (status is draft or published).



Perform the following using the _action parameter:

  • create — Use the GET request to retrieve a workflow definition, make a copy, or update.

    IMPORTANT:There can only be one draft workflow definition and one publish per access request type. When you create a workflow definition, it’s in a draft state, not in a publish state. You must promote the draft state to a publish state for the workflow definition to be active.

  • validate — After you create a workflow definition that is in a draft state, validate the syntax.

  • publish — Publish the workflow definition for the access request type. This action overwrites the existing workflow definition for an access request type.

    Copy the existing published workflow definition before overwriting it with a new one in case your new workflow definition has errors.



Update an existing workflow definition for an access request type in a draft state.



Delete an existing workflow definition in a draft state. You can’t delete a workflow definition in its published state.

Copyright © 2010-2024 ForgeRock, all rights reserved.