Workflows

In Identity Governance, end users can request access to resources, and managers can request to revoke access to resources. Resources are target applications, entitlements, or roles.

There are various access request types that you can create using REST:

Access request type Name in REST APIs Description

Access request type	Name in REST APIs	Description
Grant Application	`BasicApplicationGrant`	Request access to an application.
Remove Application	`BasicApplicationRemove`	Request to remove access to an application for an end user.
Grant Role	`BasicRoleGrant`	Request access to an Identity Cloud provisioning role.
Remove Role	`BasicRoleRemove`	Request to remove access to a role from an end user.
Grant Entitlement	`BasicEntitlementGrant`	Request access to an entitlement (additional privilege inside an application).
Remove Entitlement	`BasicEntitlementRemove`	Request to remove access to an entitlement from an end user.

Grant Application

BasicApplicationGrant

Request access to an application.

Remove Application

BasicApplicationRemove

Request to remove access to an application for an end user.

Grant Role

BasicRoleGrant

Request access to an Identity Cloud provisioning role.

Remove Role

BasicRoleRemove

Request to remove access to a role from an end user.

Grant Entitlement

BasicEntitlementGrant

Request access to an entitlement (additional privilege inside an application).

Remove Entitlement

BasicEntitlementRemove

Request to remove access to an entitlement from an end user.

These access request types correspond to a default workflow definition that you can change to meet the needs of your organization. This referred to as identity orchestration. For example, you can create custom scripts for what actions to take when a BasicApplicationGrant access request type is approved.

For more information on using the endpoints in sequential steps, refer to Manage access request workflows.

YAML file

The REST APIs contain many parameters and, in some instances, large request bodies. For your convenience, you can view the entire API using a YAML file based on the OpenAPI specification.

To download the YAML file, click here.

Adjust the configurations of the file to match your specific details, such as your Identity Cloud tenant FQDN.

Endpoints

The following table displays the actions available with workflow definitions for access request types:

URI HTTP method Description

URI	HTTP method	Description
`/orchestration/script`	POST	Validate a workflow script.
`/orchestration/defaultScript`	GET	Get the default JavaScript used in the script node.
`/orchestration/definition`	GET	Get a list of workflow definitions saved to the backend. Workflow definitions have two statuses: `draft`: Draft workflow definitions are editable by end users and can be published to the backend. `published`: Published definitions are used in the processing of corresponding access requests. The `id` and `name` attributes of the draft workflow correspond to those of the published workflow definition.
`/orchestration/definition`	POST	Create, publish, or validate a workflow definition. NOTE: Copy the existing published workflow definition before overwriting it with a new one in case your new workflow definition has errors.
`/orchestration/{id}`	PUT	Update an existing workflow definition for an access request type in a `draft` state.
`/orchestration/{id}`	DELETE	Delete an existing workflow definition in a `draft` state. You cannot delete a workflow definition in its `published` state.
`/orchestration/{id}/{status}`	GET	Get definitions by `id` and `status` (status is `draft` or `published`).

/orchestration/script

POST

Validate a workflow script.

/orchestration/defaultScript

GET

Get the default JavaScript used in the script node.

/orchestration/definition

GET

Get a list of workflow definitions saved to the backend. Workflow definitions have two statuses:

draft: Draft workflow definitions are editable by end users and can be published to the backend.
published: Published definitions are used in the processing of corresponding access requests.

The id and name attributes of the draft workflow correspond to those of the published workflow definition.

/orchestration/definition

POST

Create, publish, or validate a workflow definition.

NOTE: Copy the existing published workflow definition before overwriting it with a new one in case your new workflow definition has errors.

/orchestration/{id}

PUT

Update an existing workflow definition for an access request type in a draft state.

/orchestration/{id}

DELETE

Delete an existing workflow definition in a draft state. You cannot delete a workflow definition in its published state.

/orchestration/{id}/{status}

GET

Get definitions by id and status (status is draft or published).