diff --git a/idn/beta/paths/dimension-access-profiles.yaml b/idn/beta/paths/dimension-access-profiles.yaml
new file mode 100644
index 00000000..7bd80eee
--- /dev/null
+++ b/idn/beta/paths/dimension-access-profiles.yaml
@@ -0,0 +1,98 @@ +get: + operationId: listDimensionAccessProfiles + tags: + - Dimensions + summary: List Dimension's Access Profiles + description: >- + This API lists the Access Profiles associated with a given Dimension + + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a + token with ROLE_SUBADMIN authority may only call this API if all Access Profiles included in the Role are associated + to Sources with management workgroups of which the ROLE_SUBADMIN is a member. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimension. + example: 6603fba3004f43c687610a29195252ce + - in: path + name: dimensionId + schema: + type: string + required: true + description: Id of the Dimension + example: 2c9180835d191a86015d28455b4a2329 + - $ref: '../../v3/parameters/limit.yaml' + - $ref: '../../v3/parameters/offset.yaml' + - $ref: '../../v3/parameters/count.yaml' + - in: query + name: filters + schema: + type: string + description: >- + Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) + + + Filtering is supported for the following fields and operators: + + + **id**: *eq, in* + + + **name**: *eq, sw* + + + **created**: *gt, lt, ge, le* + + + **modified**: *gt, lt, ge, le* + + + **owner.id**: *eq, in* + + + **source.id**: *eq, in* + example: source.id eq "2c91808982f979270182f99e386d00fa" + required: false + - in: query + name: sorters + schema: + type: string + format: comma-separated + description: >- + Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) + + + Sorting is supported for the following fields: **name, created, modified** + example: name,-modified + required: false + 
responses: + '200': + description: List of Access Profiles + content: + application/json: + schema: + type: array + items: + $ref: '../../v3/schemas/access/AccessProfile.yaml' + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '404': + $ref: '../../v3/responses/404.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [ idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read ] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN diff --git a/idn/beta/paths/dimension-bulk-delete.yaml b/idn/beta/paths/dimension-bulk-delete.yaml new file mode 100644 index 00000000..d629f05e --- /dev/null +++ b/idn/beta/paths/dimension-bulk-delete.yaml 
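Review bot: The ROLE_SUBADMIN rule in this description is scoped to "all Access Profiles included in the Role", although the operation returns a Dimension's access profiles and `getDimension` in dimension.yaml words the same rule as "included in the Dimension or Parent Role". Integrators read this sentence as the authorization contract, so it should name the object that is actually checked, e.g. `if all Access Profiles included in the Dimension are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member` (to be confirmed against the service's behaviour). The opening sentence of the description is also missing its full stop. The identical text in idn/v2024/paths/dimension-access-profiles.yaml needs the same correction.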
@@ -0,0 +1,95 @@ +post: + operationId: deleteBulkDimensions + summary: Delete Dimension(s) + tags: + - Dimensions + description: >- + This endpoint initiates a bulk deletion of one or more dimensions. + + When the request is successful, the endpoint returns the bulk delete's task result ID. + To follow the task, you can use [Get Task Status by ID](https://developer.sailpoint.com/docs/api/beta/get-task-status), which will return the task result's status and information. + + This endpoint can only bulk delete up to a limit of 50 roles per request. + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this endpoint. In addition, a + token with ROLE_SUBADMIN authority can only call this endpoint if all dimensions included in the request are associated + with sources with management workgroups the ROLE_SUBADMIN is a member of. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimensions. + example: 6603fba3004f43c687610a29195252ce + requestBody: + required: true + content: + application/json: + schema: + $ref: '../../v3/schemas/access/DimensionBulkDeleteRequest.yaml' + example: + { + "dimensionIds": [ "2c91808876438bb2017668b91919ecca","2c91808876438ba801766e129f151816" ] + } + responses: + '202': + description: Returns an object with the id of the task performing the delete operation. + content: + application/json: + schema: + $ref: '../../v3/schemas/TaskResultDto.yaml' + example: + { + "type": "TASK_RESULT", + "id": "464ae7bf791e49fdb74606a2e4a89635", + "name": null + } + '400': + description: Client Error - Returned if the request body is invalid. 
+ content: + application/json: + schema: + $ref: '../../v3/schemas/ErrorResponseDto.yaml' + examples: + 400.1 Bad Request Content: + description: Response for bad request content + value: + detailCode: 400.1 Bad Request Content + trackingId: 1ea1adcb84da4dcb890145e05745774e + messages: + - locale: en-US + localeOrigin: DEFAULT + text: The request was syntactically correct but its content is semantically invalid. + 400.1 Dimension ids limit violation: + description: Dimension ids limit violation response + value: + detailCode: 400.1 Bad Request Content + trackingId: 77aa89ac6f0e422dbc588866abc22be9 + messages: + - locale: en-US + localeOrigin: DEFAULT + text: dimensionIds count exceeded max limit of 50 for bulk-delete. + 400.1.404 Referenced object not found: + description: Referenced object not found response + value: + detailCode: 400.1.404 Referenced object not found + trackingId: 77aa89ac6f0e422dbc588866abc22be9 + messages: + - locale: en-US + localeOrigin: DEFAULT + text: Referenced dimensionIds ["2c91808876438bb2017668b91919ecca"] was not found. + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [idn:role-unchecked:manage, idn:role-checked:manage] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN diff --git a/idn/beta/paths/dimension-entitlements.yaml b/idn/beta/paths/dimension-entitlements.yaml new file mode 100644 index 00000000..cb94e069 --- /dev/null +++ b/idn/beta/paths/dimension-entitlements.yaml 
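Review bot: The description gives the limit as "up to a limit of 50 roles per request", but the operation deletes dimensions and the 400 example reports `dimensionIds count exceeded max limit of 50`; the sentence should read `up to a limit of 50 dimensions per request`. The spec also does not say what happens when an ID in `dimensionIds` belongs to a role other than the `roleId` in the path: the only documented failure is "Referenced dimensionIds ... was not found". If such IDs are rejected, state that explicitly so clients and reviewers can rely on the parent-role check. If `DimensionBulkDeleteRequest.yaml` (not shown in this diff) lacks `maxItems: 50` on `dimensionIds`, adding it lets gateways and validators enforce the limit before the request reaches the service. The same wording appears in idn/v2024/paths/dimension-bulk-delete.yaml.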
@@ -0,0 +1,102 @@ +get: + operationId: getDimensionEntitlements + tags: + - Dimensions + summary: List Dimension's Entitlements + description: >- + This API lists the Entitlements associated with a given dimension. + + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimension. + example: 6603fba3004f43c687610a29195252ce + - in: path + name: dimensionId + schema: + type: string + required: true + description: Id of the Dimension + example: 2c9180835d191a86015d28455b4a2329 + - $ref: '../../v3/parameters/limit.yaml' + - $ref: '../../v3/parameters/offset.yaml' + - $ref: '../../v3/parameters/count.yaml' + - in: query + name: filters + schema: + type: string + description: >- + Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) + + + Filtering is supported for the following fields and operators: + + + **id**: *eq, in* + + + **name**: *eq, sw* + + + **attribute**: *eq, sw* + + + **value**: *eq, sw* + + + **created**: *gt, lt, ge, le* + + + **modified**: *gt, lt, ge, le* + + + **owner.id**: *eq, in* + + + **source.id**: *eq, in* + example: attribute eq "memberOf" + required: false + - in: query + name: sorters + schema: + type: string + format: comma-separated + description: >- + Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) + + + Sorting is supported for the following fields: **name, attribute, value, created, modified** + example: name,-modified + required: false + responses: + '200': + description: List of Entitlements + content: + application/json: + schema: + type: array + items: + $ref: '../schemas/Entitlement.yaml' + '400': + $ref: 
'../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [ idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read ] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN + + diff --git a/idn/beta/paths/dimension.yaml b/idn/beta/paths/dimension.yaml new file mode 100644 index 00000000..05d2aa4f --- /dev/null +++ b/idn/beta/paths/dimension.yaml 
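Review bot: This operation lists ROLE_SUBADMIN under `x-sailpoint-userLevels`, but its description has no sentence about the source/management-workgroup restriction for ROLE_SUBADMIN tokens, unlike the access-profiles, get, patch and delete operations added in this commit. If the restriction applies, add the same sentence; if subadmins really can list any dimension's entitlements, say so, because the omission currently reads as an unrestricted read. The `operationId` `getDimensionEntitlements` is also out of step with the sibling `listDimensionAccessProfiles` (consider `listDimensionEntitlements`). No `'404'` response is declared, although dimension-access-profiles.yaml declares one. The v2024 copy, idn/v2024/paths/dimension-entitlements.yaml, has the same gaps.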
@@ -0,0 +1,252 @@ +get: + operationId: getDimension + tags: + - Dimensions + summary: Get a Dimension under Role. + description: >- + This API returns a Dimension by its ID. + + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a + token with ROLE_SUBADMIN authority may only call this API if all Access Profiles or Entitlements included in the Dimension or Parent Role are associated + to Sources with management workgroups of which the ROLE_SUBADMIN is a member. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimension. + example: 6603fba3004f43c687610a29195252ce + - in: path + name: dimensionId + schema: + type: string + required: true + description: Id of the Dimension + example: 2c9180835d191a86015d28455b4a2329 + responses: + '200': + description: Dimension + content: + application/json: + schema: + $ref: '../../v3/schemas/access/Dimension.yaml' + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [ idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read ] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN +patch: + operationId: patchDimension + tags: + - Dimensions + summary: Patch a specified Dimension + description: >- + This API updates an existing dimension using [JSON Patch](https://tools.ietf.org/html/rfc6902) syntax. + + The following fields are patchable: + **name** + **description** + **owner** + **accessProfiles** + **entitlements** + **membership** + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. 
In addition, a + token with ROLE_SUBADMIN authority may only call this API if all access profiles/entitlements included in the dimension are associated + to Sources with management workgroups of which the ROLE_SUBADMIN is a member. + + The maximum supported length for the description field is 2000 characters. + + When you use this API to modify a dimension's membership identities, you can only modify up to a limit of 500 membership identities at a time. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimension. + example: 6603fba3004f43c687610a29195252ce + - in: path + name: dimensionId + schema: + type: string + required: true + description: Id of the Dimension + example: 2c9180835d191a86015d28455b4a2329 + requestBody: + content: + application/json-patch+json: + schema: + type: array + items: + $ref: '../schemas/JsonPatchOperation.yaml' + examples: + Update a Dimension name and description field in One Call: + description: This example shows how multiple fields may be updated with a single patch call. + value: + [ + { + "op": "replace", + "path": "/description", + "value": 'Test Description' + }, + { + "op": "replace", + "path": "/name", + "value": 'new name' + } + ] + + Set the Membership Selection Criteria to a List of Identities: + description: >- + This example shows how to define a Dimension's membershp by providing a list of Identities, referenced by their + IDs. + value: + [ + { + "op": "replace", + "path": "/membership", + "value": { + "type": "IDENTITY_LIST", + "identities": [ + { + "id": "2c91808973fe906c0174262092014ed9" + }, + { + "id": "2c918086262092014ed94fb8a47612f3" + } + ] + } + } + ] + + Set the Membership Selection Criteria to a Standard Expression: + description: >- + This example shows how to define a Dimensions's membership using STANDARD criteria. 
In this case, the Dimension + will be granted to all Identities which have the *Engineering* attribute from the indicated Source. + value: + [ + { + "op": "replace", + "path": "/membership", + "value": { + "type": "STANDARD", + "criteria": { + "operation": "OR", + "children": [ + { + "operation": "EQUALS", + "key": { + "type": "ENTITLEMENT", + "property": "attribute.memberOf", + "sourceId": "2c9180887701fb2014213e122092014e" + }, + "stringValue": "Engineering" + } + ] + } + } + } + ] + + Add a New Clause as the Child of an Existing Standard Expression: + description: >- + This example shows how to add a child clause to an existing STANDARD criteria expression. + value: + [ + { + "op": "add", + "path": "/membership/criteria/children/-", + "value": { + "operation": "ENDS_WITH", + "key": { + "type": "IDENTITY", + "property": "attribute.email" + }, + "stringValue": "@identitynow.com" + } + } + ] + + required: true + responses: + '200': + description: Responds with the Dimension as updated. + content: + application/json: + schema: + $ref: '../../v3/schemas/access/Dimension.yaml' + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [ idn:role-unchecked:manage,idn:role-checked:manage ] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN +delete: + operationId: deleteDimension + tags: + - Dimensions + summary: Delete a Dimension + description: >- + This API deletes a Dimension by its ID. + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a + token with ROLE_SUBADMIN authority may only call this API if all Access Profiles/Entitlements included in the Dimension are associated + to Sources with management workgroups of which the ROLE_SUBADMIN is a member. 
+ parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimension. + example: 6603fba3004f43c687610a29195252ce + - in: path + name: dimensionId + schema: + type: string + required: true + description: Id of the Dimension + example: 2c9180835d191a86015d28455b4a2329 + responses: + '204': + $ref: "../../v3/responses/204.yaml" + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [ idn:role-unchecked:manage,idn:role-checked:manage ] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN diff --git a/idn/beta/paths/dimensions.yaml b/idn/beta/paths/dimensions.yaml new file mode 100644 index 00000000..8da3c370 --- /dev/null +++ b/idn/beta/paths/dimensions.yaml 
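Review bot: The ROLE_SUBADMIN condition is worded differently across the operations in this file: `getDimension` checks access profiles or entitlements "included in the Dimension or Parent Role", while `patchDimension` and `deleteDimension` mention only those "included in the dimension". The wording matters most for the write operations, since patch can replace `owner` and `membership`; state one rule and reuse it verbatim on all three. None of the three operations declares a `'404'` response for an unknown `roleId` or `dimensionId`, although dimension-access-profiles.yaml does. In the patch examples, "membershp" and "Dimensions's" are typos, and the first example mixes JSON double quotes with YAML single quotes (`"value": 'Test Description'`), so it no longer pastes as valid JSON.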
@@ -0,0 +1,148 @@ +get: + operationId: listDimensions + tags: + - Dimensions + summary: List Dimensions + description: >- + This API returns a list of dimensions under a specified role. + + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to + call this API. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimension. + example: 6603fba3004f43c687610a29195252ce + - in: query + name: for-subadmin + schema: + type: string + description: >- + If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN Identity. + The value of the parameter is either an Identity ID, or the special value **me**, + which is shorthand for the calling Identity's ID. + A 400 Bad Request error is returned if the **for-subadmin** parameter is specified for an Identity that is not + a subadmin. + example: 5168015d32f890ca15812c9180835d2e + required: false + - $ref: '../../v3/parameters/limit50.yaml' + - $ref: '../../v3/parameters/offset.yaml' + - $ref: '../../v3/parameters/count.yaml' + - in: query + name: filters + schema: + type: string + description: >- + Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) + + + Filtering is supported for the following fields and operators: + + + **id**: *eq, in* + + + **name**: *eq, sw* + + + **created**: *gt, lt, ge, le* + + + **modified**: *gt, lt, ge, le* + + + **owner.id**: *eq, in* + example: id eq '2c918086749d78830174a1a40e121518' + required: false + - in: query + name: sorters + schema: + type: string + format: comma-separated + description: >- + Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) + + + Sorting is supported for the following fields: 
**name, created, modified** + example: name,-modified + required: false + responses: + '200': + description: List of Dimensions + content: + application/json: + schema: + type: array + items: + $ref: '../../v3/schemas/access/Dimension.yaml' + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [ idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read ] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN +post: + operationId: createDimension + tags: + - Dimensions + summary: Create a Dimension + description: >- + This API creates a dimension. + + You must have a token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority to + call this API. + + Additionally, a ROLE_SUBADMIN cannot create a dimension that includes an access profile or entitlement if that access profile or entitlement is linked to a source that the ROLE_SUBADMIN is not associated with. + + The maximum supported length for the description field is 2000 characters. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimension. 
+ example: 6603fba3004f43c687610a29195252ce + requestBody: + required: true + content: + application/json: + schema: + $ref: '../../v3/schemas/access/Dimension.yaml' + responses: + '201': + description: Dimension created + content: + application/json: + schema: + $ref: '../../v3/schemas/access/Dimension.yaml' + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [ idn:role-unchecked:manage, idn:role-checked:manage ] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN diff --git a/idn/beta/paths/role.yaml b/idn/beta/paths/role.yaml index 8df96752..211cde96 100644 --- a/idn/beta/paths/role.yaml +++ b/idn/beta/paths/role.yaml @@ -36,8 +36,11 @@ get: '500': $ref: '../../v3/responses/500.yaml' security: - - - UserContextAuth: [idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read] + - userAuth: [idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN patch: operationId: patchRole @@ -70,7 +73,7 @@ patch: * revokeRequestConfig * segments - + * accessModelMetadata A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a @@ -199,6 +202,7 @@ patch: } ] + Assign a Access Model Metadata to a role: description: This example shows how to assign a existing metadata to a role. value: @@ -216,6 +220,16 @@ patch: } } ] + Make a Role Dimensional: + description: This example demonstrates how to transform a role into a dynamic role. + value: + [ + { + "op": "replace", + "path": "/dimensional", + "value": true + } + ] required: true responses: 
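Review bot: In dimensions.yaml the `for-subadmin` query parameter accepts any Identity ID, and its description does not say which callers may pass an ID other than `me`. As written, a ROLE_SUBADMIN token (listed under `x-sailpoint-userLevels`) could be read as allowed to ask what another subadmin can see; document whether that is limited to ORG_ADMIN/ROLE_ADMIN and which status is returned otherwise. `createDimension` also phrases the subadmin restriction as a source "that the ROLE_SUBADMIN is not associated with", whereas the other Dimension operations speak of management workgroups; one wording should be used throughout.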
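Review bot: The security requirement key in role.yaml changes from `UserContextAuth` to `userAuth` in the `get` hunk and again in the `patch` and `delete` hunks further down, so every root document that references this path file must define a scheme named `userAuth` under `components.securitySchemes`. That definition is not visible in this diff; if a root spec still defines only `UserContextAuth`, the requirement dangles and validators or generated clients may reject the document or drop the auth requirement. Running a spec lint over each root before merge would confirm this. The scope lists are also spaced inconsistently: `[idn:role-unchecked:manage,idn:role-checked:manage]` on `patch`/`delete` versus the comma-space form on `get`.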
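Review bot: The new "Make a Role Dimensional" example patches `/dimensional`, but the only field this commit adds to the patchable-fields list in the `patchRole` description is `accessModelMetadata`. Unless `dimensional` is already listed in the part of the description outside these hunks, add `* dimensional` there so the documented set of writable fields matches the examples. The example's description speaks of a "dynamic role" while its title says "Dimensional"; use one term, matching the `Dimensions` tag text.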
@@ -236,8 +250,11 @@ patch: '500': $ref: '../../v3/responses/500.yaml' security: - - - UserContextAuth: [idn:role-unchecked:manage,idn:role-checked:manage] + - userAuth: [idn:role-unchecked:manage,idn:role-checked:manage] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN delete: operationId: deleteRole @@ -274,6 +291,9 @@ delete: '500': $ref: '../../v3/responses/500.yaml' security: - - - UserContextAuth: [idn:role-unchecked:manage,idn:role-checked:manage] + - userAuth: [idn:role-unchecked:manage,idn:role-checked:manage] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN diff --git a/idn/sailpoint-api.v2024.yaml b/idn/sailpoint-api.v2024.yaml index 2c0ba945..f326d4eb 100644 --- a/idn/sailpoint-api.v2024.yaml +++ b/idn/sailpoint-api.v2024.yaml 
@@ -418,6 +418,16 @@ tags: For example, an administrator can use the pageId forget-username:user-email to set the custom text for the case when users forget their usernames and must enter their emails. Refer to [Creating Custom Instruction Text](https://documentation.sailpoint.com/saas/help/pwd/pwd_reset.html#creating-custom-instruction-text) for more information about creating custom password instructions. + - name: Dimensions + description: + Use this API to implement and customize dynamic role functionality. + With this functionality in place, administrators can create dimensions and configure them for use throughout Identity Security Cloud. + Identity Security Cloud can use established criteria to automatically assign the dimensions to qualified users. This enables users to get all the access they need quickly and securely and administrators to spend their time on other tasks. + Entitlements represent the most granular level of access in Identity Security Cloud. + + Access profiles represent the next level and often group entitlements. + Dimension represent access selectively based on the evaluation of contextual information that is available or provided. Each Dimension include context attributes and access selection expressions which map criteria to access right assignments. Each dimension can contain up to 5 context attributes. + Dynamic Access Roles represent the broadest level of access and often group access profiles ,entitlements and dimensions.Each Dynamic Access Role may contain one or more Dimensions. - name: Discovered Applications description: | Use this API to retrieve all the available discovered apps for a given tenant id. 
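Review bot: The new `Dimensions` tag uses a plain multi-line scalar (`description:` followed by indented text) where the neighbouring `Discovered Applications` tag uses `description: |`. A plain scalar folds single line breaks into spaces, so the intended one-sentence-per-line layout will run together when rendered; use `description: |` for consistency. The text also needs a copy-edit: "Dimension represent", "Each Dimension include", and "access profiles ,entitlements and dimensions.Each".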
@@ -1500,6 +1510,16 @@ paths: $ref: ./v3/paths/role-bulk-delete.yaml /roles/{id}/assigned-identities: $ref: ./v3/paths/role-assigned-identities.yaml + /roles/{roleId}/dimensions: + $ref: './beta/paths/dimensions.yaml' + /roles/{roleId}/dimensions/{dimensionId}: + $ref: './beta/paths/dimension.yaml' + /roles/{roleId}/dimensions/bulk-delete: + $ref: './beta/paths/dimension-bulk-delete.yaml' + /roles/{roleId}/dimensions/{dimensionId}/access-profiles: + $ref: './beta/paths/dimension-access-profiles.yaml' + /roles/{roleId}/dimensions/{dimensionId}/entitlements: + $ref: './beta/paths/dimension-entitlements.yaml' /saved-searches: $ref: ./v3/paths/saved-searches.yaml /saved-searches/{id}: diff --git a/idn/v2024/paths/dimension-access-profiles.yaml b/idn/v2024/paths/dimension-access-profiles.yaml new file mode 100644 index 00000000..b3dc50c3 --- /dev/null +++ b/idn/v2024/paths/dimension-access-profiles.yaml 
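Review bot: The v2024 root maps all five new `/roles/{roleId}/dimensions...` paths to `./beta/paths/dimension*.yaml`, although this same commit adds matching files under idn/v2024/paths/. As referenced here, the v2024 copies are unused by this document, and any later change to their `security` scopes or `x-sailpoint-userLevels` would not reach the published v2024 spec. If the v2024 files are meant to be authoritative, point the refs at them, e.g. `$ref: './v2024/paths/dimensions.yaml'`; otherwise drop the duplicates. The surrounding entries use unquoted refs and `{id}` for the role parameter, so the quoting and the `{roleId}` name are a small style inconsistency.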
@@ -0,0 +1,98 @@ +get: + operationId: listDimensionAccessProfiles + tags: + - Dimensions + summary: List Dimension's Access Profiles + description: >- + This API lists the Access Profiles associated with a given Dimension + + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a + token with ROLE_SUBADMIN authority may only call this API if all Access Profiles included in the Role are associated + to Sources with management workgroups of which the ROLE_SUBADMIN is a member. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimension. + example: 6603fba3004f43c687610a29195252ce + - in: path + name: dimensionId + schema: + type: string + required: true + description: Id of the Dimension + example: 2c9180835d191a86015d28455b4a2329 + - $ref: '../../v3/parameters/limit.yaml' + - $ref: '../../v3/parameters/offset.yaml' + - $ref: '../../v3/parameters/count.yaml' + - in: query + name: filters + schema: + type: string + description: >- + Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) + + + Filtering is supported for the following fields and operators: + + + **id**: *eq, in* + + + **name**: *eq, sw* + + + **created**: *gt, lt, ge, le* + + + **modified**: *gt, lt, ge, le* + + + **owner.id**: *eq, in* + + + **source.id**: *eq, in* + example: source.id eq "2c91808982f979270182f99e386d00fa" + required: false + - in: query + name: sorters + schema: + type: string + format: comma-separated + description: >- + Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) + + + Sorting is supported for the following fields: **name, created, modified** + example: name,-modified + required: false + 
responses: + '200': + description: List of Access Profiles + content: + application/json: + schema: + type: array + items: + $ref: '../../v3/schemas/access/AccessProfile.yaml' + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '404': + $ref: '../../v3/responses/404.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [ idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read ] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN \ No newline at end of file diff --git a/idn/v2024/paths/dimension-bulk-delete.yaml b/idn/v2024/paths/dimension-bulk-delete.yaml new file mode 100644 index 00000000..51deae66 --- /dev/null +++ b/idn/v2024/paths/dimension-bulk-delete.yaml 
@@ -0,0 +1,95 @@ +post: + operationId: deleteBulkDimensions + summary: Delete Dimension(s) + tags: + - Dimensions + description: >- + This endpoint initiates a bulk deletion of one or more dimensions. + + When the request is successful, the endpoint returns the bulk delete's task result ID. + To follow the task, you can use [Get Task Status by ID](https://developer.sailpoint.com/docs/api/beta/get-task-status), which will return the task result's status and information. + + This endpoint can only bulk delete up to a limit of 50 roles per request. + + A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this endpoint. In addition, a + token with ROLE_SUBADMIN authority can only call this endpoint if all dimensions included in the request are associated + with sources with management workgroups the ROLE_SUBADMIN is a member of. + parameters: + - in: path + name: roleId + required: true + schema: + type: string + description: Parent Role Id of the dimensions. + example: 6603fba3004f43c687610a29195252ce + requestBody: + required: true + content: + application/json: + schema: + $ref: '../../v3/schemas/access/DimensionBulkDeleteRequest.yaml' + example: + { + "dimensionIds": [ "2c91808876438bb2017668b91919ecca","2c91808876438ba801766e129f151816" ] + } + responses: + '202': + description: Returns an object with the id of the task performing the delete operation. + content: + application/json: + schema: + $ref: '../../v3/schemas/TaskResultDto.yaml' + example: + { + "type": "TASK_RESULT", + "id": "464ae7bf791e49fdb74606a2e4a89635", + "name": null + } + '400': + description: Client Error - Returned if the request body is invalid. 
+ content: + application/json: + schema: + $ref: '../../v3/schemas/ErrorResponseDto.yaml' + examples: + 400.1 Bad Request Content: + description: Response for bad request content + value: + detailCode: 400.1 Bad Request Content + trackingId: 1ea1adcb84da4dcb890145e05745774e + messages: + - locale: en-US + localeOrigin: DEFAULT + text: The request was syntactically correct but its content is semantically invalid. + 400.1 Dimension ids limit violation: + description: Dimension ids limit violation response + value: + detailCode: 400.1 Bad Request Content + trackingId: 77aa89ac6f0e422dbc588866abc22be9 + messages: + - locale: en-US + localeOrigin: DEFAULT + text: dimensionIds count exceeded max limit of 50 for bulk-delete. + 400.1.404 Referenced object not found: + description: Referenced object not found response + value: + detailCode: 400.1.404 Referenced object not found + trackingId: 77aa89ac6f0e422dbc588866abc22be9 + messages: + - locale: en-US + localeOrigin: DEFAULT + text: Referenced dimensionIds ["2c91808876438bb2017668b91919ecca"] was not found. + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' + security: + - userAuth: [idn:role-unchecked:manage, idn:role-checked:manage] + x-sailpoint-userLevels: + - ORG_ADMIN + - ROLE_ADMIN + - ROLE_SUBADMIN \ No newline at end of file diff --git a/idn/v2024/paths/dimension-entitlements.yaml b/idn/v2024/paths/dimension-entitlements.yaml new file mode 100644 index 00000000..269d752d --- /dev/null +++ b/idn/v2024/paths/dimension-entitlements.yaml 
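Review bot: The description in this v2024 file links to the beta task-status page (`https://developer.sailpoint.com/docs/api/beta/get-task-status`), which sends v2024 readers to a different API version's contract; link to the v2024 equivalent if one exists. The "50 roles per request" wording noted on the beta copy applies here as well. The file ends without a trailing newline (`\ No newline at end of file`), as does idn/v2024/paths/dimension-access-profiles.yaml.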
@@ -0,0 +1,103 @@
+get:
+ operationId: getDimensionEntitlements
+ tags:
+ - Dimensions
+ summary: List Dimension's Entitlements
+ description: >-
+ This API lists the Entitlements associated with a given dimension.
+
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API.
+ parameters:
+ - in: path
+ name: roleId
+ required: true
+ schema:
+ type: string
+ description: Parent Role Id of the dimension.
+ example: 6603fba3004f43c687610a29195252ce
+ - in: path
+ name: dimensionId
+ schema:
+ type: string
+ required: true
+ description: Id of the Dimension
+ example: 2c9180835d191a86015d28455b4a2329
+ - $ref: '../../v3/parameters/limit.yaml'
+ - $ref: '../../v3/parameters/offset.yaml'
+ - $ref: '../../v3/parameters/count.yaml'
+ - in: query
+ name: filters
+ schema:
+ type: string
+ description: >-
+ Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
+
+
+ Filtering is supported for the following fields and operators:
+
+
+ **id**: *eq, in*
+
+
+ **name**: *eq, sw*
+
+
+ **attribute**: *eq, sw*
+
+
+ **value**: *eq, sw*
+
+
+ **created**: *gt, lt, ge, le*
+
+
+ **modified**: *gt, lt, ge, le*
+
+
+ **owner.id**: *eq, in*
+
+
+ **source.id**: *eq, in*
+ example: attribute eq "memberOf"
+ required: false
+ - in: query
+ name: sorters
+ schema:
+ type: string
+ format: comma-separated
+ description: >-
+ Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
+
+
+ Sorting is supported for the following fields: **name, attribute, value, created, modified**
+ example: name,-modified
+ required: false
+ responses:
+ '200':
+ description: List of Entitlements
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '../schemas/Entitlement.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [ idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read ]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
+
+
+
diff --git a/idn/v2024/paths/dimension.yaml b/idn/v2024/paths/dimension.yaml
new file mode 100644
index 00000000..a9310f30
--- /dev/null
+++ b/idn/v2024/paths/dimension.yaml
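Review bot: The `getDimensionEntitlements` description in `dimension-entitlements.yaml` stops at the list of required authorities, although `x-sailpoint-userLevels` at the end of the hunk admits ROLE_SUBADMIN and `getDimension` in `dimension.yaml` of this same commit spells out the workgroup restriction on such tokens. As written, the text reads as if a delegated admin can list the entitlements of any dimension. If the same check is enforced here (the spec does not show it), the description should carry it, e.g. `In addition, a token with ROLE_SUBADMIN authority may only call this API if all Entitlements included in the Dimension are associated to Sources with management workgroups of which the ROLE_SUBADMIN is a member.`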
@@ -0,0 +1,252 @@
+get:
+ operationId: getDimension
+ tags:
+ - Dimensions
+ summary: Get a Dimension under Role.
+ description: >-
+ This API returns a Dimension by its ID.
+
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a
+ token with ROLE_SUBADMIN authority may only call this API if all Access Profiles or Entitlements included in the Dimension or Parent Role are associated
+ to Sources with management workgroups of which the ROLE_SUBADMIN is a member.
+ parameters:
+ - in: path
+ name: roleId
+ required: true
+ schema:
+ type: string
+ description: Parent Role Id of the dimension.
+ example: 6603fba3004f43c687610a29195252ce
+ - in: path
+ name: dimensionId
+ schema:
+ type: string
+ required: true
+ description: Id of the Dimension
+ example: 2c9180835d191a86015d28455b4a2329
+ responses:
+ '200':
+ description: Dimension
+ content:
+ application/json:
+ schema:
+ $ref: '../../v3/schemas/access/Dimension.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
+patch:
+ operationId: patchDimension
+ tags:
+ - Dimensions
+ summary: Patch a specified Dimension
+ description: >-
+ This API updates an existing dimension using [JSON Patch](https://tools.ietf.org/html/rfc6902) syntax.
+
+ The following fields are patchable:
+ **name**
+ **description**
+ **owner**
+ **accessProfiles**
+ **entitlements**
+ **membership**
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a
+ token with ROLE_SUBADMIN authority may only call this API if all access profiles/entitlements included in the dimension are associated
+ to Sources with management workgroups of which the ROLE_SUBADMIN is a member.
+
+ The maximum supported length for the description field is 2000 characters.
+
+ When you use this API to modify a dimension's membership identities, you can only modify up to a limit of 500 membership identities at a time.
+ parameters:
+ - in: path
+ name: roleId
+ required: true
+ schema:
+ type: string
+ description: Parent Role Id of the dimension.
+ example: 6603fba3004f43c687610a29195252ce
+ - in: path
+ name: dimensionId
+ schema:
+ type: string
+ required: true
+ description: Id of the Dimension
+ example: 2c9180835d191a86015d28455b4a2329
+ requestBody:
+ content:
+ application/json-patch+json:
+ schema:
+ type: array
+ items:
+ $ref: '../schemas/JsonPatchOperation.yaml'
+ examples:
+ Update a Dimension name and description field in One Call:
+ description: This example shows how multiple fields may be updated with a single patch call.
+ value:
+ [
+ {
+ "op": "replace",
+ "path": "/description",
+ "value": 'Test Description'
+ },
+ {
+ "op": "replace",
+ "path": "/name",
+ "value": 'new name'
+ }
+ ]
+
+ Set the Membership Selection Criteria to a List of Identities:
+ description: >-
+ This example shows how to define a Dimension's membershp by providing a list of Identities, referenced by their
+ IDs.
+ value:
+ [
+ {
+ "op": "replace",
+ "path": "/membership",
+ "value": {
+ "type": "IDENTITY_LIST",
+ "identities": [
+ {
+ "id": "2c91808973fe906c0174262092014ed9"
+ },
+ {
+ "id": "2c918086262092014ed94fb8a47612f3"
+ }
+ ]
+ }
+ }
+ ]
+
+ Set the Membership Selection Criteria to a Standard Expression:
+ description: >-
+ This example shows how to define a Dimensions's membership using STANDARD criteria. In this case, the Dimension
+ will be granted to all Identities which have the *Engineering* attribute from the indicated Source.
+ value:
+ [
+ {
+ "op": "replace",
+ "path": "/membership",
+ "value": {
+ "type": "STANDARD",
+ "criteria": {
+ "operation": "OR",
+ "children": [
+ {
+ "operation": "EQUALS",
+ "key": {
+ "type": "ENTITLEMENT",
+ "property": "attribute.memberOf",
+ "sourceId": "2c9180887701fb2014213e122092014e"
+ },
+ "stringValue": "Engineering"
+ }
+ ]
+ }
+ }
+ }
+ ]
+
+ Add a New Clause as the Child of an Existing Standard Expression:
+ description: >-
+ This example shows how to add a child clause to an existing STANDARD criteria expression.
+ value:
+ [
+ {
+ "op": "add",
+ "path": "/membership/criteria/children/-",
+ "value": {
+ "operation": "ENDS_WITH",
+ "key": {
+ "type": "IDENTITY",
+ "property": "attribute.email"
+ },
+ "stringValue": "@identitynow.com"
+ }
+ }
+ ]
+
+ required: true
+ responses:
+ '200':
+ description: Responds with the Dimension as updated.
+ content:
+ application/json:
+ schema:
+ $ref: '../../v3/schemas/access/Dimension.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [ idn:role-unchecked:manage,idn:role-checked:manage ]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
+delete:
+ operationId: deleteDimension
+ tags:
+ - Dimensions
+ summary: Delete a Dimension
+ description: >-
+ This API deletes a Dimension by its ID.
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a
+ token with ROLE_SUBADMIN authority may only call this API if all Access Profiles/Entitlements included in the Dimension are associated
+ to Sources with management workgroups of which the ROLE_SUBADMIN is a member.
+ parameters:
+ - in: path
+ name: roleId
+ required: true
+ schema:
+ type: string
+ description: Parent Role Id of the dimension.
+ example: 6603fba3004f43c687610a29195252ce
+ - in: path
+ name: dimensionId
+ schema:
+ type: string
+ required: true
+ description: Id of the Dimension
+ example: 2c9180835d191a86015d28455b4a2329
+ responses:
+ '204':
+ $ref: "../../v3/responses/204.yaml"
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [ idn:role-unchecked:manage,idn:role-checked:manage ]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
diff --git a/idn/v2024/paths/dimensions.yaml b/idn/v2024/paths/dimensions.yaml
new file mode 100644
index 00000000..9c9c4ecf
--- /dev/null
+++ b/idn/v2024/paths/dimensions.yaml
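Review bot: Three of the `patchDimension` request examples in `dimension.yaml` set membership values that the Dimension schemas added in this same commit do not allow. The "List of Identities" example uses `"type": "IDENTITY_LIST"` while `DimensionMembershipSelectorType` lists only `STANDARD`; the "Standard Expression" example uses a key of `"type": "ENTITLEMENT"` with a `sourceId` while `DimensionCriteriaKeyType` lists only `IDENTITY` and `DimensionCriteriaKey` has no `sourceId`; the "New Clause" example uses `"operation": "ENDS_WITH"` while `DimensionCriteriaOperation` lists EQUALS, AND and OR. They look carried over from the role patch examples, as does the "500 membership identities" sentence in the description. Membership criteria decide which identities are granted the dimension, so the examples should be ones the schema accepts: a STANDARD selector whose leaf uses `"operation": "EQUALS"` and a key of `"type": "IDENTITY"`.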
@@ -0,0 +1,148 @@
+get:
+ operationId: listDimensions
+ tags:
+ - Dimensions
+ summary: List Dimensions
+ description: >-
+ This API returns a list of dimensions under a specified role.
+
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to
+ call this API.
+ parameters:
+ - in: path
+ name: roleId
+ required: true
+ schema:
+ type: string
+ description: Parent Role Id of the dimension.
+ example: 6603fba3004f43c687610a29195252ce
+ - in: query
+ name: for-subadmin
+ schema:
+ type: string
+ description: >-
+ If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN Identity.
+ The value of the parameter is either an Identity ID, or the special value **me**,
+ which is shorthand for the calling Identity's ID.
+ A 400 Bad Request error is returned if the **for-subadmin** parameter is specified for an Identity that is not
+ a subadmin.
+ example: 5168015d32f890ca15812c9180835d2e
+ required: false
+ - $ref: '../../v3/parameters/limit50.yaml'
+ - $ref: '../../v3/parameters/offset.yaml'
+ - $ref: '../../v3/parameters/count.yaml'
+ - in: query
+ name: filters
+ schema:
+ type: string
+ description: >-
+ Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
+
+
+ Filtering is supported for the following fields and operators:
+
+
+ **id**: *eq, in*
+
+
+ **name**: *eq, sw*
+
+
+ **created**: *gt, lt, ge, le*
+
+
+ **modified**: *gt, lt, ge, le*
+
+
+ **owner.id**: *eq, in*
+ example: id eq '2c918086749d78830174a1a40e121518'
+ required: false
+ - in: query
+ name: sorters
+ schema:
+ type: string
+ format: comma-separated
+ description: >-
+ Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
+
+
+ Sorting is supported for the following fields: **name, created, modified**
+ example: name,-modified
+ required: false
+ responses:
+ '200':
+ description: List of Dimensions
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '../../v3/schemas/access/Dimension.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
+post:
+ operationId: createDimension
+ tags:
+ - Dimensions
+ summary: Create a Dimension
+ description: >-
+ This API creates a dimension.
+
+ You must have a token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority to
+ call this API.
+
+ Additionally, a ROLE_SUBADMIN cannot create a dimension that includes an access profile or entitlement if that access profile or entitlement is linked to a source that the ROLE_SUBADMIN is not associated with.
+
+ The maximum supported length for the description field is 2000 characters.
+ parameters:
+ - in: path
+ name: roleId
+ required: true
+ schema:
+ type: string
+ description: Parent Role Id of the dimension.
+ example: 6603fba3004f43c687610a29195252ce
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '../../v3/schemas/access/Dimension.yaml'
+ responses:
+ '201':
+ description: Dimension created
+ content:
+ application/json:
+ schema:
+ $ref: '../../v3/schemas/access/Dimension.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [ idn:role-unchecked:manage, idn:role-checked:manage ]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
diff --git a/idn/v2024/paths/role.yaml b/idn/v2024/paths/role.yaml
new file mode 100644
index 00000000..ca396498
--- /dev/null
+++ b/idn/v2024/paths/role.yaml
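Review bot: The `for-subadmin` query parameter of `listDimensions` in `dimensions.yaml` accepts any Identity ID, but its description does not say which callers may name an identity other than themselves; `listRoles` in `roles.yaml` of this commit carries the same text. A reader cannot tell from the spec whether a ROLE_SUBADMIN token may pass another subadmin's ID and so learn what that identity can see. The description should state the rule, along the lines of `Callers with <USER_LEVELS> authority may specify an Identity other than their own; for all other callers the value must be **me** or the caller's own ID.`, with the placeholder filled in from the check the service actually performs.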
@@ -0,0 +1,285 @@
+get:
+ operationId: getRole
+ tags:
+ - Roles
+ summary: Get a Role
+ description: >-
+ This API returns a Role by its ID.
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a
+ token with ROLE_SUBADMIN authority may only call this API if all Access Profiles included in the Role are associated
+ to Sources with management workgroups of which the ROLE_SUBADMIN is a member.
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ description: >-
+ ID of the Role
+ example: 2c91808a7813090a017814121e121518
+ responses:
+ '200':
+ description: List of all Roles
+ content:
+ application/json:
+ schema:
+ $ref: '../../v3/schemas/access/Role.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [ idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read ]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
+patch:
+ operationId: patchRole
+ tags:
+ - Roles
+ summary: Patch a specified Role
+ description: >-
+ This API updates an existing role using [JSON Patch](https://tools.ietf.org/html/rfc6902) syntax.
+
+
+ The following fields are patchable:
+
+
+ * name
+
+ * description
+
+ * enabled
+
+ * owner
+
+ * accessProfiles
+
+ * membership
+
+ * requestable
+
+ * accessRequestConfig
+
+ * revokeRequestConfig
+
+ * segments
+
+ * accessModelMetadata
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a
+ token with ROLE_SUBADMIN authority may only call this API if all access profiles included in the role are associated
+ to Sources with management workgroups of which the ROLE_SUBADMIN is a member.
+
+
+ The maximum supported length for the description field is 2000 characters.
+ Longer descriptions will be preserved for existing roles, however, any new roles as well as any updates to existing descriptions will be limited to 2000 characters.
+
+
+ When you use this API to modify a role's membership identities, you can only modify up to a limit of 500 membership identities at a time.
+ parameters:
+ - name: id
+ in: path
+ description: ID of the Role to patch
+ required: true
+ schema:
+ type: string
+ example: 2c91808a7813090a017814121e121518
+ requestBody:
+ content:
+ application/json-patch+json:
+ schema:
+ type: array
+ items:
+ $ref: '../schemas/JsonPatchOperation.yaml'
+ examples:
+ Make a Role Requestable and Enable it in One Call:
+ description: This example shows how multiple fields may be updated with a single patch call.
+ value:
+ [
+ {
+ "op": "replace",
+ "path": "/requestable",
+ "value": true
+ },
+ {
+ "op": "replace",
+ "path": "/enabled",
+ "value": true
+ }
+ ]
+
+ Assign a Role to a Segment:
+ description: >-
+ This example illustrates the use of patch to assign a Role to a Segment by adding the Segment's ID to the
+ Role's segments array.
+ value:
+ [
+ {
+ "op": "add",
+ "path": "/segments/-",
+ "value": "f7b1b8a3-5fed-4fd4-ad29-82014e137e19"
+ }
+ ]
+
+ Set the Membership Selection Criteria to a List of Identities:
+ description: >-
+ This example shows how to define a Role's membershp by providing a list of Identities, referenced by their
+ IDs.
+ value:
+ [
+ {
+ "op": "replace",
+ "path": "/membership",
+ "value": {
+ "type": "IDENTITY_LIST",
+ "identities": [
+ {
+ "id": "2c91808973fe906c0174262092014ed9"
+ },
+ {
+ "id": "2c918086262092014ed94fb8a47612f3"
+ }
+ ]
+ }
+ }
+ ]
+
+ Set the Membership Selection Criteria to a Standard Expression:
+ description: >-
+ This example shows how to define a Role's membership using STANDARD criteria. In this case, the Role
+ will be granted to all Identities which have the *Engineering* attribute from the indicated Source.
+ value:
+ [
+ {
+ "op": "replace",
+ "path": "/membership",
+ "value": {
+ "type": "STANDARD",
+ "criteria": {
+ "operation": "OR",
+ "children": [
+ {
+ "operation": "EQUALS",
+ "key": {
+ "type": "ENTITLEMENT",
+ "property": "attribute.memberOf",
+ "sourceId": "2c9180887701fb2014213e122092014e"
+ },
+ "stringValue": "Engineering"
+ }
+ ]
+ }
+ }
+ }
+ ]
+
+ Add a New Clause as the Child of an Existing Standard Expression:
+ description: >-
+ This example shows how to add a child clause to an existing STANDARD criteria expression.
+ value:
+ [
+ {
+ "op": "add",
+ "path": "/membership/criteria/children/-",
+ "value": {
+ "operation": "ENDS_WITH",
+ "key": {
+ "type": "IDENTITY",
+ "property": "attribute.email"
+ },
+ "stringValue": "@identitynow.com"
+ }
+ }
+ ]
+
+ Assign a Access Model Metadata to a role:
+ description: This example shows how to assign a existing metadata to a role.
+ value:
+ [
+ {
+ "op": "add",
+ "path": "/accessModelMetadata/attributes/0",
+ "value": {
+ "key": "iscFederalClassifications",
+ "values": [
+ {
+ "value": "secret"
+ }
+ ]
+ }
+ }
+ ]
+
+ required: true
+ responses:
+ '200':
+ description: Responds with the Role as updated.
+ content:
+ application/json:
+ schema:
+ $ref: '../../v3/schemas/access/Role.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [idn:role-unchecked:manage,idn:role-checked:manage]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
+delete:
+ operationId: deleteRole
+ tags:
+ - Roles
+ summary: Delete a Role
+ description: >-
+ This API deletes a Role by its ID.
+
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to call this API. In addition, a
+ token with ROLE_SUBADMIN authority may only call this API if all Access Profiles included in the Role are associated
+ to Sources with management workgroups of which the ROLE_SUBADMIN is a member.
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ description: >-
+ ID of the Role
+ example: 2c91808a7813090a017814121e121518
+ responses:
+ '204':
+ $ref: "../../v3/responses/204.yaml"
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [ idn:role-unchecked:manage,idn:role-checked:manage ]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
\ No newline at end of file
diff --git a/idn/v2024/paths/roles.yaml b/idn/v2024/paths/roles.yaml
new file mode 100644
index 00000000..f8995616
--- /dev/null
+++ b/idn/v2024/paths/roles.yaml
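Review bot: In `role.yaml`, the `'200'` response of `getRole` is described as `List of all Roles` although its schema is a single `Role.yaml` object; `description: The requested Role` would match what is returned. In `patchRole`, the identity-list example description misspells "membership" as "membershp" (the same misspelling is in `patchDimension` in `dimension.yaml`), and the last example reads "Assign a Access Model Metadata" and "a existing metadata" where "an" is meant. These are wording fixes only.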
@@ -0,0 +1,165 @@
+get:
+ operationId: listRoles
+ tags:
+ - Roles
+ summary: List Roles
+ description: >-
+ This API returns a list of Roles.
+
+
+ A token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority is required to
+ call this API.
+ parameters:
+ - in: query
+ name: for-subadmin
+ schema:
+ type: string
+ description: >-
+ If provided, filters the returned list according to what is visible to the indicated ROLE_SUBADMIN Identity.
+ The value of the parameter is either an Identity ID, or the special value **me**,
+ which is shorthand for the calling Identity's ID.
+ A 400 Bad Request error is returned if the **for-subadmin** parameter is specified for an Identity that is not
+ a subadmin.
+ example: 5168015d32f890ca15812c9180835d2e
+ required: false
+ - $ref: '../../v3/parameters/limit50.yaml'
+ - $ref: '../../v3/parameters/offset.yaml'
+ - $ref: '../../v3/parameters/count.yaml'
+ - in: query
+ name: filters
+ schema:
+ type: string
+ description: >-
+ Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results)
+
+
+ Filtering is supported for the following fields and operators:
+
+
+ **id**: *eq, in*
+
+
+ **name**: *eq, sw*
+
+
+ **created**: *gt, lt, ge, le*
+
+
+ **modified**: *gt, lt, ge, le*
+
+
+ **owner.id**: *eq, in*
+
+
+ **requestable**: *eq*
+ example: requestable eq false
+ required: false
+ - in: query
+ name: sorters
+ schema:
+ type: string
+ format: comma-separated
+ description: >-
+ Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results)
+
+
+ Sorting is supported for the following fields: **name, created, modified**
+ example: name,-modified
+ required: false
+ - in: query
+ name: for-segment-ids
+ schema:
+ type: string
+ format: comma-separated
+ description: >-
+ If present and not empty, additionally filters Roles to those which are assigned to the Segment(s)
+ with the specified IDs.
+
+
+ If segmentation is currently unavailable, specifying this parameter results in an error.
+ example: 0b5c9f25-83c6-4762-9073-e38f7bb2ae26,2e8d8180-24bc-4d21-91c6-7affdb473b0d
+ required: false
+ - in: query
+ name: include-unsegmented
+ schema:
+ type: boolean
+ default: true
+ description: >-
+ Whether or not the response list should contain unsegmented Roles.
+ If *for-segment-ids* is absent or empty, specifying *include-unsegmented* as false results in an error.
+ example: false
+ required: false
+ responses:
+ '200':
+ description: List of Roles
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '../../v3/schemas/access/Role.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [idn:role-unchecked:read, idn:role-unchecked:manage, idn:role-checked:manage, idn:role-checked:read]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
+
+post:
+ operationId: createRole
+ tags:
+ - Roles
+ summary: Create a Role
+ description: >-
+ This API creates a role.
+
+
+ You must have a token with API, ORG_ADMIN, ROLE_ADMIN, or ROLE_SUBADMIN authority to
+ call this API.
+
+
+ In addition, a ROLE_SUBADMIN may not create a role including an access profile if that access profile
+ is associated with a source the ROLE_SUBADMIN is not associated with themselves.
+
+
+ The maximum supported length for the description field is 2000 characters.
+ Longer descriptions will be preserved for existing roles. However, any new roles as well as any updates to existing descriptions will be limited to 2000 characters.
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '../../v3/schemas/access/Role.yaml'
+ responses:
+ '201':
+ description: Role created
+ content:
+ application/json:
+ schema:
+ $ref: '../../v3/schemas/access/Role.yaml'
+ '400':
+ $ref: '../../v3/responses/400.yaml'
+ '401':
+ $ref: '../../v3/responses/401.yaml'
+ '403':
+ $ref: '../../v3/responses/403.yaml'
+ '429':
+ $ref: '../../v3/responses/429.yaml'
+ '500':
+ $ref: '../../v3/responses/500.yaml'
+ security:
+ - userAuth: [idn:role-unchecked:manage, idn:role-checked:manage]
+ x-sailpoint-userLevels:
+ - ORG_ADMIN
+ - ROLE_ADMIN
+ - ROLE_SUBADMIN
diff --git a/idn/v3/schemas/access/Dimension.yaml b/idn/v3/schemas/access/Dimension.yaml
new file mode 100644
index 00000000..494a81a0
--- /dev/null
+++ b/idn/v3/schemas/access/Dimension.yaml
@@ -0,0 +1,55 @@
+type: object
+description: A Dimension
+properties:
+ id:
+ type: string
+ description: The id of the Dimension. This field must be left null when creating a dimension, otherwise a 400 Bad Request error will result.
+ example: 2c918086749d78830174a1a40e121518
+ name:
+ type: string
+ description: The human-readable display name of the Dimension
+ maxLength: 128
+ example: Dimension 2567
+ created:
+ type: string
+ description: Date the Dimension was created
+ format: 'date-time'
+ example: '2021-03-01T22:32:58.104Z'
+ readOnly: true
+ modified:
+ type: string
+ description: Date the Dimension was last modified.
+ format: 'date-time'
+ example: '2021-03-02T20:22:28.104Z'
+ readOnly: true
+ description:
+ type: string
+ nullable: true
+ description: A human-readable description of the Dimension
+ example: Urna amet cursus pellentesque nisl orci maximus lorem nisl euismod fusce morbi placerat adipiscing maecenas nisi tristique et metus et lacus sed morbi nunc nisl maximus magna arcu varius sollicitudin elementum enim maecenas nisi id ipsum tempus fusce diam ipsum tortor.
+ owner:
+ $ref: './OwnerReference.yaml'
+ accessProfiles:
+ type: array
+ items:
+ $ref: './AccessProfileRef.yaml'
+ nullable: true
+ entitlements:
+ type: array
+ items:
+ $ref: './EntitlementRef.yaml'
+ membership:
+ $ref: './DimensionMembershipSelector.yaml'
+ nullable: true
+ parentId:
+ type: string
+ nullable: true
+ description: The ID of the parent role. This field can be left null when creating a dimension, but if provided, it must match the role ID specified in the path variable of the API call.
+ example: 2c918086749d78830174a1a40e121518
+
+required:
+ - name
+ - owner
+
+
+
diff --git a/idn/v3/schemas/access/DimensionBulkDeleteRequest.yaml b/idn/v3/schemas/access/DimensionBulkDeleteRequest.yaml
new file mode 100644
index 00000000..321e2fe8
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionBulkDeleteRequest.yaml
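Review bot: In `Dimension.yaml`, the `description` property carries no `maxLength`, although `createDimension` and `patchDimension` in this commit both state a 2000-character maximum and `name` just above it declares `maxLength: 128`. Adding `maxLength: 2000` under `description` puts the bound in the contract, so request validators and generated clients reject oversized input before it reaches the service. Separately, `id` is documented as "must be left null when creating a dimension" yet is declared neither `nullable: true` nor `readOnly: true`, unlike `created` and `modified`; which of the two the service expects is not visible from the spec.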
@@ -0,0 +1,10 @@
+type: object
+properties:
+ dimensionIds:
+ description: List of IDs of Dimensions to be deleted.
+ type: array
+ items:
+ type: string
+ example: ["2c9180847812e0b1017817051919ecca","2c9180887812e0b201781e129f151816"]
+required:
+ - dimensionIds
\ No newline at end of file
diff --git a/idn/v3/schemas/access/DimensionCriteriaKey.yaml b/idn/v3/schemas/access/DimensionCriteriaKey.yaml
new file mode 100644
index 00000000..21c03476
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionCriteriaKey.yaml
@@ -0,0 +1,15 @@
+type: object
+nullable: true
+description: Refers to a specific Identity attribute used in Dimension membership criteria.
+properties:
+ type:
+ $ref: './DimensionCriteriaKeyType.yaml'
+ property:
+ type: string
+ description: The name of the identity attribute to which the associated criteria applies.
+ example: "attribute.email"
+required:
+ - type
+ - property
+
+
diff --git a/idn/v3/schemas/access/DimensionCriteriaKeyType.yaml b/idn/v3/schemas/access/DimensionCriteriaKeyType.yaml
new file mode 100644
index 00000000..fffd8b38
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionCriteriaKeyType.yaml
@@ -0,0 +1,6 @@
+type: string
+enum:
+ - IDENTITY
+description: >-
+ Indicates whether the associated criteria represents an expression on identity attributes.
+example: IDENTITY
diff --git a/idn/v3/schemas/access/DimensionCriteriaLevel1.yaml b/idn/v3/schemas/access/DimensionCriteriaLevel1.yaml
new file mode 100644
index 00000000..059051ec
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionCriteriaLevel1.yaml
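Review bot: In `DimensionBulkDeleteRequest.yaml`, `dimensionIds` is declared as an unbounded array, while the bulk-delete path in this commit documents a cap of 50 and a 400 response reading `dimensionIds count exceeded max limit of 50 for bulk-delete.` Adding `maxItems: 50` under `dimensionIds` moves that limit from prose into the schema, where gateway validation and generated clients can enforce it on a destructive bulk call. A `minItems: 1` would also be reasonable, but whether the service accepts an empty list is not visible here, so that part needs confirming.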
@@ -0,0 +1,27 @@
+type: object
+nullable: true
+description: Defines STANDARD type Dimension membership
+properties:
+ operation:
+ $ref: './DimensionCriteriaOperation.yaml'
+ key:
+ $ref: './DimensionCriteriaKey.yaml'
+ stringValue:
+ type: string
+ nullable: true
+ description: >-
+ String value to test the Identity attribute specified in the key w/r/t
+ the specified operation. If this criteria is a leaf node, that is, if the operation is
+ EQUALS, this field is required. Otherwise, specifying it
+ is an error.
+ example: "carlee.cert1c9f9b6fd@mailinator.com"
+ children:
+ type: array
+ items:
+ $ref: './DimensionCriteriaLevel2.yaml'
+ nullable: true
+ description: >-
+ Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum
+ of three levels of criteria are supported, including leaf nodes. Additionally, AND nodes can only be
+ children or OR nodes and vice-versa.
+
diff --git a/idn/v3/schemas/access/DimensionCriteriaLevel2.yaml b/idn/v3/schemas/access/DimensionCriteriaLevel2.yaml
new file mode 100644
index 00000000..e43f83a9
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionCriteriaLevel2.yaml
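Review bot: In `DimensionCriteriaLevel1.yaml`, the `children` description ends with "AND nodes can only be children or OR nodes and vice-versa", which reads as a slip for `children of OR nodes and vice-versa`; the same sentence appears in `DimensionCriteriaLevel2.yaml`. The alternation rule, like the "required if AND or OR, otherwise null" rule, is stated only in prose and not in the schema, so this sentence is all a client author has to go on when building criteria that decide who is granted a dimension.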
@@ -0,0 +1,27 @@
+type: object
+nullable: true
+description: Defines STANDARD type Role membership
+properties:
+ operation:
+ $ref: './DimensionCriteriaOperation.yaml'
+ key:
+ $ref: './DimensionCriteriaKey.yaml'
+ stringValue:
+ type: string
+ nullable: true
+ description: >-
+ String value to test the Identity attribute specified in the key w/r/t
+ the specified operation. If this criteria is a leaf node, that is, if the operation is one of
+ EQUALS, this field is required. Otherwise, specifying it
+ is an error.
+ example: "carlee.cert1c9f9b6fd@mailinator.com"
+ children:
+ type: array
+ items:
+ $ref: './DimensionCriteriaLevel3.yaml'
+ nullable: true
+ description: >-
+ Array of child criteria. Required if the operation is AND or OR, otherwise it must be left null. A maximum
+ of three levels of criteria are supported, including leaf nodes. Additionally, AND nodes can only be
+ children or OR nodes and vice-versa.
+
diff --git a/idn/v3/schemas/access/DimensionCriteriaLevel3.yaml b/idn/v3/schemas/access/DimensionCriteriaLevel3.yaml
new file mode 100644
index 00000000..af715050
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionCriteriaLevel3.yaml
@@ -0,0 +1,16 @@
+type: object
+description: Defines STANDARD type Dimension membership
+properties:
+ operation:
+ $ref: './DimensionCriteriaOperation.yaml'
+ key:
+ $ref: './DimensionCriteriaKey.yaml'
+ stringValue:
+ type: string
+ description: >-
+ String value to test the Identity attribute specified in the key w/r/t
+ the specified operation. If this criteria is a leaf node, that is, if the operation is one of
+ EQUALS, this field is required. Otherwise, specifying it
+ is an error.
+ example: "carlee.cert1c9f9b6fd@mailinator.com"
+
diff --git a/idn/v3/schemas/access/DimensionCriteriaOperation.yaml b/idn/v3/schemas/access/DimensionCriteriaOperation.yaml
new file mode 100644
index 00000000..df9f3559
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionCriteriaOperation.yaml
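Review bot: `DimensionCriteriaLevel2.yaml` is described as `Defines STANDARD type Role membership`, while Level1 and Level3 in this commit say "Dimension membership"; the line should be `description: Defines STANDARD type Dimension membership`. In Level2 and Level3 the `stringValue` text also says "if the operation is one of EQUALS", wording that suggests more leaf operators than `DimensionCriteriaOperation` lists; Level1's `if the operation is EQUALS` is the accurate form.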
@@ -0,0 +1,7 @@
+type: string
+enum:
+ - EQUALS
+ - AND
+ - OR
+description: An operation
+example: EQUALS
diff --git a/idn/v3/schemas/access/DimensionMembershipSelector.yaml b/idn/v3/schemas/access/DimensionMembershipSelector.yaml
new file mode 100644
index 00000000..4c5d7e52
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionMembershipSelector.yaml
@@ -0,0 +1,10 @@
+type: object
+nullable: true
+description: >-
+ When present, specifies that the Dimension is to be granted to Identities which either satisfy specific criteria.
+properties:
+ type:
+ $ref: './DimensionMembershipSelectorType.yaml'
+ criteria:
+ $ref: './DimensionCriteriaLevel1.yaml'
+ nullable: true
\ No newline at end of file
diff --git a/idn/v3/schemas/access/DimensionMembershipSelectorType.yaml b/idn/v3/schemas/access/DimensionMembershipSelectorType.yaml
new file mode 100644
index 00000000..ef8066c5
--- /dev/null
+++ b/idn/v3/schemas/access/DimensionMembershipSelectorType.yaml
@@ -0,0 +1,11 @@
+type: string
+enum:
+ - STANDARD
+description: >-
+ This enum characterizes the type of a Dimension's membership selector. Only the STANDARD type supported:
+
+
+ STANDARD: Indicates that Dimension membership is defined in terms of a criteria expression
+
+
+example: STANDARD
\ No newline at end of file
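Review bot: In `DimensionMembershipSelector.yaml`, the description says the Dimension is granted to Identities "which either satisfy specific criteria", where "either" has no second branch because the selector type enum offers only `STANDARD`. It should read `When present, specifies that the Dimension is to be granted to Identities which satisfy specific criteria.` The same file puts `nullable: true` beside the `$ref` under `criteria`, as `Dimension.yaml` does under `membership`. OpenAPI 3.0 tooling ignores siblings of `$ref`, so nullability here comes only from the `nullable: true` declared inside the referenced schemas.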