Request Conditions

Request conditions define what resources and access levels requesters can request from their resource catalog.

Each request condition defines the following:

  • Who can request access
  • What resource and access level they can request
  • How long the access should be granted for
  • What request sequence to use for approval
  • A priority to control what condition should take precedence when a requester matches against multiple request conditions

See Access request conditions for more information on Access request conditions and Identity Governance.

List all resource request conditions
Beta
Admin permissions required: Access Requests Administrator
OAuth 2.0: okta.accessRequests.condition.read

Lists request conditions for the resource specified by resourceId

Request
path Parameters
resourceId
required
string

The ID of the resource in Okta ID format or ORN format

Responses
200

A successful request condition list response

401

When authentication fails

403

When authorization fails

404

When the requested resource was not found

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

GET /governance/api/v2/resources/{resourceId}/request-conditions
Response samples
application/json

Basic request conditions that are returned from a get call

{
  "data": [
    {
      "id": "rcob0oNGTSWTBKOLGLNR",
      "name": "Default resource access",
      "description": "This is a condition for requesting default resource access, access duration settings are not defined here",
      "priority": 0,
      "status": "ACTIVE",
      "requesterSettings": {},
      "accessScopeSettings": {},
      "approvalSequenceId": "61eb0f06c462d20007f051ac",
      "created": "2019-08-24T14:15:22Z",
      "createdBy": "00ub0oNGTSWTBKOLGLNR",
      "lastUpdated": "2019-08-24T14:15:22Z",
      "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR"
    },
    {
      "id": "rcob0oNGTSWTBKOLPGRN",
      "name": "Group resource access",
      "description": "This is a condition for requesting access to a Group in the resource",
      "priority": 0,
      "status": "ACTIVE",
      "requesterSettings": {},
      "accessScopeSettings": {},
      "accessDurationSettings": {},
      "approvalSequenceId": "61eb0f06c462d20007f051ac",
      "created": "2019-08-24T14:15:22Z",
      "createdBy": "00ub0oNGTSWTBKOLBTSA",
      "lastUpdated": "2019-08-24T14:15:22Z",
      "lastUpdatedBy": "00ub0oNGTSWTBKOLBTSA"
    },
    {
      "id": "rcob0oNGTSWTBKOLPGRT",
      "name": "Requester specified access",
      "description": "This is a condition for requesting time bound access set by Requester for a resource",
      "priority": 0,
      "status": "ACTIVE",
      "requesterSettings": {},
      "accessScopeSettings": {},
      "accessDurationSettings": {},
      "approvalSequenceId": "61eb0f06c462d20007f051ac",
      "created": "2019-08-24T14:15:22Z",
      "createdBy": "00ub0oNGTSWTBKOLBTSA",
      "lastUpdated": "2019-08-24T14:15:22Z",
      "lastUpdatedBy": "00ub0oNGTSWTBKOLBTSA"
    }
  ]
}

Create a request condition
Beta
Admin permissions required: Access Requests Administrator
OAuth 2.0: okta.accessRequests.condition.manage

Creates a request condition, which governs how a resource can be requested.

When creating a request condition, you specify:

  • What resource can be requested? (resourceId in path)
  • What access scope can be requested? (accessScopeSettings in request body)
  • Who can request access? (requesterSettings in request body)
  • What is the approval process? (approvalSequenceId in request body)

Any requesterSettings or accessScopeSettings in the request body are validated against the resource's current request settings.

Request conditions have an INACTIVE status after successful creation.

Request
path Parameters
resourceId
required
string

The ID of the resource in Okta ID format or ORN format

Request Body schema: application/json
required

accessScopeSettings
required
object

Settings specifying if groups or entitlements may be used for requesting finer grained access

approvalSequenceId
required
string = 24 characters

The ID of the approval sequence

name
required
string [ 1 .. 50 ] characters

Writable unique key on Create. Not modifiable on update.

requesterSettings
required
object

Requester settings define who may submit an access request for the related resource and access scopes.

accessDurationSettings
object

Settings that control who may specify the access duration allowed by this request condition, as well as what duration may be requested.

Note: The resource request settings affect which access duration settings are valid. See the validAccessDurationSettings property.

description
string [ 1 .. 2000 ] characters

Human readable description.

priority
integer [ 0 .. 100 ]

The priority of the condition. The smaller the number, the higher the priority. The highest priority is 0. A new condition will default to the lowest priority.

Responses
201

A successful response for creating request condition

400

An invalid request to create a request type

401

When authentication fails

403

When authorization fails

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

POST /governance/api/v2/resources/{resourceId}/request-conditions
Request samples
application/json

A request condition allowing everyone to request permanent access to an application

{
  "name": "Application | Permanent | Everyone",
  "description": "A request condition allowing everyone to request permanent access to an application",
  "approvalSequenceId": "61eb0f06c462d20007f051ac",
  "requesterSettings": {
    "type": "EVERYONE"
  },
  "accessScopeSettings": {
    "type": "RESOURCE_DEFAULT"
  },
  "priority": 0
}
Response samples
application/json

A request condition allowing everyone to request permanent access to an application

{
  "id": "rcob0oNGTSWTBKOLGLNR",
  "name": "Application | Permanent | Everyone",
  "description": "A request condition allowing everyone to request permanent access to an application",
  "approvalSequenceId": "61eb0f06c462d20007f051ac",
  "requesterSettings": {
    "type": "EVERYONE"
  },
  "accessScopeSettings": {
    "type": "RESOURCE_DEFAULT"
  },
  "priority": 0,
  "status": "INACTIVE",
  "created": "2019-08-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR"
}

Retrieve a resource request condition
Beta
Admin permissions required: Access Requests Administrator
OAuth 2.0: okta.accessRequests.condition.read

Retrieves a resource request condition

Request
path Parameters
requestConditionId
required
string <request-condition-id> = 20 characters

The id of the request condition

resourceId
required
string

The ID of the resource in Okta ID format or ORN format

Responses
200

A successful resource request condition get response

401

When authentication fails

403

When authorization fails

404

When the requested resource was not found

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

GET /governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}
Response samples
application/json

Full representation of a request condition

{
  "id": "rcob0oNGTSWTBKOLGLNR",
  "name": "Default resource access",
  "description": "This is a condition for requesting default resource access",
  "approvalSequenceId": "61eb0f06c462d20007f051ac",
  "requesterSettings": {
    "type": "EVERYONE"
  },
  "accessScopeSettings": {
    "type": "RESOURCE_DEFAULT"
  },
  "accessDurationSettings": {
    "type": "ADMIN_FIXED_DURATION",
    "duration": "P2W"
  },
  "priority": 0,
  "status": "ACTIVE",
  "created": "2019-08-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR"
}
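
An added audit example, not part of the Okta documentation: it walks full request condition representations like the one above and reports ACTIVE conditions that let EVERYONE request permanent or long-lived access. It assumes, following the samples on this page, that a condition without accessDurationSettings grants permanent access; the function names, the 30-day limit and the sample records are constructed for illustration.

```python
import re
from datetime import timedelta

# ISO 8601 duration subset (weeks, days, hours, minutes), e.g. "P2W" or "P1DT12H".
_DURATION = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")

def parse_duration(value):
    m = _DURATION.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    weeks, days, hours, minutes = (int(g or 0) for g in m.groups())
    return timedelta(weeks=weeks, days=days, hours=hours, minutes=minutes)

def audit_conditions(conditions, max_duration=timedelta(days=30)):
    """Return (id, finding) pairs for ACTIVE conditions open to EVERYONE."""
    findings = []
    # Smaller priority number means higher precedence, so review those first.
    for cond in sorted(conditions, key=lambda c: c.get("priority", 100)):
        if cond.get("status") != "ACTIVE":
            continue  # only ACTIVE conditions provide catalog entries
        if (cond.get("requesterSettings") or {}).get("type") != "EVERYONE":
            continue
        dur = cond.get("accessDurationSettings")
        if not dur:
            # Assumption from the page's samples: no duration settings = permanent.
            findings.append((cond["id"], "EVERYONE may request permanent access"))
        elif dur.get("type") == "ADMIN_FIXED_DURATION":
            if parse_duration(dur.get("duration")) > max_duration:
                findings.append((cond["id"], f"fixed duration {dur['duration']} exceeds limit"))
    return findings

def _cond(cid, status, priority, duration=None):
    # Builds a constructed record shaped like the full representation above.
    c = {"id": cid, "status": status, "priority": priority,
         "requesterSettings": {"type": "EVERYONE"},
         "accessScopeSettings": {"type": "RESOURCE_DEFAULT"}}
    if duration:
        c["accessDurationSettings"] = {"type": "ADMIN_FIXED_DURATION", "duration": duration}
    return c

# Constructed sample data; the IDs are placeholders, not real Okta IDs.
SAMPLE = [
    _cond("cond-permanent", "ACTIVE", 1),
    _cond("cond-two-weeks", "ACTIVE", 0, "P2W"),
    _cond("cond-inactive", "INACTIVE", 0),
    _cond("cond-half-year", "ACTIVE", 0, "P26W"),
]

if __name__ == "__main__":
    for cond_id, finding in audit_conditions(SAMPLE):
        print(cond_id, "-", finding)
```
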

Delete a request condition
Beta
Admin permissions required: Access Requests Administrator
OAuth 2.0: okta.accessRequests.condition.manage

Deletes a request condition

Request
path Parameters
requestConditionId
required
string <request-condition-id> = 20 characters

The id of the request condition

resourceId
required
string

The ID of the resource in Okta ID format or ORN format

Responses
204

A successful request condition delete response

401

When authentication fails

403

When authorization fails

404

When the requested resource was not found

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

DELETE /governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}
Response samples
application/json
{
  "errorCode": "E0000004",
  "errorSummary": "Authentication failed.",
  "errorLink": "E0000004",
  "errorId": "oaeWCGz73hpRCG75VHP6-RRXw",
  "errorCauses": []
}

Update the request condition
Beta
Admin permissions required: Access Requests Administrator
OAuth 2.0: okta.accessRequests.condition.manage

Updates the request condition

Conditions can be updated while their status is ACTIVE, INACTIVE or INVALID.

An update will be rejected if it would lead to the condition entering an INVALID status.

While an update request body may not contain status, a successful update request condition operation will always result in the condition entering ACTIVE or INACTIVE status.

Any requesterSettings or accessScopeSettings in the update request body are validated against the resource's current request settings.

Request
path Parameters
requestConditionId
required
string <request-condition-id> = 20 characters

The id of the request condition

resourceId
required
string

The ID of the resource in Okta ID format or ORN format

Request Body schema: application/json
required

accessDurationSettings
object or null

Settings that control who may specify the access duration allowed by this request condition, as well as what duration may be requested.

Note: The resource request settings affect which access duration settings are valid. See the validAccessDurationSettings property.

accessScopeSettings
object

Settings specifying if groups or entitlements may be used for requesting finer grained access

approvalSequenceId
string = 24 characters

The ID of the approval sequence

description
string [ 1 .. 2000 ] characters

Human readable description.

name
string [ 1 .. 50 ] characters

Writable unique key on Create. Not modifiable on update.

priority
integer [ 0 .. 100 ]

The priority of the condition. The smaller the number, the higher the priority. The highest priority is 0. A new condition will default to the lowest priority.

requesterSettings
object

Requester settings define who may submit an access request for the related resource and access scopes.

Responses
200

A successful request condition patch response

401

When authentication fails

403

When authorization fails

404

When the requested resource was not found

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

PATCH /governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}
Request samples
application/json

A request condition allowing everyone to request permanent access to an application

{
  "name": "Application | Permanent | Everyone",
  "description": "A request condition allowing everyone to request permanent access to an application",
  "approvalSequenceId": "61eb0f06c462d20007f051ac",
  "requesterSettings": {
    "type": "EVERYONE"
  },
  "accessScopeSettings": {
    "type": "RESOURCE_DEFAULT"
  },
  "priority": 0
}
Response samples
application/json

Full representation of a request condition

{
  "id": "rcob0oNGTSWTBKOLGLNR",
  "name": "Default resource access",
  "description": "This is a condition for requesting default resource access",
  "approvalSequenceId": "61eb0f06c462d20007f051ac",
  "requesterSettings": {
    "type": "EVERYONE"
  },
  "accessScopeSettings": {
    "type": "RESOURCE_DEFAULT"
  },
  "accessDurationSettings": {
    "type": "ADMIN_FIXED_DURATION",
    "duration": "P2W"
  },
  "priority": 0,
  "status": "ACTIVE",
  "created": "2019-08-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR"
}

Activate the request condition
Beta
Admin permissions required: Access Requests Administrator
OAuth 2.0: okta.accessRequests.condition.manage

Activates the request condition

Conditions can be activated while their status is INACTIVE.

Activating a condition allows it to provide catalog entries to end users.

Request
path Parameters
requestConditionId
required
string <request-condition-id> = 20 characters

The id of the request condition

resourceId
required
string

The ID of the resource in Okta ID format or ORN format

Responses
200

A successful request condition activate response

401

When authentication fails

403

When authorization fails

404

When the requested resource was not found

409

A conflict request condition activate response

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

POST /governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}/activate
Response samples
application/json

When request condition is INACTIVE, then the activate operation succeeds.

{
  "id": "rcob0oNGTSWTBKOLGLNR",
  "name": "Default resource access",
  "description": "This is a condition for requesting default resource access",
  "approvalSequenceId": "61eb0f06c462d20007f051ac",
  "requesterSettings": {
    "type": "EVERYONE"
  },
  "accessScopeSettings": {
    "type": "RESOURCE_DEFAULT"
  },
  "accessDurationSettings": {
    "type": "ADMIN_FIXED_DURATION",
    "duration": "P2W"
  },
  "priority": 0,
  "status": "ACTIVE",
  "created": "2019-08-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR"
}

Deactivate the request condition
Beta
Admin permissions required: Access Requests Administrator
OAuth 2.0: okta.accessRequests.condition.manage

Deactivates the request condition

Conditions can be deactivated while their status is ACTIVE.

Deactivating a condition prevents the condition from providing catalog entries to end users.

Request
path Parameters
requestConditionId
required
string <request-condition-id> = 20 characters

The id of the request condition

resourceId
required
string

The ID of the resource in Okta ID format or ORN format

Responses
200

A successful request condition deactivate response

401

When authentication fails

403

When authorization fails

404

When the requested resource was not found

409

A conflict request condition deactivate response

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

POST /governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}/deactivate
Response samples
application/json

When request condition is ACTIVE, then the deactivate operation succeeds.

{
  "id": "rcob0oNGTSWTBKOLGLNR",
  "name": "Default resource access",
  "description": "This is a condition for requesting default resource access",
  "approvalSequenceId": "61eb0f06c462d20007f051ac",
  "requesterSettings": {
    "type": "EVERYONE"
  },
  "accessScopeSettings": {
    "type": "RESOURCE_DEFAULT"
  },
  "accessDurationSettings": {
    "type": "ADMIN_FIXED_DURATION",
    "duration": "P2W"
  },
  "priority": 0,
  "status": "INACTIVE",
  "created": "2019-08-24T14:15:22Z",
  "createdBy": "00ub0oNGTSWTBKOLGLNR",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR"
}