Request Conditions

Request conditions define what resources and access levels requesters can request from their resource catalog.

Each request condition defines the following:

  • Who can request access
  • What resource and access level they can request
  • How long the access should be granted for
  • What request sequence to use for approval
  • A priority to control what condition should take precedence when a requester matches against multiple request conditions

See Access request conditions for more information on Access request conditions and Identity Governance.

List all resource request conditions
OAuth 2.0 scope:
  • okta.accessRequests.condition.read
Admin roles:
  • ACCESS_REQUESTS_ADMIN

Lists request conditions for a resource specified by resourceId

Request
path Parameters
resourceId
required
string

The ID of the resource in Okta instance ID format or ORN format

Responses
200

A successful request condition list response

401

When authentication fails

403

When authorization fails

404

When the requested resource wasn't found

429

When the rate limit has been exceeded

500

When there is a server fault due to an unexpected error

get/governance/api/v2/resources/{resourceId}/request-conditions
Request samples 
Response samples 
application/json
Basic request conditions that are returned from a get call


{
  • "data": [
    • {
      • "id": "rcob0oNGTSWTBKOLGLNR",
      • "name": "Default resource access",
      • "description": "This is a condition for requesting default resource access, access duration settings are not defined here",
      • "priority": 0,
      • "status": "ACTIVE",
      • "requesterSettings": {
        },
      • "accessScopeSettings": {
        },
      • "approvalSequenceId": "61eb0f06c462d20007f051ac",
      • "created": "2019-08-24T14:15:22Z",
      • "createdBy": "00ub0oNGTSWTBKOLGLNR",
      • "lastUpdated": "2019-08-24T14:15:22Z",
      • "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
      • "_links": {}
      },
    • {
      • "id": "rcob0oNGTSWTBKOLPGRN",
      • "name": "Group resource access",
      • "description": "This is a condition for requesting access to a Group in the resource",
      • "priority": 0,
      • "status": "ACTIVE",
      • "requesterSettings": {
        },
      • "accessScopeSettings": {
        },
      • "accessDurationSettings": {
        },
      • "approvalSequenceId": "61eb0f06c462d20007f051ac",
      • "created": "2019-08-24T14:15:22Z",
      • "createdBy": "00ub0oNGTSWTBKOLBTSA",
      • "lastUpdated": "2019-08-24T14:15:22Z",
      • "lastUpdatedBy": "00ub0oNGTSWTBKOLBTSA",
      • "_links": {}
      },
    • {
      • "id": "rcob0oNGTSWTBKOLPGRT",
      • "name": "Requester specified access",
      • "description": "This is a condition for requesting time bound access set by Requester for a resource",
      • "priority": 0,
      • "status": "ACTIVE",
      • "requesterSettings": {
        },
      • "accessScopeSettings": {
        },
      • "accessDurationSettings": {
        },
      • "approvalSequenceId": "61eb0f06c462d20007f051ac",
      • "created": "2019-08-24T14:15:22Z",
      • "createdBy": "00ub0oNGTSWTBKOLBTSA",
      • "lastUpdated": "2019-08-24T14:15:22Z",
      • "lastUpdatedBy": "00ub0oNGTSWTBKOLBTSA",
      • "_links": {}
      }
    ],
  • "_links": {}
}
Create a request condition
OAuth 2.0 scope: 
  • okta.accessRequests.condition.manage
Admin roles: 
  • ACCESS_REQUESTS_ADMIN
Creates a request condition to govern how a resource can be requested.


Specify the following to create a request condition:


    

  • What resource can be requested? (resourceId in path)
    • 

  • What access scope can be requested? (accessScopeSettings in request body)
    • 

  • Who can request access? (requesterSettings in request body)
    • 

  • What is the approval process? (approvalSequenceId in request body)
    • 



Any requesterSettings or accessScopeSettings parameters in the request body are validated against the resource's current request settings.
After a request condition is created successfully, its status is set to INACTIVE.




Note: You can define a maximum of 100 conditions for each resource (app).




Request 
path Parameters
resourceId
required
string
The ID of the resource in Okta instance ID format or ORN format


 
Request Body schema: application/json
required
required
object
Settings for the access request scope (such as groups, entitlement bundles, or default resources)


 
approvalSequenceId
required
string  = 24 characters 
The ID of the approval sequence


 
name
required
string  [ 1 .. 255 ] characters 
Writable unique key on create. Modifiable on update.


 
required
object
Requester settings define who may submit an access request for the related resource and access scopes.


 
object
Settings that control who may specify the access duration allowed by this request condition or risk settings, as well as what duration may be requested.


Note: The resource request settings affect what access duration settings are valid. See the validAccessDurationSettings property.


 
description
string  [ 1 .. 2000 ] characters 
Human readable description


 
priority
integer  >= 0 
The priority of the condition. The smaller the number, the higher the priority. The highest priority is 0. A new condition will default to the lowest priority.


 
Responses 
201
A successful response for creating request condition


400
An invalid request to create a request type


401
When authentication fails


403
When authorization fails


429
When the rate limit has been exceeded


500
When there is a server fault due to an unexpected error


post/governance/api/v2/resources/{resourceId}/request-conditions
Request samples 
application/json
A request condition allowing everyone to request permanent access to an application


{
  • "name": "Application | Permanent | Everyone",
  • "description": "A request condition allowing everyone to request permanent access to an application",
  • "approvalSequenceId": "61eb0f06c462d20007f051ac",
  • "requesterSettings": {
    • "type": "EVERYONE"
    },
  • "accessScopeSettings": {
    • "type": "RESOURCE_DEFAULT"
    },
  • "priority": 0
}
Response samples 
application/json
A request condition allowing everyone to request permanent access to an application


{
  • "id": "rcob0oNGTSWTBKOLGLNR",
  • "name": "Application | Permanent | Everyone",
  • "description": "A request condition allowing everyone to request permanent access to an application",
  • "approvalSequenceId": "61eb0f06c462d20007f051ac",
  • "requesterSettings": {
    • "type": "EVERYONE"
    },
  • "accessScopeSettings": {
    • "type": "RESOURCE_DEFAULT"
    },
  • "priority": 0,
  • "status": "INACTIVE",
  • "created": "2019-08-24T14:15:22Z",
  • "createdBy": "00ub0oNGTSWTBKOLGLNR",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  • "_links": {}
}
Retrieve a resource request condition
OAuth 2.0 scope: 
  • okta.accessRequests.condition.read
Admin roles: 
  • ACCESS_REQUESTS_ADMIN
Retrieves a resource request condition


Request 
path Parameters
requestConditionId
required
string <request-condition-id>   = 20 characters 
The id of the request condition


 
 Example:  rcord7d69lUIn7u5D1d5
resourceId
required
string
The ID of the resource in Okta instance ID format or ORN format


 
Responses 
200
A successful resource request condition get response


401
When authentication fails


403
When authorization fails


404
When the requested resource wasn't found


429
When the rate limit has been exceeded


500
When there is a server fault due to an unexpected error


get/governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}
Request samples 
Response samples 
application/json
Full representation of a request condition


{
  • "id": "rcob0oNGTSWTBKOLGLNR",
  • "name": "Default resource access",
  • "description": "This is a condition for requesting default resource access",
  • "approvalSequenceId": "61eb0f06c462d20007f051ac",
  • "requesterSettings": {
    • "type": "EVERYONE"
    },
  • "accessScopeSettings": {
    • "type": "RESOURCE_DEFAULT"
    },
  • "accessDurationSettings": {
    • "type": "ADMIN_FIXED_DURATION",
    • "duration": "P2W"
    },
  • "priority": 0,
  • "status": "ACTIVE",
  • "created": "2019-08-24T14:15:22Z",
  • "createdBy": "00ub0oNGTSWTBKOLGLNR",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  • "_links": {}
}
Delete a request condition
OAuth 2.0 scope: 
  • okta.accessRequests.condition.manage
Admin roles: 
  • ACCESS_REQUESTS_ADMIN
Deletes a request condition


Request 
path Parameters
requestConditionId
required
string <request-condition-id>   = 20 characters 
The id of the request condition


 
 Example:  rcord7d69lUIn7u5D1d5
resourceId
required
string
The ID of the resource in Okta instance ID format or ORN format


 
Responses 
204
A successful request condition delete response


401
When authentication fails


403
When authorization fails


404
When the requested resource wasn't found


429
When the rate limit has been exceeded


500
When there is a server fault due to an unexpected error


delete/governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000004",
  • "errorSummary": "Authentication failed.",
  • "errorLink": "E0000004",
  • "errorId": "oaeWCGz73hpRCG75VHP6-RRXw",
  • "errorCauses": [ ]
}
Update the request condition
OAuth 2.0 scope: 
  • okta.accessRequests.condition.manage
Admin roles: 
  • ACCESS_REQUESTS_ADMIN
Updates the request condition


Conditions can be updated while their status is ACTIVE, INACTIVE or INVALID.


An update will be rejected if it would lead to the condition entering an INVALID status.


While an update request body may not contain status, a successful update request condition operation will always result in the condition entering ACTIVE or INACTIVE status.


Any requesterSettings, accessScopeSettings in the update request body will be validated against the resource's current request settings.


Request 
path Parameters
requestConditionId
required
string <request-condition-id>   = 20 characters 
The id of the request condition


 
 Example:  rcord7d69lUIn7u5D1d5
resourceId
required
string
The ID of the resource in Okta instance ID format or ORN format


 
Request Body schema: application/json
required
object or null
Settings that control who may specify the access duration allowed by this request condition, as well as what duration may be requested.


Note: The resource request settings affect what access duration settings are valid. See the validAccessDurationSettings property.


 
object
Settings for the access request scope (such as groups, entitlement bundles, or default resources)


 
approvalSequenceId
string  = 24 characters 
The ID of the approval sequence


 
description
string  [ 1 .. 2000 ] characters 
Human readable description


 
name
string  [ 1 .. 255 ] characters 
Writable unique key on create. Modifiable on update.


 
priority
integer  >= 0 
The priority of the condition. The smaller the number, the higher the priority. The highest priority is 0. A new condition will default to the lowest priority.


 
object
Requester settings define who may submit an access request for the related resource and access scopes.


 
Responses 
200
A successful request condition patch response


401
When authentication fails


403
When authorization fails


404
When the requested resource wasn't found


429
When the rate limit has been exceeded


500
When there is a server fault due to an unexpected error


patch/governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}
Request samples 
application/json
A request condition allowing everyone to request permanent access to an application


{
  • "name": "Application | Permanent | Everyone",
  • "description": "A request condition allowing everyone to request permanent access to an application",
  • "approvalSequenceId": "61eb0f06c462d20007f051ac",
  • "requesterSettings": {
    • "type": "EVERYONE"
    },
  • "accessScopeSettings": {
    • "type": "RESOURCE_DEFAULT"
    },
  • "priority": 0
}
Response samples 
application/json
Full representation of a request condition


{
  • "id": "rcob0oNGTSWTBKOLGLNR",
  • "name": "Default resource access",
  • "description": "This is a condition for requesting default resource access",
  • "approvalSequenceId": "61eb0f06c462d20007f051ac",
  • "requesterSettings": {
    • "type": "EVERYONE"
    },
  • "accessScopeSettings": {
    • "type": "RESOURCE_DEFAULT"
    },
  • "accessDurationSettings": {
    • "type": "ADMIN_FIXED_DURATION",
    • "duration": "P2W"
    },
  • "priority": 0,
  • "status": "ACTIVE",
  • "created": "2019-08-24T14:15:22Z",
  • "createdBy": "00ub0oNGTSWTBKOLGLNR",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  • "_links": {}
}
Activate the request condition
OAuth 2.0 scope: 
  • okta.accessRequests.condition.manage
Admin roles: 
  • ACCESS_REQUESTS_ADMIN
Activates the request condition


Conditions can be activated while their status is INACTIVE.


Activating a condition allows it to provide catalog entries to endusers.


Request 
path Parameters
requestConditionId
required
string <request-condition-id>   = 20 characters 
The id of the request condition


 
 Example:  rcord7d69lUIn7u5D1d5
resourceId
required
string
The ID of the resource in Okta instance ID format or ORN format


 
Responses 
200
A successful request condition activate response


401
When authentication fails


403
When authorization fails


404
When the requested resource wasn't found


409
A conflict request condition activate response


429
When the rate limit has been exceeded


500
When there is a server fault due to an unexpected error


post/governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}/activate
Request samples 
Response samples 
application/json
When request condition is INACTIVE, then the activate operation succeeds.


{
  • "id": "rcob0oNGTSWTBKOLGLNR",
  • "name": "Default resource access",
  • "description": "This is a condition for requesting default resource access",
  • "approvalSequenceId": "61eb0f06c462d20007f051ac",
  • "requesterSettings": {
    • "type": "EVERYONE"
    },
  • "accessScopeSettings": {
    • "type": "RESOURCE_DEFAULT"
    },
  • "accessDurationSettings": {
    • "type": "ADMIN_FIXED_DURATION",
    • "duration": "P2W"
    },
  • "priority": 0,
  • "status": "ACTIVE",
  • "created": "2019-08-24T14:15:22Z",
  • "createdBy": "00ub0oNGTSWTBKOLGLNR",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  • "_links": {}
}
Deactivate the request condition
OAuth 2.0 scope: 
  • okta.accessRequests.condition.manage
Admin roles: 
  • ACCESS_REQUESTS_ADMIN
Deactivates the request condition


Conditions can be deactivated while their status is ACTIVE.


Deactivating a condition prevents the condition from providing catalog entries to endusers.


Request 
path Parameters
requestConditionId
required
string <request-condition-id>   = 20 characters 
The id of the request condition


 
 Example:  rcord7d69lUIn7u5D1d5
resourceId
required
string
The ID of the resource in Okta instance ID format or ORN format


 
Responses 
200
A successful request condition deactivate response


401
When authentication fails


403
When authorization fails


404
When the requested resource wasn't found


409
A conflict request condition deactivate response


429
When the rate limit has been exceeded


500
When there is a server fault due to an unexpected error


post/governance/api/v2/resources/{resourceId}/request-conditions/{requestConditionId}/deactivate
Request samples 
Response samples 
application/json
When request condition is ACTIVE, then the deactivate operation succeeds.


{
  • "id": "rcob0oNGTSWTBKOLGLNR",
  • "name": "Default resource access",
  • "description": "This is a condition for requesting default resource access",
  • "approvalSequenceId": "61eb0f06c462d20007f051ac",
  • "requesterSettings": {
    • "type": "EVERYONE"
    },
  • "accessScopeSettings": {
    • "type": "RESOURCE_DEFAULT"
    },
  • "accessDurationSettings": {
    • "type": "ADMIN_FIXED_DURATION",
    • "duration": "P2W"
    },
  • "priority": 0,
  • "status": "INACTIVE",
  • "created": "2019-08-24T14:15:22Z",
  • "createdBy": "00ub0oNGTSWTBKOLGLNR",
  • "lastUpdated": "2019-08-24T14:15:22Z",
  • "lastUpdatedBy": "00ub0oNGTSWTBKOLGLNR",
  • "_links": {}
}