List SOD policies

This gets list of all SOD policies. Requires role of ORG_ADMIN

Query Parameters

• limit int32

  Possible values: <= 250

  Default value: 250

  Max number of results to return. See V3 API Standard Collection Parameters for more information.

  Example: 250
• offset int32

  Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.

• count boolean

  If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.

  Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.

  See V3 API Standard Collection Parameters for more information.

  Example: true
• filters string

  Filter results using the standard syntax described in V3 API Standard Collection Parameters

  Filtering is supported for the following fields and operators:

  id: eq name: eq state: eq

  Example: id eq "bc693f07e7b645539626c25954c58554"

Responses

• 200
• 400
• 401
• 403
• 429
• 500

---

List of all SOD policies.

application/json

• Schema
• Example (from schema)
• Example

---

Schema array

• id string

  Policy id

• name string

  Policy Business Name

• created date-time

  The time when this SOD policy is created.

• modified date-time

  The time when this SOD policy is modified.

• description string

  Optional description of the SOD policy

• ownerRef object

  type string

  Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY]

  DTO type

  id string

  ID of the object to which this reference applies

  name string

  Human-readable display name of the object to which this reference applies

• externalPolicyReference string

  Optional External Policy Reference

• policyQuery string

  Search query of the SOD policy

• compensatingControls string

  Optional compensating controls(Mitigating Controls)

• correctionAdvice string

  Optional correction advice

• state string

  Possible values: [ENFORCED, NOT_ENFORCED]

  whether the policy is enforced or not

• tags string[]

  tags for this policy object

• creatorId string

  Policy's creator ID

• modifierId string

  Policy's modifier ID

• violationOwnerAssignmentConfig object

  assignmentRule string

  Possible values: [MANAGER, STATIC, null]

  Details about the violations owner. MANAGER - identity's manager STATIC - Governance Group or Identity

  ownerRef object

  type string

  Possible values: [ACCOUNT_CORRELATION_CONFIG, ACCESS_PROFILE, ACCESS_REQUEST_APPROVAL, ACCOUNT, APPLICATION, CAMPAIGN, CAMPAIGN_FILTER, CERTIFICATION, CLUSTER, CONNECTOR_SCHEMA, ENTITLEMENT, GOVERNANCE_GROUP, IDENTITY, IDENTITY_PROFILE, IDENTITY_REQUEST, LIFECYCLE_STATE, PASSWORD_POLICY, ROLE, RULE, SOD_POLICY, SOURCE, TAG, TAG_CATEGORY, TASK_RESULT, REPORT_RESULT, SOD_VIOLATION, ACCOUNT_ACTIVITY]

  DTO type

  id string

  ID of the object to which this reference applies

  name string

  Human-readable display name of the object to which this reference applies

• scheduled boolean

  Default value: false

  defines whether a policy has been scheduled or not

• type string

  Possible values: [GENERAL, CONFLICTING_ACCESS_BASED]

  Default value: GENERAL

  whether a policy is query based or conflicting access based

• conflictingAccessCriteria object

  leftCriteria object

  name string

  Business name for the access construct list

  criteriaList object[]

  List of criteria. There is a min of 1 and max of 50 items in the list.

  type string

  Possible values: [ENTITLEMENT]

  DTO type

  id string

  ID of the object to which this reference applies to

  name string

  Human-readable display name of the object to which this reference applies to

  rightCriteria object

  name string

  Business name for the access construct list

  criteriaList object[]

  List of criteria. There is a min of 1 and max of 50 items in the list.

  type string

  Possible values: [ENTITLEMENT]

  DTO type

  id string

  ID of the object to which this reference applies to

  name string

  Human-readable display name of the object to which this reference applies to

[
  {
    "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
    "name": "policy-xyz",
    "created": "2020-01-01T00:00:00.000000Z",
    "modified": "2020-01-01T00:00:00.000000Z",
    "description": "This policy ensures compliance of xyz",
    "ownerRef": {
      "type": "IDENTITY",
      "id": "2c91808568c529c60168cca6f90c1313",
      "name": "William Wilson"
    },
    "externalPolicyReference": "XYZ policy",
    "policyQuery": "@access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdg) AND @access(id:0f11f2a4-7c94-4bf3-a2bd-742580fe3bdf)",
    "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
    "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
    "state": "ENFORCED",
    "tags": [
      "TAG1",
      "TAG2"
    ],
    "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
    "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
    "violationOwnerAssignmentConfig": {
      "assignmentRule": "MANAGER",
      "ownerRef": {
        "type": "IDENTITY",
        "id": "2c91808568c529c60168cca6f90c1313",
        "name": "William Wilson"
      }
    },
    "scheduled": true,
    "type": "GENERAL",
    "conflictingAccessCriteria": {
      "leftCriteria": {
        "name": "money-in",
        "criteriaList": [
          {
            "type": "ENTITLEMENT",
            "id": "2c9180866166b5b0016167c32ef31a66",
            "name": "Administrator"
          },
          {
            "type": "ENTITLEMENT",
            "id": "2c9180866166b5b0016167c32ef31a67",
            "name": "Administrator"
          }
        ]
      },
      "rightCriteria": {
        "name": "money-in",
        "criteriaList": [
          {
            "type": "ENTITLEMENT",
            "id": "2c9180866166b5b0016167c32ef31a66",
            "name": "Administrator"
          },
          {
            "type": "ENTITLEMENT",
            "id": "2c9180866166b5b0016167c32ef31a67",
            "name": "Administrator"
          }
        ]
      }
    }
  }
]

[
  {
    "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
    "name": "Conflicting-Policy-Name",
    "created": "2020-01-01T00:00:00.000000Z",
    "modified": "2020-01-01T00:00:00.000000Z",
    "description": "This policy ensures compliance of xyz",
    "ownerRef": {
      "type": "IDENTITY",
      "id": "2c91808568c529c60168cca6f90c1313",
      "name": "Owner Name"
    },
    "externalPolicyReference": "XYZ policy",
    "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c9180866166b5b0016167c32ef31a68 OR id:2c9180866166b5b0016167c32ef31a69)",
    "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee",
    "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.",
    "state": "ENFORCED",
    "tags": [
      "string"
    ],
    "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
    "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
    "violationOwnerAssignmentConfig": {
      "assignmentRule": "MANAGER",
      "ownerRef": {
        "type": "IDENTITY",
        "id": "2c91808568c529c60168cca6f90c1313",
        "name": "Violation Owner Name"
      }
    },
    "scheduled": true,
    "type": "CONFLICTING_ACCESS_BASED",
    "conflictingAccessCriteria": {
      "leftCriteria": {
        "name": "money-in",
        "criteriaList": [
          {
            "type": "ENTITLEMENT",
            "id": "2c9180866166b5b0016167c32ef31a66"
          },
          {
            "type": "ENTITLEMENT",
            "id": "2c9180866166b5b0016167c32ef31a67"
          }
        ]
      },
      "rightCriteria": {
        "name": "money-out",
        "criteriaList": [
          {
            "type": "ENTITLEMENT",
            "id": "2c9180866166b5b0016167c32ef31a68"
          },
          {
            "type": "ENTITLEMENT",
            "id": "2c9180866166b5b0016167c32ef31a69"
          }
        ]
      }
    }
  },
  {
    "description": "Description",
    "ownerRef": {
      "type": "IDENTITY",
      "id": "2c918087682f9a86016839c05e8f1aff",
      "name": "Owner Name"
    },
    "externalPolicyReference": "New policy",
    "policyQuery": "policy query implementation",
    "compensatingControls": "Compensating controls",
    "correctionAdvice": "Correction advice",
    "tags": [],
    "state": "ENFORCED",
    "scheduled": false,
    "creatorId": "2c918087682f9a86016839c05e8f1aff",
    "modifierId": null,
    "violationOwnerAssignmentConfig": null,
    "type": "GENERAL",
    "conflictingAccessCriteria": null,
    "id": "52c11db4-733e-4c31-949a-766c95ec95f1",
    "name": "General-Policy-Name",
    "created": "2020-05-12T19:47:38Z",
    "modified": "2020-05-12T19:47:38Z"
  }
]

Client Error - Returned if the request body is invalid.

application/json

• Schema
• Example (from schema)

---

Schema

• detailCode string

  Fine-grained error code providing more detail of the error.

• trackingId string

  Unique tracking id for the error.

• messages object[]

  Generic localized reason for error

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

• causes object[]

  Plain-text descriptive reasons to provide additional detail to the text provided in the messages field

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.

application/json

• Schema
• Example (from schema)

---

Schema

• error

  A message describing the error

{
  "error": "JWT validation failed: JWT is expired"
}

Forbidden - Returned if the user you are running as, doesn't have access to this end-point.

application/json

• Schema
• Example (from schema)
• 403

---

Schema

• detailCode string

  Fine-grained error code providing more detail of the error.

• trackingId string

  Unique tracking id for the error.

• messages object[]

  Generic localized reason for error

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

• causes object[]

  Plain-text descriptive reasons to provide additional detail to the text provided in the messages field

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

An example of a 403 response object

{
  "detailCode": "403 Forbidden",
  "trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The server understood the request but refuses to authorize it."
    }
  ]
}

Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.

application/json

• Schema
• Example (from schema)

---

Schema

• message

  A message describing the error

{
  "message": " Rate Limit Exceeded "
}

Internal Server Error - Returned if there is an unexpected error.

application/json

• Schema
• Example (from schema)
• 500

---

Schema

• detailCode string

  Fine-grained error code providing more detail of the error.

• trackingId string

  Unique tracking id for the error.

• messages object[]

  Generic localized reason for error

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

• causes object[]

  Plain-text descriptive reasons to provide additional detail to the text provided in the messages field

  locale string

  The locale for the message text, a BCP 47 language tag.

  localeOrigin string

  Possible values: [DEFAULT, REQUEST]

  An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.

  text string

  Actual text of the error message in the indicated locale.

{
  "detailCode": "400.1 Bad Request Content",
  "trackingId": "e7eab60924f64aa284175b9fa3309599",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ],
  "causes": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The request was syntactically correct but its content is semantically invalid."
    }
  ]
}

An example of a 500 response object

{
  "detailCode": "500.0 Internal Fault",
  "trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "An internal fault occurred."
    }
  ]
}

Loading...