This endpoint simulates provisioning a set of access items, then checks the result against a set of policies to determine whether granting those access items would create new policy violations.
It accepts a set of access items to request and a set of policies to check once the access provisioning has been simulated, in order to determine whether provisioning the access items would create policy violations. The payload includes:

- An identity: the recipient of the access items in the simulation.
- A provisioning plan: the changes to be simulated against the provided identity.
- A list of policies: checked after the provisioning plan has been applied to the identity in the simulation, to determine whether the access granted causes new policy violations.

Optionally you can pass a list of attributes, as query parameters, to include in or exclude from the response. This setting applies only to top-level attributes as defined in the schema urn:ietf:params:scim:schemas:sailpoint:1.0:CheckedPolicyViolation.

Valid values:
- policies
- identity
- plan
- violations
- leftBundles
- rightBundles
Query Parameters

- attributes (string): A list of attributes indicating which top-level attributes to include in the response.
- authnPassword (string): Password for authentication.
- authnUsername (string): Username for authentication.
- excludedAttributes (string): A list of attributes indicating which top-level attributes to exclude from the response.
- lookupByName (boolean): Not required for this endpoint, since the returned object is a new PolicyViolation rather than one read from the persistence layer. The parameter is inherited from BaseSCIMResource and overrides the default id-based lookup with a name-based lookup when, for any reason, the artifact id is not present.
Request Body (required, application/json)

- identity (string): An identity for whom access is requested in the provisioning simulation.
- plan (object): A provisioning plan detailing the access to request in the simulation.
  - value (object)
    - accounts (object[])
      - op (string): The operation to perform on the provisioning.
      - instance (string): A particular instance to provision this access to.
      - application (string): The application that owns the access items in the request.
      - attributes (object[])
        - op (string): The operation to perform on the access item.
        - name (string): The type of access item to provision.
        - value (string): The name of the access item to provision.
  - type (string)
- policies (string[]): A list of policies to check for new policy violations on the access provisioned by the simulation.
- 201 (application/json): Returns a list of violations based on the simulated requested access.

Schema
- identity (string): An identity for whom access was requested in the provisioning simulation.
- meta (object)
  - resourceType (string)
- violations (object[])
  - entitlements (string[]): An array of the entitlements used in the provisioning simulation.
  - policyName (string): The name of the policy that conflicted with the access items provisioned in the simulation, causing the policy violation.
  - policyType (string): The type of the policy that conflicted with the access items provisioned in the simulation, causing the policy violation(s).
  - description (string): The description of the policy violation(s) caused by the access provisioned in the simulation.
  - constraintName (string): The specific constraint in the policy that conflicted with the access items provisioned in the simulation.
  - leftBundles (string[]): The left set of entitlements defined in the policy constraint, checked against another set of entitlements for compliance.
  - rightBundles (string[]): The right set of entitlements defined in the policy constraint, checked against another set of entitlements for compliance.
- schemas (string[]): The SCIM schema for Checked Policy Violations.
- policies (string[]): The set of policies used to check for conflicting access in the provisioning simulation.
- plan (object): A provisioning plan detailing the access requested in the simulation.
  - value (object)
    - accounts (object[])
      - op (string): The operation performed on the access in the provisioning simulation.
      - instance (string): A particular instance to provision this access to.
      - application (string): The application that owns the access provisioned in the simulation.
      - attributes (object[])
        - op (string): The operation performed on the access in the provisioning simulation.
        - name (string): The type of provisioned access.
        - value (string): The name of the provisioned access items.
  - type (string)
Example (from schema):

{
  "identity": {
    "identity": "Ryan.Russell"
  },
  "meta": {
    "resourceType": "CheckedPolicyViolation"
  },
  "violations": [
    {
      "entitlements": [
        "a2a",
        "a2b",
        "benefits"
      ],
      "policyName": "SOD Policy",
      "policyType": "SOD",
      "description": "Security design should not be combined with administrative permissions.",
      "constraintName": " IT SOD-117",
      "leftBundles": [
        "Security Architect - IT"
      ],
      "rightBundles": [
        "Unix Administrator - IT"
      ]
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:schemas:sailpoint:1.0:CheckedPolicyViolation"
  ],
  "policies": [
    "SOD Policy",
    "Entitlement Policy",
    "RandomPolicyNotExisting"
  ],
  "plan": {
    "value": {
      "accounts": [
        {
          "op": "Modify",
          "instance": "null",
          "application": "Active_Directory",
          "attributes": [
            {
              "op": "Add",
              "name": "groupmbr",
              "value": "UnixAdministration"
            }
          ]
        }
      ]
    },
    "type": "application/sailpoint.object.ProvisioningPlan+json"
  }
}
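A client-side helper for this endpoint, added here as an illustration and not part of the SailPoint documentation or product: it builds the request body described above, turns the returned violations into a go/no-go decision for the real provisioning request, and sends the request. The base URL, endpoint path and the use of HTTP Basic auth are assumptions; the sample response is copied from the page's example.

```python
import json
import urllib.request
from base64 import b64encode

# Constructed sample: the example response from this page, trimmed to the fields used below.
SAMPLE_RESPONSE = {
    "identity": {"identity": "Ryan.Russell"},
    "violations": [{
        "entitlements": ["a2a", "a2b", "benefits"],
        "policyName": "SOD Policy", "policyType": "SOD",
        "description": "Security design should not be combined with administrative permissions.",
        "constraintName": " IT SOD-117",
        "leftBundles": ["Security Architect - IT"], "rightBundles": ["Unix Administrator - IT"],
    }],
    "policies": ["SOD Policy", "Entitlement Policy", "RandomPolicyNotExisting"],
}

def build_request(identity, application, attr_name, value, policies, op="Add"):
    """Build the request body: identity, a one-account provisioning plan, and the policies to check."""
    account = {"op": "Modify", "instance": "null",  # "null" as a string, mirroring the page's example
               "application": application,
               "attributes": [{"op": op, "name": attr_name, "value": value}]}
    return {"identity": identity,
            "plan": {"value": {"accounts": [account]},
                     "type": "application/sailpoint.object.ProvisioningPlan+json"},
            "policies": list(policies)}

def summarize_violations(response):
    """Flatten each returned violation into the fields a reviewer needs to act on."""
    return [{"policy": v["policyName"], "type": v["policyType"],
             "constraint": v["constraintName"].strip(),  # the example carries a leading space
             "conflict": (tuple(v["leftBundles"]), tuple(v["rightBundles"]))}
            for v in response.get("violations", [])]

def should_block(response):
    """Gate: any new violation means the real provisioning request should not proceed unreviewed."""
    return bool(response.get("violations"))

def check_policies(base_url, path, username, password, body, timeout=30):
    """POST the body and return the parsed response. Credentials go in an Authorization header
    rather than the authnUsername/authnPassword query parameters so they do not land in URL logs
    (assumes the server accepts HTTP Basic auth; base_url and path are placeholders)."""
    token = b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```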