Creates a new Role
post
/access-governance/access-controls/20250331/roles
Creates a new role with the specified details.
Request
Header Parameters
-
opc-request-id: string
The client request ID for tracing. The only valid characters for request IDs are letters, numbers, underscore, and dash.
Details for the new Role
Root Schema : CreateRoleDetails
Type:
objectThe information about new Role.
Show Source
-
accessBundles:
array accessBundles
List of Access Bundles
-
approvalWorkflowId:
string
ApprovalWorkflowId that is applicable to the Role
-
customAttributes:
object customAttributes
Metadata associated with the role
-
description:
string
Role description
-
displayName:
string
Display Name of the Role
-
externalId:
string
ExternalId of the Role
-
name(required):
string
Minimum Length:
1Maximum Length:255Role Identifier -
owners:
array owners
List of owner entities
-
requestableBy:
string
Allowed Values:
[ "ANY", "NONE" ]Entities that can request the access bundle -
tags:
array tags
List of tags attached to the Role
Nested Schema : accessBundles
Type:
arrayList of Access Bundles
Show Source
-
Array of:
object Info
Generic information object.
Nested Schema : owners
Type:
arrayList of owner entities
Show Source
-
Array of:
object OwnerSummary
Owner entity object
Nested Schema : Info
Type:
objectGeneric information object.
Show Source
-
displayName:
string
Display Name of the entity.
-
id:
string
id of the entity.
-
name:
string
name of the entity.
Nested Schema : OwnerSummary
Type:
objectOwner entity object
Show Source
-
id(required):
string
Unique identifier that is immutable on creation
-
isPrimary(required):
boolean
Is this entity the primary owner?
-
name(required):
string
Name of the owner
Response
Supported Media Types
- application/json
200 Response
The newly created Role
Headers
-
etag: string
For optimistic concurrency control. See `if-match`.
-
opc-request-id: string
Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
Root Schema : Role
Type:
objectRole object.
Show Source
-
accessBundles:
array accessBundles
List of Access Bundles
-
approvalWorkflowId:
object IdInfo
Generic identifying information object.
-
createdBy:
object IdInfo
Generic identifying information object.
-
customAttributes:
object customAttributes
Metadata associated with the role
-
description:
string
Description of the Role
-
displayName:
string
Display Name of the Role
-
externalId:
string
ExternalId of the Role
-
id(required):
string
Unique identifier that is immutable on creation
-
name:
string
Name of the Role
-
owners:
array owners
List of owner entities
-
ownershipCollectionId:
string
Ownership collection associate with the Role
-
requestableBy:
object IdInfo
Generic identifying information object.
-
status:
string
Allowed Values:
[ "ACTIVE", "DRAFT", "INACTIVE", "PENDING", "FAILED", "IN_PROGRESS", "SAVED", "SUCCESS", "TIMEOUT" ]Status of the Role -
tags:
array tags
List of tags attached to the Role
-
timeCreated:
string(date-time)
Time when the Role was created. An RFC3339 formatted datetime string
-
timeUpdated:
string(date-time)
Time when the Role was last updated. An RFC3339 formatted datetime string
-
updatedBy:
object IdInfo
Generic identifying information object.
Nested Schema : accessBundles
Type:
arrayList of Access Bundles
Show Source
-
Array of:
object AccessBundle
Access Bundle object.
Nested Schema : IdInfo
Type:
objectGeneric identifying information object.
Show Source
-
displayName:
string
Display Name of the entity.
-
id:
string
Id of the entity.
-
name:
string
Name of the entity.
Nested Schema : owners
Type:
arrayList of owner entities
Show Source
-
Array of:
object OwnerSummary
Owner entity object
Nested Schema : AccessBundle
Type:
objectAccess Bundle object.
Show Source
-
accessGuardrail:
object AccessGuardrailDetails
Access Guardrail object.
-
accessTimeLimit:
object AccessBundleTimeLimit
Time limit definition. Only one of daysLimit, hoursLimit, or dateTimeLimit should be specified.
-
accessTimeLimitType:
string
Allowed Values:
[ "INDEFINITELY", "NUMBER_OF_DAYS", "NUMBER_OF_HOURS" ]Time limit type of the access bundle. -
accountProfileId:
string
Configured account profile id for the access bundle.
-
accountProfileName:
string
configured account profile name for the access bundle.
-
approvalWorkflowId:
object IdInfo
Generic identifying information object.
-
autoApproveIfNoViolation:
boolean
Boolean flag to indicate auto approve if no violation in access request to the Access Bundle.
-
cloudAccountName:
string
Cloud Account name of OCI bundle i.e., OCI tenancy.
-
compartmentFqn:
string
Compartment full name of OCI bundle.
-
compartmentName:
string
Compartment name of OCI bundle.
-
createdBy:
object IdInfo
Generic identifying information object.
-
customAttributes:
object customAttributes
Metadata associated with the access bundle.
-
description:
string
Description of the Access Bundle.
-
displayName:
string
Display Name of the Access Bundle.
-
domainName:
string
Domain name of OCI bundle.
-
externalId:
string
ExternalId of the Access Bundle.
-
id(required):
string
Unique identifier that is immutable on creation.
-
name:
string
Name of the Access Bundle.
-
orchestratedSystem:
object IdInfo
Generic identifying information object.
-
orchestratedSystemAttributes:
object OrchestratedSystemAttributeSummary
Account & permission attributes.
-
orchestratedSystemType:
string
Orchestrated System type.
-
owners:
array owners
List of owner entities.
-
ownershipCollectionId:
string
Ownership collection associated with the Access Bundle.
-
permissions:
array permissions
List of permissions
-
requestableBy:
object IdInfo
Generic identifying information object.
-
resourceType:
string
Resource Type of an OCI Access Bundle.
-
status:
string
Allowed Values:
[ "ACTIVE", "DRAFT", "INACTIVE", "PENDING", "FAILED", "IN_PROGRESS", "SAVED", "SUCCESS", "TIMEOUT" ]Status of the Access Bundle. -
tags:
array tags
List of tags attached to the Access Bundle.
-
timeCreated:
string(date-time)
Time when the Access Bundle was created. An RFC3339 formatted datetime string.
-
timeUpdated:
string(date-time)
Time when the Access Bundle was last updated. An RFC3339 formatted datetime string.
-
updatedBy:
object IdInfo
Generic identifying information object.
Nested Schema : AccessGuardrailDetails
Type:
objectAccess Guardrail object.
Show Source
-
id(required):
string
The access guardrail id.
-
name(required):
string
The access guardrail name.
Nested Schema : AccessBundleTimeLimit
Type:
objectTime limit definition. Only one of daysLimit, hoursLimit, or dateTimeLimit should be specified.
Show Source
-
daysLimit:
object AccessBundleTimeLimitDays
Time limit definition in days.
-
hoursLimit:
object AccessBundleTimeLimitHours
Time limit definition in hours.
Nested Schema : customAttributes
Type:
objectMetadata associated with the access bundle.
Show Source
Nested Schema : OrchestratedSystemAttributeSummary
Type:
objectAccount & permission attributes.
Show Source
-
accountAttributes:
array accountAttributes
List of Orchestrated System account attributes.
-
permissionAttributes:
array permissionAttributes
List of Orchestrated System permission attributes.
Nested Schema : owners
Type:
arrayList of owner entities.
Show Source
-
Array of:
object OwnerSummary
Owner entity object
Nested Schema : permissions
Type:
arrayList of permissions
Show Source
-
Array of:
object PermissionSummary
Description of Permission.
Nested Schema : AccessBundleTimeLimitDays
Type:
objectTime limit definition in days.
Show Source
-
accessLimitInDays(required):
integer
Minimum Value:
1Maximum Value:365Maximum number of days allowed before expiry. -
extensionApprovalWorkflowId(required):
object IdInfo
Generic identifying information object.
-
extensionInDays(required):
integer
Minimum Value:
1Maximum Value:90Number of days extensions is allowed. -
notificationInDays(required):
integer
Minimum Value:
1Maximum Value:30Number of days when notification should be sent.
Nested Schema : AccessBundleTimeLimitHours
Type:
objectTime limit definition in hours.
Show Source
-
accessLimitInHours(required):
integer
Minimum Value:
1Maximum Value:24Maximum number of hours allowed before expiry. -
extensionApprovalWorkflowId(required):
object IdInfo
Generic identifying information object.
-
extensionInHours(required):
integer
Minimum Value:
1Maximum Value:8Number of hours extension is allowed. -
notificationInHours(required):
integer
Minimum Value:
1Maximum Value:24Number of hours when notification should be sent.
Nested Schema : accountAttributes
Type:
arrayList of Orchestrated System account attributes.
Show Source
-
Array of:
object OrchestratedSystemAttributeDataSummary
Orchestrated System Attributes
Nested Schema : permissionAttributes
Type:
arrayList of Orchestrated System permission attributes.
Show Source
-
Array of:
object OrchestratedSystemAttributeDataSummary
Orchestrated System Attributes
Nested Schema : OrchestratedSystemAttributeDataSummary
Type:
objectOrchestrated System Attributes
Show Source
-
children:
array children
nested attributes
-
discriminator:
string
this field signify attribute field is password
-
isQuestion:
boolean
Indicates if this Orchestrated System Attribute will be presented as a question.
-
name:
string
Attribute name - Unique identifier
-
permissionType:
string
Permission Type
-
title:
string
Display Name for the attribute.
-
type:
string
Type of attribute
-
values:
array values
Attribute Values
Nested Schema : children
Type:
arraynested attributes
Show Source
-
Array of:
object NestedAttributesSummary
Nested set of Orchestrated System attributes
Nested Schema : NestedAttributesSummary
Type:
objectNested set of Orchestrated System attributes
Show Source
-
items:
array items
Orchestrated System attributes
Nested Schema : items
Type:
arrayOrchestrated System attributes
Show Source
-
Array of:
object OrchestratedSystemAttributeDataSummary
Orchestrated System Attributes
Nested Schema : OwnerSummary
Type:
objectOwner entity object
Show Source
-
id(required):
string
Unique identifier that is immutable on creation
-
isPrimary(required):
boolean
Is this entity the primary owner?
-
name(required):
string
Name of the owner
Nested Schema : PermissionSummary
Type:
objectDescription of Permission.
Show Source
-
description:
string
Description of the permission
-
id(required):
string
The Unique Oracle ID (OCID) that is immutable on creation
-
name:
string
Name of the permission
-
permissionType:
object PermissionTypeSummary
PermissionType Summary.
-
resource:
object ResourceSummary
Resource Summary.
-
timeCreated:
string(date-time)
Time when the permission was last created. An RFC3339 formatted datetime string
-
timeUpdated:
string(date-time)
Time when the permission was last updated. An RFC3339 formatted datetime string
-
type:
string
Type of the permission
Nested Schema : PermissionTypeSummary
Type:
objectPermissionType Summary.
Show Source
-
displayName:
string
Display Name of the PermissionType.
-
externalId:
string
External Id of the PermissionType
-
id:
string
The Unique Oracle ID (OCID) that is immutable on creation.
-
name:
string
name of the PermissionType.
Nested Schema : ResourceSummary
Type:
objectResource Summary.
Show Source
-
customAttributes:
object customAttributes
Metadata associated with the resource
-
displayName:
string
Display Name of the Resource.
-
id(required):
string
The Unique Oracle ID (OCID) that is immutable on creation.
-
name:
string
name of the Resource.
-
type:
string
Type of the Resource
400 Response
Bad Request
Headers
-
opc-request-id: string
Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
Root Schema : Error
Type:
objectError Information.
Show Source
-
code(required):
string
A short error code that defines the error, meant for programmatic parsing.
-
message(required):
string
A human-readable error string.
401 Response
Unauthorized
Headers
-
opc-request-id: string
Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
Root Schema : Error
Type:
objectError Information.
Show Source
-
code(required):
string
A short error code that defines the error, meant for programmatic parsing.
-
message(required):
string
A human-readable error string.
404 Response
Not Found
Headers
-
opc-request-id: string
Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
Root Schema : Error
Type:
objectError Information.
Show Source
-
code(required):
string
A short error code that defines the error, meant for programmatic parsing.
-
message(required):
string
A human-readable error string.
409 Response
Conflict
Headers
-
opc-request-id: string
Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
Root Schema : Error
Type:
objectError Information.
Show Source
-
code(required):
string
A short error code that defines the error, meant for programmatic parsing.
-
message(required):
string
A human-readable error string.
429 Response
Too Many Requests
Headers
-
opc-request-id: string
Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
Root Schema : Error
Type:
objectError Information.
Show Source
-
code(required):
string
A short error code that defines the error, meant for programmatic parsing.
-
message(required):
string
A human-readable error string.
500 Response
Internal Server Error
Headers
-
opc-request-id: string
Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
Root Schema : Error
Type:
objectError Information.
Show Source
-
code(required):
string
A short error code that defines the error, meant for programmatic parsing.
-
message(required):
string
A human-readable error string.
Default Response
Unknown Error
Headers
-
opc-request-id: string
Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.
Root Schema : Error
Type:
objectError Information.
Show Source
-
code(required):
string
A short error code that defines the error, meant for programmatic parsing.
-
message(required):
string
A human-readable error string.
Examples
The following example shows how to create a role. Replace placeholder values with actual values before running the sample command.
Note:
Generate Access Token usinggrant_type = password or Authorization code.
Before creating a role, you need to run the following APIs to fetch the required data:
- List all Approval Workflows - [GET] {BasePath}/approvalWorkflows
- List Access Bundle - [GET] {BasePath}/accessBundles
cURL Request Example
curl -i -X POST \
-H "Authorization:Bearer <your-access-token>" \
-H "Content-Type:application/json" \
-d \
'{
"name": "Database Administrator",
"description": "Responsible for managing database access and ensuring optimized SQL performance.",
"requestableBy": "ANY",
"approvalWorkflowId": "NO_APPROVAL_REQUIRED",
"tags": [
"UA Role"
],
"accessBundles": [
{
"id": "b943f987-xxxx-4bac-bca0-6a09ded5dcad",
"name": "DBUM Standard SQL Tuning Access UA 8",
"displayName": "DBUM Standard SQL Tuning Access UA 8",
"owners": [
{
"id": "globalId.125123c3-xxxx-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Bill Clark",
"isPrimary": true
}
]
}
],
"customAttributes": null,
"displayName": "Database Administrator Role",
"owners": [
{
"id": "globalId.125123c3-xxxx-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Bill Clark",
"isPrimary": true
}
]
}' \
'<${service-instance-url}/access-governance/access-controls/20250331/roles>'
Example Request Payload
{
"name": "Database Administrator",
"description": "Responsible for managing database access and ensuring optimized SQL performance.",
"requestableBy": "ANY",
"approvalWorkflowId": "NO_APPROVAL_REQUIRED",
"tags": [
"UA Role"
],
"accessBundles": [
{
"id": "b943f987-xxxx-4bac-bca0-6a09ded5dcad",
"name": "DBUM Standard SQL Tuning Access UA 8",
"displayName": "DBUM Standard SQL Tuning Access UA 8",
"owners": [
{
"id": "globalId.125123c3-xxxx-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Bill Clark",
"isPrimary": true
}
]
}
],
"customAttributes": null,
"displayName": "Database Administrator Role",
"owners": [
{
"id": "globalId.125123c3-xxxx-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Bill Clark",
"isPrimary": true
}
]
}Example of the Response Code
It may take a few seconds to create a role. Do not try to abort the request.
You'll receive 200 OK response along with the following response body:
{
"id": "7642ff7d-xxxx-45c4-88d4-db7d2e79e85f",
"name": "Database Administrator",
"description": "Responsible for managing database access and ensuring optimized SQL performance.",
"requestableBy": {
"id": "ANY",
"name": "Anyone",
"displayName": "Anyone"
},
"status": "ACTIVE",
"approvalWorkflowId": {
"id": "NO_APPROVAL_REQUIRED",
"name": "No Approval Required",
"displayName": "No Approval Required"
},
"tags": [
"Database Role"
],
"accessBundles": null,
"timeCreated": "2025-04-24T06:55:26.546Z",
"timeUpdated": "2025-04-24T06:55:26.546Z",
"ownershipCollectionId": "b384e140-xxxx-413f-843b-bafc38182db7",
"owners": [
{
"id": "globalId.125123c3-xxxx-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Bill Clark",
"isPrimary": true
}
],
"createdBy": {
"id": "globalId.125123c3-xxxx-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Bill Clark",
"displayName": "Bill Clark"
},
"updatedBy": {
"id": "globalId.125123c3-xxxx-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Bill Clark",
"displayName": "Bill Clark"
},
"customAttributes": null,
"externalId": "ocid1.agcsgovernanceinstance.dev.dev.xxxxxxxxpzw5rdia4pv5rudpgmf5enb2yzcloj2pbd5ogxaructfrhgbuq7a",
"displayName": "Database Admin Role"
}