Create Access Request with Unique Question Value
Create an access request for DBUM Access Bundles with a unique question value for all identities.
Requesting Access for DBUM Access Bundles with Unique Question Value for all Identities
In this example, we will raise a request for a Database User Management (DBUM)-specific Access Bundle. For this scenario, we will assign a unique value for an account attribute, which means isIdentitySpecific: true, and include values for account attributes where isQuestion: true.
In a single access request, you can request multiple access bundles for multiple identities.
- List all identities to retrieve the ID of the specific global identity for which you intend to raise a request. You may retrieve multiple IDs.
- List all Access Bundles to retrieve the ID of the specific Access Bundle and Orchestrated System ID that you want to assign.
- Get Account Profile details for a specific Account Profile
- Create a new POST Access Request
Note: In a single access request, you can request to assign one or more access bundles to multiple identities.
Step 1: Retrieve Identity Details
List all identities to retrieve the IDs of identities for which you intend to raise a request.
Sample cURL
curl -i -X POST \
-H "Authorization:Bearer <your access token>" \
-H "Content-Type:application/json" \
-d \
'{
"keywordContains": ["Bill"],
"suggestedFilter": [],
"filterCriteria": null,
"attributes": ["displayName"]
}' \
'${service-instance-url}/access-governance/identities/${version}/identities'
Sample GET Command using REST Client
${service-instance-url}/access-governance/identities/20250331/identities?keywordContains=Bill
Sample Response
You should receive a 200 response code, with the following response body:
{
"id" : "globalId.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.1fbb825aef0ceab8xxxxxxxxxxx",
"type" : "IDENTITY",
"name" : "Bill.Clark@example.COM",
"timeCreated" : "2025-01-21T01:05:35.558Z",
"timeUpdated" : "2025-01-21T01:05:35.558Z",
"entityType" : "USER",
"attributes" : [ {
"name" : "agTerminated",
"value" : false
} ],
"value" : "{\"name\":{\"formatted\":\"Bill Clark\",\"familyName\":\"Clark\",\"givenName\":\"Bill\"},\"userName\":\"Bill.Clark@example.COM\",\"displayName\":\"Bill Clark\",\"primaryEmail\":\"Bill.Clark@example.COM\",\"organization\":{\"value\":\"organization.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.4eec1f689ba5647xxxxxx6\"},\"status\":\"Active\",\"emails\":[{\"primary\":false,\"secondary\":false,\"type\":\"recovery\",\"value\":\"0E5EB262.82DBD46A@testociemail-blackhole.com\",\"verified\":false},{\"primary\":true,\"secondary\":false,\"type\":\"work\",\"value\":\"Bill.Clark@example.COM\",\"verified\":false}],\"addresses\":[],\"phoneNumbers\":[],\"agStatus\":\"AG_ACTIVE\",\"agSubType\":\"WORKFORCE\",\"agRisk\":{\"value\":0,\"customAttributes\":{}},\"agDelegation\":{\"hasDelegations\":false,\"customAttributes\":{}},\"agTerminate\":{\"terminated\":false,\"customAttributes\":{}},\"domainOCID\":\"ocid1.domain.oc1..aaaaaaaayrdl7hgnjeqbpi4nvt72hxtki4uwxxxxxxx\",\"userNameDb2\":\"0E5EB26282DBD46A@testociemailbla\",\"userNameMysql\":\"0E5EB26282DBD46Atestociemailblac\",\"userNameOracle\":\"Bill.Clark@example.COM\",\"userNameMSSQl\":\"_0E5EB26282DBD46A@testociemailblackholecom\",\"agOrganizations\":[],\"targetId\":\"bd49ff2a-5c47-4242-8975-9ba235fbb0ec\",\"identityTargetId\":\"targetId.account.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.1fbb825aef0ceab8c084a645f4953107\",\"compartmentId\":\"resource.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.dd795ea6fd73983db4c97d0eb2c77c91\",\"domainId\":\"resource.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.1540420f1040686f5fcecf2d4043feb5\",\"region\":\"iad:us-ashburn-1\",\"customAttributes\":{\"targetAccounts\":[\"5bb2bb40b6394262ab74539a60714607\"],\"lastModifiedBy\":{\"displayName\":\"Abel Maclead\",\"ref\":\"https://idcs-824f604a4d4b48b8918cde1416682c66.identity.oraclecloud.com:443/admin/v1/Users/e4b4b893e2f8448ab76bf5ba85dad344\",\"resourceType\":\"ACCOUNT\",\"value\":\"ocid1.user.oc1..aaaaaaaaad25h6toymcbv6yf5dlymvwmlcemzmkepltjntiw5r3efzrtkzeq\"},\"createdBy\":{\"displayName\":\"Ama Maclead\",\"ref\":\"https://idcs-824f604a4d4b48b8918cde1416682c66.identity.oraclecloud.com:443/admin/v1/Users/e4b4b893e2f8448ab76bf5ba85dad344\",\"resourceType\":\"ACCOUNT\",\"value\":\"ocid1.user.oc1..aaaaaaaaad25h6toymcbv6yf5dlymvwmlcemzmkepltjntiw5r3efzrtkzeq\"},\"isCorrelated\":true,\"fullDN\":\"0E5EB262.82DBD46A@TESTOCIEMAIL-BLACKHOLE.COM_Tags\",\"domainName\":\"Default\",\"ocid\":\"ocid1.user.oc1..aaaaaaaayb7oyq66q64nytjoy5d4t64asklfeflrx6ghtlarguhhrhg6em6a\",\"compartmentOCID\":\"ocid1.tenancy.oc1..aaaaaaaazp2vvzjsn6newkqrpkwndxpdoixtqfgyhnf4y24h7d5ny27h6f3q\",\"compartmentName\":\"accessgovtest\",\"cloudAccountName\":\"accessgovtest\"},\"id\":\"globalId.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.1fbb825aef0ceab8c084a645f4953107\",\"externalId\":\"5bb2bb40b6394262ab74539a60714607\",\"schemas\":[],\"meta\":{\"resourceType\":\"USER\",\"created\":1737421535558,\"lastModified\":1737421535558,\"version\":\"1\",\"location\":\"\"}}"
}
Save Identity IDs for later use.
Step 2: Retrieve Access Bundle and Orchestrated System Details
List all Access Bundles to retrieve the IDs and Orchestrated System IDs that you want to assign. For this scenario, we will use a DBUM-specific Access Bundle for application roles.
Sample cURL
curl -i -X GET \
-H "Authorization:Bearer <your access token>" \
'${service-instance-url}/access-governance/access-controls/20250331/accessBundles?keywordContains=OCI'
Sample GET Command using REST Client
${service-instance-url}/access-governance/access-controls/${version}/accessBundles?keywordContains=OCI
Sample Response
You should receive a 200 response code, with the following response body:
{
"items": [
{
"id": "c7568c3d-32bc-481f-87d3-6be2a5a1b36a",
"name": "OCI-AB",
"description": "AB for OCI",
"tags": null,
"timeCreated": "2025-04-11T07:00:41.456Z",
"timeUpdated": "2025-04-11T07:00:41.456Z",
"createdBy": {
"id": "globalId.125123c3-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4xxxxxx",
"name": "Amel Maclead",
"displayName": "Amel Maclead"
},
"requestableBy": "ANY",
"status": "ACTIVE",
"approvalWorkflowId": "NO_APPROVAL_REQUIRED",
"orchestratedSystem": {
"id": "bd49ff2a-5c47-4242-8975-9ba235fcccec",
"name": "accessgovtest",
"displayName": "accessgovtest"
},
"accessBundleType": "PERMISSION_BUNDLE",
"primaryOwner": {
"value": "globalId.125123c3-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b2014xxxxxxx",
"displayName": "Ama Maclead"
},
"isOwner": false,
"customAttributes": null
}
]
}
Save the Access Bundle ID and Orchestrated System ID for later use.
Step 3: Get Account Profile Details for a specific Account Profile
Before running this, you can run List Account Profiles to fetch the Account Profile ID. For a specific account profile system, retrieve the corresponding account profile details.
Sample cURL
curl -i -X GET \
-H "Authorization:Bearer <your access token>" \
'${service-instance-url}/access-governance/service-administration/${version}/orchestratedSystems/${orchestratedsystemId}/accountProfiles/${accountProfileId}'
Sample GET Command using REST Client
${service-instance-url}/access-governance/service-administration/${version}/orchestratedSystems/${orchestratedsystemId}/accountProfiles/${accountProfileId}
Sample Response
You should receive a 200 response code, with the following response body:
{
"id": "84321700-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"orchestratedSystemId": "da7efca4-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"displayName": "dbum AP 1",
"description": "DBUM Account Profile",
"tags": [],
"accountAttributes": [
{
"name": "authenticationType",
"title": "Authentication type",
"values": ["EXTERNAL"],
"type": "String",
"permissionType": null,
"children": [],
"discriminator": null,
"isQuestion": false
},
{
"name": "defaultTablespace",
"title": "Default tablespace",
"values": ["DEV1105_CATALOG_TEXT_IND_TAB"],
"type": "String",
"permissionType": null,
"children": [],
"discriminator": null,
"isQuestion": false
},
{
"name": "defaultTablespaceQuotaInMB",
"title": "Default tablespace quota (in MB)",
"values": [],
"type": "Long",
"permissionType": null,
"children": [],
"discriminator": null,
"isQuestion": true
},
{
"name": "temporaryTablespace",
"title": "Temporary tablespace",
"values": [],
"type": "String",
"permissionType": null,
"children": [],
"discriminator": null,
"isQuestion": false
},
{
"name": "profileName",
"title": "Profile name",
"values": [],
"type": "String",
"permissionType": null,
"children": [],
"discriminator": null,
"isQuestion": false
},
{
"name": "password",
"title": "Password",
"values": [],
"type": "GuardedString",
"permissionType": null,
"children": [],
"discriminator": "AccountPassword",
"isQuestion": false
}
],
"accountUiAttributes": [
{
"name": "authenticationType",
"type": "String",
"title": "Authentication type",
"children": [],
"lookupType": "authType",
"defaultValues": ["EXTERNAL"],
"permissionType": null,
"discriminator": null
},
{
"name": "defaultTablespace",
"type": "String",
"title": "Default tablespace",
"children": [],
"lookupType": "tablespace",
"defaultValues": ["DEV1105_CATALOG_TEXT_IND_TAB"],
"permissionType": null,
"discriminator": null
},
{
"name": "defaultTablespaceQuotaInMB",
"type": "Long",
"title": "Default tablespace quota (in MB)",
"children": [],
"lookupType": null,
"defaultValues": [],
"permissionType": null,
"discriminator": null
},
{
"name": "temporaryTablespace",
"type": "String",
"title": "Temporary tablespace",
"children": [],
"lookupType": "tempTablespace",
"defaultValues": [],
"permissionType": null,
"discriminator": null
},
{
"name": "profileName",
"type": "String",
"title": "Profile name",
"children": [],
"lookupType": "profile",
"defaultValues": [],
"permissionType": null,
"discriminator": null
},
{
"name": "password",
"type": "GuardedString",
"title": "Password",
"children": [],
"lookupType": null,
"defaultValues": [],
"permissionType": null,
"discriminator": "AccountPassword"
}
],
"isDefault": true,
"isInUseByAccessBundle": false,
"timeCreated": "2025-03-21T06:19:01.234Z",
"timeLastModified": "2025-03-21T06:19:01.234Z",
"createdBy": {
"id": "globalId.125123c3-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "Ama Maclead"
},
"lastModifiedBy": {
"id": "globalId.125123c3-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "Ama Maclead"
}
}
Step 4: Create an Access Request for an Identity
Create a self-service access request for one or more identities using the details we extracted from the above steps. In this example, we will assign a unique question value to each identity by keeping "identitySpecific": true.
Sample cURL
curl -i -X POST \
-H "Authorization:Bearer <your access token>" \
-H "Content-Type:application/json" \
-d \
'{
"justification": "UA AR Test for Identity Specific",
"createdBy": "globalId.125123c3-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aaxxxxxxxxxa",
"accessBundles": [
"6adcbc8d-1816-xxxxx-af70-xxxc40bf850fb"
],
"identities": [
"globalId.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.xxxxxxx4394960469c2af598b63d4"
],
"accountProfileDetails": [
{
"accountProfileId": "84321700-1a93-4cf2-9226-3f4c2xxxxx9768",
"identitySpecific": true,
"accountAttributes": [
{
"name": "defaultTablespaceQuotaInMB",
"values": [
"100"
],
"children": [],
"isQuestion": true
}
],
"identityAccountAttributesDetails": [
{
"identityId": "globalId.OCI.bd49ff2a-5c47-4242-8975-xxxxxxxec.9f6e4161d84394960469cxxxxxxxx3d4",
"accountAttributes": [
{
"name": "defaultTablespaceQuotaInMB",
"values": [
"40"
],
"children": [],
"isQuestion": true
}
]
}
]
}
]
}' \
'${service-instance-url}/access-governance/access-controls/20250331/accessRequests'
Sample POST Command using REST Client
Authorization | Bearer <your access token> |
Content-Type | application/json |
${service-instance-url}/access-governance/access-controls/${version}/accessRequests
Sample Request Body
{
"justification": "UA AR Test for Identity Specific",
"createdBy": "globalId.125123c3-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aaxxxxxxxxxa",
"accessBundles": [
"6adcbc8d-1816-xxxxx-af70-xxxc40bf850fb"
],
"identities": [
"globalId.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.xxxxxxx4394960469c2af598b63d4"
],
"accountProfileDetails": [
{
"accountProfileId": "84321700-1a93-4cf2-9226-3f4c2xxxxx9768",
"identitySpecific": true,
"accountAttributes": [
{
"name": "defaultTablespaceQuotaInMB",
"values": [
"100"
],
"children": [],
"isQuestion": true
}
],
"identityAccountAttributesDetails": [
{
"identityId": "globalId.OCI.bd49ff2a-5c47-4242-8975-xxxxxxxec.9f6e4161d84394960469cxxxxxxxx3d4",
"accountAttributes": [
{
"name": "defaultTablespaceQuotaInMB",
"values": [
"40"
],
"children": [],
"isQuestion": true
}
]
}
]
}
]
}
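The request body above can be assembled from the Step 3 account profile instead of being written by hand. The following is an added example, not part of the original documentation or Oracle's code: `build_access_request`, the trimmed `ACCOUNT_PROFILE` sample and the two client-side checks (only `isQuestion` attributes may be answered, `Long` values must be whole numbers) are assumptions of this example, not documented API behaviour.

```python
import re

# Constructed sample: the Step 3 account profile, trimmed to three attributes.
ACCOUNT_PROFILE = {
    "id": "84321700-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "accountAttributes": [
        {"name": "authenticationType", "type": "String", "isQuestion": False},
        {"name": "defaultTablespaceQuotaInMB", "type": "Long", "isQuestion": True},
        {"name": "password", "type": "GuardedString", "isQuestion": False},
    ],
}


def build_access_request(profile, bundle_ids, created_by, justification,
                         defaults, per_identity):
    """Build the Step 4 body. `defaults` maps attribute name -> value for the
    profile-level answer; `per_identity` maps identity ID -> {name: value}."""
    questions = {a["name"]: a["type"]
                 for a in profile["accountAttributes"] if a["isQuestion"]}

    def answers(values):
        out = []
        for name, value in values.items():
            # Local check (assumption of this example): only attributes the
            # profile marks isQuestion may be answered by the requester.
            if name not in questions:
                raise ValueError(f"{name} is not a question attribute")
            if questions[name] == "Long" and not re.fullmatch(r"[0-9]+", str(value)):
                raise ValueError(f"{name} needs a whole number, got {value!r}")
            out.append({"name": name, "values": [str(value)],
                        "children": [], "isQuestion": True})
        return out

    return {
        "justification": justification,
        "createdBy": created_by,
        "accessBundles": list(bundle_ids),
        # Derived from per_identity, so every override targets a requested identity.
        "identities": list(per_identity),
        "accountProfileDetails": [{
            "accountProfileId": profile["id"],
            "identitySpecific": True,
            "accountAttributes": answers(defaults),
            "identityAccountAttributesDetails": [
                {"identityId": identity_id, "accountAttributes": answers(values)}
                for identity_id, values in per_identity.items()
            ],
        }],
    }
```

Serialize the returned dictionary with `json.dumps` and send it as the POST body; a request that tries to set `password` or `authenticationType` is rejected locally before it reaches the service.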
Sample Response Body
You should receive a 200 response code, with the following response body:
{
"id": "f303f482-1ace-43c2-xxxx-4719e507eb6a",
"justification": "UA AR Test for Identity Specific",
"requestStatus": "PENDING_APPROVALS",
"timeCreated": "2025-04-11T11:07:28.348Z",
"timeUpdated": "2025-04-11T11:07:28.348Z",
"createdBy": "globalId.125123c3-eedc-4d6a-b6d4-6xxxxxbad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"permissionRoles": [
],
"accessBundles": [
{
"id": "6adcbc8d-1816-44a7-xxxx-78c40bf850fb",
"name": "test min payload",
"displayName": "test min payload",
"accountProfileId": "84321700-1a93-4xxxx-9226-3f4c26fd9768"
}
],
"identities": [
{
"id": "globalId.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.xxxxxx394960469c2af598b63d4",
"name": "Bill.Clark@Example.com",
"displayName": "Bill Clark",
"owners": null
}
],
"attributes": {
"orchestratedSystemAttributes": null
},
"approvalRequests": null
}
GET ${service-instance-url}/access-governance/access-controls/${versionId}/accessRequests/${accessRequestId}