Raise an Access Request with High Risk Violations
Create an access request for a DBUM Access Bundle that has an Access Guardrail attached, so that the request triggers a high-risk violation.
Requesting Access for an Access Bundle with a High-Risk Violation Access Guardrail
In this example, we will raise a request for a Database User Management (DBUM)-specific Access Bundle and attach an Access Guardrail that raises a high-risk violation.
- List all identities to retrieve the ID of the specific global identity for which you intend to raise a request. You may retrieve multiple IDs.
- List all Access Guardrails to retrieve the ID of the Access Guardrail to attach.
- Update or create an Access Bundle to attach an Access Guardrail.
- Create a new Access Request (POST) for an Access Bundle.
- Get the details of an Access Request.
Step 1: Retrieve Identity Details
List all identities to retrieve the IDs of identities for which you intend to raise a request.
Sample cURL
curl -i -X \
POST \
-H \
"Authorization:Bearer <your access token>" \
-H \
"Content-Type:application/json" \
-d \
'{
"keywordContains": ["Bill"],
"suggestedFilter": [],
"filterCriteria": null,
"attributes": ["displayName"]
}' \
'${service-instance-url}/access-governance/identities/${version}/identities'
Sample GET Command using REST Client
${si}/access-governance/identities/20250331/identities?keywordContains=Bill
Sample Response
You should receive a 200 response code, with the following response body:
{
"id" : "globalId.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.1fbb825aef0ceab8xxxxxxxxxxx",
"type" : "IDENTITY",
"name" : "Bill.Clark@example.COM",
"timeCreated" : "2025-01-21T01:05:35.558Z",
"timeUpdated" : "2025-01-21T01:05:35.558Z",
"entityType" : "USER",
"attributes" : [ {
"name" : "agTerminated",
"value" : false
} ],
"value" : "{\"name\":{\"formatted\":\"Bill Clark\",\"familyName\":\"Clark\",\"givenName\":\"Bill\"},\"userName\":\"Bill.Clark@example.COM\",\"displayName\":\"Bill Clark\",\"primaryEmail\":\"Bill.Clark@example.COM\",\"organization\":{\"value\":\"organization.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.4eec1f689ba5647xxxxxx6\"},\"status\":\"Active\",\"emails\":[{\"primary\":false,\"secondary\":false,\"type\":\"recovery\",\"value\":\"0E5EB262.82DBD46A@testociemail-blackhole.com\",\"verified\":false},{\"primary\":true,\"secondary\":false,\"type\":\"work\",\"value\":\"Bill.Clark@example.COM\",\"verified\":false}],\"addresses\":[],\"phoneNumbers\":[],\"agStatus\":\"AG_ACTIVE\",\"agSubType\":\"WORKFORCE\",\"agRisk\":{\"value\":0,\"customAttributes\":{}},\"agDelegation\":{\"hasDelegations\":false,\"customAttributes\":{}},\"agTerminate\":{\"terminated\":false,\"customAttributes\":{}},\"domainOCID\":\"ocid1.domain.oc1..aaaaaaaayrdl7hgnjeqbpi4nvt72hxtki4uwxxxxxxx\",\"userNameDb2\":\"0E5EB26282DBD46A@testociemailbla\",\"userNameMysql\":\"0E5EB26282DBD46Atestociemailblac\",\"userNameOracle\":\"Bill.Clark@example.COM\",\"userNameMSSQl\":\"_0E5EB26282DBD46A@testociemailblackholecom\",\"agOrganizations\":[],\"targetId\":\"bd49ff2a-5c47-4242-8975-9ba235fbb0ec\",\"identityTargetId\":\"targetId.account.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.1fbb825aef0ceab8c084a645f4953107\",\"compartmentId\":\"resource.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.dd795ea6fd73983db4c97d0eb2c77c91\",\"domainId\":\"resource.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.1540420f1040686f5fcecf2d4043feb5\",\"region\":\"iad:us-ashburn-1\",\"customAttributes\":{\"targetAccounts\":[\"5bb2bb40b6394262ab74539a60714607\"],\"lastModifiedBy\":{\"displayName\":\"Abel 
Maclead\",\"ref\":\"https://idcs-824f604a4d4b48b8918cde1416682c66.identity.oraclecloud.com:443/admin/v1/Users/e4b4b893e2f8448ab76bf5ba85dad344\",\"resourceType\":\"ACCOUNT\",\"value\":\"ocid1.user.oc1..aaaaaaaaad25h6toymcbv6yf5dlymvwmlcemzmkepltjntiw5r3efzrtkzeq\"},\"createdBy\":{\"displayName\":\"Ama Maclead\",\"ref\":\"https://idcs-824f604a4d4b48b8918cde1416682c66.identity.oraclecloud.com:443/admin/v1/Users/e4b4b893e2f8448ab76bf5ba85dad344\",\"resourceType\":\"ACCOUNT\",\"value\":\"ocid1.user.oc1..aaaaaaaaad25h6toymcbv6yf5dlymvwmlcemzmkepltjntiw5r3efzrtkzeq\"},\"isCorrelated\":true,\"fullDN\":\"0E5EB262.82DBD46A@TESTOCIEMAIL-BLACKHOLE.COM_Tags\",\"domainName\":\"Default\",\"ocid\":\"ocid1.user.oc1..aaaaaaaayb7oyq66q64nytjoy5d4t64asklfeflrx6ghtlarguhhrhg6em6a\",\"compartmentOCID\":\"ocid1.tenancy.oc1..aaaaaaaazp2vvzjsn6newkqrpkwndxpdoixtqfgyhnf4y24h7d5ny27h6f3q\",\"compartmentName\":\"accessgovtest\",\"cloudAccountName\":\"accessgovtest\"},\"id\":\"globalId.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.1fbb825aef0ceab8c084a645f4953107\",\"externalId\":\"5bb2bb40b6394262ab74539a60714607\",\"schemas\":[],\"meta\":{\"resourceType\":\"USER\",\"created\":1737421535558,\"lastModified\":1737421535558,\"version\":\"1\",\"location\":\"\"}}"
}
Save Identity IDs for later use.
Step 2: Retrieve Access Guardrail IDs
List all Access Guardrails to retrieve the ID of an Access Guardrail that you want to attach.
Sample cURL
curl -i -X \
GET \
-H \
"Authorization:Bearer <your access token>" \
'${service-instance-url}/access-governance/access-controls/20250331/accessGuardrails'
Sample GET Command using REST Client
${service-instance-url}/access-governance/access-controls/${version}/accessGuardrails
Sample Response
You should receive a 200 response code, with the following response body:
{
"items": [
{
"id": "a4203401-xxxx-4fb3-891a-b1c127fa94ba",
"name": "UA-High-Risk-Access Guardrails",
"lifecycleState": "ACTIVE",
"tags": [
"Guardrails-Test-HighRisk"
],
"primaryOwnerDisplayName": "Amel Maclead",
"timeCreated": "2025-04-28T04:59:03.646Z",
"timeUpdated": "2025-04-28T04:59:03.646Z"
}
]
}
Save the Access Guardrail ID for attaching to the Access Bundle.
Step 3: Create an Access Bundle and attach an Access Guardrail
In this request, create an access bundle and attach an access guardrail to it.
Before running this, you can run List Account Profiles to fetch the Account Profile ID.
Sample cURL for Creating an Access Bundle with Access Guardrails
curl -i -X \
POST \
-H \
"Authorization:Bearer <your access token>" \
-H \
"Content-Type:application/json" \
-d \
'{
"name": "DBUM Standard SQL Tuning Access",
"displayName": "DBUM AB UA API",
"description": "DBUM AB UA API",
"tags": [
"DBUM UA"],
"owners": [
{
"id": "globalId.xxxxxx-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Amel MacLead",
"isPrimary": true
}
],
"requestableBy": "ANY",
"approvalWorkflowId": "NO_APPROVAL_REQUIRED",
"orchestratedSystemId": "da7efca4-8c7a-xxxx-8ad3-c55ac9362de6",
"accessBundleType": "PERMISSION_BUNDLE",
"verb": "string",
"items": [
{
"id": "privileges.ICF.da7efca4-8c7a-4d4f-8ad3-c55ac9362de6.f5f2648ad9cec98929xxxx2f31e6ccda",
"name": "ADMINISTER ANY SQL TUNING SET"
}
],
"externalId": null,
"domainName": null,
"resourceType": null,
"accountProfileId": "84321700-xxxx-4cf2-9226-3f4c26fd9768",
"accountProfileName": "dbum AP 1",
"orchestratedSystemAttributes": {
"accountAttributes": [
],
"permissionAttributes": [
{
"name": "privileges.ICF.da7efca4-8c7a-4d4f-8ad3-c55ac9362de6.f5f2648cxxxxec9892927642f31e6ccda",
"type": "RepeatableFieldSet",
"title": null,
"values":[
"ADMINISTER ANY SQL TUNING SET"],
"children": [
{
"items": [
{
"name": "privilegeAdminOption",
"type": "String",
"title": "dbum.targetAccount.armd.privileges.privilegeAdminOption.title",
"children": [
],
"lookupType": "withAdminOption",
"permissionType": null,
"discriminator": null,
"values": [
"YES"]
}
]
}
],
"discriminator": null,
"isQuestion": true
}
]
},
"customAttributes": {
},
"accessGuardrails": [
"a4203401-xxxx-4fb3-891a-b1c127fa94ba"
]
}' \
'${service-instance-url}/access-governance/access-controls/20250331/accessBundles'
Sample Request Payload for Creating an Access Bundle with Access Guardrails
{
"name": "DBUM Standard SQL Tuning Access",
"displayName": "DBUM AB UA API",
"description": "DBUM AB UA API",
"tags": [
"DBUM UA"],
"owners": [
{
"id": "globalId.xxxxxx-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Amel MacLead",
"isPrimary": true
}
],
"requestableBy": "ANY",
"approvalWorkflowId": "NO_APPROVAL_REQUIRED",
"orchestratedSystemId": "da7efca4-8c7a-xxxx-8ad3-c55ac9362de6",
"accessBundleType": "PERMISSION_BUNDLE",
"verb": "string",
"items": [
{
"id": "privileges.ICF.da7efca4-8c7a-4d4f-8ad3-c55ac9362de6.f5f2648ad9cec98929xxxx2f31e6ccda",
"name": "ADMINISTER ANY SQL TUNING SET"
}
],
"externalId": null,
"domainName": null,
"resourceType": null,
"accountProfileId": "84321700-xxxx-4cf2-9226-3f4c26fd9768",
"accountProfileName": "dbum AP 1",
"orchestratedSystemAttributes": {
"accountAttributes": [
],
"permissionAttributes": [
{
"name": "privileges.ICF.da7efca4-8c7a-4d4f-8ad3-c55ac9362de6.f5f2648cxxxxec9892927642f31e6ccda",
"type": "RepeatableFieldSet",
"title": null,
"values":[
"ADMINISTER ANY SQL TUNING SET"],
"children": [
{
"items": [
{
"name": "privilegeAdminOption",
"type": "String",
"title": "dbum.targetAccount.armd.privileges.privilegeAdminOption.title",
"children": [
],
"lookupType": "withAdminOption",
"permissionType": null,
"discriminator": null,
"values": [
"YES"]
}
]
}
],
"discriminator": null,
"isQuestion": true
}
]
},
"customAttributes": {
},
"accessGuardrails": [
"a4203401-xxxx-4fb3-891a-b1c127fa94ba"
]
}
Sample Response
You should receive a 200 response code, with the following response body:
{
"accessBundleType": "PERMISSION_BUNDLE",
"id": "434328xxx9f-928d-4255-abbe-2d76e6xxx39d38e",
"name": "DBUM Standard SQL Tuning Access UA 7",
"displayName": "DBUM AB UA API",
"description": "DBUM AB UA API",
"tags": [
"DBUM UA"
],
"timeCreated": "2025-04-28T08:48:03.799Z",
"timeUpdated": "2025-04-28T08:48:03.799Z",
"createdBy": {
"id": "AG-ownership-reviews-july-tfrhgbuxxxq7a_APPID",
"name": "AG-ownership-reviews-july-tfrhgbuxxxq7a_APPID",
"displayName": "AG-ownership-reviews-july-tfrhgbuxxxq7a_APPID"
},
"updatedBy": {
"id": "AG-ownership-reviews-july-tfrhgbuxxxq7a_APPID",
"name": "AG-ownership-reviews-july-tfrhgbuxxxq7a_APPID",
"displayName": "AG-ownership-reviews-july-tfrhgbuxxxq7a_APPID"
},
"requestableBy": {
"id": "ANY",
"name": "Anyone",
"displayName": "Anyone"
},
"status": "ACTIVE",
"approvalWorkflowId": {
"id": "NO_APPROVAL_REQUIRED",
"name": "No Approval Required",
"displayName": "No Approval Required"
},
"orchestratedSystem": {
"id": "da7efcaxxx4-8c7a-4d4f-8ad3-c55ac9362de6",
"name": "ownership-reviews-july-DBUM",
"displayName": "ownership-reviews-july-DBUM"
},
"orchestratedSystemType": "ICF",
"ownershipCollectionId": "1a06018xxx8fa4-4863-9394-e0195002e314",
"owners": [
{
"id": "globalId.125123xxx3-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"name": "Alex Mason",
"isPrimary": true
}
],
"externalId": "ocid1.agcsgovernanceinstance.dev.dev.amaaaaaapzw5xxx4pv5rudpgmf5enb2yzcloj2pbd5ogxaructfrhgbuq7a",
"cloudAccountName": null,
"domainName": null,
"resourceType": null,
"compartmentName": null,
"compartmentFqn": null,
"orchestratedSystemAttributes": {
"accountAttributes": [
{
"name": "authenticationType",
"title": "Authentication type",
"values": [
"EXTERNAL"
],
"type": "String",
"permissionType": null
},
{
"name": "defaultTablespace",
"title": "Default tablespace",
"values": [
"DEV1105_CATALOG_TEXT_IND_TAB"
],
"type": "String",
"permissionType": null
}
],
"permissionAttributes": [
{
"name": "privileges.ICF.da7efcaxxx4-8c7a-4d4f-8ad3-c55ac9362de6.f5f2648ad9cec9892927642f31e6ccda",
"values": [
"ADMINISTER ANY SQL TUNING SET"
],
"type": "RepeatableFieldSet",
"permissionType": null
}
]
},
"accountProfileId": "843217xx00-1a93-4cf2-9226-3f4c26fd9768",
"accountProfileName": "dbum AP 1",
"customAttributes": {},
"accessGuardrails": [
{
"id": "a42034xxx1-46c3-4fb3-891a-b1c127fa94ba",
"name": "UA-AD-Access Guardrails"
}
],
"permissions": [
{
"id": "privileges.ICF.da7efcaxxx4-8c7a-4d4f-8ad3-c55ac9362de6.f5f2648ad9cec9892927642f31e6ccda",
"name": "ADMINISTER ANY SQL TUNING SET",
"type": "ENTITLEMENTS",
"timeCreated": "2024-09-25T13:02:20.369Z",
"resource": {
"id": "resource.ICF.da7efcaxxx4-8c7a-4d4f-8ad3-c55ac9362de6.153c14344ccda28d2c2106cc5b5a8e4d",
"name": "ownership-reviews-july-DBUM",
"displayName": "ownership-reviews-july-DBUM",
"type": "DBUM"
}
}
]
}
Note the Access Bundle ID for creating an access request.
Step 4: Create an Access Request for an Identity
Create a self-service access request for one or more identities using the details extracted in the steps above. In this example, we raise the request for an identity that doesn't match the conditions given in the Access Guardrail, so the Access Request fails.
Sample cURL
curl -i -X \
POST \
-H \
"Authorization:Bearer <your access token>" \
-H \
"Content-Type:application/json" \
-d \
'{
"justification": "UA Request test",
"createdBy": "globalId.125123c3-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"accessBundles": [
"4343289f-928d-4255-abbe-2d76e639d38e"
],
"identities": [
"globalId.OCI.bd49ff2a-5c47-4242-8975-9ba235fbb0ec.9f6e4161d84394960469c2af598b63d4"
],
"accountProfileDetails": [
{
"accountProfileId": "84321700-1a93-4cf2-9226-3f4c26fd9768",
"identitySpecific": true,
"accountAttributes": [
{
"name": "defaultTablespaceQuotaInMB",
"values": [
"100"
],
"children": [],
"isQuestion": true
}
],
"identityAccountAttributesDetails": [
{
"identityId": "globalId.OCI.bd49ff2a-xxxx-4242-8975-xxx235fbb0ec.9f6e4161d84394960469c2af598b63d4",
"accountAttributes": [
{
"name": "defaultTablespaceQuotaInMB",
"values": [
"40"
]
}
]
}
]
}
]
}' \
'${service-instance-url}/access-governance/access-controls/20250331/accessRequests'
Sample POST Command using REST Client
Authorization | Bearer <your access token> |
Content-Type | application/json |
${si}/access-governance/access-controls/${version}/accessRequests
Sample Request Body
{
"justification": "UA Access Guardrails Test - High-Risk Violation",
"createdBy": "globalId.125123c3-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"accessBundles": [
"4343289f-xxxx-4255-abbe-2d76e639d38e"
],
"identities": [
"globalId.OCI.bd49ff2a-xxxx-4242-8975-9ba235fbb0ec.9f6e4161d84394960469c2af598b63d4"
],
"accountProfileDetails": [
{
"accountProfileId": "84321700-1a93-4cf2-9226-3f4c26fd9768",
"identitySpecific": true,
"accountAttributes": [
{
"name": "defaultTablespaceQuotaInMB",
"values": [
"100"
],
"children": [],
"isQuestion": true
}
],
"identityAccountAttributesDetails": [
{
"identityId": "globalId.OCI.bd49ff2a-xxxx-4242-8975-xxx235fbb0ec.9f6e4161d84394960469c2af598b63d4",
"accountAttributes": [
{
"name": "defaultTablespaceQuotaInMB",
"values": [
"40"
]
}
]
}
]
}
]
}
Sample Response Body
You should receive a 200 response code, with the following response body:
{
"id": "4eb12922-7b6c-4654-xxxx-a795a5e29e62",
"justification": "UA Access Guardrails Test - High-Risk Violations",
"requestStatus": "PENDING_APPROVALS",
"timeCreated": "2025-04-28T08:55:09.285Z",
"timeUpdated": "2025-04-28T08:55:09.285Z",
"createdBy": "globalId.125123c3-xxxx-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"permissionRoles": [
],
"accessBundles": [
{
"id": "4343289f-xxxx-4255-abbe-2d76e639d38e",
"name": "DBUM Standard SQL Tuning Access UA 7",
"displayName": "DBUM Standard SQL Tuning Access UA 7",
"accountProfileId": "84321700-xxxx-4cf2-9226-3f4c26fd9768"
}
],
"identities": [
{
"id": "globalId.OCI.bd49ff2a-xxxx-4242-8975-9ba235fbb0ec.9f6e4161d84394960469c2af598b63d4",
"name": "Adam Steve",
"displayName": "Adam Steve",
"owners": null
}
],
"attributes": {
"orchestratedSystemAttributes": null
},
"approvalRequests": null
}
Get Details of an Access Request
You can check the status of the access request that you just created by calling the following endpoint:
GET ${service-instance-url}/access-governance/access-controls/${versionId}/accessRequests/${accessRequestId}
If a high-risk violation is triggered, the request status is Failed:
{
"id": "4eb12922-7b6c-4654-xxxx-a795a5e29e62",
"justification": "UA Access Guardrails Test - High-Risk Violations",
"requestStatus": "FAILED",
"timeCreated": "2025-04-28T08:55:09.285Z",
"timeUpdated": "2025-04-28T08:55:09.285Z",
"createdBy": "globalId.125123c3-eedc-4d6a-xxxx-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"permissionRoles": [
],
"accessBundles": [
{
"id": "4343289f-928d-xxxx-abbe-2d76e639d38e",
"name": "DBUM Standard SQL Tuning Access UA 7",
"displayName": "DBUM Standard SQL Tuning Access UA 7",
"accountProfileId": "84321700-1a93-4cf2-9226-3f4c26fd9768"
}
],
"identities": [
{
"id": "globalId.OCI.bd49ff2a-xxxx-4242-8975-9ba235fbb0ec.9f6e4161d84394960469c2af598b63d4",
"name": "Adam Steve",
"displayName": "Adam Steve",
"owners": null
}
],
"attributes": {
},
"approvalRequests": [
{
"id": "INPROGRESS_abdef814-xxxx-472d-8387-974013591139",
"requestor": "Amel Maclead",
"beneficiary": "Adam Steve",
"beneficiaryEmail": "Adam Steve.example.com",
"status": "FAILED",
"assignmentName": "DBUM Standard SQL Tuning Access UA 7",
"assignmentType": "ACCESS_BUNDLE",
"assignmentDescription": "DBUM AB UA API",
"requestType": "NO_WORKFLOW",
"timeUpdated": "2025-04-28T08:55:09.285Z",
"failedDueToAccessGuardrailViolations": true
}
]
}
Get Details of an Access Request with Approved Status and No Violations Raised
If you raise a request for an identity that satisfies the conditions defined in the Access Guardrail, no violations are raised and the request follows the approval workflow. In this case, the request is Approved because no approval workflow was required for this access bundle.
{
"id" : "428c4xxx55c-163c-4ca7-aecb-a6c9da6da507",
"justification" : "Request Access to Access Bundles Violation Passed",
"requestStatus" : "APPROVED",
"timeCreated" : "2025-04-28T09:12:14.761Z",
"timeUpdated" : "2025-04-28T09:12:14.761Z",
"createdBy" : "globalId.1251xxx23c3-eedc-4d6a-b6d4-6c0f6537bad2.18.02e36bbb4b201421b44aa046b3ceb16a",
"permissionRoles" : [ ],
"accessBundles" : [ {
"id" : "43432xxx89f-928d-4255-abbe-2d76e639d38e",
"name" : "DBUM Standard SQL Tuning Access UA 7",
"displayName" : "DBUM Standard SQL Tuning Access UA 7",
"accountProfileId" : "84321xxx700-1a93-4cf2-9226-3f4c26fd9768"
} ],
"identities" : [ {
"id" : "globalId.1251xxx23c3-eedc-4d6a-b6d4-6c0f6537bad2.55045.02e36bbb4b201421b44aa046b3ceb16a",
"name" : "Bill Clark",
"displayName" : "Bill Clark",
"owners" : null
} ],
"attributes" : { },
"approvalRequests" : [ {
"id" : "NOWORKFLOW_cea6xxx6f6b-d372-47c5-8755-0a05cf04fe14",
"requestor" : "Ama Maclead",
"beneficiary" : "Bill Clark",
"beneficiaryEmail" : "bill.clark@oracle.com",
"status" : "APPROVED",
"assignmentName" : "DBUM Standard SQL Tuning Access UA 7",
"assignmentType" : "ACCESS_BUNDLE",
"assignmentDescription" : "DBUM AB UA API",
"requestType" : "NO_WORKFLOW",
"timeUpdated" : "2025-04-28T09:12:14.761Z",
"failedDueToAccessGuardrailViolations" : false
} ]
}
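The create response in Step 4 returns PENDING_APPROVALS with approvalRequests set to null, so a guardrail block only becomes visible in the Get Details response. The following added example (not part of the Oracle documentation or API client) polls for that response and separates guardrail blocks from other outcomes. The names fetch_detail and replay are hypothetical stand-ins for the GET call, the sample responses are constructed and trimmed from the ones above, and treating every status other than PENDING_APPROVALS as settled is an assumption.

```python
import time


def blocked_by_guardrail(detail):
    """Return (beneficiary, assignmentName) for each item failed by an Access Guardrail."""
    items = detail.get("approvalRequests") or []  # null in the create response
    return [(a.get("beneficiary"), a.get("assignmentName"))
            for a in items
            if a.get("failedDueToAccessGuardrailViolations") is True]


def classify(detail):
    """Map a Get Details response to one outcome label."""
    status = detail.get("requestStatus")
    if status == "PENDING_APPROVALS":
        return "PENDING"
    if blocked_by_guardrail(detail):
        return "BLOCKED_BY_GUARDRAIL"
    if status == "FAILED":
        return "FAILED_OTHER"  # failed, but no guardrail flag on any item
    return status  # for example APPROVED


def wait_for_outcome(fetch_detail, request_id, attempts=5, delay=0.0):
    """Poll Get Details until the request leaves PENDING_APPROVALS (assumed non-terminal)."""
    detail = {}
    for _ in range(attempts):
        detail = fetch_detail(request_id)
        if classify(detail) != "PENDING":
            break
        time.sleep(delay)
    return classify(detail), blocked_by_guardrail(detail)


# Constructed samples, trimmed from the response shapes shown on this page.
CREATED = {"id": "req-1", "requestStatus": "PENDING_APPROVALS", "approvalRequests": None}
BLOCKED = {"id": "req-1", "requestStatus": "FAILED", "approvalRequests": [
    {"beneficiary": "Adam Steve", "assignmentName": "DBUM Standard SQL Tuning Access UA 7",
     "status": "FAILED", "failedDueToAccessGuardrailViolations": True}]}
APPROVED = {"id": "req-2", "requestStatus": "APPROVED", "approvalRequests": [
    {"beneficiary": "Bill Clark", "assignmentName": "DBUM Standard SQL Tuning Access UA 7",
     "status": "APPROVED", "failedDueToAccessGuardrailViolations": False}]}


def replay(*responses):
    """Hypothetical stand-in for the GET call: yields the responses in order, repeating the last."""
    queue = list(responses)
    return lambda request_id: queue.pop(0) if len(queue) > 1 else queue[0]


if __name__ == "__main__":
    print(wait_for_outcome(replay(CREATED, CREATED, BLOCKED), "req-1"))
    print(wait_for_outcome(replay(APPROVED), "req-2"))
```

In a real integration, fetch_detail would issue the GET request shown above with the bearer token and return the parsed JSON body.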