Time-Bound Access
Create an access bundle with a time limit task. Approver can request the request. Once the access is provisioned, the user can request an extension for it.
Create an Access Bundle with Time Limit Access
In this example, we will raise a request for a Database User Management (DBUM)-specific Access Bundle that is limited to a number of hours.
- List all Orchestrated Systems - [GET] {BasePath}/orchestratedSystem
- List all Permissions for an Orchestrated System - [GET] {BasePath}/orchestratedSystem/{id}/permissions
- Find Permission Attributes for an Orchestrated System - [POST] {BasePath}/orchestratedSystem/{id}/permissionAttributes
- List all Lookup values for a given Lookup Type - [GET] {BasePath}/orchestratedSystem/{id}/lookupAttributes?lookupType=<lookupType>
- List all Account Profiles for an Orchestrated System - [GET] {BasePath}/orchestratedSystem/{id}/accountProfiles
- List all Approval Workflows - [GET] {BasePath}/approvalWorkflows
Step 1: Create an Access Bundle and time limit task
In this request, create an access bundle with the time limit task.
Sample Curl for Creating an Access Bundle with Time Bound Access
curl -i -X POST \
-H "Authorization:Bearer <your access token>" \
-H "Content-Type:application/json" \
-d \
'{
"name": "DBUM Standard SQL Tuning Access time limit",
"displayName": "DBUM AB UA API - Time limit",
"description": "DBUM AB UA API - Time Limit",
"tags": ["DBUM UA"],
"owners": [
{
"id": "globalId.8d51efxx-ab68-4f09-ae89-7bcc0fxxxxxxxx",
"name": "Amel Maclead",
"isPrimary": true
}
],
"requestableBy": "ANY",
"approvalWorkflowId": "NO_APPROVAL_REQUIRED",
"orchestratedSystemId": "180a797x-a20b-4ebf-b7b1-xxxxxxxxxxxx",
"accessBundleType": "PERMISSION_BUNDLE",
"verb": "string",
"items": [
{
"id": "privileges.ICF.180a797x-a20b-4ebf-b7b1-xxxxxxxxxxxx",
"name": "ADMINISTER ANY SQL TUNING SET"
}
],
"externalId": null,
"domainName": null,
"resourceType": null,
"accountProfileId": "eadea6xx-ad32-47ef-a69f-xxxxxxxxxxxx",
"accountProfileName": "Profile_other",
"orchestratedSystemAttributes": {
"accountAttributes": [],
"permissionAttributes": [
{
"name": "privileges.ICF.180a797x-a20b-4ebf-b7b1-xxxxxxxxxxxx",
"type": "RepeatableFieldSet",
"title": null,
"values": ["ADMINISTER ANY SQL TUNING SET"],
"children": [
{
"items": [
{
"name": "privilegeAdminOption",
"title": "Privilege admin option",
"values": ["YES"],
"children": [],
"lookupType": "withAdminOption",
"permissionType": null,
"discriminator": null
}
]
}
],
"discriminator": null,
"isQuestion": true
}
]
},
"customAttributes": {},
"autoApproveIfNoViolation": false,
"accessTimeLimitType": "NUMBER_OF_HOURS",
"accessTimeLimit": {
"hoursLimit": {
"accessLimitInHours": 24,
"notificationInHours": 1,
"extensionInHours": 6,
"extensionApprovalWorkflowId": {
"id": "Guid_03f0exxx-129a-43dc-a8e9-xxxxxxxxxxxx",
"name": "Custom_WF_Amel Maclead",
"displayName": "Custom_WF_Amel Maclead"
}
}
}
}' \
'${service-instance-url}/access-governance/access-controls/20250331/accessBundles'
Sample Request Payload for Creating an Access Bundle with Time Limit Task
{
"name": "DBUM Standard SQL Tuning Access time limit",
"displayName": "DBUM AB UA API - Time limit",
"description": "DBUM AB UA API - Time Limit",
"tags": ["DBUM UA"],
"owners": [
{
"id": "globalId.8d51efxx-ab68-4f09-ae89-7bcc0fxxxxxxxx",
"name": "Amel Maclead",
"isPrimary": true
}
],
"requestableBy": "ANY",
"approvalWorkflowId": "NO_APPROVAL_REQUIRED",
"orchestratedSystemId": "180a797x-a20b-4ebf-b7b1-xxxxxxxxxxxx",
"accessBundleType": "PERMISSION_BUNDLE",
"verb": "string",
"items": [
{
"id": "privileges.ICF.180a797x-a20b-4ebf-b7b1-xxxxxxxxxxxx",
"name": "ADMINISTER ANY SQL TUNING SET"
}
],
"externalId": null,
"domainName": null,
"resourceType": null,
"accountProfileId": "eadea6xx-ad32-47ef-a69f-xxxxxxxxxxxx",
"accountProfileName": "Profile_other",
"orchestratedSystemAttributes": {
"accountAttributes": [],
"permissionAttributes": [
{
"name": "privileges.ICF.180a797x-a20b-4ebf-b7b1-xxxxxxxxxxxx",
"type": "RepeatableFieldSet",
"title": null,
"values": ["ADMINISTER ANY SQL TUNING SET"],
"children": [
{
"items": [
{
"name": "privilegeAdminOption",
"title": "Privilege admin option",
"values": ["YES"],
"children": [],
"lookupType": "withAdminOption",
"permissionType": null,
"discriminator": null
}
]
}
],
"discriminator": null,
"isQuestion": true
}
]
},
"customAttributes": {},
"autoApproveIfNoViolation": false,
"accessTimeLimitType": "NUMBER_OF_HOURS",
"accessTimeLimit": {
"hoursLimit": {
"accessLimitInHours": 24,
"notificationInHours": 1,
"extensionInHours": 6,
"extensionApprovalWorkflowId": {
"id": "Guid_03f0exxx-129a-43dc-a8e9-xxxxxxxxxxxx",
"name": "Custom_WF_Amel Maclead",
"displayName": "Custom_WF_Amel Maclead"
}
}
}
}
Sample Response
You should receive a 200 response code, with the following response body:
{
"id": "20f536xx-f8c1-40f5-98f7-6fc0e2xxxxxx",
"name": "DBUM Standard SQL Tuning Access time limit",
"displayName": "DBUM AB UA API - Time limit",
"description": "DBUM AB UA API - Time Limit",
"tags": ["DBUM UA"],
"timeCreated": "2025-06-16T06:44:xx.xxxZ",
"timeUpdated": "2025-06-16T06:44:xx.xxxZ",
"createdBy": {
"id": "88b969xxce3446539535704800xxxxxx",
"name": "88b969xxce3446539535704800xxxxxx",
"displayName": "88b969xxce3446539535704800xxxxxx"
},
"updatedBy": {
"id": "88b969xxce3446539535704800xxxxxx",
"name": "88b969xxce3446539535704800xxxxxx",
"displayName": "88b969xxce3446539535704800xxxxxx"
},
"owners": [
{
"id": "globalId.8d51efxx-ab68-4f09-ae89-7bcc0fxxxxxxxx",
"name": "Amel Maclead",
"isPrimary": true
}
],
"externalId": "ocid1.agcsgovernanceinstance.oc1.iad.amaaaaaaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"accountProfileId": "eadea6xx-ad32-47ef-a69f-94dfa2xxxxxxxx",
"accountProfileName": "Profile_other",
"permissions": [
{
"id": "privileges.ICF.180a797xx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "ADMINISTER ANY SQL TUNING SET",
"timeCreated": "2025-02-12T11:48:xx.xxxZ",
"resource": {
"id": "resource.ICF.180a797xx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "DBUM OnBoard QA",
"displayName": "DBUM OnBoard QA"
}
}
],
"accessTimeLimit": {
"hoursLimit": {
"accessLimitInHours": 24,
"notificationInHours": 1,
"extensionInHours": 6,
"extensionApprovalWorkflowId": {
"id": "Guid_03f0eaxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "Custom_WF_Amel Maclead",
"displayName": "Custom_WF_Amel Maclead"
}
}
}
}
Note the Access Bundle ID for creating an access request.
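The following pre-flight check is an added example, not part of the original page or of the product. It reviews the Step 1 payload before it is sent; the rules are this example's own local review policy (an assumption), not validation that the API performs, and the workflow ID in the sample is a placeholder.

```python
def lint_time_bound_bundle(bundle: dict) -> list:
    """Review findings for a bundle payload. Local policy, not rules the API enforces."""
    hours = (bundle.get("accessTimeLimit") or {}).get("hoursLimit") or {}
    if bundle.get("accessTimeLimitType") != "NUMBER_OF_HOURS" or not hours:
        return ["no hour-based time limit configured"]
    findings = []
    limit = hours.get("accessLimitInHours") or 0
    notify = hours.get("notificationInHours") or 0
    if limit <= 0:
        findings.append("accessLimitInHours must be a positive number")
    elif notify >= limit:
        findings.append("notificationInHours is not shorter than the access window")
    workflow = hours.get("extensionApprovalWorkflowId") or {}
    if hours.get("extensionInHours") and not workflow.get("id"):
        findings.append("extension allowed without an extension approval workflow")
    if (bundle.get("approvalWorkflowId") == "NO_APPROVAL_REQUIRED"
            and bundle.get("requestableBy") == "ANY"):
        findings.append("requestableBy ANY with NO_APPROVAL_REQUIRED: "
                        "no approval step before the grant")
    attrs = (bundle.get("orchestratedSystemAttributes") or {}).get("permissionAttributes") or []
    for attr in attrs:
        for child in attr.get("children") or []:
            for item in child.get("items") or []:
                if (item.get("name") == "privilegeAdminOption"
                        and "YES" in (item.get("values") or [])):
                    privilege = ", ".join(attr.get("values") or [])
                    findings.append(f"{privilege}: admin option lets the grantee re-grant it")
    return findings

# Constructed sample: the Step 1 payload reduced to the fields the checks read.
SAMPLE = {
    "requestableBy": "ANY",
    "approvalWorkflowId": "NO_APPROVAL_REQUIRED",
    "orchestratedSystemAttributes": {"permissionAttributes": [{
        "values": ["ADMINISTER ANY SQL TUNING SET"],
        "children": [{"items": [{"name": "privilegeAdminOption", "values": ["YES"]}]}],
    }]},
    "accessTimeLimitType": "NUMBER_OF_HOURS",
    "accessTimeLimit": {"hoursLimit": {
        "accessLimitInHours": 24, "notificationInHours": 1, "extensionInHours": 6,
        "extensionApprovalWorkflowId": {"id": "<extension-workflow-id>"},  # placeholder
    }},
}

if __name__ == "__main__":
    for finding in lint_time_bound_bundle(SAMPLE):
        print("REVIEW:", finding)
```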
Step 2: Create an Access Request with Time Limit Access
Create a self-service access request for one or more identities for a limited number of hours. In this example, we will raise a request for an identity to grant time-bound access.
Sample cURL
curl -i -X POST \
-H "Authorization:Bearer <your access token>" \
-H "Content-Type:application/json" \
-d \
'{
"justification": "time limit access 24 hours",
"createdBy": "globalId.8d51efbf-ab68-4fxx-ae89-7bcc0f9dexxbe.18.a84836862e0958ba29e9002afd63a7xx",
"accessBundles": ["20f536xx-f8c1-40f5-98f7-6fc0e2xx4bef"],
"identities": ["globalId.ICF.f9b1ccf2-5c61-4b4c-8f48-629ebxxx0b29.a7344253305c07c09062e31b13a7xxca"],
"accountProfileDetails": [],
"accessLimitDataDetails": [
{
"accessBundleId": "20f536xx-f8c1-40f5-98f7-6fc0e2xx4bef",
"isIdentitySpecific": false,
"accessLimitDataInfo": {
"accessLimitType": "NUMBER_OF_HOURS",
"accessLimitData": {
"daysConfig": null,
"hoursConfig": {
"expirationInHours": 24,
"notificationInHours": 1,
"extensionInHours": 6,
"extensionApprovalWorkflowId": {
"id": "Guid_03f0eacc-129x-43dc-a8e9-76c884d078x4",
"name": null,
"displayName": null
}
},
"dateTimeConfig": null
}
},
"identityAccessLimitDetails": [
{
"identityId": "globalId.ICF.f9b1ccf2-5c61-4b4c-8f48-629ebxxx0b29.a7344253305c07c09062e31b13a7xxca",
"accessLimitDataInfo": {
"accessLimitType": "NUMBER_OF_HOURS",
"accessLimitData": {
"daysConfig": null,
"hoursConfig": {
"expirationInHours": 24,
"notificationInHours": 1,
"extensionInHours": 6,
"extensionApprovalWorkflowId": {
"id": "Guid_03f0eacc-129x-43dc-a8e9-76c884d078x4"
}
},
"dateTimeConfig": null
}
}
}
]
}
]
}' \
'${service-instance-url}/access-governance/access-controls/20250331/accessRequests'
Sample POST Command using REST Client
POST ${si}/access-governance/access-controls/${version}/accessRequests
Headers:
Authorization | Bearer <your access token>
Content-Type | application/json
Sample Request Body
{
"justification": "time limit access 24 hours",
"createdBy": "globalId.8d51efbf-ab68-4fxx-ae89-7bcc0f9dexxbe.18.a84836862e0958ba29e9002afd63a7xx",
"accessBundles": ["20f536xx-f8c1-40f5-98f7-6fc0e2xx4bef"],
"identities": ["globalId.ICF.f9b1ccf2-5c61-4b4c-8f48-629ebxxx0b29.a7344253305c07c09062e31b13a7xxca"],
"accountProfileDetails": [],
"accessLimitDataDetails": [
{
"accessBundleId": "20f536xx-f8c1-40f5-98f7-6fc0e2xx4bef",
"isIdentitySpecific": false,
"accessLimitDataInfo": {
"accessLimitType": "NUMBER_OF_HOURS",
"accessLimitData": {
"daysConfig": null,
"hoursConfig": {
"expirationInHours": 24,
"notificationInHours": 1,
"extensionInHours": 6,
"extensionApprovalWorkflowId": {
"id": "Guid_03f0eacc-129x-43dc-a8e9-76c884d078x4",
"name": null,
"displayName": null
}
},
"dateTimeConfig": null
}
},
"identityAccessLimitDetails": [
{
"identityId": "globalId.ICF.f9b1ccf2-5c61-4b4c-8f48-629ebxxx0b29.a7344253305c07c09062e31b13a7xxca",
"accessLimitDataInfo": {
"accessLimitType": "NUMBER_OF_HOURS",
"accessLimitData": {
"daysConfig": null,
"hoursConfig": {
"expirationInHours": 24,
"notificationInHours": 1,
"extensionInHours": 6,
"extensionApprovalWorkflowId": {
"id": "Guid_03f0eacc-129x-43dc-a8e9-76c884d078x4"
}
},
"dateTimeConfig": null
}
}
}
]
}
]
}
Sample Response Body
You should receive a 200 response code, with the following response body:
{
"id": "691422xx-a9d0-4e5a-b1xx-504faa82c6xx",
"justification": "time limit access 24 hours",
"requestStatus": "IN_PROGRESS",
"timeCreated": "2025-06-16T09:1x:52.793Z",
"timeUpdated": "2025-06-16T09:1x:52.793Z",
"createdBy": "clientId.External App for Local Dev.88b96xxece34465395357xx80031e7d0",
"permissionRoles": [],
"accessBundles": [
{
"id": "20f536xx-f8c1-40f5-98f7-6fc0e2xx4bef",
"name": "DBUM Standard SQL Tuning Access time limit",
"displayName": "DBUM Standard SQL Tuning Access time limit",
"accountProfileId": "eadea697-adxx-47ef-a6xx-94dfa2e8xx74"
}
],
"identities": [
{
"id": "globalId.ICF.f9b1ccf2-5cxx-4b4c-8f48-629ebxxx0b29.a7344253305c07c09062e31b13a7xxca",
"name": "Adam",
"displayName": "Steve",
"owners": null
}
],
"attributes": {
"orchestratedSystemAttributes": null
},
"approvalRequests": null
}
Step 3: Get Details of an Access Request
You can check the status of the access request that you just created by calling the following endpoint:
GET ${service-instance-url}/access-governance/access-controls/${versionId}/accessRequests/${accessRequestId}
Note the approvalRequestID, which you may need for the extension.
{
"id": "4eb12922-7b6c-4654-xxxx-a795a5e29e62",
"justification": "time limit access 24 hours",
"requestStatus": "IN_PROGRESS",
"timeCreated": "2025-04-28T08:55:09.285Z",
"timeUpdated": "2025-04-28T08:55:09.285Z",
"createdBy": "clientId.External App.18.02e36bbb4b201421b44aa046b3ceb16a",
"permissionRoles": [
],
"accessBundles": [
{
"id": "4343289f-928d-xxxx-abbe-2d76e639d38e",
"name": "DBUM Standard SQL Tuning Access UA 7",
"displayName": "DBUM Standard SQL Tuning Access UA 7",
"accountProfileId": "84321700-1a93-4cf2-9226-3f4c26fd9768"
}
],
"identities": [
{
"id": "globalId.OCI.bd49ff2a-xxxx-4242-8975-9ba235fbb0ec.9f6e4161d84394960469c2af598b63d4",
"name": "Adam Steve",
"displayName": "Adam Steve",
"owners": null
}
],
"attributes": {
},
"approvalRequests": [
{
"id": "b55d0489-3c5f-4feb-8eef-xxdx:1d130fad-4a9b-11f0-bed0-5eb31851a1a7",
"requestor": "Amel Maclead",
"beneficiary": "Adam Steve",
"beneficiaryEmail": "Adam Steve.example.com",
"status": "APPROVED",
"assignmentName": "DBUM Standard SQL Tuning Access UA 7",
"assignmentType": "ACCESS_BUNDLE",
"assignmentDescription": "DBUM AB UA API",
"requestType": "NO_WORKFLOW",
"timeUpdated": "2025-04-28T08:55:09.285Z",
"failedDueToAccessGuardrailViolations": true
}
]
}
Step 4: Request Extension for an Expiring Access
POST ${si}/access-governance/access-controls/20250331/accessRequests/extension
Use the approvalRequestID as the process instance ID (processInstanceId), and provide the timestamp in epoch format, in milliseconds. The extension time should be after the expiration of the access. Use an epoch converter to obtain the timestamp.
Sample Request Body
{
"processInstanceId": "9da38df2-7738-xxx-9128-55e271e7ff34:93bd3f4c-xxx-11f0-a199-46069f5cec74",
"extensionDateInEpoch": 1750179992000,
"justification": "Extension till June 16 4:30pm"
}
Sample Response Body
{
"id": "5996aa34-825f-4569-xxx-a0b2c4b64c7a",
"processInstanceId": "9da38df2-xxx-45eb-9128-55e271e7ff34:93bd3f4c-4ab3-11f0-a199-46069f5cec74",
"extensionDateInEpoch": 1750179992000,
"justification": "Extension till June 17 5:06:32 PM",
"requestStatus": "APPROVED",
"timeCreated": "2025-06-15T13:42:06.644Z",
"timeUpdated": "2025-06-16T13:42:06.644Z",
"createdBy": "clientId.External.88b9690ece344xxx53570480031e7d0"
}
Use the same Access Request ID as in Step 3 to view extension request details. Use the Approvals API to act on approvals.
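The following helper is an added example, not part of the original page or of the product. It builds the Step 4 extension body and checks that the requested time falls after the expiry, in epoch milliseconds. It assumes the caller knows when the access was provisioned, that expiry is that time plus accessLimitInHours, and that extensionInHours is the longest extension allowed past expiry; the timestamps and the process instance ID are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2025-06-16T11:06:32Z; reject naive values."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {ts}")
    return dt.astimezone(timezone.utc)

def looks_like_seconds(epoch_value: int) -> bool:
    """A 10-digit value is epoch seconds; read as milliseconds it lands in January 1970."""
    return epoch_value < 100_000_000_000

def build_extension_request(process_instance_id, provisioned_at, access_limit_hours,
                            extension_hours, extend_to, justification):
    """Return the extension request body, or raise if the requested time is out of range."""
    expires = parse_utc(provisioned_at) + timedelta(hours=access_limit_hours)
    target = parse_utc(extend_to)
    if target <= expires:
        raise ValueError("extension time must be after the access expires")
    if target > expires + timedelta(hours=extension_hours):
        # Assumption of this example: extensionInHours caps the extension.
        raise ValueError("extension exceeds extensionInHours")
    return {
        "processInstanceId": process_instance_id,
        # Integer arithmetic avoids float rounding when converting to milliseconds.
        "extensionDateInEpoch": (target - EPOCH) // timedelta(milliseconds=1),
        "justification": justification,
    }

if __name__ == "__main__":
    body = build_extension_request(
        "<approvalRequestID>",      # placeholder for the ID noted in Step 3
        "2025-06-16T11:06:32Z",     # constructed provisioning time
        24, 6,                      # accessLimitInHours, extensionInHours from Step 1
        "2025-06-17T17:06:32Z",     # constructed extension target
        "Extension for SQL tuning work",
    )
    print(body)
```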