Requests

Quick navigation

• GET Requests
• POST Requests
• POST Aliases/{aliasId}/Requests
• PUT Requests/{id}/Checkin
• PUT Requests/{id}/Approve
• PUT Requests/{id}/Deny
• PUT Requests/{id}/RotateOnCheckin

For more information on related topics, please see Credentials.

GET Requests

Purpose

Lists requests for the current user.

Query parameters

• status: (optional, default: all) Status of requests to return.
  • all: Both active and pending requests.
  • active: Requests that have been approved (including auto-approved).
  • pending: Requests that have not yet been approved.
• queue: (optional, default: req): Type of request queue to return.
  • req: Requestor queue, returns requests available to the user as a requestor.
  • app: Approver queue, returns requests for an approver or requestor/approver that have either been approved by the user (active) or have not yet been approved (pending).

Request body

None.

Response body

Content-Type: application/json

[
    {
        RequestID: int,
        SystemID: int,
        SystemName: string,
        AccountID: int,
        AccountName: string,
        DomainName: string,
        AliasID: int,
        ApplicationID: int,
        RequestReleaseDate: date-formatted string,
        ApprovedDate: date-formatted string,
        ExpiresDate: date-formatted string,
        Status: string,
        AccessType: string,
        Reason: string
    },
    …
]

Response codes

• 200 – Request successful. Requests in the response body.
• 403 – Access forbidden. Response body contains a message or status code indicating the reason for this forbidden access:
  • 4033 – Approver Only API or account. Only Approvers can access this API or account.

For more information, please see Common response codes.

POST Requests

Purpose

Creates a new release request.

Required roles

• Requestor or requestor/approver role to managed account referenced by ID

For information on ISA role access, please see ISA requests.

Request body

Content-Type: application/json

{
    AccessType: string,
    SystemID: int,
    AccountID: int,
    ApplicationID: int, // can be null
    DurationMinutes : int,
    Reason : string,
    AccessPolicyScheduleID : int, // can be null
    ConflictOption : string,
    TicketSystemID : int,
    TicketNumber : string,
    RotateOnCheckin: bool
}

Request body details

• AccessType: (optional, default: View) The type of access requested (View, RDP, SSH, App).
  • View: View Password access.
  • RDP: RDP access (corresponds to POST Sessions SessionType RDP or rdpfile).
  • SSH: SSH access (corresponds to POST Sessions SessionType SSH).
  • App: Application access (corresponds to POST Sessions SessionType App or appfile).
• SystemID: (required) ID of the managed system to request.
• AccountID: (required) ID of the managed account to request.
• ApplicationID: (required when AccessType=App): ID of the application for an application-based request.
• DurationMinutes: (required: 1-525600) The request duration (in minutes).
• Reason: (optional) The reason for the request.
• AccessPolicyScheduleID: (optional) The schedule ID of an access policy to use for the request. If omitted, automatically selects the best schedule.
• ConflictOption: (optional) The conflict resolution option to use if an existing request is found for the same user, system, and account (reuse, renew). If omitted and a conflicting request is found, returns a 409 code (see below).
  • reuse: Returns an existing, approved request ID for the same user/system/account/access type (if one exists). If the request does not already exist, creates a new request using the request body details.
  • renew: Cancels any existing approved requests for the same user/system/account and creates a new request using the request body details.
• TicketSystemID: ID of the ticket system. If omitted, then default ticket system will be used.
• TicketNumber: Number of associated ticket. Can be required if ticket system is marked as required in the access policy used. Max string length is 20.
• RotateOnCheckin: (optional, default: true) True to rotate the credentials on check-in/expiry, otherwise false. This property can only be used if the access policy (either auto-selected or given in AccessPolicyScheduleID) supports it.

In reference to RotateOnCheckin, If the Managed Account given in AccountID does not rotate the credentials after check-in/expiry, this setting is ignored.

For more information, please see the Allow API Rotation Override access policy setting under View access.

Response body

{
    RequestID: int
}

Response codes

• 200 – Existing request is being reused. Existing request ID in the response body.
• 201 – Request successful. Request ID in the response body.
• 403 – User does not have permissions to request the indicated account or the account does not have API access enabled. Response body contains a status code indicating the reason for this forbidden access:
  • 4031 – User does not have permission to request the account or the account is not valid for the system.
  • 4033 – Approver Only API or account. Only Approvers can access this API or account.
  • 4035 - Not enough Approvers configured to approve a request.
• 409 – Conflicting request exists. This user or another user has already requested a password for the specified account within the next <durationMinutes> window.

For more information, please see Common response codes.

POST Aliases/{aliasId}/Requests

Purpose

Creates a new release request using an alias.

Required roles

Requestor or requestor/approver role to managed account referenced by the alias.

URL parameters

aliasId: ID of the managed account alias.

Request body

Content-Type: application/json

{
    AccessType: string,
    DurationMinutes : int,
    Reason : string,
    AccessPolicyScheduleID : int, // can be null
    ConflictOption : string,
    TicketSystemID : int,
    TicketNumber : string,
    RotateOnCheckin: bool
}

Request body details

• AccessType: (optional, default: View) The type of access requested (View, RDP, SSH, App).
  • View: View password access.
  • RDP: RDP access (corresponds to POST Sessions SessionType RDP or rdpfile).
  • SSH: SSH access (corresponds to POST Sessions SessionType SSH).
• DurationMinutes: (required: 1-525600): The request duration (in minutes).
• Reason: (optional) The reason for the request.
• AccessPolicyScheduleID: (optional) The schedule ID of an access policy to use for the request. If omitted, automatically selects the best schedule.
• ConflictOption: (optional) The conflict resolution option to use if an existing request is found for the same user, system, and account (reuse, renew). If omitted and a conflicting request is found, returns a 409 (see below).
  • reuse: Return an existing, approved request ID for the same user/system/account/access type (if one exists). If the request does not already exist, creates a new request using the request body details.
  • renew: Cancel any existing approved requests for the same user/system/account and create a new request using the request body details.
• TicketSystemID: ID of the ticket system. If omitted then default ticket system is used.
• TicketNumber: Number of associated ticket. Can be required if ticket system is marked as required in the access policy used. Max string length is 20.
• RotateOnCheckin: (optional, default: true) True to rotate the credentials on check-in/expiry, otherwise false. This property can only be used if the access policy (either auto-selected or given in AccessPolicyScheduleID) supports it. If the managed account given in AccountID does not rotate the credentials after check-in/expiry, this setting is ignored.

For more information, please see the Allow API Rotation Override access policy setting under View access.

Response body

{
    RequestID: int
}

Response codes

• 200 – Existing request is being reused. Existing request ID in the response body.
• 201 – Request successful. Request ID in the response body.
• 403 – User does not have permissions to request the indicated alias or the account referenced by the alias does not have API access enabled. Response body contains a status code indicating the reason for this forbidden access:
  • 4031 – User does not have permission to request the account or the account is not valid for the system.
  • 4033 – Approver Only API or account. Only Approvers can access this API or account.
  • 4035 - Not enough approvers configured to approve a request.
• 409 – Conflicting request exists. This user or another user has already requested a password for the specified account within the next <durationMinutes> window.

For more information, please see Common response codes.

PUT Requests/{id}/Checkin

Alternate URI (deprecated)

PUT Requests/Release/{id}

Purpose

Checks-in/releases a request before it has expired.

Required roles

Requestor role to managed account referenced by the request.

URL parameters

id: ID of the request to check-in/release.

Request body

Content-Type: application/json

{
    Reason : string
}

Request body details

Reason: (optional) A reason or comment why the request is being released. Max string length is 1000.

Response body

None.

Response codes

• 204 – Request successful. No content in body.
• 403 – User does not have permissions to release the indicated request or the associated account does not have API access enabled. Message or status code in response body:
  • 4031 – User does not have permission to release a password.
  • 4034 – Request is not yet approved.

For more information, please see Common response codes.

PUT Requests/{id}/Approve

Purpose

Approves a pending request.

Required roles

Approver or requestor/approver role to managed account referenced by the request.

URL parameters

id: ID of the request to approve.

Request body

Content-Type: application/json

{
    Reason : string
}

Request body details

Reason: (optional) A reason or comment why the request is being approved. Max string length is 1000.

Response body

None.

Response codes

• 204 – Request successful. No content in body.
• 403 – User does not have permissions to approve the indicated request or the associated account does not have API access enabled. Message or status code in response body:
  • 4033 – Approver only - User cannot approve his or her own request.
  • 4036 – Request has been approved already.

For more information, please see Common response codes.

PUT Requests/{id}/Deny

Purpose

Denies/cancels an active or pending request.

Required roles

Approver or requestor/approver role to managed account referenced by the request.

URL parameters

id: ID of the request to deny/cancel.

Request body

Content-Type: application/json

{
    Reason : string
}

Request body details

Reason: (optional) A reason or comment why the request is being denied/cancelled. Max string length is 1000.

Response body

None.

Response codes

• 204 – Request successful. No content in body.
• 403 – User does not have permissions to deny the indicated request or the associated account does not have API access enabled. Message or status code in response body:
• 4033 – Approver only - User cannot deny his or her own request.

For more information, please see Common response codes.

PUT Requests/{id}/RotateOnCheckin

Purpose

Updates a request to rotate the credentials on check-in/expiry.

If POST Requests RotateOnCheckin=false, this updates the request to true. If POST Requests RotateOnCheckin=true, the request is not modified.

Requirements

• Current user must be the owner of the request.
• Request must not be cancelled or expired.

URL parameters

id: ID of the request to update.

Request body

None.

Response body

None.

Response codes

204 – Request successful. No content in body.

For more information, please see Common response codes.