diff --git a/static/api-specs/idn/sailpoint-api.v3.yaml b/static/api-specs/idn/sailpoint-api.v3.yaml index 772383d50..9442545d3 100644 --- a/static/api-specs/idn/sailpoint-api.v3.yaml +++ b/static/api-specs/idn/sailpoint-api.v3.yaml @@ -854,6 +854,8 @@ paths: $ref: './v3/paths/password-org-config.yaml' /sod-policies: $ref: './v3/paths/sod-policies.yaml' + /sod-policies/{id}: + $ref: './v3/paths/sod-policy.yaml' /sources: $ref: "./v3/paths/sources.yaml" /sources/{id}: diff --git a/static/api-specs/idn/v3/paths/sod-policy.yaml b/static/api-specs/idn/v3/paths/sod-policy.yaml new file mode 100644 index 000000000..c1f9e9cf0 --- /dev/null +++ b/static/api-specs/idn/v3/paths/sod-policy.yaml @@ -0,0 +1,560 @@ +get: + security: + - oauth2: [idn:sod-policy:read] + operationId: getSodPolicy + tags: + - SOD Policy + summary: Get SOD policy by ID + description: >- + This gets specified SOD policy. + + Requires role of ORG_ADMIN. + parameters: + - in: path + name: id + schema: + type: string + required: true + description: The ID of the SOD Policy to retrieve. + example: ef38f943-47e9-4562-b5bb-8424a56397d8 + responses: + '200': + description: SOD policy ID. + content: + application/json: + schema: + $ref: '../schemas/SodPolicy.yaml' + examples: + Conflicting Access Based Policy: + value: + { + "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "name": "Conflicting-Policy-Name", + "created": "2020-01-01T00:00:00.000000Z", + "modified": "2020-01-01T00:00:00.000000Z", + "description": "This policy ensures compliance of xyz", + "ownerRef": { + "type": "IDENTITY", + "id": "2c91808568c529c60168cca6f90c1313", + "name": "Owner Name" + }, + "externalPolicyReference": "XYZ policy", + "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c9180866166b5b0016167c32ef31a68 OR id:2c9180866166b5b0016167c32ef31a69)", + "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee", + "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.", + "state": "ENFORCED", + "tags": [ + "string" + ], + "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "violationOwnerAssignmentConfig": { + "assignmentRule": "MANAGER", + "ownerRef": { + "type": "IDENTITY", + "id": "2c91808568c529c60168cca6f90c1313", + "name": "Violation Owner Name" + } + }, + "scheduled": true, + "type": "CONFLICTING_ACCESS_BASED", + "conflictingAccessCriteria": { + "leftCriteria": { + "name": "money-in", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a66" + }, + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a67" + } + ] + }, + "rightCriteria": { + "name": "money-out", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a68" + }, + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a69" + } + ] + } + } + } + General Policy: + value: + { + "description": "Description", + "ownerRef": { + "type": "IDENTITY", + "id": "2c918087682f9a86016839c05e8f1aff", + "name": "Owner Name" + }, + "externalPolicyReference": "New policy", + "policyQuery": "policy query implementation", + "compensatingControls": "Compensating controls", + "correctionAdvice": "Correction advice", + "tags": [], + "state": "ENFORCED", + "scheduled": false, + "creatorId": "2c918087682f9a86016839c05e8f1aff", + "modifierId": null, + "violationOwnerAssignmentConfig": null, + "type": "GENERAL", + "conflictingAccessCriteria": null, + "id": "52c11db4-733e-4c31-949a-766c95ec95f1", + "name": "General-Policy-Name", + "created": "2020-05-12T19:47:38Z", + "modified": "2020-05-12T19:47:38Z" + } + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '404': + $ref: '../../v3/responses/404.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' +put: + security: + - oauth2: [idn:sod-policy:write] + operationId: setSodPolicy + tags: + - SOD Policy + summary: Update SOD policy by ID + description: >- + This updates a specified SOD policy. + + Requires role of ORG_ADMIN. + parameters: + - in: path + name: id + schema: + type: string + required: true + description: The ID of the SOD policy to update. + example: ef38f943-47e9-4562-b5bb-8424a56397d8 + requestBody: + required: true + content: + application/json: + schema: + $ref: '../schemas/SodPolicy.yaml' + examples: + Conflicting Access Based Policy: + value: + { + "name": "Conflicting-Policy-Name", + "description": "Modified Description", + + "externalPolicyReference": "XYZ policy", + "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee", + "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.", + "state": "ENFORCED", + "tags": [ + "string" + ], + "violationOwnerAssignmentConfig": { + "assignmentRule": "MANAGER", + "ownerRef": { + "type": "IDENTITY", + "id": "2c91808568c529c60168cca6f90c1313", + "name": "Violation Owner Name" + } + }, + "scheduled": true, + "type": "CONFLICTING_ACCESS_BASED", + "conflictingAccessCriteria": { + "leftCriteria": { + "name": "money-in", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a66" + }, + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a67" + } + ] + }, + "rightCriteria": { + "name": "money-out", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a68" + }, + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a69" + } + ] + } + } + } + General Policy: + value: + { + "description": "Modified Description", + "ownerRef": { + "type": "IDENTITY", + "id": "2c918087682f9a86016839c05e8f1aff", + "name": "Owner Name" + }, + "externalPolicyReference": "New policy", + "policyQuery": "policy query implementation", + "compensatingControls": "Compensating controls", + "correctionAdvice": "Correction advice", + "tags": [], + "state": "ENFORCED", + "scheduled": false, + "creatorId": "2c918087682f9a86016839c05e8f1aff", + "modifierId": null, + "violationOwnerAssignmentConfig": null, + "type": "GENERAL", + "conflictingAccessCriteria": null, + "id": "52c11db4-733e-4c31-949a-766c95ec95f1", + "name": "General-Policy-Name", + "created": "2020-05-12T19:47:38Z", + "modified": "2020-05-12T19:47:38Z" + } + responses: + '200': + description: SOD Policy by ID + content: + application/json: + schema: + $ref: '../schemas/SodPolicy.yaml' + examples: + Conflicting Access Based Policy: + value: + { + "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "name": "Conflicting-Policy-Name", + "created": "2020-01-01T00:00:00.000000Z", + "modified": "2020-01-01T00:00:00.000000Z", + "description": "Modified description", + "ownerRef": { + "type": "IDENTITY", + "id": "2c91808568c529c60168cca6f90c1313", + "name": "Owner Name" + }, + "externalPolicyReference": "XYZ policy", + "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c9180866166b5b0016167c32ef31a68 OR id:2c9180866166b5b0016167c32ef31a69)", + "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee", + "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.", + "state": "ENFORCED", + "tags": [ + "string" + ], + "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "violationOwnerAssignmentConfig": { + "assignmentRule": "MANAGER", + "ownerRef": { + "type": "IDENTITY", + "id": "2c91808568c529c60168cca6f90c1313", + "name": "Violation Owner Name" + } + }, + "scheduled": true, + "type": "CONFLICTING_ACCESS_BASED", + "conflictingAccessCriteria": { + "leftCriteria": { + "name": "money-in", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a66" + }, + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a67" + } + ] + }, + "rightCriteria": { + "name": "money-out", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a68" + }, + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a69" + } + ] + } + } + } + General Policy: + value: + { + "description": "Modified Description", + "ownerRef": { + "type": "IDENTITY", + "id": "2c918087682f9a86016839c05e8f1aff", + "name": "Owner Name" + }, + "externalPolicyReference": "New policy", + "policyQuery": "policy query implementation", + "compensatingControls": "Compensating controls", + "correctionAdvice": "Correction advice", + "tags": [], + "state": "ENFORCED", + "scheduled": false, + "creatorId": "2c918087682f9a86016839c05e8f1aff", + "modifierId": null, + "violationOwnerAssignmentConfig": null, + "type": "GENERAL", + "conflictingAccessCriteria": null, + "id": "52c11db4-733e-4c31-949a-766c95ec95f1", + "name": "General-Policy-Name", + "created": "2020-05-12T19:47:38Z", + "modified": "2020-05-12T19:47:38Z" + } + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '404': + $ref: '../../v3/responses/404.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' +delete: + security: + - oauth2: [idn:sod-policy:write] + operationId: deleteSodPolicy + tags: + - SOD Policy + summary: Delete SOD policy by ID + description: >- + This deletes a specified SOD policy. + + Requires role of ORG_ADMIN. + parameters: + - in: path + name: id + schema: + type: string + required: true + description: The ID of the SOD Policy to delete. + example: ef38f943-47e9-4562-b5bb-8424a56397d8 + - in: query + name: logical + schema: + type: boolean + default: true + description: >- + Indicates whether this is a soft delete (logical true) or a hard delete. + Soft delete marks the policy as deleted and just save it with this status. It could be fully deleted or recovered further. + Hard delete vise versa permanently delete SOD request during this call. + example: true + required: false + responses: + '204': + description: No content. + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '404': + $ref: '../../v3/responses/404.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' +patch: + security: + - oauth2: [idn:sod-policy:write] + operationId: patchSodPolicy + tags: + - SOD Policy + summary: Patch SOD policy by ID + description: >- + Allows updating SOD Policy fields other than ["id","created","creatorId","policyQuery","type"] using the [JSON Patch](https://tools.ietf.org/html/rfc6902) standard. + + Requires role of ORG_ADMIN. + + This endpoint can only patch CONFLICTING_ACCESS_BASED type policies. Do not use this endpoint to patch general policies - doing so will build an API exception. + + parameters: + - in: path + name: id + schema: + type: string + required: true + description: The ID of the SOD policy being modified. + example: 2c918083-5d19-1a86-015d-28455b4a2329 + requestBody: + required: true + description: | + A list of SOD Policy update operations according to the [JSON Patch](https://tools.ietf.org/html/rfc6902) standard. + + The following fields are patchable: + * name + * description + * ownerRef + * externalPolicyReference + * compensatingControls + * correctionAdvice + * state + * tags + * violationOwnerAssignmentConfig + * scheduled + * conflictingAccessCriteria + content: + application/json-patch+json: + schema: + type: array + items: + $ref: '../schemas/JsonPatchOperation.yaml' + examples: + Conflicting Access Based Policy: + value: + - op: "replace" + path: "/description" + value: "Modified description" + - op: "replace" + path: "/conflictingAccessCriteria/leftCriteria/name" + value: "money-in-modified" + - op: "replace" + path: "/conflictingAccessCriteria/rightCriteria" + value: { + "name": "money-out-modified", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c918087682f9a86016839c0509c1ab2" + } + ] + } + General Policy: + value: + - op: "replace" + path: "/description" + value: "Modified description" + + responses: + '200': + description: >- + Indicates the PATCH operation succeeded, and returns the SOD policy's new representation. + content: + application/json: + schema: + $ref: '../schemas/SodPolicy.yaml' + examples: + Conflicting Access Based Policy: + value: + { + "id": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "name": "Conflicting-Policy-Name", + "created": "2020-01-01T00:00:00.000000Z", + "modified": "2020-01-01T00:00:00.000000Z", + "description": "Modified description", + "ownerRef": { + "type": "IDENTITY", + "id": "2c91808568c529c60168cca6f90c1313", + "name": "Owner Name" + }, + "externalPolicyReference": "XYZ policy", + "policyQuery": "@access(id:2c9180866166b5b0016167c32ef31a66 OR id:2c9180866166b5b0016167c32ef31a67) AND @access(id:2c918087682f9a86016839c0509c1ab2)", + "compensatingControls": "Have a manager review the transaction decisions for their \"out of compliance\" employee", + "correctionAdvice": "Based on the role of the employee, managers should remove access that is not required for their job function.", + "state": "ENFORCED", + "tags": [ + "string" + ], + "creatorId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "modifierId": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde", + "violationOwnerAssignmentConfig": { + "assignmentRule": "MANAGER", + "ownerRef": { + "type": "IDENTITY", + "id": "2c91808568c529c60168cca6f90c1313", + "name": "Violation Owner Name" + } + }, + "scheduled": true, + "type": "CONFLICTING_ACCESS_BASED", + "conflictingAccessCriteria": { + "leftCriteria": { + "name": "money-in-modified", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a66" + }, + { + "type": "ENTITLEMENT", + "id": "2c9180866166b5b0016167c32ef31a67" + } + ] + }, + "rightCriteria": { + "name": "money-out-modified", + "criteriaList": [ + { + "type": "ENTITLEMENT", + "id": "2c918087682f9a86016839c0509c1ab2" + } + ] + } + } + } + General Policy: + value: + { + "description": "Modified description", + "ownerRef": { + "type": "IDENTITY", + "id": "2c918087682f9a86016839c05e8f1aff", + "name": "Owner Name" + }, + "externalPolicyReference": "New policy", + "policyQuery": "policy query implementation", + "compensatingControls": "Compensating controls", + "correctionAdvice": "Correction advice", + "tags": [], + "state": "ENFORCED", + "scheduled": false, + "creatorId": "2c918087682f9a86016839c05e8f1aff", + "modifierId": null, + "violationOwnerAssignmentConfig": null, + "type": "GENERAL", + "conflictingAccessCriteria": null, + "id": "52c11db4-733e-4c31-949a-766c95ec95f1", + "name": "General-Policy-Name", + "created": "2020-05-12T19:47:38Z", + "modified": "2020-05-12T19:47:38Z" + } + '400': + $ref: '../../v3/responses/400.yaml' + '401': + $ref: '../../v3/responses/401.yaml' + '403': + $ref: '../../v3/responses/403.yaml' + '404': + $ref: '../../v3/responses/404.yaml' + '429': + $ref: '../../v3/responses/429.yaml' + '500': + $ref: '../../v3/responses/500.yaml' diff --git a/static/api-specs/idn/v3/schemas/SodPolicy.yaml b/static/api-specs/idn/v3/schemas/SodPolicy.yaml index 4ac419745..262ba09bb 100644 --- a/static/api-specs/idn/v3/schemas/SodPolicy.yaml +++ b/static/api-specs/idn/v3/schemas/SodPolicy.yaml @@ -4,6 +4,7 @@ properties: type: string description: Policy id example: "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde" + readOnly: true name: type: string description: Policy Business Name @@ -13,11 +14,13 @@ properties: format: date-time description: The time when this SOD policy is created. example: "2020-01-01T00:00:00.000000Z" + readOnly: true modified: type: string format: date-time description: The time when this SOD policy is modified. example: "2020-01-01T00:00:00.000000Z" + readOnly: true description: type: string description: Optional description of the SOD policy @@ -25,6 +28,7 @@ properties: nullable: true ownerRef: $ref: '../schemas/BaseReferenceDto.yaml' + readOnly: true externalPolicyReference: type: string description: Optional External Policy Reference @@ -61,11 +65,13 @@ properties: type: string description: Policy's creator ID example: "0f11f2a47c944bf3a2bd742580fe3bde" + readOnly: true modifierId: type: string description: Policy's modifier ID example: "0f11f2a47c944bf3a2bd742580fe3bde" nullable : true + readOnly: true violationOwnerAssignmentConfig: $ref: './ViolationOwnerAssignmentConfig.yaml' nullable: true