AppRole Permissions
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following pages are organized by AppRole and provide the endpoints and the allowed operations for that endpoint.
Application Administrator
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that an application administrator AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AdaptiveAccessSettings | GET/<ID>, GET(Search) |
| AccountMgmtInfos | ALL |
| AccountObjectClasses | ALL |
| AccountObjectClassTemplates | GET/<ID>, GET(Search) |
| AccountOwnerLinker | ALL |
| AccountPasswordResetter | ALL |
| AccountStatusChanger | ALL |
| AnalyticEvents | GET/<ID>, GET(Search) |
| AppAllowedScopesChanger | ALL |
| AppClientSecretRegenerator | ALL |
| AppEntitlementCollections | ALL |
| AppRoleExportJob | GET/<ID>, GET(Search) |
| AppRoleExportJobHistory | GET/<ID>, GET(Search) |
| AppRoleExportJobProgress | ALL |
| AppRoleExportJobReport | GET/<ID>, GET(Search) |
| AppRoleExportJobSchedule | ALL |
| AppRoleImportJob | GET/<ID>, GET(Search) |
| AppRoleImportJobHistory | GET/<ID>, GET(Search) |
| AppRoleImportJobReport | GET/<ID>, GET(Search) |
| AppRoleImportJobProgress | ALL |
| AppRoleImportJobSchedule | ALL |
| AppRoleMembershipImportDetailedJobReports | GET/<ID>, GET(Search) |
| AppRoleMembershipImportSummaryJobReports | ALL |
| AppRoles | ALL |
| Apps | ALL |
| AppStatusChanger | ALL |
| AppTemplates | GET/<ID>, GET(Search) |
| AppTemplateStatusChanger | GET/<ID>, GET(Search) |
| AppUpgrader | ALL |
| AsyncTargetActions | ALL |
| AuditEvents | GET/<ID>, GET(Search) |
| Bulk | ALL |
| ConditionGroups | ALL |
| Conditions | ALL |
| ConnectorBundles | GET/<ID>, GET(Search) |
| CustomAllowedValues | ALL |
| Files | ALL |
| GrantEvaluationJob | GET/<ID>, GET(Search) |
| GrantEvaluationJobHistory | GET/<ID>, GET(Search) |
| GrantEvaluationJobProgress | ALL |
| GrantEvaluationJobReport | GET/<ID>, GET(Search) |
| GrantEvaluationJobSchedule | ALL |
| GrantImportDetailedJobReports | GET/<ID>, GET(Search) |
| GrantImportSummaryJobReports | GET/<ID>, GET(Search) |
| Grants | ALL |
| Groups | GET/<ID>, GET(Search) |
| IDCSGroups | GET/<ID>, GET(Search) |
| IDCSUsers | GET/<ID>, GET(Search) |
| Images | GET/<ID>, GET(Search) |
| Jobs | GET/<ID>, GET(Search) |
| JobHistories | GET/<ID>, GET(Search) |
| JobProgress | GET/<ID>, GET(Search) |
| JobReports | GET/<ID>, GET(Search) |
| JobSchedules | GET/<ID>, GET(Search) |
| ManagedApp | ALL |
| ManagedAppAttributeMappings | ALL |
| ManagedAppConnectionTester | ALL |
| ManagedAppOperations | ALL |
| ManagedAppOperationTemplates | GET/<ID>, GET(Search) |
| ManagedObjectClasses | ALL |
| ManagedObjectClassTemplates | GET/<ID>, GET(Search) |
| ManagedObjectSyncDetailedJobReports | GET/<ID>, GET(Search) |
| ManagedObjectSyncJob | GET/<ID>, GET(Search) |
| ManagedObjectSyncJobHistory | GET/<ID>, GET(Search) |
| ManagedObjectSyncJobProgress | ALL |
| ManagedObjectSyncJobReports | GET/<ID>, GET(Search) |
| ManagedObjectSyncJobSchedule | ALL |
| MappedActions | ALL |
| MappedActionTemplates | GET/<ID>, GET(Search) |
| MappedAttributes | ALL |
| MappedAttributeTemplates | GET/<ID>, GET(Search) |
| NetworkPerimeters | ALL |
| OAuthClientCertificates | ALL |
| ObjectMgmtInfos | ALL |
| Policies | ALL |
| RefreshAccessStatisticsJob | GET/<ID>, GET(Search) |
| RefreshAccessStatisticsJobHistory | GET/<ID>, GET(Search) |
| RefreshAccessStatisticsJobProgres | ALL |
| RefreshAccessStatisticsJobReport | GET/<ID>, GET(Search) |
| RefreshAccessStatisticsJobSchedule | ALL |
| RefreshAppAccessTokensJob | GET/<ID>, GET(Search) |
| RefreshAppAccessTokensJobHistory | GET/<ID>, GET(Search) |
| RefreshAppAccessTokensJobProgress | GET/<ID>, GET(Search) |
| RefreshAppAccessTokensJobSchedule | ALL |
| Reports | POST |
| RiskProviderProflies | GET/<ID>, GET(Search) |
| RiskScoreHistories | GET/<ID>, GET(Search) |
| Rules | ALL |
| SFFCustomApps | ALL |
| SigningCert/jwk | GET/<ID>, GET(Search) |
| SocialAccounts | GET/<ID>, GET(Search) |
| SyncEvents | ALL |
| Tags | GET/<ID>, GET(Search), POST/.search |
| TargetActionResults | ALL |
| TargetActions | ALL |
| TermsOfUseConsents | GET/<ID>, GET(Search) |
| TermsOfUses | ALL |
| TermsOfUseStatements | ALL |
| UserAppsEnabledForAuthentication | GET/<ID>, GET(Search) |
| UserAppsEnabledForDelegatedAuthentication | GET/<ID>, GET(Search) |
| Users | GET/<ID>, GET(Search) |
| WebTierPolicyJsonValidator | ALL |
Audit Administrator
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that an audit administrator AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AdaptiveAccessSettings | GET/<ID>, GET(Search) |
| AnalyticEvents | GET/<ID>, GET(Search) |
| AuditEvents | GET/<ID>, GET(Search) |
| Files | GET/<ID>, GET(Search) |
| Groups | GET/<ID>, GET(Search) |
| IDBridgeConfig | GET/<ID>, GET(Search) |
| IDCSGroups | GET/<ID>, GET(Search) |
| IDSUsers | GET/<ID>, GET(Search) |
| IdentityAgents | GET/<ID>, GET(Search) |
| IdentitySources | GET/<ID>, GET(Search) |
| IdentitySourceContainers | GET/<ID>, GET(Search) |
| Images | GET/<ID>, GET(Search) |
| MappedIdcsAttributes | GET/<ID>, GET(Search) |
| Reports | POST |
| RiskProviderProfiles | GET/<ID>, GET(Search) |
| RiskScoreHistories | GET/<ID>, GET(Search) |
| SocialAccounts | GET/<ID>, GET(Search) |
| TermsOfUseConsents | GET/<ID>, GET(Search) |
| UnMappedIdcsAttributes | GET/<ID>, GET(Search) |
| UserAppEnabledForAuthentication | GET/<ID>, GET(Search) |
| UserAppsEnabledForDelegatedAuthentication | GET/<ID>, GET(Search) |
| Users | GET/<ID>, GET(Search) |
Authenticated Client
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that an Authenticated Client AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AccountObjectClassTemplates | ALL |
| AdaptiveAccessConfig | ALL |
| AdaptiveAccessSettings | GET/<ID>, GET(Search) |
| AdminSharedFiles | GET |
| AllIdentityProviders | GET(Search), POST/.search |
| AllowedValues | ALL |
| AppAllowedScopesChanger | POST |
| AppClientSecretRegenerator | ALL |
| AppConfig | ALL |
| ApplicablePasswordPolicyRetriever | ALL |
| AppRoles | DELETE, GET(Search), POST, POST/.search, GET, PATCH |
| Apps | GET(Search), POST/.search, GET/<ID>, PUT, PATCH |
| AppStatusChanger | PUT |
| AppTemplates | ALL |
| AppTemplateStatusChanger | ALL |
| AuditEvents | GET/<ID>, GET(Search) |
| AuthenticationFactorSettings | GET/<ID>, GET(Search) |
| BinaryFileInfos | DELETE, POST, GET(Search), POST/.search, GET<ID>, PATCH |
| BrandingSettings | GET/<ID>, GET(Search) |
| Bulk | ALL |
| BulkConfig | ALL |
| CacheFlusher | ALL |
| CacheStats | GET/<ID>, GET(Search) |
| CASettings | ALL |
| CertificateGetter | POST |
| ConditionGroupTemplates | ALL |
| ConditionTemplates | ALL |
| ConnectorBundles | ALL |
| CredentialMaps | GET/<ID>, GET(Search) |
| Credentials | GET/<ID>, GET(Search) |
| DataMigrationJob | GET/<ID>, GET(Search) |
| DataMigrationJobHistory | GET/<ID>, GET(Search) |
| DataMigrationJobProgress | ALL |
| DataMigrationJobReport | GET/<ID>, GET(Search) |
| DataMigrationJobSchedule | ALL |
| DataMigrationWorkerJob | GET/<ID>, GET(Search) |
| DataMigrationWorkerJobHistory | GET/<ID>, GET(Search) |
| DataMigrationWorkerJobProgress | ALL |
| DataMigrationWorkerJobReport | GET/<ID>, GET(Search) |
| DataMigrationWorkerJobSchedule | ALL |
| DefaultSocialIdentityProviders | ALL |
| ExternalIdentityProviders | GET(Search), POST/.search |
| Files | GET/<ID>, GET(Search) |
| GlobalConfig | ALL |
| Grants | DELETE, GET(Search), POST, POST/.search, GET |
| GroupOwnerUpdateJob | GET/<ID>, GET(Search) |
| GroupOwnerUpdateJobHistory | GET/<ID>, GET(Search) |
| GroupOwnerUpdateJobProgress | GET/<ID>, GET(Search) |
| GroupOwnerUpdateJobReport | GET/<ID>, GET(Search) |
| GroupOwnerUpdateJobSchedule | GET/<ID>, GET(Search) |
| Groups | GET/<ID>, GET(Search) |
| IDBridgeConfig | ALL |
| IDSGroups | GET/<ID>, GET(Search) |
| IDSUsers | GET/<ID>, GET(Search) |
| IdentitySourceTemplates | ALL |
| IdentitySettings | GET/<ID>, GET(Search) |
| Images | GET/<ID>, GET(Search) |
| JobConfig | ALL |
| JobHistories | GET/<ID>, GET(Search) |
| JobProgress | GET/<ID>, GET(Search) |
| JobReports | GET/<ID>, GET(Search) |
| Jobs | GET/<ID>, GET(Search) |
| JobSchedules | GET/<ID>, GET(Search) |
| KeyGetter | POST |
| KeyStoreGetter | POST |
| KeyStores | GET/<ID>, GET(Search) |
| KMSConfig | ALL |
| LatestBinaryFileInfoVersionRetriever | GET(Search), POST/.search |
| LicenseConfig | ALL |
| ManagedAppOperationTemplates | ALL |
| ManagedObjectClassTemplates | ALL |
| ManageSigningKeyJob | GET/<ID>, GET(Search) |
| ManageSigningKeyJobHistory | GET/<ID>, GET(Search) |
| ManageSigningKeyJobProgress | ALL |
| ManageSigningKeyJobReport | GET/<ID>, GET(Search) |
| ManageSigningKeyJobSchedule | ALL |
| MappedActionTemplates | ALL |
| MappedAttributeTemplates | ALL |
| Me | GET/<ID>, GET(Search) for MeteringJobJobHistory,
MeteringJob, MeteringJobJobReport ALL for MeteringJobJobSchedule, MeteringJobJobProgress |
| MeEmailVerifier | ALL |
| MePasswordChanger | ALL |
| MessagingConfig | ALL |
| MyAccesses | ALL |
| MyAppFavoriteSetter | ALL |
| MyApps | ALL |
| MyAuthenticationFactorEnroller. | POST |
| MyAuthenticationFactorInitiator | POST |
| MyAuthenticationFactorsRemover | POST |
| MyAuthenticationFactorValidator | POST |
| MyBypassCodes | DELETE, POST, GET(Search), POST/.search, GET |
| MyBypassCodeNotifications | POST |
| MyDevices | DELETE, GET(Search), GET, PATCH |
| MyGroups | GET(Search), POST/.search |
| MyRequestableApps | GET(Search), POST/.search |
| MyRequestableGroups | GET(Search), POST/.search |
| MyRequests | POST, GET(Search), POST/.search |
| MySFFCredentials | ALL |
| MySocialAccounts | ALL |
| MyTermsOfUseConsents | DELETE, GET(Search), POST/.search, GET |
| MyTrustedUserAgents | DELETE, GET(Search), GET |
| NotificationConfig | ALL |
| OAuthConfig | ALL |
| OAuthConsents | DELETE, GET(Search), GET |
| PasswordPolicies | GET/<ID>, GET(Search) |
| PolicyTemplates | ALL |
| PolicyTypes | ALL |
| POSIXSetupJob | GET/<ID>, GET(Search) |
| POSIXSetupJobHistory | GET/<ID>, GET(Search) |
| POSIXSetupJobProgress | ALL |
| POSIXSetupJobReport | GET/<ID>, GET(Search) |
| POSIXSetupJobSchedule | ALL |
| PurgeResourcesJob | GET/<ID>, GET(Search) |
| PurgeResourcesJobHistory | GET/<ID>, GET(Search) |
| PurgeResourcesJobProgress | ALL |
| PurgeResourcesJobReport | GET/<ID>, GET(Search) |
| PurgeResourcesJobSchedule | ALL |
| Reports | POST |
| ResourceTypes | ALL |
| ResourceTypeSchemaAttributes | ALL |
| RuleTemplates | ALL |
| SamlRuntimeData | ALL |
| Schemas | ALL |
| SecurityQuestions | GET/<ID>, GET(Search) |
| SecurityQuestionSettings | GET/<ID>, GET(Search) |
| SeededAuthorizationPolicies | ALL |
| ServiceProviderConfig | ALL |
| SffXtnUrl | GET/<ID>, GET(Search) |
| SigningCert/jwk | GET/<ID>, GET(Search) |
| SignJWT | POST |
| SMRequests | GET/<ID>, GET(Search) |
| SocialAccounts | GET/<ID>, GET(Search) |
| SocialIdentityProviderMetadata | ALL |
| SsoConfig | ALL |
| SsoEncryptionKey | GET/<ID>, GET(Search) for
SsoEncryptionKeyRollOverJobReport, SsoEncryptionKeyRollOverJob,
SsoEncryptionKeyRollOverJobHistory ALL for SsoEncryptionKeyRollOverJobSchedule, SsoEncryptionKeyRollOverJobProgress, |
| StorageConfig | ALL |
| Tags | GET(Search), POST/.search, GET/<ID> |
| Tenants | GET/<ID>, GET(Search) |
| TermsOfUseConsents | GET/<ID>, GET(Search) |
| UpdateFromEmailDomainValidationStatusJob | GET/<ID>, GET(Search) |
| UpdateFromEmailDomainValidationStatusJobHistory | GET/<ID>, GET(Search) |
| UpdateFromEmailDomainValidationStatusJobProgress | ALL |
| UpdateFromEmailDomainValidationStatusJobReport | GET/<ID>, GET(Search) |
| UpdateFromEmailDomainValidationStatusJobSchedule | ALL |
| UpdateQuotaResourcesJob | GET/<ID>, GET(Search) |
| UpdateQuotaResourcesJobHistory | GET/<ID>, GET(Search) |
| UpdateQuotaResourcesJobProgress | ALL |
| UpdateQuotaResourcesJobReport | GET/<ID>, GET(Search) |
| UpdateQuotaResourcesJobSchedule | ALL |
| UpdateTenantSigningKeyChainJob | GET/<ID>, GET(Search) |
| UpdateTenantSigningKeyChainJobHistory | GET/<ID>, GET(Search) |
| UpdateTenantSigningKeyChainJobProgress | ALL |
| UpdateTenantSigningKeyChainJobReport | GET/<ID>, GET(Search) |
| UpdateTenantSigningKeyChainJobSchedule | ALL |
| UserAppsEnabledForAuthentication | GET/<ID>, GET(Search) |
| UserAppsEnabledForDelegatedAuthentication | GET/<ID>, GET(Search) |
| UserPasswordValidator | PUT |
| UserSharedFiles | GET |
| UserTokens | ALL |
| VerifyCredentials | POST |
| VerifyJWT | POST |
Authenticator Client
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that an Authenticator Client AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| Asserter | ALL |
| HTTPAuthenticator | ALL |
| PasswordAuthenticator | ALL |
| /mfa/v1/requests | POST, GET, PATCH |
| /mfa/v1/users | GET |
Change Password
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Change Password AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AccountRecoverySettings | ALL |
| AllowedValues | GET/<ID>, GET(Search) |
| ApplicablePasswordPolicyRetriever | ALL |
| Authenticate | ALL |
| AuthenticationFactorSettings | GET/<ID>, GET(Search) |
| BrandingSettings | GET/<ID>, GET(Search) |
| MePasswordMustChanger | ALL |
| PasswordPolicies | GET/<ID>, GET(Search) |
| SecurityQuestionSettings | GET/<ID>, GET(Search) |
| TermsOfUseStatements | GET/<ID>, GET(Search) |
| UserPasswordValidator | ALL |
Cloud Gate
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Cloud Gate AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AccountRecoverySettings | ALL |
| AdaptiveAccessSettings | GET/<ID>, GET(Search) |
| AdaptiveEvents | GET/<ID>, GET(Search) |
| ApplicablePasswordPolicyRetriever | ALL |
| Apps | GET/<ID>, GET(Search) |
| Asserter | ALL |
| AuthenticationFactorSettings | GET/<ID>, GET(Search) |
| BrandingSettings | GET/<ID>, GET(Search) |
| DiagnosticRecords | POST, PUT, PATCH |
| EncryptionKeys | ALL |
| EmailTemplates | GET/<ID>, GET(Search) |
| Files | GET/<ID>, GET(Search) |
| HTTPAuthenticator | ALL |
| IDBridgeSettings | GET/<ID>, GET(Search) |
| IDSUsers | GET/<ID>, GET(Search) |
| IdentitySettings | GET/<ID>, GET(Search) |
| Images | GET/<ID>, GET(Search) |
| IncidentDetails | GET/<ID>, GET(Search) |
| Notifications | GET/<ID>, GET(Search) |
| NotificationSettings | GET/<ID>, GET(Search) |
| PasswordAuthenticator | ALL |
| PasswordPolicies | GET/<ID>, GET(Search) |
| RiskProviderProfiles | GET/<ID>, GET(Search) |
| RiskScoreHistories | GET/<ID>, GET(Search) |
| Rules | GET/<ID>, GET(Search) |
| SamlSettings | GET/<ID>, GET(Search) |
| SecurityQuestionSettings | GET/<ID>, GET(Search) |
| Settings | GET/<ID>, GET(Search) |
| SMSTemplates | GET/<ID>, GET(Search) |
| SocialAccounts | GET/<ID>, GET(Search) |
| SsoSettings | GET/<ID>, GET(Search) |
| TermsOfUseConsents | GET/<ID>, GET(Search) |
| Threats | GET/<ID>, GET(Search) |
| UserAgentLocations | GET/<ID>, GET(Search) |
| UserAuditEventsPurger | GET/<ID>, GET(Search) |
| UserDevices | GET/<ID>, GET(Search) |
| UserAppsEnabledForAuthentication | GET/<ID>, GET(Search) |
| UserAppsEnabledForDelegatedAuthentication | GET/<ID>, GET(Search) |
| Users | GET/<ID>, GET(Search) |
DB Admin
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a DB Admin AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| DBGroups | GET(Search), POST/.search, GET<ID> |
| DBUserAuthenticationStatus | PATCH |
| DBUsers | GET(Search), POST/.search, GET<ID> |
Forgot Password
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Forgot Password AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| BrandingSettings | GET(Search), GET<ID> |
| MePasswordRecoveryFactorValidator | ALL |
| MePasswordRecoveryOptionRetriever | ALL |
| MePasswordResetRequestor | ALL |
| MeSecurityQuestionsRetriever | ALL |
Help Desk Administrator
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a help desk administrator AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| Apps | GET/<ID> |
| AnalyticEvents | GET/<ID> |
| AuditEvents | GET/<ID> |
| AuthenticationFactorsRemover | POST |
| Bulk | ALL |
| BulkUserPasswordChanger | ALL |
| BulkUserPasswordResetter | ALL |
| BypassCodeNotifications | POST |
| BypassCodes | POST |
| IDSGroups | GET/<ID> |
| IDSUser | GET/<ID> |
| Images | ALL |
| Groups | GET/<ID> |
| Requests | GET(Search), POST |
| UserActivationInitiator | ALL |
| UserAppsEnabledForAuthentication | GET/<ID> |
| UserLockedStateChanger | ALL |
| UserPasswordChanger | ALL |
| UserPasswordGenerator | ALL |
| UserPasswordResetter | ALL |
| UserPasswordValidator | ALL |
| Users | GET/<ID> |
| UserStateChanger | ALL |
Identity Domain Administrator
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that an identity domain administrator AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AdminSharedFiles | GET |
| AccountMgmtInfos | ALL |
| AccountObjectClasses | ALL |
| AccountObjectClassTemplates | GET(Search), GET<ID> |
| AccountOwnerLinker | ALL |
| AccountPasswordResetter | ALL |
| AccountRecoverySettings | ALL |
| AccountStatusChanger | ALL |
| AdaptiveAccessSettings | ALL |
| AdaptiveEvents | ALL |
| AllIdentityProviders | GET(Search), POST/.search |
| AllowedValues | GET(Search), GET<ID> |
| AnalyticEvents | GET(Search), GET<ID> |
| AppAllowedScopesChanger | ALL |
| AppClientSecretRegenerator | ALL |
| AppEntitlementCollections | ALL |
| AppKerberosRealmUpdater | ALL |
| ApplicablePasswordPolicyRetriever | ALL |
| AppRoleExportJob | GET(Search), GET<ID> |
| AppRoleExportJobHistory | GET(Search), GET<ID> |
| AppRoleExportJobProgress | ALL |
| AppRoleExportJobReport | GET(Search), GET<ID> |
| AppRoleExportJobSchedule | ALL |
| AppRoleImportJob | GET(Search), GET<ID> |
| AppRoleImportJobHistory | GET(Search), GET<ID> |
| AppRoleImportJobProgressv | ALL |
| AppRoleImportJobReport | GET(Search), GET<ID> |
| AppRoleImportJobSchedule | ALL |
| AppRoleMembershipImportDetailedJobReports | GET(Search), GET<ID> |
| AppRoleMembershipImportSummaryJobReports | GET(Search), GET<ID> |
| AppRoles | ALL |
| Apps | ALL |
| AppStatusChanger | ALL |
| AppTemplates | GET(Search), GET<ID> |
| AppTemplateStatusChanger | GET(Search), GET<ID> |
| AppUpgrader | ALL |
| Asserter | ALL |
| AsyncTargetActions | ALL |
| AuditEvents | GET(Search), GET<ID> |
| AuthenticationFactorEnroller | POST |
| AuthenticationFactorEnrollmentRequest | POST |
| AuthenticationFactorInitiator | POST |
| AuthenticationFactorSettings | ALL |
| AuthenticationFactorsRemover | POST |
| AuthenticationFactorValidator | POST |
| BinaryFileInfos | GET(Search), GET<ID> |
| BrandingSettings | GET(Search), GET<ID> |
| Bulk | ALL for BulkUserPasswordResetJobProgress,
BulkUserPasswordMustChangeSetJobProgress,
BulkUserPasswordResetJobSchedule,
BulkUserPasswordMustChangeSetJobSchedule GET(Search), GET<ID> for BulkUserPasswordResetJobHistory, BulkUserPasswordMustChangeSetJobReport, BulkUserPasswordMustChangeSetJobHistory, BulkUserPasswordResetJob, BulkUserPasswordMustChangeSetJob |
| BulkSourceEvents | ALL |
| BulkUserPasswordChanger | ALL |
| BulkUserPasswordResetJobReports | GET(Search), GET<ID> |
| BulkUserPasswordResetter | ALL |
| BypassCodeNotifications | POST |
| BypassCodes | ALL |
| ConnectorBundles | GET(Search), GET<ID> |
| CustomAllowedValues | ALL |
| ConditionGroups | ALL |
| Conditions | ALL |
| DBGroups | GET(Search), POST/.search, GET<ID> |
| DBUserAuthenticationStatus | PATCH |
| DBUsers | GET(Search), POST/.search, GET<ID> |
| Devices | ALL |
| DiagnosticRecords | GET(Search), GET<ID> |
| EmailTemplates | ALL |
| ExportJob | GET(Search), GET<ID> |
| ExportJobHistory | GET(Search), GET<ID> |
| ExportJobProgress | ALL |
| ExportJobReport | GET(Search), GET<ID> |
| ExportJobSchedule | ALL |
| ExternalIdentityProviders | GET(Search), POST/.search |
| Files | ALL |
| GrantEvaluationJob | GET(Search), GET<ID> |
| GrantEvaluationJobHistory | GET(Search), GET<ID> |
| GrantEvaluationJobProgress | ALL |
| GrantEvaluationJobReport | GET(Search), GET<ID> |
| GrantEvaluationJobSchedule | ALL |
| GrantImportDetailedJobReports | GET(Search), GET<ID> |
| GrantImportSummaryJobReports | GET(Search), GET<ID> |
| Grants | ALL |
| GroupExportJob | GET(Search), GET<ID> |
| GroupExportJobHistory | GET(Search), GET<ID> |
| GroupExportJobProgress | ALL |
| GroupExportJobReport | GET(Search), GET<ID> |
| GroupExportJobSchedule | ALL |
| GroupImportDetailedJobReports | GET(Search), GET<ID> |
| GroupImportJob | GET(Search), GET<ID> |
| GroupImportJobHistory | GET(Search), GET<ID> |
| GroupImportJobProgress | ALL |
| GroupImportJobReport | GET(Search), GET<ID> |
| GroupImportJobSchedule | ALL |
| GroupImportSummaryJobReports | GET(Search), GET<ID> |
| Groups | ALL |
| HTTPAuthenticator | ALL |
| IdBridgeAppRegistrar | ALL |
| IDBridgeConfig | GET(Search), GET<ID> |
| IDBridgeSettings | ALL |
| IDSGroups | ALL |
| IDSUsers | ALL |
| IdentityAgents | ALL |
| IdentityProviders | ALL |
| IdentitySettings | ALL |
| IdentitySourceContainers | ALL |
| IdentitySources | ALL |
| IdentitySourceTemplates | GET(Search), GET<ID> |
| Images | ALL |
| ImportJob | GET(Search), GET<ID> |
| ImportJobHistory | GET(Search), GET<ID> |
| ImportJobProgress | ALL |
| ImportJobReport | GET(Search), GET<ID> |
| ImportJobSchedule | ALL |
| IncidentDetails | GET(Search), GET<ID> |
| Jobs | GET(Search), GET<ID> |
| JobHistories | GET(Search), GET<ID> |
| JobProgress | GET(Search), GET<ID> |
| JobReports | GET(Search), GET<ID> |
| JobSchedules | GET(Search), GET<ID> |
| KerberosRealmUsers | ALL |
| LatestBinaryFileInfoVersionRetriever | GET(Search), GET<ID> |
| ManagedApp | ALL |
| ManagedAppAttributeMappings | ALL |
| ManagedAppConnectionTester | ALL |
| ManagedAppOperations | ALL |
| ManagedAppOperationTemplates | GET(Search), GET<ID> |
| ManagedObjectClassTemplates | GET(Search), GET<ID> |
| ManagedObjectSyncDetailedJobReports | GET(Search), GET<ID> |
| ManagedObjectSyncJob | GET(Search), GET<ID> |
| ManagedObjectSyncJobHistory | GET(Search), GET<ID> |
| ManagedObjectSyncJobProgress | ALL |
| ManagedObjectSyncJobReports | GET(Search), GET<ID> |
| ManagedObjectSyncJobSchedule | ALL |
| MappedActions | ALL |
| MappedActionTemplates | GET(Search), GET<ID> |
| MappedAttributes | ALL |
| MappedAttributeTemplates | GET(Search), GET<ID> |
| MappedIdcsAttributes | ALL |
| Me | GET, PATCH, PUT |
| MeEmailVerified | ALL |
| MeEmailVerifier | ALL |
| MePasswordMustChanger | ALL |
| MePasswordRecoveryFactorValidator | ALL |
| MePasswordRecoveryOptionRetriever | ALL |
| MePasswordResetChanger | ALL |
| MePasswordResetRequestor | ALL |
| MePasswordResetter | ALL |
| MeRemovePendingEmailVerification | POST |
| MeSecurityQuestionAnswerValidator | ALL |
| MeSecurityQuestionsRetriever | ALL |
| MyAppFavoriteSetter | ALL |
| MyApps | ALL |
| MyAccesses | ALL |
| MyAuthenticationFactorEnroller | POST |
| MyAuthenticationFactorInitiator | POST |
| MyAuthenticationFactorsRemover | POST |
| MyAuthenticationFactorValidator | POST |
| MyBypassCodeNotifications | POST |
| MyBypassCodes | DELETE, POST, GET(Search), POST/.search, GET<ID> |
| MyDevices | DELETE, GET(Search), GET<ID>, PATCH |
| MyGroups | GET(Search), POST/.search |
| MePasswordChanger | ALL |
| MyRequestableApps | GET(Search), POST/.search |
| MyRequestableGroups | GET(Search), POST/.search |
| MyRequests | POST, GET(Search), POST/.search |
| MySFFCredentials | ALL |
| MySocialAccountLinker | POST |
| MySocialAccounts | ALL |
| MyTermsOfUseConsents | DELETE, GET(Search), POST/.search, GET<ID> |
| MyTrustedUserAgents | DELETE, GET(Search), GET<ID> |
| Notifications | ALL |
| NotificationSettings | ALL |
| OAuthClientCertificates | ALL |
| OAuthPartnerCertificates | ALL |
| ObjectMgmtInfos | ALL |
| PasswordAuthenticator | ALL |
| NetworkPerimeters | ALL |
| PasswordPolicies | ALL |
| Policies | ALL |
| PushNotificationRequesters | ALL |
| RefreshAccessStatisticsJob | GET(Search), GET<ID> |
| RefreshAccessStatisticsJobHistory | GET(Search), GET<ID> |
| RefreshAccessStatisticsJobProgress | ALL |
| RefreshAccessStatisticsJobReport | GET(Search), GET<ID> |
| RefreshAccessStatisticsJobSchedule | ALL |
| RefreshAppAccessTokensJob | GET(Search), GET<ID> |
| RefreshAppAccessTokensJobHistory | GET(Search), GET<ID> |
| RefreshAppAccessTokensJobProgress | GET(Search), GET<ID> |
| RefreshAppAccessTokensJobSchedule | ALL |
| Reports | POST |
| Requests | GET(Search), POST/.search |
| ResourceExporter | POST |
| ResourceImporter | POST |
| RiskLevelUpdateJob | GET(Search), GET<ID> |
| RiskLevelUpdateJobHistory | GET(Search), GET<ID> |
| RiskLevelUpdateJobProgress | ALL |
| RiskLevelUpdateJobReport | GET(Search), GET<ID> |
| RiskLevelUpdateJobSchedule | ALL |
| RiskProviderProfiles | ALL |
| RiskProviderProfileValidation | ALL |
| RiskScoreCleanupJob | GET(Search), GET<ID> |
| RiskScoreCleanupJobHistory | GET(Search), GET<ID> |
| RiskScoreCleanupJobProgress | ALL |
| RiskScoreCleanupJobReport | GET(Search), GET<ID> |
| RiskScoreCleanupJobSchedule | ALL |
| RiskScoreHistories | ALL |
| RiskScoreProviderJob | GET(Search), GET<ID> |
| RiskScoreProviderJobHistory | GET(Search), GET<ID> |
| RiskScoreProviderJobProgress | ALL |
| RiskScoreProviderJobReport | GET(Search), GET<ID> |
| RiskScoreProviderJobSchedule | ALL |
| RiskScoreTemporalDecayJob | GET(Search), GET<ID> |
| RiskScoreTemporalDecayJobHistory | GET(Search), GET<ID> |
| RiskScoreTemporalDecayJobProgress | ALL |
| RiskScoreTemporalDecayJobReport | GET(Search), GET<ID> |
| RiskScoreTemporalDecayJobSchedule | ALL |
| Rules | ALL |
| SafeDeleteSocialIdentityProviderJob | GET(Search), GET<ID> |
| SafeDeleteSocialIdentityProviderJobHistory | GET(Search), GET<ID> |
| SafeDeleteSocialIdentityProviderJobProgress | GET(Search), GET<ID> |
| SafeDeleteSocialIdentityProviderJobSchedule | ALL |
| SafeDeleteSocialIdentityProviderJobReport | GET(Search), GET<ID> |
| SamlSettings | ALL |
| Schemas | GET(Search), POST/.search, GET<ID>, PUT, PATCH |
| SecurityQuestions | ALL |
| SecurityQuestionSettings | ALL |
| SelfRegistrationProfiles | ALL |
| Settings | ALL |
| SFFCustomApps | ALL |
| SffXtnUrl | GET(Search), GET<ID> |
| SigningCert/jwk | GET(Search), GET<ID> |
| SMSTemplates | ALL |
| SocialAccounts | ALL |
| SocialIdentityProviders | ALL |
| SourceEvents | ALL |
| SsoSettings | ALL |
| SyncEvents | ALL |
| Tags | GET(Search), POST/.search, GET<ID> |
| TargetActionResults | ALL |
| TargetActions | ALL |
| TargetAuthenticationTester | POST |
| TermsOfUseConsents | ALL |
| TermsOfUses | ALL |
| TermsOfUseStatements | ALL |
| Threats | ALL |
| TrustedUserAgents | ALL |
| UnMappedIdcsAttributes | GET(Search), POST/.search, GET<ID>, PATCH |
| UserActivationInitiator | ALL |
| UserAgentLocations | ALL |
| UserAttributesSettings | GET(Search), POST, POST/.search, GET<ID>, PATCH |
| UserAuditEventsPurger | ALL |
| UserAppsEnabledForAuthentication | GET(Search), GET<ID> |
| UserAppsEnabledForDelegatedAuthentication | GET(Search), GET<ID> |
| UserDevices | ALL |
| UserExportJob | GET(Search), GET<ID> |
| UserExportJobHistory | GET(Search), GET<ID> |
| UserExportJobReport | GET(Search), GET<ID> |
| UserExportJobSchedule | ALL |
| UserImportJob | GET(Search), GET<ID> |
| UserImportJobHistory | GET(Search), GET<ID> |
| UserImportJobProgress | ALL |
| UserImportJobReport | GET(Search), GET<ID> |
| UserImportJobSchedule | ALL |
| UserLockedStateChanger | POST |
| UserNameGenerator | ALL |
| UserPasswordChanger | ALL |
| UserPasswordGenerator | ALL |
| UserPasswordResetter | ALL |
| UserPasswordValidator | ALL |
| UserSharedFiles | GET |
| UserStateChanger | ALL |
| UserTokens | ALL |
| UserTokenValidator | ALL |
| Users | ALL |
| UserStatusChanger | PUT |
| WebTierPolicyJsonValidator | ALL |
Kerberos
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Kerberos AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AppKerberosRealmUpdater | ALL |
| Groups | GET/<ID>, GET(Search) |
| KerberosRealmUsers | GET(Search), POST/.search, GET/<ID>, PATCH, PUT |
| PasswordAuthenticator | ALL |
| PasswordPolicies | GET/<ID>, GET(Search) |
| Users | GET/<ID>, GET(Search) |
Me
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Me AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AccountRecoverySettings | ALL |
| AllIdentityProviders | GET(Search), POST/.search |
| AllowedValues | GET(Search), GET/<ID> |
| ApplicablePasswordPolicyRetriever | ALL |
| AuthenticationFactorEnrollmentRequest | POST |
| AuthenticationFactorSettings | GET(Search), GET/<ID> |
| BrandingSettings | GET(Search), GET/<ID> |
| ExternalIdentityProviders | GET(Search), POST/.search |
| IdentitySettings | GET(Search), GET/<ID> |
| Me | ALL |
| MeEmailVerifier | ALL |
| MePasswordChanger | ALL |
| MeRemovePendingEmailVerification | POST |
| MyAccesses | ALL |
| MyAppFavoriteSetter | ALL |
| MyApps | ALL |
| MyAuthenticationFactorEnroller | POST |
| MyAuthenticationFactorInitiator | POST |
| MyAuthenticationFactorsRemover | POST |
| MyAuthenticationFactorValidator | POST |
| MyBypassCodeNotifications | POST |
| MyBypassCodes | DELETE, POST, GET(Search), POST/.search, GET/<ID> |
| MyDevices | DELETE, GET(Search), GET/<ID>, PATCH |
| MyGroups | GET(Search), POST/.search |
| MyRequestableApps | GET(Search), POST/.search |
| MyRequestableGroups | GET(Search), POST/.search |
| MyRequests | POST, GET(Search), POST/.search |
| MySFFCredentials | ALL |
| MySocialAccountLinker | POST |
| MySocialAccounts | ALL |
| MyTermsOfUseConsents | DELETE, GET(Search), POST/.search, GET/<ID> |
| MyTrustedUserAgents | DELETE, GET(Search), GET/<ID> |
| OAuthConsents | DELETE, GET(Search), GET/<ID> |
| PasswordPolicies | GET/<ID>, GET(Search) |
| SecurityQuestions | GET/<ID>, GET(Search) |
| SecurityQuestionSettings | GET/<ID>, GET(Search) |
| SffXtnUrl | GET/<ID>, GET(Search) |
| SupportedSocialIdentityProviders | GET |
| UserPasswordValidator | PUT |
| UserSharedFiles | GET/<ID> |
MFA Client
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that an MFA Client AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| Asserter | ALL |
| HTTPAuthenticator | ALL |
| PasswordAuthenticator | ALL |
| /mfa/v1/requests | POST, GET, PATCH |
| /mfa/v1/users | DELETE, POST, GET, PATCH |
POSIX Viewer
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The POSIX Viewer role is intended to be granted to confidential applications for configuring the Linux-PAM. The role was meant for creating OAUTH Clients with lower privileges, that are supposed to be used for PAM. This role isn't meant for assigning to any users or groups. For more information see, Configuring a Confidential Application.
Reset Password
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Reset Password AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| ApplicablePasswordPolicyRetriever | ALL |
| BrandingSettings | GET(Search), GET/<ID> |
| MePasswordRecoveryFactorValidator | ALL |
| MePasswordResettert | ALL |
| MeSecurityQuestionAnswerValidator | ALL |
| PasswordPolicies | GET(Search), GET/<ID> |
| UserPasswordValidator | ALL |
| UserTokenValidator | ALL |
Security Administrator
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a security administrator AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AdminSharedFiles | GET/<ID> |
| AccountObjectClassTemplates | GET(Search), GET/<ID> |
| AccountRecoverySettings | ALL |
| AdaptiveAccessSettings | ALL |
| AdaptiveEvents | ALL |
| AllIdentityProviders | ALL |
| AnalyticEvents | GET(Search), GET/<ID> |
| AppClientSecretRegenerator | ALL |
| ApplicablePasswordPolicyRetriever | ALL |
| Apps | ALL |
| AppTemplates | GET(Search), GET/<ID> |
| AppTemplateStatusChanger | GET(Search), GET/<ID> |
| AuditEvents | GET(Search), GET/<ID> |
| AuthenticationFactorEnroller | GET(Search), GET/<ID> |
| AuthenticationFactorEnrollmentRequest | GET(Search), GET/<ID> |
| AuthenticationFactorSettings | ALL |
| AuthenticationFactorInitiator | GET(Search), GET/<ID> |
| AuthenticationFactorsRemover | GET(Search), GET/<ID> |
| AuthenticationFactorValidator | GET(Search), GET/<ID> |
| BinaryFileInfos | GET(Search), GET/<ID> |
| BrandingSettings | ALL |
| Bulk | ALL |
| BulkReports | POST |
| BypassCodes | GET(Search), GET/<ID> |
| Columns | GET(Search), GET/<ID> |
| ConditionGroups | ALL |
| Conditions | ALL |
| ConnectorBundles | GET(Search), GET/<ID> |
| Devices | GET(Search), GET/<ID> |
| EmailTemplates | ALL |
| ExternalIdentityProviders | ALL |
| Files | GET(Search), GET/<ID> |
| Groups | GET(Search), GET/<ID> |
| IdBridgeAppRegistrar | ALL |
| IDBridgeConfig | GET(Search), GET/<ID> |
| IDBridgeSettings | ALL |
| IdentitySettings | ALL |
| IdentityAgents | ALL |
| IdentityProviders | ALL |
| IdentitySourceContainers | ALL |
| IdentitySources | ALL |
| IDSGroups | GET(Search), GET/<ID> |
| IdcsReports | POST |
| IDSUsers | GET(Search), GET/<ID> |
| Images | ALL |
| IncidentDetails | GET(Search), GET/<ID> |
| LatestBinaryFileInfoVersionRetriever | GET(Search), GET/<ID> |
| MappedActionTemplates | GET(Search), GET/<ID> |
| MappedAttributeTemplates | GET(Search), GET/<ID> |
| MappedIdcsAttributes | ALL |
| ManagedAppOperationTemplates | GET(Search), GET/<ID> |
| ManagedObjectClassTemplates | GET(Search), GET/<ID> |
| NetworkPerimeters | ALL |
| Notifications | ALL |
| NotificationSettings | ALL |
| OAuthClientCertificates | ALL |
| OAuthPartnerCertificates | ALL |
| PasswordPolicies | ALL |
| Policies | ALL |
| PushNotificationRequesters | ALL |
| Reports | POST |
| ReportTemplates | GET(Search), GET/<ID> |
| RiskProviderProfiles | ALL |
| RiskProviderProfileValidation | ALL |
| RiskScoreHistories | ALL |
| Rules | ALL |
| SamlSettings | ALL |
| SecurityQuestionSettings | ALL |
| Settings | ALL |
| SFFCustomApps | ALL |
| SigningCert/jwk | GET(Search), GET/<ID> |
| SMSTemplates | ALL |
| SocialAccounts | GET(Search), GET/<ID> |
| SocialIdentityProviders | ALL |
| SsoSettings | ALL |
| SupportedSocialIdentityProviders | GET |
| TargetAuthenticationTester | POST |
| TermsOfUseConsents | GET(Search), GET/<ID> |
| TermsOfUses | ALL |
| TermsOfUseStatements | ALL |
| Threats | ALL |
| TrustedUserAgents | GET(Search), GET/<ID> |
| UnMappedIdcsAttributes | GET(Search), GET/<ID> |
| UserAgentLocations | ALL |
| UserAppsEnabledForAuthentication | GET(Search), GET/<ID> |
| UserAppsEnabledForDelegatedAuthentication | GET(Search), GET/<ID> |
| UserAuditEventsPurger | ALL |
| UserDevices | ALL |
| Users | GET(Search), GET/<ID> |
Self Registration
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Self Registration AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| BrandingSettings | GET/<ID> |
| Me | POST |
| SelfRegistrationProfiles | GET/<ID> |
| UserNameGenerator | POST |
Signin
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Signin AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AccountRecoverySettings | ALL |
| AllowedValues | GET(Search), GET/<ID> |
| Authenticate | ALL |
| AuthenticationFactorSettings | GET(Search), GET/<ID> |
| BrandingSettings | GET(Search), GET/<ID> |
| SecurityQuestions | GET(Search), GET/<ID> |
| SecurityQuestionSettings | GET(Search), GET/<ID> |
| TermsOfUseStatements | GET(Search), GET/<ID> |
User Administrator
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a user administrator AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AccountMgmtInfos | ALL |
| AdaptiveAccessSettings | GET(Search), GET/<ID> |
| AnalyticEvents | GET(Search), GET/<ID> |
| AppRoles | GET(Search), GET/<ID> |
| Apps | GET(Search), GET/<ID> |
| AppStatusChanger | GET(Search), GET/<ID> |
| AuthenticationFactorsRemover | POST |
| AuditEvents | GET(Search), GET/<ID> |
| Bulk | ALL |
| BulkReports | POST |
| BulkUserPasswordChanger | ALL |
| BulkUserPasswordMustChangeSetJob | GET(Search), GET/<ID> |
| BulkUserPasswordMustChangeSetJobHistory | GET(Search), GET/<ID> |
| BulkUserPasswordMustChangeSetJobProgress | ALL |
| BulkUserPasswordMustChangeSetJobReport | GET(Search), GET/<ID> |
| BulkUserPasswordMustChangeSetJobSchedule | ALL |
| BulkUserPasswordResetJob | GET(Search), GET/<ID> |
| BulkUserPasswordResetJobHistory | GET(Search), GET/<ID> |
| BulkUserPasswordResetJobProgress | ALL |
| BulkUserPasswordResetJobReports | GET(Search), GET/<ID> |
| BulkUserPasswordResetJobSchedule | ALL |
| BulkUserPasswordResetter | ALL |
| BypassCodeNotifications | POST |
| BypassCodes | POST |
| Columns | GET(Search), GET/<ID> |
| CustomAllowedValues | ALL |
| Files | ALL |
| Grants | ALL |
| GroupExportJob | GET(Search), GET/<ID> |
| GroupExportJobHistory | GET(Search), GET/<ID> |
| GroupExportJobProgress | ALL |
| GroupExportJobReport | GET(Search), GET/<ID> |
| GroupExportJobSchedule | ALL |
| GroupImportJob | GET(Search), GET/<ID> |
| GroupImportJobHistory | GET(Search), GET/<ID> |
| GroupImportJobProgress | ALL |
| GroupImportJobReport | GET(Search), GET/<ID> |
| GroupImportJobSchedule | ALL |
| GroupImportDetailedJobReports | GET(Search), GET/<ID> |
| GroupImportSummaryJobReports | GET(Search), GET/<ID> |
| Groups | ALL |
| IDBridgeConfig | GET(Search), GET/<ID> |
| IdcsReports | POST |
| IdentityAgents | GET(Search), GET/<ID> |
| IdentitySourceContainers | GET(Search), GET/<ID> |
| IdentitySources | GET(Search), GET/<ID> |
| IDSGroups | ALL |
| IDSUsers | ALL |
| Images | ALL |
| Jobs | GET(Search), GET/<ID> |
| JobHistories | GET(Search), GET/<ID> |
| JobReports | GET(Search), GET/<ID> |
| JobProgress | GET(Search), GET/<ID> |
| JobSchedules | GET(Search), GET/<ID> |
| ManagedApp | ALL |
| MappedIdcsAttributes | GET(Search), GET/<ID> |
| MeEmailVerified | ALL |
| MePasswordMustChanger | ALL |
| MePasswordRecoveryFactorValidator | ALL |
| MePasswordRecoveryOptionRetriever | ALL |
| MePasswordResetChanger | ALL |
| MePasswordResetRequestor | ALL |
| MePasswordResetter | ALL |
| MeSecurityQuestionAnswerValidator | ALL |
| MeSecurityQuestionsRetriever | ALL |
| OAuthClientCertificates | GET(Search), GET/<ID> |
| ObjectMgmtInfos | ALL |
| ReportTemplates | GET(Search), GET/<ID> |
| RiskLevelUpdateJob | GET(Search), GET/<ID> |
| RiskLevelUpdateJobHistory | GET(Search), GET/<ID> |
| RiskLevelUpdateJobProgress | ALL |
| RiskLevelUpdateJobReport | GET(Search), GET/<ID> |
| RiskLevelUpdateJobSchedule | ALL |
| RiskProviderProfiles | GET(Search), GET/<ID> |
| RiskScoreCleanupJob | GET(Search), GET/<ID> |
| RiskScoreCleanupJobHistory | GET(Search), GET/<ID> |
| RiskScoreCleanupJobProgress | ALL |
| RiskScoreCleanupJobReport | GET(Search), GET/<ID> |
| RiskScoreCleanupJobSchedule | ALL |
| RiskScoreHistories | GET(Search), GET/<ID> |
| RiskScoreProviderJob | GET(Search), GET/<ID> |
| RiskScoreProviderJobHistory | GET(Search), GET/<ID> |
| RiskScoreProviderJobProgress | ALL |
| RiskScoreProviderJobReport | GET(Search), GET/<ID> |
| RiskScoreProviderJobSchedule | ALL |
| RiskScoreTemporalDecayJob | GET(Search), GET/<ID> |
| RiskScoreTemporalDecayJobHistory | GET(Search), GET/<ID> |
| RiskScoreTemporalDecayJobProgress | ALL |
| RiskScoreTemporalDecayJobReport | GET(Search), GET/<ID> |
| RiskScoreTemporalDecayJobSchedule | ALL |
| Reports | POST |
| Requests | GET(Search),POST/.search |
| SafeDeleteSocialIdentityProviderJob | GET(Search), GET/<ID> |
| SafeDeleteSocialIdentityProviderJobReport | GET(Search), GET/<ID> |
| SafeDeleteSocialIdentityProviderJobHistory | GET(Search), GET/<ID> |
| SafeDeleteSocialIdentityProviderJobProgress | ALL |
| SafeDeleteSocialIdentityProviderJobSchedule | ALL |
| SecurityQuestions | ALL |
| SocialAccounts | ALL |
| TermsOfUseConsents | ALL |
| UnMappedIdcsAttributes | GET(Search), GET/<ID> |
| UserActivationInitiator | ALL |
| UserAppsEnabledForAuthentication | GET(Search), GET/<ID> |
| UserAppsEnabledForDelegatedAuthentication | GET(Search), GET/<ID> |
| UserExportJob | GET(Search), GET/<ID> |
| UserExportJobHistory | GET(Search), GET/<ID> |
| UserExportJobProgress | ALL |
| UserExportJobReport | GET(Search), GET/<ID> |
| UserExportJobSchedule | ALL |
| UserImportJob | GET(Search), GET/<ID> |
| UserImportJobHistory | GET(Search), GET/<ID> |
| UserImportJobProgress | ALL |
| UserImportJobReport | GET(Search), GET/<ID> |
| UserImportJobSchedule | ALL |
| UserLockedStateChanger | POST |
| UserNameGenerator | ALL |
| UserPasswordChanger | ALL |
| UserPasswordGenerator | ALL |
| UserPasswordResetter | ALL |
| UserPasswordValidator | ALL |
| Users | ALL |
| UserStateChanger | ALL |
| UserTokens | GET(Search), GET/<ID> |
| UserTokenValidator | ALL |
User Manager
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a User Manager AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| AdaptiveAccessSettings | GET/<ID>, GET(Search) |
| AnalyticEvents | GET/<ID> |
| Apps | GET/<ID> |
| AuditEvents | GET/<ID> |
| AuthenticationFactorsRemover | POST |
| Bulk | ALL |
| BulkUserPasswordChanger | ALL |
| BulkUserPasswordResetter | ALL |
| BypassCodes | POST |
| BypassCodeNotifications | POST |
| IDCSGroups | GET/<ID>, GET(Search), POST(Search), PATCH |
| IDSUser | ALL |
| Images | ALL |
| Groups | GET/<ID>, GET(Search), POST(Search), PATCH |
| Jobs | GET/<ID> |
| JobSchedules | GET/<ID>, can schedule only BulkUserPasswordReset job. |
| JobHistories | GET/<ID> |
| JobProgress | GET/<ID> |
| JobReports | GET/<ID> |
| Requests | GET(Search), POST(Search) |
| RiskProviderProfiles | GET/<ID>, GET(Search) |
| RiskScoreHistories | GET/<ID>, GET(Search) |
| SecurityQuestions | ALL |
| SocialAccounts | ALL |
| UserActivationInitiator | ALL |
| UserAppsEnabledForAuthentication | GET/<ID> |
| UserAppsEnabledForDelegatedAuthentication | GET/<ID> |
| UserLockedStateChanger | ALL |
| UserPasswordChanger | ALL |
| UserPasswordResetter | ALL |
| UserPasswordGenerator | ALL |
| UserPasswordValidator | ALL |
| UserStateChanger | ALL |
| Users | ALL |
| UserStatusChanger | ALL |
| WebrootUsage | GET/<ID>, GET(Search) |
Verify Email
To grant an application access to the identity domains REST API, you must first know the allowed operations that you need the application to access. Then, assign the AppRoles with access to those operations to your application.
The following table displays the endpoints and the allowed operations for that endpoint that a Verify Email AppRole can access.
| Endpoint | Allowed Operations |
|---|---|
| BrandingSettings | GET(Search), GET/<ID> |
| MeEmailVerified | ALL |
| UserTokenValidator | ALL |