diff --git a/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md b/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md index 6e6b71fefb4..f23b871c6c5 100644 --- a/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md +++ b/api-reference/beta/api/accesspackage-getapplicablepolicyrequirements.md @@ -43,14 +43,14 @@ None. |Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).| ## Request body -Don't supply a request body for this method if you wish to retrieve a list of access package requirements as in example 1. If you want to get policy requirements for user scope as in example 2, you must supply a request body. +Don't supply a request body for this method. ## Response If successful, this method returns a `200 OK` response code and an [accessPackageAssignmentRequestRequirements](../resources/accesspackageassignmentrequestrequirements.md) collection in the response body, one object for each policy for which the user is an **allowedRequestor**. If there's a policy with no requirements, the **accessPackageAssignmentRequestRequirements** has `false` and `null` values. If there are no policies where the user is an **allowedRequestor**, an empty collection is returned instead. ## Examples -### Example 1: Retrieve a list of access package requirements to create an access package +### Example 1: Retrieve a list of access package requirements #### Request 
@@ -141,123 +141,7 @@ Content-Type: application/json } ``` -### Example 2: Get policy requirements for a given user scope - -#### Request - -The following example shows a request. - -# [HTTP](#tab/http) - - -```http -POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/b15419bb-5ffc-ea11-b207-c8d9d21f4e9a/getApplicablePolicyRequirements - -{ - "subject": { - "objectId": "5acd375c-8acb-45de-a958-fa0dd89259ad" - } - } -``` - -# [C#](#tab/csharp) -[!INCLUDE [sample-code](../includes/snippets/csharp/get-req-for-given-user-csharp-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Go](#tab/go) -[!INCLUDE [sample-code](../includes/snippets/go/get-req-for-given-user-go-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Java](#tab/java) -[!INCLUDE [sample-code](../includes/snippets/java/get-req-for-given-user-java-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [JavaScript](#tab/javascript) -[!INCLUDE [sample-code](../includes/snippets/javascript/get-req-for-given-user-javascript-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [PHP](#tab/php) -[!INCLUDE [sample-code](../includes/snippets/php/get-req-for-given-user-php-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [PowerShell](#tab/powershell) -[!INCLUDE [sample-code](../includes/snippets/powershell/get-req-for-given-user-powershell-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Python](#tab/python) -[!INCLUDE [sample-code](../includes/snippets/python/get-req-for-given-user-python-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - ---- - -#### Response - -The following example 
shows the response. - - - -```http -HTTP/1.1 200 OK -Content-Type: application/json - -{ - "value": [ - { - "policyId": "d6322c23-04d6-eb11-b22b-c8d9d21f4e9a", - "policyDisplayName": "Initial Policy", - "policyDescription": "Initial Policy", - "isApprovalRequired": false, - "isApprovalRequiredForExtension": false, - "isRequestorJustificationRequired": false, - "questions": [ - { - "@odata.type": "#microsoft.graph.textInputQuestion", - "id": "5a7f2a8f-b802-4438-bec6-09599bc43e13", - "isRequired": false, - "isAnswerEditable": true, - "sequence": 0, - "isSingleLineQuestion": true, - "text": { - "defaultText": "Enter your mail", - "localizedTexts": [] - } - } - ], - "existingAnswers": [ - { - "@odata.type": "#microsoft.graph.answerString", - "displayValue": "admin@contoso.com", - "value": "admin@contoso.com", - "answeredQuestion": { - "@odata.type": "#microsoft.graph.textInputQuestion", - "id": "5a7f2a8f-b802-4438-bec6-09599bc43e13", - "isRequired": false, - "isAnswerEditable": true, - "sequence": 0, - "isSingleLineQuestion": true, - "text": { - "defaultText": "Enter your mail", - "localizedTexts": [] - } - } - } - ], - "schedule": [] - } - ] -} -``` - -### Example 3: Get policy requirements for verifiable credential status requirements +### Example 2: Get policy requirements for verifiable credential status requirements #### Request diff --git a/api-reference/beta/api/accesspackageassignmentrequest-cancel.md b/api-reference/beta/api/accesspackageassignmentrequest-cancel.md index aae258266a9..2ed95117a54 100644 --- a/api-reference/beta/api/accesspackageassignmentrequest-cancel.md +++ b/api-reference/beta/api/accesspackageassignmentrequest-cancel.md 
@@ -23,7 +23,7 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/accesspackageassignmentrequest-cancel-permissions.md)] -[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write.md)] +[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md)] ## HTTP request diff --git a/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md b/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md index 3607e861216..9ad0b68616b 100644 --- a/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md +++ b/api-reference/beta/api/entitlementmanagement-post-assignmentrequests.md @@ -25,7 +25,7 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/entitlementmanagement-post-assignmentrequests-permissions.md)] -[!INCLUDE [rbac-entitlement-end-user-apis-write](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write.md)] +[!INCLUDE [rbac-entitlement-end-user-apis-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md)] ## HTTP request diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md new file mode 100644 index 00000000000..e55b9143a29 --- /dev/null 
+++ b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md @@ -0,0 +1,27 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> The role and permission required for delegated access using work or school accounts depend on whose request is being canceled. +> +> **End users canceling their own request:** +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. +> +> **Administrators canceling requests submitted by others:** +> - The least privileged permission is `EntitlementManagement.ReadWrite.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). diff --git a/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md new file mode 100644 index 00000000000..27658f76459 --- /dev/null +++ b/api-reference/beta/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md 
@@ -0,0 +1,30 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> The role and permission required for delegated access using work or school accounts depend on the `requestType` of the request being submitted. +> +> **End-user requests** — `userAdd`, `userExtend`, `userUpdate`, `userRemove`, and `approverRemove`: +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. +> - Holding the permission isn't sufficient on its own — whether an end-user can submit a request is also governed by the corresponding accessPackageAssignmentPolicy, which controls who can be assigned to an access package and who can request it (`requestorSettings`). +> +> **Administrator requests** — `adminAdd`, `adminUpdate`, and `adminRemove`: +> - The least privileged permission is `EntitlementManagement.ReadWrite.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* +> +> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. 
+> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). diff --git a/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md b/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md index 684827d93f9..acde5b68dba 100644 --- a/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md +++ b/api-reference/v1.0/api/accesspackage-getapplicablepolicyrequirements.md @@ -104,7 +104,33 @@ Content-Type: application/json { "value": [ { - "@odata.type": "microsoft.graph.accessPackageAssignmentRequestRequirements" + "policyId": "d6322c23-04d6-eb11-b22b-c8d9d21f4e9a", + "policyDisplayName": "Initial Policy", + "policyDescription": "Initial Policy", + "isApprovalRequiredForAdd": false, + "isApprovalRequiredForUpdate": false, + "isRequestorJustificationRequired": false, + "allowCustomAssignmentSchedule": true, + "schedule": { + "expiration": { + "endDateTime": null, + "duration": "P365D", + "type": "afterDuration" + } + }, + "questions": [ + { + "@odata.type": "#microsoft.graph.textInputQuestion", + "id": "0fd349e2-a3a7-4712-af08-660f29c12b90", + "isRequired": true, + "sequence": 0, + "isSingleLineQuestion": true, + "text": { + "defaultText": "What is your display name", + "localizedTexts": [] + } + } + ] } ] } diff --git a/api-reference/v1.0/api/accesspackageassignmentrequest-cancel.md b/api-reference/v1.0/api/accesspackageassignmentrequest-cancel.md index 58a7641ff27..24eee63c7c4 100644 --- a/api-reference/v1.0/api/accesspackageassignmentrequest-cancel.md +++ b/api-reference/v1.0/api/accesspackageassignmentrequest-cancel.md 
@@ -21,7 +21,7 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/accesspackageassignmentrequest-cancel-permissions.md)] -[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write.md)] +[!INCLUDE [rbac-entitlement-access-package-assignment-manager-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md)] ## HTTP request diff --git a/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md b/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md index ef5da5747be..a94034cfd1f 100644 --- a/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md +++ b/api-reference/v1.0/api/entitlementmanagement-post-assignmentrequests.md @@ -22,7 +22,7 @@ Choose the permission or permissions marked as least privileged for this API. Us [!INCLUDE [permissions-table](../includes/permissions/entitlementmanagement-post-assignmentrequests-permissions.md)] -[!INCLUDE [rbac-entitlement-end-user-apis-write](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write.md)] +[!INCLUDE [rbac-entitlement-end-user-apis-write-including-subject-access](../includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md)] ## HTTP request diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md new file mode 100644 index 00000000000..e55b9143a29 --- /dev/null 
+++ b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md @@ -0,0 +1,27 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> The role and permission required for delegated access using work or school accounts depend on whose request is being canceled. +> +> **End users canceling their own request:** +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. +> +> **Administrators canceling requests submitted by others:** +> - The least privileged permission is `EntitlementManagement.ReadWrite.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* +> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers). diff --git a/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md new file mode 100644 index 00000000000..c31c0882803 --- /dev/null +++ b/api-reference/v1.0/includes/rbac-for-apis/rbac-entitlement-management-end-user-apis-write-including-subject-access.md 
@@ -0,0 +1,30 @@ +--- +author: simranm +ms.topic: include +--- + + + +> [!TIP] +> The role and permission required for delegated access using work or school accounts depend on the `requestType` of the request being submitted. +> +> **End-user requests** — `userAdd`, `userUpdate`, `userRemove`, and `approverRemove`: +> - The signed-in user **doesn't need** an administrator role. +> - The least privileged permission is `EntitlementMgmt-SubjectAccess.ReadWrite`. +> - Holding the permission isn't sufficient on its own — whether an end-user can submit a request is also governed by the corresponding accessPackageAssignmentPolicy, which controls who can be assigned to an access package and who can request it (`allowedTargetScope`, `specificAllowedTargets`, and `requestorSettings`). +> +> **Administrator requests** — `adminAdd`, `adminUpdate`, and `adminRemove`: +> - The least privileged permission is `EntitlementManagement.ReadWrite.All`. +> - The signed-in user **must** be assigned a supported administrator role. Supported roles, from least to most privileged: +> - A [role in the Entitlement Management system](/entra/id-governance/entitlement-management-delegate): +> - *Access package assignment manager*. **This is the least privileged option** +> - *Access package manager* +> - *Catalog owner* +> - A more privileged [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): +> - *Identity Governance Administrator* +> +> In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission. The *Access package assignment manager* role is less privileged than the `EntitlementManagement.ReadWrite.All` application permission. 
+> +> For more information, see [Delegation and roles in entitlement management](/entra/id-governance/entitlement-management-delegate) and [how to delegate access governance to access package managers in entitlement management](/entra/id-governance/entitlement-management-delegate-managers).
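Review bot: in the first `accesspackage-getapplicablepolicyrequirements.md` hunk (`@@ -43,14`), replacing the Request body text with "Don't supply a request body for this method." removes the documented `subject` body without saying what happens to callers that still send `{"subject": {"objectId": ...}}`; if the service still honours it, that behaviour becomes undocumented, and if it was withdrawn the page (or the changelog) should say so, since those callers will silently start getting the signed-in user's policies instead of the subject's. The unchanged Response text still says "one object for each policy for which the user is an **allowedRequestor**"; with no body it should say "the signed-in user" so the scope is unambiguous.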
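Review bot: the second beta hunk (`@@ -141,123`) deletes Example 2 but not the seven snippet includes it referenced (`../includes/snippets/csharp/get-req-for-given-user-csharp-snippets.md` through the `python` one); remove them in the same change, otherwise they linger as orphaned files that still show a POST with `subject.objectId`, contradicting the new "Don't supply a request body" guidance. Renumbering "Example 3" to "Example 2" also changes the heading anchor, so any page that linked to the old "Example 2: Get policy requirements for a given user scope" heading will now land on the verifiable-credential example; check inbound links before merging.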
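Review bot: the include swap in `accesspackageassignmentrequest-cancel.md` (`@@ -23,7`, and likewise the three sibling swap hunks for the beta and v1.0 `entitlementmanagement-post-assignmentrequests.md` and v1.0 cancel pages) drops every reference in this diff to `rbac-entitlement-management-access-package-assignment-manager-apis-write.md` and `rbac-entitlement-management-end-user-apis-write.md` without deleting them. If no other page still includes the old files, delete them here so the superseded guidance, which lacks the self-service `EntitlementMgmt-SubjectAccess.ReadWrite` path, cannot be picked up by a future page by mistake; if other pages do still use them, say so in the PR description.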
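Review bot: the new `rbac-entitlement-management-access-package-assignment-manager-apis-write-including-subject-access.md` include is written only for cancel ("depend on whose request is being canceled", "End users canceling their own request") while its file name is generic to assignment-manager write APIs; either name it after cancel or phrase it as "the request being acted on" so it stays correct if reused. It also omits the app-only paragraph that the end-user include carries ("the calling app can be assigned one of the preceding supported roles instead of the `EntitlementManagement.ReadWrite.All` application permission"); if the cancel API supports application permissions, add the same paragraph so both tips present the least-privileged option. Finally, the tip states the self-service rule but not its failure mode: add the response a caller holding only `EntitlementMgmt-SubjectAccess.ReadWrite` receives when the target request is not their own, so clients can tell an authorization failure from a bad request id.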
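Review bot: the two end-user includes diverge in ways that should be confirmed as intentional: the beta file lists `userAdd`, `userExtend`, `userUpdate`, `userRemove`, and `approverRemove` while the v1.0 file omits `userExtend`, and the beta file names only `requestorSettings` as the gating policy property while the v1.0 file names `allowedTargetScope`, `specificAllowedTargets`, and `requestorSettings`. If the beta accessPackageAssignmentPolicy genuinely exposes a different shape, name the beta properties that actually gate who can request, as the v1.0 text does; the sentence "Holding the permission isn't sufficient on its own" is the key least-privilege point of the tip and readers need the exact fields to audit. Also link the accessPackageAssignmentPolicy mention to its resource page, as the role names in the same tip are linked.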
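Review bot: the expanded v1.0 response sample in `accesspackage-getapplicablepolicyrequirements.md` (`@@ -104,7 +104,33`) should be checked against the v1.0 resource pages before merging: the question object carries `isRequired`, `sequence`, `isSingleLineQuestion`, and `text` but no `isAnswerEditable`, whereas the beta sample removed in this same diff includes `isAnswerEditable`; and `schedule` is an object with `expiration` here versus `[]` in the removed beta sample. If v1.0 really differs on both counts, fine; if not, the sample will mislead clients that build their deserialization from it.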