Verify Governance REST APIs

The Verify Governance platform provides a REST API set for managing the main elements of the data model (users, entitlements, permissions, rights, accounts), and also authorization workflows and SOD attributes.

The API implements the Simple Cloud Identity Management (SCIM) standard (version 2.0), with custom schema extensions. This implementation enables developers to access and manage identity resources directly by developing client applications that can be invoked from anywhere within the network.

Prerequisites

Before you proceed, you must be familiar with the following technologies:
  • RESTful API
  • JSON (JavaScript Object Notation)
  • SCIM specification (RFC7643, RFC7644)

You must also be familiar with the Verify Governance data model.

Restrictions

There is no support for SCIM query filter expressions with the or operator.

There is no support for using parentheses or brackets for building query filters.

In a filter string, each attribute must be preceded by the Universal Resource Name (URN).

For example:

urn:ietf:params:scim:schemas:core:2.0:User:name.givenName co "James"

Currently, the available operators are:

and
Boolean operator
eq
Operator for comparing if a field of a schema is equal to another entity.
co
Operator for checking whether a field of a schema is contained in another entity.
sw
Operator for checking whether a string starts with a preset string.
ew
Operator for checking whether a string ends with a preset string.

In the current release, some SCIM operations are not supported:

PATCH
Not applicable.
BULK
Not applicable.

Some SCIM standard attributes are not mapped in the Verify Governance data model.

You can find this information by looking at the Resource Schema.

In SCIM queries, the paging mechanism that is adopted is different from the SCIM specification.

The paging is page-based, where the startPage field of SCIM Search Request indicates the page target and the count field specifies the number of elements in that page.
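
The following added example (not part of the product documentation) checks a filter string against the restrictions listed above before it is sent, and walks a result set with the page-based startPage and count fields. The function names, the caller-supplied `post` callable, page numbering that starts at 1, case-insensitive operator matching, and the standard SCIM `Resources` reply key are assumptions.

```python
import re

SEARCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"  # RFC 7644
ALLOWED_OPS = {"eq", "co", "sw", "ew"}   # comparison operators listed on this page
BRACKETS = set("()[]")
# Tokens: a quoted string, a single bracket or stray quote, or a bare word.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[()\[\]"]|[^\s()\[\]"]+')


def _clause_problems(clause):
    """Check one '<attribute> <operator> <value>' clause."""
    if len(clause) != 3:
        return [f"malformed clause: {' '.join(clause)!r}"]
    attr, op, _value = clause
    problems = []
    if not attr.lower().startswith("urn:"):
        problems.append(f"attribute {attr!r} is not preceded by its schema URN")
    if op.lower() not in ALLOWED_OPS:
        problems.append(f"operator {op!r} is not supported")
    return problems


def filter_violations(filter_str):
    """Return the documented restrictions that filter_str breaks (empty list = ok)."""
    tokens = TOKEN.findall(filter_str)
    problems = []
    if any(t in BRACKETS for t in tokens):
        problems.append("parentheses and brackets are not supported")
    if any(t.lower() == "or" for t in tokens):   # quoted values keep their quotes
        problems.append("the 'or' operator is not supported")
    if problems:
        return problems
    clause = []
    for tok in tokens + ["and"]:                 # sentinel flushes the last clause
        if tok.lower() == "and":
            problems += _clause_problems(clause)
            clause = []
        else:
            clause.append(tok)
    return problems


def build_search_request(filter_str, page=1, count=50):
    """Build a SCIM SearchRequest body that uses page-based paging."""
    problems = filter_violations(filter_str)
    if problems:
        raise ValueError("; ".join(problems))
    if page < 1 or count < 1:                    # assumption: pages start at 1
        raise ValueError("startPage and count must be positive integers")
    return {"schemas": [SEARCH_SCHEMA], "filter": filter_str,
            "startPage": page, "count": count}


def iter_resources(post, filter_str, count=50):
    """Yield every match; post(body) is a caller-supplied (hypothetical) function
    that sends the body to a .search endpoint and returns the parsed JSON reply."""
    page = 1
    while True:
        reply = post(build_search_request(filter_str, page, count))
        resources = reply.get("Resources", [])   # assumption: SCIM ListResponse key
        yield from resources
        if len(resources) < count:               # short page means last page
            return
        page += 1
```

A client written against the standard SCIM startIndex paging would otherwise skip or repeat records here, because startPage counts pages rather than elements.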

Supported REST APIs

The following table lists the supported Verify Governance REST APIs.

Table 1. Supported Verify Governance REST APIs
Category API Name Resource Endpoint Operation Description
Access Certifier (AC) API methods Act on Account by Campaign
Note: Available with Fix Pack 1.
Account /igi/v2/ac/campaigns/{campaign_id}/accounts/assignmentsreviews POST Acts on one or more accounts to work by campaign.
Find Account by Campaign
Note: Available with Fix Pack 1.
Account /igi/v2/ac/campaigns/{campaign_id}/accounts/assignmentsreviews.search POST Finds one or more accounts to work on by campaign.
Find Account by Reviewer by Campaign
Note: Available with Fix Pack 1.
Account /igi/v2/ac/campaigns/{campaign_id}/supervisor/reviewers/{reviewer_id}/accounts/assignmentsreviews/.search POST Shows to supervisor the assignments for one or more accounts that a selected reviewer is reviewing in a selected campaign.
Find Supervisor to Escalate Account
Note: Available with Fix Pack 1.
Account /igi/v2/ac/campaigns/{campaign_id}/accounts/{assignmentid_towork}/escalate/supervisors GET Finds a supervisor to whom to escalate review.
Find User to Redirect Account
Note: Available with Fix Pack 1.
Account /igi/v2/ac/campaigns/{campaign_id}/accounts/{assignmentid_towork}/redirectors/.search POST Finds one or more users to whom to redirect an account for review.
Get Statistics about Account Assignments
Note: Available with Fix Pack 1.
Account /igi/v2/ac/campaigns/{campaign_id}/stats/accounts/assignmentsreviews GET Gets statistics about the account assignments that were reviewed in a campaign.
Find Campaign Campaigns /igi/v2/ac/campaigns/.search POST Finds one or more campaigns in visibility to the user.
Stats Campaigns Campaigns /igi/v2/ac/campaigns/stats GET Returns the number of campaigns of each type for which the logged in user is reviewer or supervisor.
Find Reviewers Campaigns-Supervisor /igi/v2/ac/campaigns/{campaign_id}/supervisor/reviewers/.search POST Finds one or more reviewers involved in a campaign.
Act on Assignment by Campaign User Assignment /igi/v2/ac/campaigns/{campaign_id}/assignmentsreviews POST Acts on one or more assignments to work by campaign.
Find Assignment Reviewer by Campaign User Assignment /igi/v2/ac/campaigns/{campaign_id}/assignmentsreviews GET Finds the reviewer of an assignment to work by campaign.
Find Entitlement by Campaign User Assignment /igi/v2/ac/campaigns/{campaign_id}/assignmentsreviews/.search POST Finds one or more entitlements to work of a user by campaign.
Find Supervisor to Escalate User Assignment User Assignment /v2/ac/campaigns/{campaign_id}/assignmentsreviews/{assignmentid_towork}/escalate/supervisors GET For a given campaign, finds supervisors for escalation.
Find User by Campaign User Assignment /igi/v2/ac/campaigns/{campaign_id}/users GET Finds one or more users to work by campaign.
Find User to Redirect User Assignment User Assignment /igi/v2/ac/campaigns/{campaign_id}/assignmentsreviews/{assignmentid_towork}/redirectors/.search POST Finds one or more users to redirect an assignment to work.
Get Statistics about User Assignments User Assignment /v2/ac/campaigns/{campaign_id}/stats/assignmentsreviews GET Gets statistics about the assignments that were reviewed in a given campaign.
User View by Campaign User Assignment /igi/v2/ac/campaigns/{campaign_id}/users/.search POST Shows the users (User View) that are listed for review in a selected campaign.
Entitlement View by Reviewer User Assignment-Supervisor /igi/v2/ac/campaigns/{campaign_id}/supervisor/reviewers/{reviewer_id}/assignmentsreviews/.search POST Shows to supervisor the assignments for one or more users (Entitlement View) that a selected reviewer is reviewing in a selected campaign.
User View by Reviewer User Assignment-Supervisor /igi/v2/ac/campaigns/{campaign_id}/supervisor/reviewers/{reviewer_id}/users/.search POST Shows to supervisor the users (User View) that a selected reviewer is reviewing in a selected campaign.
Act on Job Unit by Campaign Organizational Unit /igi/v2/ac/campaigns/{campaign_id}/organizationalunits/assignmentsreviews POST Acts on (approve/revoke/sign-off/redirect/note) one or more OU assignments to review by campaign.
Find Job Unit by Campaign Organizational Unit /igi/v2/ac/campaigns/{campaign_id}/organizationalunits/assignmentsreviews.search POST Finds all the OU assignments to review (filtered by OU) by campaign.
Find Organizational Unit by Campaign Organizational Unit /igi/v2/ac/campaigns/{campaign_id}/organizationalunits/.search POST Finds all the organizational units to review by campaign.
Find Supervisor to Escalate OU Organizational Unit /igi/v2/ac/campaigns/{campaign_id}/organizationalunits/{assignmentid_towork}/escalate/supervisors GET For a given campaign, finds supervisors for escalation.
Find User to Redirect OU Organizational Unit /igi/v2/ac/campaigns/{campaign_id}/organizationalunits/{assignmentid_towork}/redirectors/.search POST Finds one or more users to redirect an organizational unit to review.
Get Statistics about OU Assignments Organizational Unit /igi/v2/ac/campaigns/{campaign_id}/stats/organizationalunits/assignmentsreviews GET Gets statistics about the assignments that were reviewed in a given campaign.
Inspect OU by Reviewer Organizational Unit-Supervisor /igi/v2/ac/campaigns/{campaign_id}/supervisor/reviewers/{reviewer_id}/organizationalunits/assignmentsreviews/.search POST Shows to supervisor the assignments for one or more Organizational Units (Inspect OU View) that a selected reviewer is reviewing in a selected campaign.
Org. Unit View by Reviewer Organizational Unit-Supervisor /igi/v2/ac/campaigns/{campaign_id}/supervisor/reviewers/{reviewer_id}/organizationalunits/.search POST Shows to supervisor the Organizational Units (Org. Unit View) that a selected reviewer is reviewing in a selected campaign.
Access Governance Core (AGC) API methods Add User Users /igi/v2/agc/users POST Creates the object User that represents the digital identity of a common user of an organization.
Delete User Users /igi/v2/agc/users/{userId} DELETE Deletes the object User.
Find User Users /igi/v2/agc/users/.search POST Finds user by a SCIM search request.
Info Application User Users /igi/v2/agc/users/info/applications/.search POST Returns application information for the logged in user.
Info User Users /igi/v2/agc/users/info GET Returns personal information of the logged in user.
Move OU User Users /igi/v2/agc/users/{userId}/group GET Moves a user from an OU to another, and assigns the roles based on the parameter set.
Find User Advanced Users /igi/v2/agc/users/advanced/.search POST Finds users allowing also to filter by external attributes.
Replace User Users /igi/v2/agc/users/{userId} PUT Updates user information.
Find User by ID Users /igi/v2/agc/users/{userId} GET Finds a user through the User ID.
Add User Account Users - Accounts /igi/v2/agc/users/accounts POST Adds an Account object to the data model.
Change Password Account Users - Accounts /igi/v2/agc/users/accounts/{account_id} PATCH Changes the password of a specific account. The password field represents the Verify Governance current password for the account.
Change Password Accounts Users - Accounts /igi/v2/agc/users/accounts/password POST Changes the password of a set of accounts.
Change Password Users - Accounts /igi/v2/agc/users/accounts/{account_id}/password POST Changes the password of a specific account. The IGIPwd field represents the IGI current password for that account.
Attention: If the rest.api.visibility parameter is set to true, an end user can change passwords only for owned accounts. Also, to avoid password enumeration, the account is blocked based on the password management Maximum number of password retries field. This is the default.

If the parameter is set to false, an end user can change passwords for any account. There is no check that the caller is the owner of the account.

An admin user can change passwords for any account.

See Changing the user visibility of selected REST APIs for details.

Important: To be able to use the IBM Security Verify Request mobile app, or to integrate with the ServiceNow platform, the rest.api.visibility parameter must be set to false.
Check Password Accounts Users - Accounts /igi/v2/agc/users/accounts/password/check POST Checks if the specified password complies with the password policies of a set of accounts.
Check Password For New Account Users - Accounts /igi/v2/agc/accountcfg/{accountcfg_id}/password/check POST Checks if the password specified for a new account complies with the password policies of a specific account (see Get Password Policy).
Check Password Users - Accounts /igi/v2/agc/users/accounts/{account_id}/password/check POST Checks if the password specified complies with the password policies of a specific account (see Get Password Policy).
Delete User Account Users - Accounts /igi/v2/agc/users/accounts/{accountId} DELETE Deletes an account.
Find User Account Users - Accounts /igi/v2/agc/users/{user-id}/accounts/.search POST Finds one or more Account objects that are associated to a user through a SCIM search request.
Attention: If the rest.api.visibility parameter is set to true, an end user can find information only about owned accounts. This is the default.

If the parameter is set to false, an end user can find information about all the accounts in the system.

An admin user can always find details for all the accounts in the system.

See Changing the user visibility of selected REST APIs for details.

Important: To be able to use the IBM Security Verify Request mobile app, or to integrate with the ServiceNow platform, the rest.api.visibility parameter must be set to false.
Change User Account Status Users - Accounts /igi/v2/agc/users/accounts/{account_id}/status PUT Changes the user account status: disable or enable the account according to specific values.
Replace User Account Users - Accounts /igi/v2/agc/users/accounts/{accountId} PUT Replaces an account.
Get Account Target Attributes Users - Accounts /igi/v2/agc/users/accounts/{accountId}/targetattributes GET Gets the target attributes of an account.
Validate Password Users - Accounts /igi/v2/agc/users/accounts/PasswordValidateRequests POST Validates if a specified password complies with the password policies of a specific account (see Get Password Policy).
Add Account Configuration Account Configurations /igi/v2/agc/accountcfg POST Adds an Account Configuration object to the data model.
Delete Account Configuration Account Configurations /igi/v2/agc/accountcfg/{cfgId} DELETE Deletes an Account Configuration.
Find Account Configurations Account Configurations /igi/v2/agc/accountcfg/.search POST Finds account configurations in the Verify Governance database.
Find Attribute Keys by Account Configuration Account Configurations /igi/v2/agc/accountcfg/{cfgId}/attributekeys GET Finds attribute keys by account configuration.
Get Password Policy Account Configurations /igi/v2/agc/accountcfg/password/policy GET Gets the password policy that is shared by a set of account configurations.
Attention: If the rest.api.visibility parameter is set to true, an end user can find information only for the password policies that are related to account configurations of owned accounts. This is the default.

If the parameter is set to false, an end user can find information about all the password policies in the system.

An admin user can always find details for all the password policies in the system.

See Changing the user visibility of selected REST APIs for details.

Important: To be able to use the IBM Security Verify Request mobile app, or to integrate with the ServiceNow platform, the rest.api.visibility parameter must be set to false.
Replace Account Configuration Account Configurations /igi/v2/agc/accountcfg/{cfgId} PUT Replaces an account configuration.
Find Label Localizations by Attribute Key by Account Configuration Account Configurations /igi/v2/agc/accountcfg/{cfgId}/attributekeys/{attrkeyId}/localizations GET Finds the label for one or more localizations by Attribute Key by Account Configuration
Add Application Applications /igi/v2/agc/applications POST Adds an Application object to the data model.
Delete Application Applications /igi/v2/agc/applications/{appId} DELETE Deletes an Application.
Find Application Applications /igi/v2/agc/applications/.search POST Finds an Application through a SCIM search request.
Replace Application Applications /igi/v2/agc/applications/{appId} PUT Replaces an Application.
Find User Entitlement Entitlement /igi/v2/agc/users/{userId}/entitlement/.search POST Finds the entitlements of the user through a SCIM search request.
Find Available User Entitlement Entitlements /igi/v2/agc/users/{userId}/entitlement/available/.search POST Finds all the available entitlements for a user through a SCIM search request.
Find User Rights Rights /igi/v2/agc/users/{userId}/entitlement/rights GET Finds the list of rights that are associated to an entitlement.
Add User Entitlement Entitlements /igi/v2/agc/users/{userId}/entitlement POST Adds an entitlement to a user.
Remove User Entitlement Entitlements /igi/v2/agc/users/{userId}/entitlement/{entId} DELETE Removes an entitlement that is associated to a user.
Add Entitlement Entitlements /igi/v2/agc/entitlements POST Adds an object Entitlement to the data model.
Find Entitlement Entitlements /igi/v2/agc/entitlements/.search POST Finds entitlements through a SCIM search request.
Delete Entitlement Entitlements /igi/v2/agc/entitlements/{entId} DELETE Deletes one or more objects of type Entitlement.
Replace Entitlement Entitlements /igi/v2/agc/entitlements/{entitlementId} PUT Updates an entitlement.
Add Entitlement Child Entitlements /igi/v2/agc/entitlements/{entld}/entitlement POST Adds one or more entitlements to a Business role or IT role.
Remove Entitlement Child Entitlements /igi/v2/agc/entitlements/{entld}/entitlement DELETE Removes one or more entitlements from a Business role or IT role.
Find Entitlement Child Entitlements /igi/v2/agc/entitlements/{entld}/entitlement/.search POST Finds entitlement's child through a SCIM search request.
Add Entitlement in Group Hierarchies-Groups /igi/v2/agc/groups/{group_id}/entitlement POST Adds one or more entitlements to a group.
Add Group Hierarchies-Groups igi/v2/agc/hierarchies/{hierarchy_id}/groups/{groupParentId} POST Adds an object Group to the data model.
Delete Group Hierarchies-Groups igi/v2/agc/hierarchies/{hierarchy_id}/groups/{groupId} DELETE Deletes an object Group.
Find Entitlement in Group Hierarchies-Groups igi/v2/agc/groups/{group_id}/entitlement/.search POST Finds entitlements in a group by a SCIM search request.
Find Group Hierarchies-Groups /igi/v2/agc/hierarchies/{hierarchy_id}/groups/.search POST Specifies the group hierarchy to find. If you do not specify a value, the default value is set to 1, indicating the default group ORGANIZATIONAL_UNIT.
Remove Entitlement from Group Hierarchies-Groups /igi/v2/agc/groups/{group_id}/entitlement DELETE Removes one or more entitlements from a group.
Replace Group Hierarchies-Groups /igi/v2/agc/hierarchies/{hierarchy_id}/groups/{groupId} PUT Updates the details of a group.
Add Group Hierarchy Hierarchies igi/v2/agc/hierarchies POST Adds a group hierarchy.
Build Group Hierarchy Hierarchies /igi/v2/agc/hierarchies/build/{hierarchy_id} GET Builds a group hierarchy.
Find Group Hierarchy Hierarchies igi/v2/agc/hierarchies/.search POST Finds a group hierarchy through a SCIM search request.
Remove Group Hierarchy Hierarchies /igi/v2/agc/hierarchies/{hierarchy_id} DELETE Removes a group hierarchy.
Replace Group Hierarchy Hierarchies /igi/v2/agc/hierarchies/{hierarchy_id} PUT Updates the details of a group hierarchy.
Get Lookup Values by Lookup Lookup /igi/v2/agc/lookup/{name_lookup} GET Gets the lookup values by lookup.
Add Target Targets /igi/v2/agc/targets POST Adds a Target object to the data model.
Delete Target Targets /igi/v2/agc/targets/{targetId} DELETE Deletes a Target.
Find Target Targets /igi/v2/agc/targets/.search POST Finds a Target through a SCIM search request.
Replace Target Targets /igi/v2/agc/targets/{targetId} PUT Replaces a Target.
Access Request Management (ARM) API methods Find Workflow Workflows /igi/v2/arm/workflows/.search POST Finds the workflow IDs available for the logged user.
Find User by Workflow Requests-Access /igi/v2/arm/{workflowId}/users/.search POST Finds users according to a variable set of parameters.
Find User Entitlement by Workflow Requests-Access /igi/v2/arm/{workflowId}/users/{user_id}/entitlements/.search POST Finds the entitlements that are assigned to a user according to the workflow associated to a user.
Generate User Role Request Requests-Access /igi/v2/arm/{workflowId}/requests/user/entitlements POST Generates request for user role assignment (add roles, remove roles, update roles).
Find Request Requests /igi/v2/arm/requests GET Gets one or more requests by type.
Find Request to Work Requests /igi/v2/arm/{workflowId}/requests/.search POST Finds the IDs of the requests that are related to the next activities to be processed.
Find Request Detail Requests /igi/v2/arm/requests/{request_id} GET Gets the details of a request.
Attention: If the rest.api.visibility parameter is set to true, an end user can find details only for the requests of which they are the applicant. This is the default.

If the parameter is set to false, an end user can find details for all the requests in the system.

An admin user can always find details for all the requests in the system.

See Changing the user visibility of selected REST APIs for details.

Important: To be able to use the IBM Security Verify Request mobile app, or to integrate with the ServiceNow platform, the rest.api.visibility parameter must be set to false.
Auth or Exe Request Requests /igi/v2/arm/requests/{request_id} POST If the request is of type AUTH, approves or rejects a generated request. If the request is of type EXE, after the approving of the request, an operator makes the needed updates on the target system. Thus, flag the request as "completed".
Requests Summary Requests /igi/v2/arm/{workflowId}/requests/.search POST Gets a summary of all the requests that were submitted by the logged user. It is important to pass a report workflow.
Find User Admin Roles by workflow Delegation /igi/v2/arm/{workflowId}/users/{user_id}/adminentitlements/.search POST Finds the admin roles that are assigned to a user, according to the workflow associated to a user through a SCIM search request.
Find User Admin Roles delegated by workflow Delegation /igi/v2/arm/{workflowId}/users/{userid_beneficiary}/delegated/users/{userid_delegator}/adminentitlements/.search POST Finds the admin roles, that are delegated from one user to another, according to the workflow associated to a user through a SCIM search request.
Find User Delegator by workflow Delegation /igi/v2/arm/{workflowId}/users/delegators/.search POST Finds delegating users, according to a variable set of parameters through a SCIM search request.
Generate Delegation Request Delegation /igi/v2/arm/{workflowId}/requests/user/delegation POST Generates a request for user role delegation (add roles, remove roles, update roles).
SCIM API methods Resource Schema Resource Schema /igi/v2/schemas/{resourceSchema} GET Gets resource schema, according to the Universal Resource Name (URN).
Service Provider Configuration Service Provider Configuration /igi/v2/serviceproviderconfig GET Gets the list of SCIM operations supported, such as filtering, bulk, change password, authentication, and patch. Each operation can be supported or not.
Resource Discovery Resource Discovery /igi/v2/resourcetype GET Gets list of resources that are provided by server.
Security API methods Act As Delegate for Security Token /igi/v2/security/login/actas/{represented} GET Acts As Delegate to Verify Governance system and obtains the token that is needed to call next methods.
Find Delegator User Admin Entitlement Security Token /igi/v2/security/users/adminentitlements/delegated/.search POST Finds all the users that have delegated at least one admin entitlement to the logged user.
Login Security Token /igi/v2/security/login GET Logs in to Verify Governance system and obtains the token that is needed to call next methods.
Logout Security Token /igi/v2/security/logout GET Invalidates any Verify Governance token, provided to the API as the bearer token. These tokens are received by the clients through the login API. Once a token is invalidated, it can no longer be used for authenticating other API calls. A restart of the Verify Governance server invalidates any and all tokens that were issued until then.
Refresh Token Security Token /igi/v2/security/refresh GET Refresh token. Token expires after N minutes. The value N can be configured through the Virtual Appliance setting.
Return to Self Security Token /igi/v2/security/login/actas GET Returns to Self (after an Act As action) to Verify Governance system and obtains the token that is needed to call next methods.
Separation of Duties API Check User Risk /igi/v2/arc/risks/users/{user_id} POST Checks the risks that are associated to a user.
Check User Full Risk /igi/v2/arc/risks/users/{user_id}/full POST Checks the full SoD risks that are associated to a user.

Procedure for enabling HTTPS communication

Only HTTPS communication is supported.

See Managing certificates to enable secure communication.

API documentation

To access the REST APIs documentation:
  1. For Version 10.0.1, download the ISVG-REST-API_10_0_1.zip file from https://www.ibm.com/support/pages/node/6407700 to your computer.
  2. Extract the files from ISVG-REST-API_10_0_1.zip into a folder.
  3. Open the index.html file in your web browser to display the REST API documentation.