diff --git a/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/LICENSE b/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/LICENSE new file mode 100644 index 000000000..8dc7c0703 --- /dev/null +++ b/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/LICENSE 
@@ -0,0 +1,35 @@ +Copyright (c) 2025 Oracle and/or its affiliates. + +The Universal Permissive License (UPL), Version 1.0 + +Subject to the condition set forth below, permission is hereby granted to any +person obtaining a copy of this software, associated documentation and/or data +(collectively the "Software"), free of charge and under any and all copyright +rights in the Software, and any and all patent rights owned or freely +licensable by each licensor hereunder covering either (i) the unmodified +Software as contributed to or provided by such licensor, or (ii) the Larger +Works (as defined below), to deal in both + +(a) the Software, and +(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if +one is included with the Software (each a "Larger Work" to which the Software +is contributed by such licensors), + +without restriction, including without limitation the rights to copy, create +derivative works of, display, perform, and distribute the Software and make, +use, sell, offer for sale, import, export, have made, and have sold the +Software and the Larger Work(s), and to sublicense the foregoing rights on +either these or other terms. + +This license is subject to the following condition: +The above copyright notice and either this complete permission notice or at +a minimum a reference to the UPL must be included in all copies or +substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file 
diff --git a/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/README.md b/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/README.md new file mode 100644 index 000000000..456b19fcb --- /dev/null +++ b/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/README.md 
@@ -0,0 +1,36 @@ +# Oracle Access Governance REST Postman Request Samples + +A Postman collection of sample REST API requests for Oracle Access Governance (OAG) that showcases the ability to submit requests, trigger guardrail violations and interrogate OAG objects using REST API calls. Note that these samples are meant for reference only and are not intended for use in production systems. + +Review Date: 12.09.2025 + +# When to use this asset? + +The collection can be used for demonstration purposes, to showcase the REST API capabilities of OAG or as a general reference in OAG request automation. This provides a streamlined approach to the more hardcoded flow described in the following Developer Coaching session: https://www.youtube.com/watch?v=bDUIrKldGU0 + +# How to use this asset? + +## Pre-requisites + +- The prerequisites section of the OAG REST API integration document must be followed in order to set up a client credentials authentication flow. More details at: https://docs.oracle.com/en/cloud/paas/access-governance/pmapi/prerequisites.html +- The collection relies on collection variables in order to properly construct the REST queries. Before running any of the queries please ensure you update the `{{ociiam_url}}` and `{{oag_url}}` variables in order to point to the OIG environment you intend to use. These URLs are the same values you have used in the configuration step above. In order to do that, access the "Variables" tab by first clicking on the Postman collection name. Feel free to also update the `{{beneficiary_filter}}` and `{{beneficiary_filter_violation}}` values as per your needs - these will be used as filters in the ID identification of the users who will act as beneficiaries for the two submitted access requests. +- Open the "Authorization" tab of the "Get Authorization Token" request and update the credentials with the client ID and client secret generated during the setup of the client credentials authentication flow. 
Note that Postman will automatically handle the required base64 encoding for you once you've filled in those details. + +## Executing the queries + +- Make sure you run the queries in sequence, as you will first need a valid `{{access_token}}`, then IDs for the access bundle used in the request, the associated access guardrail, and the two users: one that will trigger the access guardrail violation and one that will not. Note that it is up to you to set up the user details and access guardrail rule in such a way that the violation is triggered and the access requests are rejected during those API calls. For more details on how to do that please consult the Developer Coaching session video shared above. +- Note that the interrogation REST calls extracting the IDs for the access bundle and access guardrail will always save the first listed ID in the returned list. If this is not the intended behavior in your flow, please update these collection variables manually with the correct ID from the response of the corresponding requests. +- If set up properly, the response of the failed request should contain: `"justification": "Access Request REST API Guardrail Violation Test", "requestStatus": "FAILED"`, whereas the successful request response should contain: `"justification": "Access Request REST API Test", "requestStatus": "IN_PROGRESS"`, assuming the requested access bundle is protected by an approval workflow. + +# Useful Links + +- [Oracle Access Governance REST API reference](https://docs.oracle.com/en/cloud/paas/access-governance/pmapi/) +- [Postman collections guide](https://learning.postman.com/docs/collections/collections-overview/) + +# License + +Copyright (c) 2025 Oracle and/or its affiliates. + +Licensed under the Universal Permissive License (UPL), Version 1.0. + +See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details. 
diff --git a/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/files/OAG_POSTMAN_REQUEST_SAMPLES.postman_collection.json b/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/files/OAG_POSTMAN_REQUEST_SAMPLES.postman_collection.json new file mode 100644 index 000000000..fbe692d67 --- /dev/null +++ b/security/identity-and-access-management/oracle-access-governance/postman-rest-request-sample/files/OAG_POSTMAN_REQUEST_SAMPLES.postman_collection.json 
@@ -0,0 +1,410 @@ +{ + "info": { + "_postman_id": "018c3537-dde3-4f9d-9e5e-6780074bbae2", + "name": "OAG_POSTMAN_REQUEST_SAMPLES", + "schema": "https://schema.getpostman.com/json/collection/v2.0.0/collection.json", + "_exporter_id": "37345996" + }, + "item": [ + { + "name": "Get Authorization Token", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "// Retrieve access token.\r", + "pm.collectionVariables.set(\"access_token\",JSON.parse(pm.response.text()).access_token);" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "auth": { + "type": "basic", + "basic": { + "password": "", + "username": "" + } + }, + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/x-www-form-urlencoded", + "type": "text" + } + ], + "body": { + "mode": "urlencoded", + "urlencoded": [ + { + "key": "scope", + "value": "{{oag_url}}/urn:opc:agcs:all", + "type": "text" + }, + { + "key": "grant_type", + "value": "client_credentials", + "type": "text" + } + ] + }, + "url": "{{ociiam_url}}/oauth2/v1/token" + }, + "response": [] + }, + { + "name": "Get Access Bundle Identifier", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "// Retrieve access bundles and retain the ID of the first access bundle in the result.\r", + "pm.collectionVariables.set(\"access_bundle_id\", JSON.parse(pm.response.text()).items[0].id);" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + }, + { + "key": "Authorization", + "value": "Bearer {{access_token}}", + "type": "text" + } + ], + "url": "{{oag_url}}/access-governance/access-controls/20250331/accessBundles" + }, + "response": [] + }, + { + "name": "Get Access Guardrail Identifier", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "// Retrieve access guardrails and retain the ID of the first access guardrail in the 
result.\r", + "pm.collectionVariables.set(\"access_guardrail_id\",JSON.parse(pm.response.text()).items[0].id);" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + }, + { + "key": "Authorization", + "value": "Bearer {{access_token}}", + "type": "text" + } + ], + "url": "{{oag_url}}/access-governance/access-controls/20250331/accessGuardrails" + }, + "response": [] + }, + { + "name": "Get User Identifier - Violation", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "// Retrieve the violation user ID based on the beneficiary_filter_violation value.\r", + "pm.collectionVariables.set(\"beneficiary_id_violation\",JSON.parse(pm.response.text()).items[0].id);" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + }, + { + "key": "Authorization", + "value": "Bearer {{access_token}}", + "type": "text" + } + ], + "url": { + "raw": "{{oag_url}}/access-governance/identities/20250331/identities?keywordContains={{beneficiary_filter_violation}}", + "host": [ + "{{oag_url}}" + ], + "path": [ + "access-governance", + "identities", + "20250331", + "identities" + ], + "query": [ + { + "key": "keywordContains", + "value": "{{beneficiary_filter_violation}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Get User Identifier - No Violation", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "// Retrieve the user ID based on the beneficiary_filter value.\r", + "pm.collectionVariables.set(\"beneficiary_id\",JSON.parse(pm.response.text()).items[0].id);" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + }, + { + "key": "Authorization", + 
"value": "Bearer {{access_token}}", + "type": "text" + } + ], + "url": { + "raw": "{{oag_url}}/access-governance/identities/20250331/identities?keywordContains={{beneficiary_filter}}", + "host": [ + "{{oag_url}}" + ], + "path": [ + "access-governance", + "identities", + "20250331", + "identities" + ], + "query": [ + { + "key": "keywordContains", + "value": "{{beneficiary_filter}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Create Access Request - Violation", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + }, + { + "key": "Authorization", + "value": "Bearer {{access_token}}", + "type": "text" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"justification\": \"Access Request REST API Guardrail Violation Test\",\r\n \"createdBy\": \"{{beneficiary_id_violation}}\",\r\n \"accessBundles\": [\r\n \"{{access_bundle_id}}\"\r\n ],\r\n \"identities\": [\r\n \"{{beneficiary_id_violation}}\"\r\n ],\r\n \"accountProfileDetails\": []\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": "{{oag_url}}/access-governance/access-controls/20250331/accessRequests" + }, + "response": [] + }, + { + "name": "Analyze Access Guardrail", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + }, + { + "key": "Authorization", + "value": "Bearer {{access_token}}", + "type": "text" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"globalIdentityIds\": [\r\n \"{{beneficiary_id_violation}}\"\r\n ],\r\n \"accessGuardrailIds\": [\r\n \"{{access_guardrail_id}}\"\r\n ]\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": 
"{{oag_url}}/access-governance/access-controls/20250331/accessGuardrails/analyze" + }, + "response": [] + }, + { + "name": "Create Access Request - No Violation", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "// Retrieve org id.\r", + "pm.collectionVariables.set(\"organization_id\",JSON.parse(responseBody).id);" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + }, + { + "key": "Authorization", + "value": "Bearer {{access_token}}", + "type": "text" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"justification\": \"Access Request REST API Test\",\r\n \"createdBy\": \"{{beneficiary_id}}\",\r\n \"accessBundles\": [\r\n \"{{access_bundle_id}}\"\r\n ],\r\n \"identities\": [\r\n \"{{beneficiary_id}}\"\r\n ],\r\n \"accountProfileDetails\": []\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": "{{oag_url}}/access-governance/access-controls/20250331/accessRequests" + }, + "response": [] + } + ], + "event": [ + { + "listen": "prerequest", + "script": { + "type": "text/javascript", + "packages": {}, + "exec": [ + "" + ] + } + }, + { + "listen": "test", + "script": { + "type": "text/javascript", + "packages": {}, + "exec": [ + "" + ] + } + } + ], + "variable": [ + { + "key": "ociiam_url", + "value": "https://idcs-" + }, + { + "key": "oag_url", + "value": "https://oag-" + }, + { + "key": "beneficiary_filter", + "value": "Klein" + }, + { + "key": "beneficiary_filter_violation", + "value": "Adams" + }, + { + "key": "access_token", + "value": "" + }, + { + "key": "access_bundle_id", + "value": "" + }, + { + "key": "access_guardrail_id", + "value": "" + }, + { + "key": "beneficiary_id_violation", + "value": "" + }, + { + "key": "beneficiary_id", + "value": "" + } + ] +} \ No newline at end of file
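Review bot: In README.md, the third bullet under "Pre-requisites" has the user type the client ID and client secret directly into the "Authorization" tab of "Get Authorization Token", which is the request's `auth.basic` `username`/`password` block in the collection file, so a collection that is later re-exported or shared carries the secret with it. Suggest having the request reference variables instead (for example `{{client_id}}` and `{{client_secret}}`, names that are only a suggestion and not part of this patch) and telling readers to keep the real values in a local environment that is not exported or committed. Separately, in the second bullet "the OIG environment" looks like a typo for OAG, since every other reference in the file is to OAG, and the "License" section links to the repository-root LICENSE rather than the LICENSE file this patch adds next to the README; worth confirming which one is intended.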
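Review bot: In OAG_POSTMAN_REQUEST_SAMPLES.postman_collection.json, the test script of "Create Access Request - No Violation" looks like a leftover from another collection: it is commented "Retrieve org id." and runs `pm.collectionVariables.set("organization_id",JSON.parse(responseBody).id);`, but `organization_id` is not declared in the `variable` list, no request reads it, and it uses `responseBody` where every other script uses `pm.response.text()`. Suggest dropping it, or replacing it with a `pm.test` that checks `requestStatus` against the values the README says to expect (`FAILED` for the violation request, `IN_PROGRESS` for the other), since neither "Create Access Request" script currently asserts anything. The lookup scripts also read `access_token` and `items[0].id` without checking the status code or that `items` is non-empty, so a failed token call stores `undefined` and an empty filter result throws, and the later requests then fail with a less obvious error; a guard that fails the test with a clear message would make the sequence easier to debug.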