ForgeRock

ForgeRock Identity Governance API

REST API for identity governance operations including access reviews, certifications, role management, and policy enforcement. Provides endpoints for managing entitlements and compliance workflows.

GitHub OpenAPI

Documentation

📖
Documentation
https://backstage.forgerock.com/docs/identity-governance/7.1/api-guide/preface.html
📖
APIReference
https://backstage.forgerock.com/docs/idcloud/latest/identity-governance/rest-api/endpoints/rest-iga.html

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/openapi/forgerock-identity-governance-openapi.yml

Other Resources

🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-governance-access-requests.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-governance-access-reviews.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-governance-certifications.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-governance-entitlements.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-governance-roles.yaml
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/forgerock/refs/heads/main/capabilities/identity-governance-violations.yaml

OpenAPI Specification

forgerock-identity-governance-openapi.yml Raw ↑ 
openapi: 3.1.0
info:
  title: ForgeRock Identity Governance API
  description: >-
    REST API for ForgeRock Identity Governance providing access reviews,
    certifications, role management, entitlement management, access requests,
    and compliance workflows. Enables organizations to review and certify
    access assignments, manage entitlements from onboarded applications,
    and enforce compliance policies.
  version: 7.1.0
  contact:
    name: ForgeRock
    url: https://www.forgerock.com
  license:
    name: Proprietary
    url: https://www.forgerock.com/terms
  x-provider: forgerock
  x-api: identity-governance

servers:
  - url: https://{deployment}/iga
    description: ForgeRock Identity Governance server
    variables:
      deployment:
        default: iga.example.com
        description: The Identity Governance deployment hostname

security:
  - bearerAuth: []

tags:
  - name: Access Requests
    description: Request and approve access to resources
  - name: Access Reviews
    description: Conduct and manage access review items
  - name: Certifications
    description: Manage access certification campaigns
  - name: Entitlements
    description: Manage entitlements from onboarded applications
  - name: Roles
    description: Manage identity governance roles
  - name: Violations
    description: Manage policy violations and segregation of duties

paths:
  /governance/certification:
    get:
      operationId: listCertifications
      summary: ForgeRock List certification campaigns
      description: >-
        Query certification campaigns. Certifications enable authorized users
        to review and certify access assignments to ensure compliance.
      tags:
        - Certifications
      parameters:
        - $ref: '#/components/parameters/QueryFilter'
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PagedResultsOffset'
        - $ref: '#/components/parameters/SortKeys'
      responses:
        '200':
          description: List of certification campaigns
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CertificationList'
        '403':
          description: Insufficient privileges
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    post:
      operationId: createCertification
      summary: ForgeRock Create a certification campaign
      description: >-
        Create a new access certification campaign. Supports identity
        certification, role definition certification, and role membership
        certification types.
      tags:
        - Certifications
      requestBody:
        required: true
        description: Certification campaign definition
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Certification'
      responses:
        '201':
          description: Certification campaign created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certification'
        '400':
          description: Invalid certification configuration
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /governance/certification/{certificationId}:
    get:
      operationId: getCertification
      summary: ForgeRock Get a certification campaign
      description: Retrieve details of a specific certification campaign.
      tags:
        - Certifications
      parameters:
        - $ref: '#/components/parameters/CertificationId'
      responses:
        '200':
          description: Certification campaign details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certification'
        '404':
          description: Certification not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    patch:
      operationId: patchCertification
      summary: ForgeRock Update a certification campaign
      description: Partially update a certification campaign (e.g., close or cancel it).
      tags:
        - Certifications
      parameters:
        - $ref: '#/components/parameters/CertificationId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchOperations'
      responses:
        '200':
          description: Certification updated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certification'

  /governance/certification/{certificationId}/items:
    get:
      operationId: listCertificationItems
      summary: ForgeRock List certification items
      description: >-
        List individual review items within a certification campaign. Each
        item represents a user-entitlement assignment to be reviewed.
      tags:
        - Access Reviews
      parameters:
        - $ref: '#/components/parameters/CertificationId'
        - $ref: '#/components/parameters/QueryFilter'
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PagedResultsOffset'
      responses:
        '200':
          description: List of certification review items
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CertificationItemList'

  /governance/certification/{certificationId}/items/{itemId}:
    get:
      operationId: getCertificationItem
      summary: ForgeRock Get a certification item
      description: Retrieve details of a specific certification review item.
      tags:
        - Access Reviews
      parameters:
        - $ref: '#/components/parameters/CertificationId'
        - name: itemId
          in: path
          required: true
          description: The certification item identifier
          schema:
            type: string
      responses:
        '200':
          description: Certification item details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CertificationItem'
        '404':
          description: Item not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    patch:
      operationId: reviewCertificationItem
      summary: ForgeRock Review a certification item
      description: >-
        Submit a review decision for a certification item. Decisions include
        certify (approve), revoke, or exception.
      tags:
        - Access Reviews
      parameters:
        - $ref: '#/components/parameters/CertificationId'
        - name: itemId
          in: path
          required: true
          description: The certification item identifier
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                decision:
                  type: string
                  description: Review decision
                  enum:
                    - certify
                    - revoke
                    - exception
                    - abstain
                comment:
                  type: string
                  description: Reviewer comment
                exceptionDuration:
                  type: string
                  description: Duration for exception (ISO 8601 period)
      responses:
        '200':
          description: Review submitted
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CertificationItem'

  /governance/request:
    get:
      operationId: listAccessRequests
      summary: ForgeRock List access requests
      description: >-
        Query access requests. Users can request access to applications,
        entitlements, or roles, and managers can request revocation.
      tags:
        - Access Requests
      parameters:
        - $ref: '#/components/parameters/QueryFilter'
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PagedResultsOffset'
        - $ref: '#/components/parameters/SortKeys'
      responses:
        '200':
          description: List of access requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessRequestList'
    post:
      operationId: createAccessRequest
      summary: ForgeRock Create an access request
      description: >-
        Submit a new access request for a user to gain access to a
        resource (application, entitlement, or role).
      tags:
        - Access Requests
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccessRequest'
      responses:
        '201':
          description: Access request created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessRequest'
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /governance/request/{requestId}:
    get:
      operationId: getAccessRequest
      summary: ForgeRock Get an access request
      description: Retrieve details of a specific access request.
      tags:
        - Access Requests
      parameters:
        - name: requestId
          in: path
          required: true
          description: The access request identifier
          schema:
            type: string
      responses:
        '200':
          description: Access request details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessRequest'
        '404':
          description: Request not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    post:
      operationId: accessRequestAction
      summary: ForgeRock Perform an access request action
      description: >-
        Approve, deny, or cancel an access request via the _action query
        parameter.
      tags:
        - Access Requests
      parameters:
        - name: requestId
          in: path
          required: true
          description: The access request identifier
          schema:
            type: string
        - name: _action
          in: query
          required: true
          description: The action to perform
          schema:
            type: string
            enum:
              - approve
              - deny
              - cancel
      requestBody:
        description: Action details
        content:
          application/json:
            schema:
              type: object
              properties:
                comment:
                  type: string
                  description: Approval or denial comment
      responses:
        '200':
          description: Action completed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessRequest'

  /governance/entitlement:
    get:
      operationId: listEntitlements
      summary: ForgeRock List entitlements
      description: >-
        Query the entitlements catalog. Entitlements are aggregated from
        onboarded target applications into a centralized repository.
      tags:
        - Entitlements
      parameters:
        - $ref: '#/components/parameters/QueryFilter'
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PagedResultsOffset'
        - $ref: '#/components/parameters/SortKeys'
      responses:
        '200':
          description: List of entitlements
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EntitlementList'

  /governance/entitlement/{entitlementId}:
    get:
      operationId: getEntitlement
      summary: ForgeRock Get an entitlement
      description: Retrieve details of a specific entitlement.
      tags:
        - Entitlements
      parameters:
        - name: entitlementId
          in: path
          required: true
          description: The entitlement identifier
          schema:
            type: string
      responses:
        '200':
          description: Entitlement details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Entitlement'
        '404':
          description: Entitlement not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'

  /governance/role:
    get:
      operationId: listGovernanceRoles
      summary: ForgeRock List governance roles
      description: Query governance roles used in access policies and certifications.
      tags:
        - Roles
      parameters:
        - $ref: '#/components/parameters/QueryFilter'
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PagedResultsOffset'
      responses:
        '200':
          description: List of governance roles
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GovernanceRoleList'

  /governance/violation:
    get:
      operationId: listViolations
      summary: ForgeRock List policy violations
      description: >-
        Query segregation of duties (SoD) and compliance policy violations.
      tags:
        - Violations
      parameters:
        - $ref: '#/components/parameters/QueryFilter'
        - $ref: '#/components/parameters/PageSize'
        - $ref: '#/components/parameters/PagedResultsOffset'
      responses:
        '200':
          description: List of violations
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ViolationList'

  /governance/violation/{violationId}:
    get:
      operationId: getViolation
      summary: ForgeRock Get a policy violation
      description: Retrieve details of a specific policy violation.
      tags:
        - Violations
      parameters:
        - name: violationId
          in: path
          required: true
          description: The violation identifier
          schema:
            type: string
      responses:
        '200':
          description: Violation details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Violation'
        '404':
          description: Violation not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
    post:
      operationId: violationAction
      summary: ForgeRock Resolve a policy violation
      description: >-
        Perform an action on a violation such as remediate, allow (exception),
        or escalate.
      tags:
        - Violations
      parameters:
        - name: violationId
          in: path
          required: true
          description: The violation identifier
          schema:
            type: string
        - name: _action
          in: query
          required: true
          description: The action to perform
          schema:
            type: string
            enum:
              - remediate
              - allow
              - escalate
      requestBody:
        description: Action details
        content:
          application/json:
            schema:
              type: object
              properties:
                comment:
                  type: string
                exceptionDuration:
                  type: string
      responses:
        '200':
          description: Violation action completed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Violation'

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: OAuth 2.0 access token with governance scopes

  parameters:
    CertificationId:
      name: certificationId
      in: path
      required: true
      description: The certification campaign identifier
      schema:
        type: string
    QueryFilter:
      name: _queryFilter
      in: query
      description: CREST query filter expression
      schema:
        type: string
    PageSize:
      name: _pageSize
      in: query
      description: Number of results per page
      schema:
        type: integer
        minimum: 1
    PagedResultsOffset:
      name: _pagedResultsOffset
      in: query
      description: Pagination offset
      schema:
        type: integer
        minimum: 0
    SortKeys:
      name: _sortKeys
      in: query
      description: Sort fields
      schema:
        type: string

  schemas:
    Certification:
      type: object
      description: An access certification campaign
      properties:
        _id:
          type: string
          readOnly: true
        name:
          type: string
          description: Campaign name
        description:
          type: string
          description: Campaign description
        type:
          type: string
          description: Certification type
          enum:
            - identity
            - roleDefinition
            - roleMembership
            - entitlementOwner
        status:
          type: string
          description: Campaign status
          enum:
            - draft
            - active
            - closed
            - expired
            - cancelled
        stages:
          type: array
          description: Review stages with deadlines and reviewers
          items:
            type: object
            properties:
              name:
                type: string
              deadline:
                type: string
                format: date-time
              reviewers:
                type: array
                items:
                  type: string
        entitlementFilter:
          type: object
          description: Filter to select which entitlements to include
        createdDate:
          type: string
          format: date-time
          readOnly: true
        closedDate:
          type: string
          format: date-time
          readOnly: true

    CertificationList:
      type: object
      properties:
        result:
          type: array
          items:
            $ref: '#/components/schemas/Certification'
        resultCount:
          type: integer
        totalPagedResults:
          type: integer

    CertificationItem:
      type: object
      description: An individual item within a certification campaign
      properties:
        _id:
          type: string
        userId:
          type: string
          description: User being reviewed
        userName:
          type: string
        entitlementName:
          type: string
          description: Entitlement under review
        applicationName:
          type: string
          description: Application the entitlement belongs to
        decision:
          type: string
          description: Current review decision
          enum:
            - certify
            - revoke
            - exception
            - abstain
            - pending
        comment:
          type: string
        reviewer:
          type: string
          description: Assigned reviewer
        reviewDate:
          type: string
          format: date-time

    CertificationItemList:
      type: object
      properties:
        result:
          type: array
          items:
            $ref: '#/components/schemas/CertificationItem'
        resultCount:
          type: integer
        totalPagedResults:
          type: integer

    AccessRequest:
      type: object
      description: An access request
      properties:
        _id:
          type: string
          readOnly: true
        requestType:
          type: string
          description: Type of request
          enum:
            - grant
            - revoke
        userId:
          type: string
          description: User requesting or being requested for
        resourceType:
          type: string
          description: Type of resource requested
          enum:
            - application
            - entitlement
            - role
        resourceId:
          type: string
          description: Identifier of the requested resource
        justification:
          type: string
          description: Business justification
        status:
          type: string
          description: Request status
          enum:
            - pending
            - approved
            - denied
            - cancelled
            - fulfilled
            - failed
        approver:
          type: string
        createdDate:
          type: string
          format: date-time
          readOnly: true

    AccessRequestList:
      type: object
      properties:
        result:
          type: array
          items:
            $ref: '#/components/schemas/AccessRequest'
        resultCount:
          type: integer
        totalPagedResults:
          type: integer

    Entitlement:
      type: object
      description: An entitlement from an onboarded application
      properties:
        _id:
          type: string
        name:
          type: string
          description: Entitlement name
        description:
          type: string
        applicationName:
          type: string
          description: Source application
        applicationId:
          type: string
        type:
          type: string
          description: Entitlement type (e.g., group, permission, role)
        owner:
          type: string
          description: Entitlement owner
        riskLevel:
          type: string
          enum:
            - low
            - medium
            - high
            - critical

    EntitlementList:
      type: object
      properties:
        result:
          type: array
          items:
            $ref: '#/components/schemas/Entitlement'
        resultCount:
          type: integer
        totalPagedResults:
          type: integer

    GovernanceRole:
      type: object
      description: A governance role
      properties:
        _id:
          type: string
        name:
          type: string
        description:
          type: string
        owner:
          type: string
        members:
          type: array
          items:
            type: string
        entitlements:
          type: array
          items:
            type: string

    GovernanceRoleList:
      type: object
      properties:
        result:
          type: array
          items:
            $ref: '#/components/schemas/GovernanceRole'
        resultCount:
          type: integer

    Violation:
      type: object
      description: A segregation of duties or compliance policy violation
      properties:
        _id:
          type: string
        policyName:
          type: string
          description: Name of the violated policy
        userId:
          type: string
          description: User in violation
        userName:
          type: string
        conflictingEntitlements:
          type: array
          description: Entitlements that conflict
          items:
            type: string
        status:
          type: string
          enum:
            - active
            - remediated
            - exception
        severity:
          type: string
          enum:
            - low
            - medium
            - high
            - critical
        detectedDate:
          type: string
          format: date-time

    ViolationList:
      type: object
      properties:
        result:
          type: array
          items:
            $ref: '#/components/schemas/Violation'
        resultCount:
          type: integer
        totalPagedResults:
          type: integer

    PatchOperations:
      type: array
      items:
        type: object
        required:
          - operation
          - field
        properties:
          operation:
            type: string
            enum:
              - add
              - remove
              - replace
          field:
            type: string
          value: {}

    ErrorResponse:
      type: object
      properties:
        code:
          type: integer
        reason:
          type: string
        message:
          type: string