Create assignmentPolicies

Namespace: microsoft.graph

In Microsoft Entra entitlement management, create a new accessPackageAssignmentPolicy object. The request includes a reference to the accessPackage that will contain this policy; that access package must already exist.

This API is available in the following national cloud deployments.

Global service, US Government L4, US Government L5 (DOD), China operated by 21Vianet

Permissions

Choose the permission marked as least privileged for this API. Use a higher privileged permission only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

| Permission type | Least privileged permission | Higher privileged permissions |
| --- | --- | --- |
| Delegated (work or school account) | EntitlementManagement.ReadWrite.All | Not available. |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | EntitlementManagement.ReadWrite.All | Not available. |

Tip

In delegated scenarios with work or school accounts, the signed-in user must also be assigned an administrator role with supported role permissions through one of the following options:

In app-only scenarios, the calling app can be assigned one of the supported roles above instead of the EntitlementManagement.ReadWrite.All application permission. The Access package manager role is less privileged than the EntitlementManagement.ReadWrite.All application permission.

For more information, see Delegation and roles in entitlement management and How to delegate access governance to access package managers in entitlement management.

HTTP request

POST /identityGovernance/entitlementManagement/assignmentPolicies

Request headers

| Name | Description |
| --- | --- |
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |

Request body

In the request body, supply a JSON representation of the accessPackageAssignmentPolicy object.

You can specify the following properties when creating an accessPackageAssignmentPolicy.

| Property | Type | Description |
| --- | --- | --- |
| description | String | Description of the policy. |
| displayName | String | Display name of the policy. |
| allowedTargetScope | allowedTargetScope | Who can be assigned the access package through this policy. Possible values: notSpecified, specificDirectoryUsers, specificConnectedOrganizationUsers, specificDirectoryServicePrincipals, allMemberUsers, allDirectoryUsers, allDirectoryServicePrincipals, allConfiguredConnectedOrganizationUsers, allExternalUsers, unknownFutureValue. Optional. |
| expiration | expirationPattern | When assignments created under this policy expire. |
| requestApprovalSettings | accessPackageAssignmentApprovalSettings | Settings for approving access package assignment requests made under this policy; for example, whether new requests require approval. |
| requestorSettings | accessPackageAssignmentRequestorSettings | Additional settings that select who can create access package assignment requests through this policy and what they can include in their requests. |
| reviewSettings | accessPackageAssignmentReviewSettings | Settings for access reviews of assignments made under this policy. |
| specificAllowedTargets | subjectSet collection | The subjects that can be assigned access from the access package through this policy. |
| automaticRequestSettings | accessPackageAutomaticRequestSettings | Applies only to automatic-assignment policies; if absent, the policy is request-based. |
| accessPackage | accessPackage | A reference to the access package that will contain the policy; it must already exist. |
| questions | accessPackageQuestion collection | Questions presented to the requestor. |
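The following added example (not from the Microsoft Graph documentation) builds the Example 1 body from the properties in the table above, runs a few client-side checks against the documented `allowedTargetScope` values before anything is sent, and issues the POST with only the standard library. It assumes a bearer token carrying `EntitlementManagement.ReadWrite.All` obtained elsewhere (for example with MSAL) and an access package id that already exists; the id used at the bottom is a constructed placeholder, and the `validate_policy_body` rules are this example's own, not Graph's server-side validation.

```python
"""Build, check and submit an accessPackageAssignmentPolicy (added example)."""
import json
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
POLICY_ENDPOINT = (
    f"{GRAPH_BASE}/identityGovernance/entitlementManagement/assignmentPolicies"
)

# allowedTargetScope values listed in the request-body table on this page
# (unknownFutureValue is a sentinel, not something a client should send).
ALLOWED_TARGET_SCOPES = {
    "notSpecified", "specificDirectoryUsers", "specificConnectedOrganizationUsers",
    "specificDirectoryServicePrincipals", "allMemberUsers", "allDirectoryUsers",
    "allDirectoryServicePrincipals", "allConfiguredConnectedOrganizationUsers",
    "allExternalUsers",
}


def build_direct_assignment_policy(access_package_id, display_name, description=""):
    """Return a body equivalent to Example 1: admins assign, no self-service,
    no approval, no access review, assignments never expire."""
    if not access_package_id:
        raise ValueError("accessPackage.id is required and must already exist")
    return {
        "displayName": display_name,
        "description": description,
        "allowedTargetScope": "notSpecified",
        "specificAllowedTargets": [],
        "expiration": {"endDateTime": None, "duration": None, "type": "noExpiration"},
        "requestorSettings": {
            "enableTargetsToSelfAddAccess": False,
            "enableTargetsToSelfUpdateAccess": False,
            "enableTargetsToSelfRemoveAccess": False,
            "allowCustomAssignmentSchedule": True,
            "enableOnBehalfRequestorsToAddAccess": False,
            "enableOnBehalfRequestorsToUpdateAccess": False,
            "enableOnBehalfRequestorsToRemoveAccess": False,
            "onBehalfRequestors": [],
        },
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": False,
            "isApprovalRequiredForUpdate": False,
            "stages": [],
        },
        "accessPackage": {"id": access_package_id},
    }


def validate_policy_body(body):
    """Client-side checks (this example's own rules); returns a list of problems."""
    problems = []
    if not body.get("displayName"):
        problems.append("displayName is empty")
    if not body.get("accessPackage", {}).get("id"):
        problems.append("accessPackage.id is missing")
    scope = body.get("allowedTargetScope")
    if scope not in ALLOWED_TARGET_SCOPES:
        problems.append(f"allowedTargetScope {scope!r} is not a documented value")
    # A 'specific...' scope takes its targets from specificAllowedTargets
    # (see Example 3); an empty collection there is almost certainly a mistake.
    elif scope.startswith("specific") and not body.get("specificAllowedTargets"):
        problems.append(f"{scope} needs at least one entry in specificAllowedTargets")
    return problems


def create_policy(token, body, opener=urllib.request.urlopen):
    """POST the body and return the created policy; expects 201 Created.
    `opener` is injectable so the call can be exercised without a tenant."""
    problems = validate_policy_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    request = urllib.request.Request(
        POLICY_ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with opener(request) as response:
        if response.status != 201:
            raise RuntimeError(f"unexpected status {response.status}")
        return json.load(response)


if __name__ == "__main__":
    # Constructed placeholder id; replace with a real access package id.
    body = build_direct_assignment_policy(
        "00000000-0000-0000-0000-000000000000", "New Policy", "policy for assignment")
    print(json.dumps(body, indent=2))
    # create_policy(os.environ["GRAPH_TOKEN"], body)  # run with a real token
```

The validation step is deliberately run before the token is used: a body with an undocumented scope or a `specific...` scope with no targets is rejected locally rather than producing a policy that silently matches nobody.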

Response

If successful, this method returns a 201 Created response code and an accessPackageAssignmentPolicy object in the response body.

Examples

Example 1: Create a direct assignment policy

A direct assignment policy is useful when access package assignment requests are created only by administrators, not by the users themselves.

Request

The following example shows a request to create an access package assignment policy. Under this policy, users can't request access, no approval is required, and there are no access reviews.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies
Content-Type: application/json

{
  "displayName": "New Policy",
  "description": "policy for assignment",
  "allowedTargetScope": "notSpecified",
  "specificAllowedTargets": [],
  "expiration": {
      "endDateTime": null,
      "duration": null,
      "type": "noExpiration"
  },
  "requestorSettings": {
      "enableTargetsToSelfAddAccess": false,
      "enableTargetsToSelfUpdateAccess": false,
      "enableTargetsToSelfRemoveAccess": false,
      "allowCustomAssignmentSchedule": true,
      "enableOnBehalfRequestorsToAddAccess": false,
      "enableOnBehalfRequestorsToUpdateAccess": false,
      "enableOnBehalfRequestorsToRemoveAccess": false,
      "onBehalfRequestors": []
  },
  "requestApprovalSettings": {
      "isApprovalRequiredForAdd": false,
      "isApprovalRequiredForUpdate": false,
      "stages": []
  },
  "accessPackage": {
      "id": "a2e1ca1e-4e56-47d2-9daa-e2ba8d12a82b"
  }
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
  "id": "87e1c7f7-c7f7-87e1-f7c7-e187f7c7e187",
  "displayName": "New policy",
  "description": "policy for assignment"
}

Example 2: Create a policy for users from other organizations to request access

The following example shows a more complex policy with two stages of approval and recurring access reviews.

Request

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies
Content-Type: application/json

{
    "displayName": "policy for external access requests",
    "description": "policy for users from connected organizations to request access, with two stages of approval.",
    "allowedTargetScope": "allConfiguredConnectedOrganizationUsers",
    "specificAllowedTargets": [],
    "expiration": {
        "type": "noExpiration"
    },
    "requestorSettings": {
        "enableTargetsToSelfAddAccess": true,
        "enableTargetsToSelfUpdateAccess": true,
        "enableTargetsToSelfRemoveAccess": true,
        "allowCustomAssignmentSchedule": false,
        "enableOnBehalfRequestorsToAddAccess": false,
        "enableOnBehalfRequestorsToUpdateAccess": false,
        "enableOnBehalfRequestorsToRemoveAccess": false,
        "onBehalfRequestors": []
    },
    "requestApprovalSettings": {
        "isApprovalRequiredForAdd": true,
        "isApprovalRequiredForUpdate": false,
        "stages": [
            {
                "durationBeforeAutomaticDenial": "P14D",
                "isApproverJustificationRequired": false,
                "isEscalationEnabled": false,
                "durationBeforeEscalation": "PT0S",
                "primaryApprovers": [
                    {
                        "@odata.type": "#microsoft.graph.internalSponsors"
                    }
                ],
                "fallbackPrimaryApprovers": [
                    {
                        "@odata.type": "#microsoft.graph.singleUser",
                        "userId": "7deff43e-1f17-44ef-9e5f-d516b0ba11d4"
                    },
                    {
                        "@odata.type": "#microsoft.graph.groupMembers",
                        "groupId": "1623f912-5e86-41c2-af47-39dd67582b66"
                    }
                ],
                "escalationApprovers": [],
                "fallbackEscalationApprovers": []
            },
            {
                "durationBeforeAutomaticDenial": "P14D",
                "isApproverJustificationRequired": false,
                "isEscalationEnabled": false,
                "durationBeforeEscalation": "PT0S",
                "primaryApprovers": [],
                "fallbackPrimaryApprovers": [
                    {
                        "@odata.type": "#microsoft.graph.singleUser",
                        "userId": "46184453-e63b-4f20-86c2-c557ed5d5df9"
                    },
                    {
                        "@odata.type": "#microsoft.graph.groupMembers",
                        "groupId": "1623f912-5e86-41c2-af47-39dd67582b66"
                    }
                ],
                "escalationApprovers": [],
                "fallbackEscalationApprovers": []
            }
        ]
    },
    "reviewSettings": {
        "isEnabled": true,
        "expirationBehavior": "keepAccess",
        "isRecommendationEnabled": true,
        "isReviewerJustificationRequired": true,
        "isSelfReview": false,
        "schedule": {
            "startDateTime": "2022-07-02T06:59:59.998Z",
            "expiration": {
                "duration": "P14D",
                "type": "afterDuration"
            },
            "recurrence": {
                "pattern": {
                    "type": "absoluteMonthly",
                    "interval": 3,
                    "month": 0,
                    "dayOfMonth": 0,
                    "daysOfWeek": []
                },
                "range": {
                    "type": "noEnd",
                    "numberOfOccurrences": 0
                }
            }
        },
        "primaryReviewers": [
            {
                "@odata.type": "#microsoft.graph.groupMembers",
                "groupId": "1623f912-5e86-41c2-af47-39dd67582b66"
            }
        ],
        "fallbackReviewers": []
    },
    "accessPackage": {
        "id": "a2e1ca1e-4e56-47d2-9daa-e2ba8d12a82b"
    }
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
  "id": "9d8f2361-39be-482e-b267-34ad6baef4d3",
    "displayName": "policy for external access requests",
    "description": "policy for users from connected organizations to request access, with two stages of approval."
}
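Examples 1 and 2 make different trade-offs (admin-only assignment with no expiry and no review, versus self-service for external users gated by approval and reviewed quarterly). The following added example, which is not part of the Microsoft Graph documentation, is a small lint that makes those trade-offs visible: it runs over constructed, abbreviated copies of the two request bodies above and reports where a policy grants standing access without review, lets external users self-request without approval, or has an approval stage that can never be approved. The rules are this example's own heuristics, not Graph validation rules.

```python
"""Lint accessPackageAssignmentPolicy bodies for weak governance settings (added example)."""

# Scopes that admit users outside the tenant (from the allowedTargetScope values).
EXTERNAL_SCOPES = {
    "specificConnectedOrganizationUsers",
    "allConfiguredConnectedOrganizationUsers",
    "allExternalUsers",
}


def lint_policy(body):
    """Return a list of (code, message) findings for one policy request body."""
    findings = []
    scope = body.get("allowedTargetScope")
    requestor = body.get("requestorSettings") or {}
    approval = body.get("requestApprovalSettings") or {}
    review = body.get("reviewSettings") or {}
    expiration = body.get("expiration") or {}

    self_service = bool(requestor.get("enableTargetsToSelfAddAccess", False))
    approval_needed = bool(approval.get("isApprovalRequiredForAdd", False))

    # External users who can self-request must face at least one approval.
    if scope in EXTERNAL_SCOPES and self_service and not approval_needed:
        findings.append(("external-no-approval",
                         f"{scope} users may self-request without approval"))
    # Approval switched on with no stages leaves nobody to approve.
    if approval_needed and not approval.get("stages"):
        findings.append(("approval-without-stages",
                         "isApprovalRequiredForAdd is true but stages is empty"))
    # Each stage needs someone able to act; note stages that depend on fallbacks only.
    for index, stage in enumerate(approval.get("stages") or [], start=1):
        primary = stage.get("primaryApprovers") or []
        fallback = stage.get("fallbackPrimaryApprovers") or []
        if not primary and not fallback:
            findings.append(("stage-no-approvers",
                             f"stage {index} has no primary or fallback approvers"))
        elif not primary:
            findings.append(("stage-fallback-only",
                             f"stage {index} relies solely on fallbackPrimaryApprovers"))
    # Assignments that never expire should at least be reviewed periodically.
    if expiration.get("type") == "noExpiration" and not review.get("isEnabled", False):
        findings.append(("standing-access-no-review",
                         "assignments never expire and no access review is enabled"))
    if review.get("isEnabled") and review.get("isSelfReview"):
        findings.append(("self-review", "users review their own access"))
    return findings


# Constructed, abbreviated copy of the Example 1 request body.
EXAMPLE_1 = {
    "allowedTargetScope": "notSpecified",
    "expiration": {"type": "noExpiration"},
    "requestorSettings": {"enableTargetsToSelfAddAccess": False},
    "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
}

# Constructed, abbreviated copy of the Example 2 request body.
EXAMPLE_2 = {
    "allowedTargetScope": "allConfiguredConnectedOrganizationUsers",
    "expiration": {"type": "noExpiration"},
    "requestorSettings": {"enableTargetsToSelfAddAccess": True},
    "requestApprovalSettings": {
        "isApprovalRequiredForAdd": True,
        "stages": [
            {"primaryApprovers": [{"@odata.type": "#microsoft.graph.internalSponsors"}],
             "fallbackPrimaryApprovers": [{"@odata.type": "#microsoft.graph.groupMembers",
                                           "groupId": "1623f912-5e86-41c2-af47-39dd67582b66"}]},
            {"primaryApprovers": [],
             "fallbackPrimaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser",
                                           "userId": "46184453-e63b-4f20-86c2-c557ed5d5df9"}]},
        ],
    },
    "reviewSettings": {"isEnabled": True, "isSelfReview": False},
}


def finding_codes(body):
    """Convenience: just the finding codes, in order."""
    return [code for code, _ in lint_policy(body)]


if __name__ == "__main__":
    for name, body in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, lint_policy(body))
```

Run against the page's own examples, the lint reports the direct assignment policy (Example 1) as standing access with no review, and flags that the second approval stage of Example 2 has no primary approvers and so depends entirely on its fallback list; removing the approval requirement from Example 2 would additionally trigger `external-no-approval`.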

Example 3: Create a policy that automatically creates assignments based on a membership rule

The following example shows a policy that automatically creates assignments for users in the Sales department.

Request

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies
Content-Type: application/json

{
    "displayName": "Sales department users",
    "description": "All users from sales department",
    "allowedTargetScope": "specificDirectoryUsers",
    "specificAllowedTargets": [
        {
            "@odata.type": "#microsoft.graph.attributeRuleMembers",
            "description": "Membership rule for all users from sales department",
            "membershipRule": "(user.department -eq \"Sales\")"
        }
    ],
    "automaticRequestSettings": {
        "requestAccessForAllowedTargets": true,
        "removeAccessWhenTargetLeavesAllowedTargets": true,
        "gracePeriodBeforeAccessRemoval": "P7D"
    },
    "accessPackage": {
        "id": "8a36831e-1527-4b2b-aff2-81259a8d8e76"
    }
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
    "id": "962493bb-be02-4aeb-a233-a205bbfe1d8d",
    "displayName": "Sales department users",
    "description": "All users from sales department"
}

Example 4: Create a policy that requires requestors to answer questions when requesting access, to give approvers additional information

The following example shows a request for a policy under which requestors must answer questions when they request access.

Request

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies
Content-Type: application/json

{
    "displayName": "A Policy With Questions",
    "description": "",
    "allowedTargetScope": "allMemberUsers",
    "expiration": {
        "type": "noExpiration"
    },
    "requestorSettings": {
        "enableTargetsToSelfAddAccess": true,
        "enableTargetsToSelfUpdateAccess": true,
        "enableTargetsToSelfRemoveAccess": true
    },
    "requestApprovalSettings": {
        "isApprovalRequiredForAdd": true,
        "isApprovalRequiredForUpdate": true,
        "stages": [
            {
                "durationBeforeAutomaticDenial": "P7D",
                "isApproverJustificationRequired": false,
                "isEscalationEnabled": false,
                "fallbackPrimaryApprovers": [],
                "escalationApprovers": [],
                "fallbackEscalationApprovers": [],
                "primaryApprovers": [
                    {
                        "@odata.type": "#microsoft.graph.singleUser",
                        "userId": "08a551cb-575a-4343-b914-f6e42798bd20"
                    }
                ]
            }
        ]
    },
    "questions": [
        {
            "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
            "sequence": 1,
            "isRequired": true,
            "isAnswerEditable": true,
            "text": "What country are you working from?",
            "isMultipleSelectionAllowed": false,
            "choices": [
                {
                    "@odata.type": "microsoft.graph.accessPackageAnswerChoice",
                    "actualValue": "KE",
                    "text": "Kenya"
                },
                {
                    "@odata.type": "microsoft.graph.accessPackageAnswerChoice",
                    "actualValue": "US",
                    "text": "United States"
                },
                {
                    "@odata.type": "microsoft.graph.accessPackageAnswerChoice",
                    "actualValue": "GY",
                    "text": "Guyana"
                },
                {
                    "@odata.type": "microsoft.graph.accessPackageAnswerChoice",
                    "actualValue": "BD",
                    "text": "Bangladesh"
                },
                {
                    "@odata.type": "microsoft.graph.accessPackageAnswerChoice",
                    "actualValue": "JP",
                    "text": "Japan"
                }
            ]
        },
        {
            "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
            "sequence": 2,
            "isRequired": true,
            "isAnswerEditable": true,
            "text": "What do you do for work?",
            "localizations": [
                {
                    "languageCode": "fr-CA",
                    "text": "Que fais-tu comme travail?"
                }
            ],
            "isSingleLineQuestion": false,
            "regexPattern": "[a-zA-Z]+[a-zA-Z\\s]*"
        }
    ],
    "accessPackage": {
        "id": "977c7ff4-ef8f-4910-9d31-49048ddf3120"
    }
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
    "id": "24e5711e-92f0-41e2-912d-9f4e005f36cc",
    "displayName": "A Policy With Questions",
    "allowedTargetScope": "allMemberUsers",
    "createdDateTime": "2022-09-30T20:32:07.1949218Z",
    "modifiedDateTime": "2022-09-30T20:32:07.4173893Z"
}

Example 5: Create a policy and specify the stages that trigger a predefined access package custom extension

In the following example, a predefined accessPackageCustomWorkflowExtension object is triggered when an access package assignment request is created or approved. The identifier in the customExtension property corresponds to the ID of the accessPackageCustomWorkflowExtension object.

Request

The following example shows a request.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies/
Content-type: application/json

{
    "displayName": "customExtensionStageSettings policy",
    "description": "policy with specified stages for custom extension assignment",
    "allowedTargetScope": "notSpecified",
    "specificAllowedTargets": [],
    "expiration": {
        "endDateTime": null,
        "duration": null,
        "type": "noExpiration"
    },
    "requestorSettings": {
        "enableTargetsToSelfAddAccess": false,
        "enableTargetsToSelfUpdateAccess": false,
        "enableTargetsToSelfRemoveAccess": false,
        "allowCustomAssignmentSchedule": true,
        "enableOnBehalfRequestorsToAddAccess": false,
        "enableOnBehalfRequestorsToUpdateAccess": false,
        "enableOnBehalfRequestorsToRemoveAccess": false,
        "onBehalfRequestors": []
    },
    "requestApprovalSettings": {
        "isApprovalRequiredForAdd": false,
        "isApprovalRequiredForUpdate": false,
        "stages": []
    },
    "accessPackage": {
        "id": "5ad1eb64-15f7-4614-b419-05d11ee266bf"
    },
    "customExtensionStageSettings": [
        {
            "stage": "assignmentRequestCreated",
            "customExtension": {
                "@odata.type": "#microsoft.graph.accessPackageAssignmentRequestWorkflowExtension",
                "id": "bebe7873-1f0d-4db9-b6c3-01f7ebfe8476"
            }
        }
    ]
}

Response

The following example shows the response. By default, the customExtensionStageSettings object isn't returned. To retrieve it, use the GET accessPackageAssignmentPolicy method with $expand. For more information, see Example 2: Retrieve the custom extension stage settings for a policy.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
  "id": "d0324cbb-24a2-4edb-acca-fee5384c6a5e",
  "displayName": "customExtensionStageSettings policy",
  "description": "policy with specified stages for custom extension assignment",
  "canExtend": false,
  "durationInDays": 0,
  "expirationDateTime": null,
  "accessPackageId": "5ad1eb64-15f7-4614-b419-05d11ee266bf",
  "accessReviewSettings": null,
  "questions": [],
  "requestorSettings": {
    "scopeType": "AllExistingDirectorySubjects",
    "acceptRequests": true,
    "allowedRequestors": []
  },
  "requestApprovalSettings": {
    "isApprovalRequired": false,
    "isApprovalRequiredForExtension": false,
    "isRequestorJustificationRequired": false,
    "approvalMode": "NoApproval",
    "approvalStages": []
  },
  "customExtensionStageSettings": [
        {
            "stage": "assignmentRequestCreated",
            "customExtension": {
                "@odata.type": "#microsoft.graph.accessPackageAssignmentRequestWorkflowExtension",
                "id": "bebe7873-1f0d-4db9-b6c3-01f7ebfe8476"
            }
        }
    ]
}