Create privilegedRoleAssignmentRequest
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Note
On May 31, 2021, this version of the Privileged Identity Management (PIM) API for Azure Active Directory (Azure AD) roles was deprecated and stopped returning data. Use the new role management APIs instead.
Create a privilegedroleassignmentrequest object.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
| --- | --- |
| Delegated (work or school account) | PrivilegedAccess.ReadWrite.AzureAD |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Not supported. |
HTTP request
POST /privilegedRoleAssignmentRequests
Request headers
| Name | Description |
| --- | --- |
| Authorization | Bearer {token}. Required. |
Request body
In the request body, supply a JSON representation of a privilegedroleassignmentrequest object.
| Property | Type | Description |
| --- | --- | --- |
| roleId | String | The ID of the role. Required. |
| type | String | Represents the type of the operation on the role assignment. The value can be AdminAdd: an administrator adds a user to a role; UserAdd: a user adds a role assignment. Required. |
| assignmentState | String | The state of the assignment. The value can be Eligible for an eligible assignment, or Active if the role was directly assigned as Active by an administrator or activated on an eligible assignment by the user. Possible values are: NotStarted, Completed, RequestedApproval, Scheduled, Approved, ApprovalDenied, ApprovalAborted, Cancelling, Cancelled, Revoked, RequestExpired. Required. |
| reason | String | A reason must be provided for the role assignment request, for audit and review purposes. |
| schedule | governanceSchedule | The schedule of the role assignment request. |
Response
If successful, this method returns a 201 Created response code and a privilegedRoleAssignmentRequest object in the response body.
Error codes
This API returns the standard HTTP error codes. In addition, it can return the error codes listed in the following table.
| Error code | Error message |
| --- | --- |
| 400 BadRequest | RoleAssignmentRequest property is NULL |
| 400 BadRequest | Cannot deserialize roleAssignmentRequest object. |
| 400 BadRequest | RoleId is required. |
| 400 BadRequest | Schedule start date must be specified and should be greater than Now. |
| 400 BadRequest | A schedule already exists for this user, role, and schedule type. |
| 400 BadRequest | A pending approval already exists for this user, role, and approval type. |
| 400 BadRequest | Requestor reason is missing. |
| 400 BadRequest | Requestor reason should be less than 500 characters. |
| 400 BadRequest | Elevation duration must be between 0.5 and {from setting}. |
| 400 BadRequest | There is overlap between scheduled activation and requests. |
| 400 BadRequest | Role is already activated. |
| 400 BadRequest | GenericElevateUserToRoleAssignments: Ticket information is required and not provided during activation. |
| 403 UnAuthorized | Multi-factor authentication is required for elevation. |
| 403 UnAuthorized | Elevation on behalf of another user is not allowed. |
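The request-body table and the 400-class error table above together define what the service will reject. The following JavaScript is an added example, not code from the Microsoft Graph documentation or SDK: it applies those documented rules locally before a privilegedRoleAssignmentRequest is posted, so a malformed privileged-activation request is caught (and can be logged) client-side rather than surfacing as a 400 BadRequest. The constant MAX_DURATION_HOURS (8) and the requireTicket option are assumed stand-ins for the tenant settings the page shows only as "{from setting}" and as the ticket-information error; the client object is assumed to have the api().version().post() shape used by the JavaScript SDK snippet below.

```javascript
'use strict';

// Added example, not from the Microsoft Graph documentation or SDK: a
// pre-flight validator for privilegedRoleAssignmentRequest bodies built
// from the rules listed in this page's request-body and error tables.
const MAX_REASON_LENGTH = 500;   // "Requestor reason should be less than 500 characters"
const MIN_DURATION_HOURS = 0.5;  // "Elevation duration must be between 0.5 and {from setting}"
const MAX_DURATION_HOURS = 8;    // assumed tenant setting; the page shows only "{from setting}"
const VALID_TYPES = new Set(['AdminAdd', 'UserAdd']);
const VALID_STATES = new Set(['Eligible', 'Active']);

// Returns the list of documented problems found in `body`; an empty list
// means every rule the page describes is satisfied. opts.now pins "Now"
// (useful for tests); opts.requireTicket is an assumed switch mirroring the
// tenant setting that makes ticket information mandatory for activations.
function validatePrivilegedRoleAssignmentRequest(body, opts = {}) {
  const now = opts.now instanceof Date ? opts.now : new Date();
  const problems = [];

  if (body === null || typeof body !== 'object') {
    return ['RoleAssignmentRequest property is NULL'];
  }
  if (typeof body.roleId !== 'string' || body.roleId.trim() === '') {
    problems.push('RoleId is required');
  }
  if (!VALID_TYPES.has(body.type)) {
    problems.push('type must be AdminAdd or UserAdd');
  }
  if (!VALID_STATES.has(body.assignmentState)) {
    problems.push('assignmentState must be Eligible or Active');
  }

  // The reason is mandatory for audit and review, and capped in length.
  if (typeof body.reason !== 'string' || body.reason.trim() === '') {
    problems.push('Requestor reason is missing');
  } else if (body.reason.length >= MAX_REASON_LENGTH) {
    problems.push(`Requestor reason should be less than ${MAX_REASON_LENGTH} characters`);
  }

  // The schedule start must parse as a date and lie in the future.
  const rawStart = body.schedule && body.schedule.startDateTime;
  const start = rawStart ? new Date(rawStart) : null;
  if (!start || Number.isNaN(start.getTime()) || start <= now) {
    problems.push('Schedule start date must be specified and should be greater than Now');
  }

  // Duration is sent as a string of hours; it must fall inside the window.
  const duration = Number(body.duration);
  if (!Number.isFinite(duration) || duration < MIN_DURATION_HOURS || duration > MAX_DURATION_HOURS) {
    problems.push(`Elevation duration must be between ${MIN_DURATION_HOURS} and ${MAX_DURATION_HOURS}`);
  }

  // Ticket information can be required when a user activates an eligible role.
  const isActivation = body.type === 'UserAdd' && body.assignmentState === 'Active';
  if (opts.requireTicket && isActivation && !(body.ticketNumber && body.ticketSystem)) {
    problems.push('Ticket information is required and not provided during activation');
  }
  return problems;
}

// Posts the body through a Graph client with the same call shape as the
// JavaScript SDK snippet on this page, but only after local validation passes.
async function submitPrivilegedRoleAssignmentRequest(client, body, opts = {}) {
  const problems = validatePrivilegedRoleAssignmentRequest(body, opts);
  if (problems.length > 0) {
    throw new Error(`request rejected locally: ${problems.join('; ')}`);
  }
  return client.api('/privilegedRoleAssignmentRequests').version('beta').post(body);
}
```

The validator deliberately reproduces the service's own error wording so that a locally rejected request and a 400 from Graph look the same in application logs; the two checks that depend on server-side state (existing schedule or pending approval, overlap with a scheduled activation, role already activated) cannot be evaluated client-side and are left to the service.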
Example
Request
The following is an example of the request.
HTTP
POST https://graph.microsoft.com/beta/privilegedRoleAssignmentRequests
Content-type: application/json
{
"duration": "2",
"reason": "Activate the role for business purpose",
"ticketNumber": "234",
"ticketSystem": "system",
"schedule": {
"startDateTime": "2018-02-08T02:35:17.903Z"
},
"type": "UserAdd",
"assignmentState": "Active",
"roleId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}
C#
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var privilegedRoleAssignmentRequest = new PrivilegedRoleAssignmentRequestObject
{
Duration = "2",
Reason = "Activate the role for business purpose",
TicketNumber = "234",
TicketSystem = "system",
Schedule = new GovernanceSchedule
{
StartDateTime = DateTimeOffset.Parse("2018-02-08T02:35:17.903Z")
},
Type = "UserAdd",
AssignmentState = "Active",
RoleId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
};
await graphClient.PrivilegedRoleAssignmentRequests
.Request()
.AddAsync(privilegedRoleAssignmentRequest);
JavaScript
const options = {
authProvider,
};
const client = Client.init(options);
const privilegedRoleAssignmentRequest = {
duration: '2',
reason: 'Activate the role for business purpose',
ticketNumber: '234',
ticketSystem: 'system',
schedule: {
startDateTime: '2018-02-08T02:35:17.903Z'
},
type: 'UserAdd',
assignmentState: 'Active',
roleId: '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'
};
await client.api('/privilegedRoleAssignmentRequests')
.version('beta')
.post(privilegedRoleAssignmentRequest);
Objective-C
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
// No trailing slash on the base URL, so appending the path yields a single "/"
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/privilegedRoleAssignmentRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphPrivilegedRoleAssignmentRequest *privilegedRoleAssignmentRequest = [[MSGraphPrivilegedRoleAssignmentRequest alloc] init];
[privilegedRoleAssignmentRequest setDuration:@"2"];
[privilegedRoleAssignmentRequest setReason:@"Activate the role for business purpose"];
[privilegedRoleAssignmentRequest setTicketNumber:@"234"];
[privilegedRoleAssignmentRequest setTicketSystem:@"system"];
MSGraphGovernanceSchedule *schedule = [[MSGraphGovernanceSchedule alloc] init];
// startDateTime expects an NSDate: parse the ISO 8601 timestamp instead of passing a bare C string
NSISO8601DateFormatter *isoFormatter = [[NSISO8601DateFormatter alloc] init];
isoFormatter.formatOptions = NSISO8601DateFormatWithInternetDateTime | NSISO8601DateFormatWithFractionalSeconds;
[schedule setStartDateTime:[isoFormatter dateFromString:@"2018-02-08T02:35:17.903Z"]];
[privilegedRoleAssignmentRequest setSchedule:schedule];
[privilegedRoleAssignmentRequest setType:@"UserAdd"];
[privilegedRoleAssignmentRequest setAssignmentState:@"Active"];
[privilegedRoleAssignmentRequest setRoleId:@"88d8e3e3-8f55-4a1e-953a-9b9898b8876b"];
NSError *error;
NSData *privilegedRoleAssignmentRequestData = [privilegedRoleAssignmentRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:privilegedRoleAssignmentRequestData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
Java
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
PrivilegedRoleAssignmentRequest privilegedRoleAssignmentRequest = new PrivilegedRoleAssignmentRequest();
privilegedRoleAssignmentRequest.duration = "2";
privilegedRoleAssignmentRequest.reason = "Activate the role for business purpose";
privilegedRoleAssignmentRequest.ticketNumber = "234";
privilegedRoleAssignmentRequest.ticketSystem = "system";
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.startDateTime = OffsetDateTimeSerializer.deserialize("2018-02-08T02:35:17.903Z");
privilegedRoleAssignmentRequest.schedule = schedule;
privilegedRoleAssignmentRequest.type = "UserAdd";
privilegedRoleAssignmentRequest.assignmentState = "Active";
privilegedRoleAssignmentRequest.roleId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b";
graphClient.privilegedRoleAssignmentRequests()
.buildRequest()
.post(privilegedRoleAssignmentRequest);
Go
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
// Assumes "log" and "time" are imported alongside the msgraphsdk package.
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewPrivilegedRoleAssignmentRequest()
duration := "2"
requestBody.SetDuration(&duration)
reason := "Activate the role for business purpose"
requestBody.SetReason(&reason)
ticketNumber := "234"
requestBody.SetTicketNumber(&ticketNumber)
ticketSystem := "system"
requestBody.SetTicketSystem(&ticketSystem)
schedule := msgraphsdk.NewGovernanceSchedule()
requestBody.SetSchedule(schedule)
startDateTime, err := time.Parse(time.RFC3339, "2018-02-08T02:35:17.903Z")
if err != nil {
	log.Fatal(err)
}
schedule.SetStartDateTime(&startDateTime)
// "type" is a Go keyword and cannot be used as a variable name
requestType := "UserAdd"
requestBody.SetType(&requestType)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
roleId := "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
requestBody.SetRoleId(&roleId)
result, err := graphClient.PrivilegedRoleAssignmentRequests().Post(requestBody)
if err != nil {
	log.Fatal(err)
}
_ = result // the created privilegedRoleAssignmentRequest
PowerShell
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
Duration = "2"
Reason = "Activate the role for business purpose"
TicketNumber = "234"
TicketSystem = "system"
Schedule = @{
StartDateTime = [System.DateTime]::Parse("2018-02-08T02:35:17.903Z")
}
Type = "UserAdd"
AssignmentState = "Active"
RoleId = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}
New-MgPrivilegedRoleAssignmentRequest -BodyParameter $params
Response
The following is an example of the response. Note: the response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#privilegedRoleAssignmentRequests/$entity",
"schedule": {
"type": "activation",
"startDateTime": "2018-02-08T02:35:17.903Z",
"endDateTime": null,
"duration" : null
},
"id": "e13ef8a0-c1cb-4d03-aaae-9cd1c8ede2d1",
"type": "UserAdd",
"assignmentState": "Active",
"requestedDateTime": "2018-02-08T02:35:42.9137335Z",
"status": "NotStarted",
"duration": "2",
"reason": "Activate the role for business purpose",
"ticketNumber": "234",
"ticketSystem": "system",
"userId": "Self",
"roleId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}