Create roleEligibilityScheduleRequest
Namespace: microsoft.graph
In PIM, request a role eligibility for a principal through the unifiedRoleEligibilityScheduleRequest object. This operation allows admins and eligible users to add, revoke, or extend eligible assignments.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

| Permission type | Permissions (from least to most privileged) |
| --- | --- |
| Delegated (work or school account) | RoleEligibilitySchedule.ReadWrite.Directory |
| Delegated (personal Microsoft account) | Not supported. |
| Application | RoleAssignmentSchedule.ReadWrite.Directory |
HTTP request

```http
POST /roleManagement/directory/roleEligibilityScheduleRequests
```

Request headers

| Name | Description |
| --- | --- |
| Authorization | Bearer {token}. Required. |
| Content-Type | application/json. Required. |
Request body
In the request body, supply a JSON representation of the unifiedRoleEligibilityScheduleRequest object.
The following properties can be specified when you create a unifiedRoleEligibilityScheduleRequest.

| Property | Type | Description |
| --- | --- | --- |
| action | unifiedRoleScheduleRequestActions | Represents the type of operation on the role eligibility request. The possible values are: adminAssign, adminUpdate, adminRemove, adminExtend, adminRenew, selfActivate, selfDeactivate, selfExtend, selfRenew, unknownFutureValue. adminAssign: for administrators to assign eligible roles to principals. adminRemove: for administrators to remove eligible roles from principals. adminUpdate: for administrators to change existing role eligibilities. adminExtend: for administrators to extend expiring role eligibilities. adminRenew: for administrators to renew expired eligibilities. selfActivate: for users to activate their assignments. selfDeactivate: for users to deactivate their active assignments. selfExtend: for users to request to extend their expiring assignments. selfRenew: for users to request to renew their expired assignments. |
| appScopeId | String | Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Either directoryScopeId or appScopeId is required. |
| directoryScopeId | String | Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Either directoryScopeId or appScopeId is required. |
| isValidationOnly | Boolean | Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request. Optional. |
| justification | String | A message provided by users and administrators when they create the unifiedRoleEligibilityScheduleRequest object. Optional when action is adminRemove. Whether this property is required or optional also depends on the settings of the Azure AD role. |
| principalId | String | Identifier of the principal that has been granted the role eligibility. Required. |
| roleDefinitionId | String | Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Required. |
| scheduleInfo | requestSchedule | The period of the role eligibility. Optional when action is adminRemove. The period of eligibility depends on the settings of the Azure AD role. |
| ticketInfo | ticketInfo | Ticket details linked to the role eligibility request, including details of the ticket number and ticket system. Optional. |
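The property table above states several rules the service enforces (principalId and roleDefinitionId are required, exactly one of directoryScopeId or appScopeId must be present, justification and scheduleInfo are optional for adminRemove, and isValidationOnly turns the call into a dry run). The following Python is an added example and is not Microsoft's code or part of the Graph SDK: it encodes those rules so a malformed request is rejected locally before it is POSTed. Property names, action values and the endpoint path come from the page; the helper names and the `require_justification` knob are this example's own assumptions.

```python
"""Local pre-flight checks for a unifiedRoleEligibilityScheduleRequest body.

Added example (not Microsoft's code). Property names, action values and the
endpoint path come from the API page; helper names and the
require_justification knob are assumptions of this example.
"""
from datetime import datetime

ENDPOINT = "/roleManagement/directory/roleEligibilityScheduleRequests"

# Values of unifiedRoleScheduleRequestActions from the property table.
# unknownFutureValue is an evolvable-enum sentinel and is never sent by a client.
ACTIONS = {
    "adminAssign", "adminUpdate", "adminRemove", "adminExtend", "adminRenew",
    "selfActivate", "selfDeactivate", "selfExtend", "selfRenew",
}


def _parse_utc(value):
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def schedule_after_date_time(start, end):
    """Build a requestSchedule whose expiration is of type afterDateTime."""
    if _parse_utc(end) <= _parse_utc(start):
        raise ValueError("expiration endDateTime must be after startDateTime")
    return {
        "startDateTime": start,
        "expiration": {"type": "afterDateTime", "endDateTime": end},
    }


def build_request(action, principal_id, role_definition_id, *,
                  directory_scope_id=None, app_scope_id=None,
                  justification=None, schedule_info=None, ticket_info=None,
                  validation_only=False, require_justification=False):
    """Return the JSON body for POST ENDPOINT, or raise ValueError.

    require_justification mirrors a role setting that makes justification
    mandatory; the page says that depends on the Azure AD role, so it is a
    caller-supplied knob here rather than a hard rule.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not principal_id or not role_definition_id:
        raise ValueError("principalId and roleDefinitionId are required")
    # Exactly one scope: directoryScopeId ('/' is tenant-wide) or appScopeId.
    if (directory_scope_id is None) == (app_scope_id is None):
        raise ValueError("exactly one of directoryScopeId or appScopeId is required")
    # justification and scheduleInfo are optional for adminRemove; for every
    # other action the role settings decide, which the caller expresses here.
    if action != "adminRemove" and require_justification and not justification:
        raise ValueError("justification is required by the role settings")

    body = {
        "action": action,
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
    }
    if directory_scope_id is not None:
        body["directoryScopeId"] = directory_scope_id
    else:
        body["appScopeId"] = app_scope_id
    if justification:
        body["justification"] = justification
    if schedule_info is not None:
        body["scheduleInfo"] = schedule_info
    if ticket_info is not None:
        body["ticketInfo"] = ticket_info
    if validation_only:
        # Dry run: the service evaluates rules such as MFA without creating anything.
        body["isValidationOnly"] = True
    return body


if __name__ == "__main__":
    import json
    # The assignment from example 1 on this page, reproduced through the builder.
    print(json.dumps(build_request(
        "adminAssign",
        "071cc716-8147-4397-a5ba-b2105951cc0b",
        "8424c6f0-a189-499e-bbd0-26c1753c96d4",
        directory_scope_id="/",
        justification="Assign Attribute Assignment Admin eligibility to restricted user",
        schedule_info=schedule_after_date_time("2022-04-10T00:00:00Z",
                                               "2024-04-10T00:00:00Z"),
    ), indent=2))
```

Run with `validation_only=True` first when a policy requires MFA or approval; the service then reports whether the request would be accepted without creating an eligibility, which is the intended use of isValidationOnly.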
Response
If successful, this method returns a 201 Created response code and a unifiedRoleEligibilityScheduleRequest object in the response body.
Examples
Example 1: Admin to assign a role eligibility schedule request
Request

```http
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests
Content-Type: application/json

{
    "action": "adminAssign",
    "justification": "Assign Attribute Assignment Admin eligibility to restricted user",
    "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
    "directoryScopeId": "/",
    "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
    "scheduleInfo": {
        "startDateTime": "2022-04-10T00:00:00Z",
        "expiration": {
            "type": "afterDateTime",
            "endDateTime": "2024-04-10T00:00:00Z"
        }
    }
}
```
```csharp
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var unifiedRoleEligibilityScheduleRequest = new UnifiedRoleEligibilityScheduleRequestObject
{
    Action = UnifiedRoleScheduleRequestActions.AdminAssign,
    Justification = "Assign Attribute Assignment Admin eligibility to restricted user",
    RoleDefinitionId = "8424c6f0-a189-499e-bbd0-26c1753c96d4",
    DirectoryScopeId = "/",
    PrincipalId = "071cc716-8147-4397-a5ba-b2105951cc0b",
    ScheduleInfo = new RequestSchedule
    {
        StartDateTime = DateTimeOffset.Parse("2022-04-10T00:00:00Z"),
        Expiration = new ExpirationPattern
        {
            Type = ExpirationPatternType.AfterDateTime,
            EndDateTime = DateTimeOffset.Parse("2024-04-10T00:00:00Z")
        }
    }
};

await graphClient.RoleManagement.Directory.RoleEligibilityScheduleRequests
    .Request()
    .AddAsync(unifiedRoleEligibilityScheduleRequest);
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
```javascript
const options = {
    authProvider,
};

const client = Client.init(options);

const unifiedRoleEligibilityScheduleRequest = {
    action: 'adminAssign',
    justification: 'Assign Attribute Assignment Admin eligibility to restricted user',
    roleDefinitionId: '8424c6f0-a189-499e-bbd0-26c1753c96d4',
    directoryScopeId: '/',
    principalId: '071cc716-8147-4397-a5ba-b2105951cc0b',
    scheduleInfo: {
        startDateTime: '2022-04-10T00:00:00Z',
        expiration: {
            type: 'afterDateTime',
            endDateTime: '2024-04-10T00:00:00Z'
        }
    }
};

await client.api('/roleManagement/directory/roleEligibilityScheduleRequests')
    .post(unifiedRoleEligibilityScheduleRequest);
```
```objectivec
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
// The base URL already ends with "/", so the appended path must not start with one.
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"roleManagement/directory/roleEligibilityScheduleRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphUnifiedRoleEligibilityScheduleRequest *unifiedRoleEligibilityScheduleRequest = [[MSGraphUnifiedRoleEligibilityScheduleRequest alloc] init];
[unifiedRoleEligibilityScheduleRequest setAction: [MSGraphUnifiedRoleScheduleRequestActions adminAssign]];
[unifiedRoleEligibilityScheduleRequest setJustification:@"Assign Attribute Assignment Admin eligibility to restricted user"];
[unifiedRoleEligibilityScheduleRequest setRoleDefinitionId:@"8424c6f0-a189-499e-bbd0-26c1753c96d4"];
[unifiedRoleEligibilityScheduleRequest setDirectoryScopeId:@"/"];
[unifiedRoleEligibilityScheduleRequest setPrincipalId:@"071cc716-8147-4397-a5ba-b2105951cc0b"];

// The schedule setters take NSDate values, not string literals.
NSISO8601DateFormatter *dateFormatter = [[NSISO8601DateFormatter alloc] init];
MSGraphRequestSchedule *scheduleInfo = [[MSGraphRequestSchedule alloc] init];
[scheduleInfo setStartDateTime:[dateFormatter dateFromString:@"2022-04-10T00:00:00Z"]];
MSGraphExpirationPattern *expiration = [[MSGraphExpirationPattern alloc] init];
[expiration setType: [MSGraphExpirationPatternType afterDateTime]];
[expiration setEndDateTime:[dateFormatter dateFromString:@"2024-04-10T00:00:00Z"]];
[scheduleInfo setExpiration:expiration];
[unifiedRoleEligibilityScheduleRequest setScheduleInfo:scheduleInfo];

NSError *error;
NSData *unifiedRoleEligibilityScheduleRequestData = [unifiedRoleEligibilityScheduleRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:unifiedRoleEligibilityScheduleRequestData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
    completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
        // Request completed
    }];

[meDataTask execute];
```
```java
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

UnifiedRoleEligibilityScheduleRequest unifiedRoleEligibilityScheduleRequest = new UnifiedRoleEligibilityScheduleRequest();
unifiedRoleEligibilityScheduleRequest.action = UnifiedRoleScheduleRequestActions.ADMIN_ASSIGN;
unifiedRoleEligibilityScheduleRequest.justification = "Assign Attribute Assignment Admin eligibility to restricted user";
unifiedRoleEligibilityScheduleRequest.roleDefinitionId = "8424c6f0-a189-499e-bbd0-26c1753c96d4";
unifiedRoleEligibilityScheduleRequest.directoryScopeId = "/";
unifiedRoleEligibilityScheduleRequest.principalId = "071cc716-8147-4397-a5ba-b2105951cc0b";
RequestSchedule scheduleInfo = new RequestSchedule();
scheduleInfo.startDateTime = OffsetDateTimeSerializer.deserialize("2022-04-10T00:00:00Z");
ExpirationPattern expiration = new ExpirationPattern();
expiration.type = ExpirationPatternType.AFTER_DATE_TIME;
expiration.endDateTime = OffsetDateTimeSerializer.deserialize("2024-04-10T00:00:00Z");
scheduleInfo.expiration = expiration;
unifiedRoleEligibilityScheduleRequest.scheduleInfo = scheduleInfo;

graphClient.roleManagement().directory().roleEligibilityScheduleRequests()
    .buildRequest()
    .post(unifiedRoleEligibilityScheduleRequest);
```
```go
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewUnifiedRoleEligibilityScheduleRequest()
action := "adminAssign"
requestBody.SetAction(&action)
justification := "Assign Attribute Assignment Admin eligibility to restricted user"
requestBody.SetJustification(&justification)
roleDefinitionId := "8424c6f0-a189-499e-bbd0-26c1753c96d4"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
directoryScopeId := "/"
requestBody.SetDirectoryScopeId(&directoryScopeId)
principalId := "071cc716-8147-4397-a5ba-b2105951cc0b"
requestBody.SetPrincipalId(&principalId)
scheduleInfo := msgraphsdk.NewRequestSchedule()
requestBody.SetScheduleInfo(scheduleInfo)
startDateTime, err := time.Parse(time.RFC3339, "2022-04-10T00:00:00Z")
scheduleInfo.SetStartDateTime(&startDateTime)
expiration := msgraphsdk.NewExpirationPattern()
scheduleInfo.SetExpiration(expiration)
// "type" is a Go keyword and cannot be used as a variable name.
expirationType := "afterDateTime"
expiration.SetType(&expirationType)
endDateTime, err := time.Parse(time.RFC3339, "2024-04-10T00:00:00Z")
expiration.SetEndDateTime(&endDateTime)

result, err := graphClient.RoleManagement().Directory().RoleEligibilityScheduleRequests().Post(requestBody)
```
```powershell
Import-Module Microsoft.Graph.DeviceManagement.Enrolment

$params = @{
    Action = "adminAssign"
    Justification = "Assign Attribute Assignment Admin eligibility to restricted user"
    RoleDefinitionId = "8424c6f0-a189-499e-bbd0-26c1753c96d4"
    DirectoryScopeId = "/"
    PrincipalId = "071cc716-8147-4397-a5ba-b2105951cc0b"
    ScheduleInfo = @{
        StartDateTime = [System.DateTime]::Parse("2022-04-10T00:00:00Z")
        Expiration = @{
            Type = "afterDateTime"
            EndDateTime = [System.DateTime]::Parse("2024-04-10T00:00:00Z")
        }
    }
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
```
Response
Note: The response object shown here might be shortened for readability.

```http
HTTP/1.1 201 Created
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
    "id": "50877283-9d40-433c-bab8-7986dc10458a",
    "status": "Provisioned",
    "createdDateTime": "2022-04-12T09:05:39.7594064Z",
    "completedDateTime": "2022-04-12T09:05:41.8532931Z",
    "approvalId": null,
    "customData": null,
    "action": "adminAssign",
    "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
    "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
    "directoryScopeId": "/",
    "appScopeId": null,
    "isValidationOnly": false,
    "targetScheduleId": "50877283-9d40-433c-bab8-7986dc10458a",
    "justification": "Assign Attribute Assignment Admin eligibility to restricted user",
    "createdBy": {
        "application": null,
        "device": null,
        "user": {
            "displayName": null,
            "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
        }
    },
    "scheduleInfo": {
        "startDateTime": "2022-04-12T09:05:41.8532931Z",
        "recurrence": null,
        "expiration": {
            "type": "afterDateTime",
            "endDateTime": "2024-04-10T00:00:00Z",
            "duration": null
        }
    },
    "ticketInfo": {
        "ticketNumber": null,
        "ticketSystem": null
    }
}
```
Example 2: Admin to remove an existing role eligibility schedule request
In the following request, the administrator creates a request to revoke the eligibility of the principal with ID 071cc716-8147-4397-a5ba-b2105951cc0b to the role 8424c6f0-a189-499e-bbd0-26c1753c96d4.
Request

```http
POST https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests
Content-Type: application/json

{
    "action": "adminRemove",
    "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
    "directoryScopeId": "/",
    "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b"
}
```
```csharp
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var unifiedRoleEligibilityScheduleRequest = new UnifiedRoleEligibilityScheduleRequestObject
{
    // Action is an enum property, so the string literal would not compile.
    Action = UnifiedRoleScheduleRequestActions.AdminRemove,
    RoleDefinitionId = "8424c6f0-a189-499e-bbd0-26c1753c96d4",
    DirectoryScopeId = "/",
    PrincipalId = "071cc716-8147-4397-a5ba-b2105951cc0b"
};

await graphClient.RoleManagement.Directory.RoleEligibilityScheduleRequests
    .Request()
    .AddAsync(unifiedRoleEligibilityScheduleRequest);
```
```javascript
const options = {
    authProvider,
};

const client = Client.init(options);

const unifiedRoleEligibilityScheduleRequest = {
    action: 'adminRemove',
    roleDefinitionId: '8424c6f0-a189-499e-bbd0-26c1753c96d4',
    directoryScopeId: '/',
    principalId: '071cc716-8147-4397-a5ba-b2105951cc0b'
};

await client.api('/roleManagement/directory/roleEligibilityScheduleRequests')
    .version('beta')
    .post(unifiedRoleEligibilityScheduleRequest);
```
```objectivec
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
// The base URL already ends with "/", so the appended path must not start with one.
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"roleManagement/directory/roleEligibilityScheduleRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphUnifiedRoleEligibilityScheduleRequest *unifiedRoleEligibilityScheduleRequest = [[MSGraphUnifiedRoleEligibilityScheduleRequest alloc] init];
// setAction: takes the enum wrapper used in example 1, not a string literal.
[unifiedRoleEligibilityScheduleRequest setAction: [MSGraphUnifiedRoleScheduleRequestActions adminRemove]];
[unifiedRoleEligibilityScheduleRequest setRoleDefinitionId:@"8424c6f0-a189-499e-bbd0-26c1753c96d4"];
[unifiedRoleEligibilityScheduleRequest setDirectoryScopeId:@"/"];
[unifiedRoleEligibilityScheduleRequest setPrincipalId:@"071cc716-8147-4397-a5ba-b2105951cc0b"];

NSError *error;
NSData *unifiedRoleEligibilityScheduleRequestData = [unifiedRoleEligibilityScheduleRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:unifiedRoleEligibilityScheduleRequestData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
    completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
        // Request completed
    }];

[meDataTask execute];
```
```java
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

UnifiedRoleEligibilityScheduleRequest unifiedRoleEligibilityScheduleRequest = new UnifiedRoleEligibilityScheduleRequest();
// action is an enum field; a String would not compile.
unifiedRoleEligibilityScheduleRequest.action = UnifiedRoleScheduleRequestActions.ADMIN_REMOVE;
unifiedRoleEligibilityScheduleRequest.roleDefinitionId = "8424c6f0-a189-499e-bbd0-26c1753c96d4";
unifiedRoleEligibilityScheduleRequest.directoryScopeId = "/";
unifiedRoleEligibilityScheduleRequest.principalId = "071cc716-8147-4397-a5ba-b2105951cc0b";

graphClient.roleManagement().directory().roleEligibilityScheduleRequests()
    .buildRequest()
    .post(unifiedRoleEligibilityScheduleRequest);
```
```go
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewUnifiedRoleEligibilityScheduleRequest()
action := "adminRemove"
requestBody.SetAction(&action)
roleDefinitionId := "8424c6f0-a189-499e-bbd0-26c1753c96d4"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
directoryScopeId := "/"
requestBody.SetDirectoryScopeId(&directoryScopeId)
principalId := "071cc716-8147-4397-a5ba-b2105951cc0b"
requestBody.SetPrincipalId(&principalId)

result, err := graphClient.RoleManagement().Directory().RoleEligibilityScheduleRequests().Post(requestBody)
```
```powershell
Import-Module Microsoft.Graph.DeviceManagement.Enrolment

$params = @{
    Action = "adminRemove"
    RoleDefinitionId = "8424c6f0-a189-499e-bbd0-26c1753c96d4"
    DirectoryScopeId = "/"
    PrincipalId = "071cc716-8147-4397-a5ba-b2105951cc0b"
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
```
Response
The following is an example of the response. The response object shows that a previous role eligibility of the principal is Revoked. The principal will no longer see their previously eligible role.
Note: The response object shown here might be shortened for readability.

```http
HTTP/1.1 201 Created
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
    "id": "f341269e-c926-41fa-a905-cef3b01b2a67",
    "status": "Revoked",
    "createdDateTime": "2022-04-12T09:12:15.6859992Z",
    "completedDateTime": null,
    "approvalId": null,
    "customData": null,
    "action": "adminRemove",
    "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
    "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
    "directoryScopeId": "/",
    "appScopeId": null,
    "isValidationOnly": false,
    "targetScheduleId": null,
    "justification": null,
    "scheduleInfo": null,
    "createdBy": {
        "application": null,
        "device": null,
        "user": {
            "displayName": null,
            "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
        }
    },
    "ticketInfo": {
        "ticketNumber": null,
        "ticketSystem": null
    }
}
```
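The two responses on this page (a Provisioned adminAssign and a Revoked adminRemove) are what an access-review or SIEM pipeline receives when it reads these objects back. The following Python is an added example, not Microsoft's code: it flattens each response into an audit record and flags what a reviewer would want to look at, namely an eligibility granted for longer than a maximum number of days, one with no end date, or one created without a justification. The field names come from the response bodies above, which are embedded as the sample input; the flag names, the `max_days` threshold and the decision to treat a missing endDateTime on a non-removal as a finding are this example's own assumptions.

```python
"""Audit records from unifiedRoleEligibilityScheduleRequest responses.

Added example (not Microsoft's code). Field names come from the response
bodies on the API page; flag names and the max_days threshold are assumptions
of this example.
"""
from datetime import datetime, timezone

# Sample input: the two response bodies from this page, trimmed to the fields used.
SAMPLE_RESPONSES = [
    {
        "id": "50877283-9d40-433c-bab8-7986dc10458a",
        "status": "Provisioned",
        "action": "adminAssign",
        "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
        "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
        "directoryScopeId": "/",
        "appScopeId": None,
        "justification": "Assign Attribute Assignment Admin eligibility to restricted user",
        "createdBy": {"user": {"id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"}},
        "scheduleInfo": {
            "startDateTime": "2022-04-12T09:05:41.8532931Z",
            "expiration": {"type": "afterDateTime",
                           "endDateTime": "2024-04-10T00:00:00Z", "duration": None},
        },
    },
    {
        "id": "f341269e-c926-41fa-a905-cef3b01b2a67",
        "status": "Revoked",
        "action": "adminRemove",
        "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
        "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
        "directoryScopeId": "/",
        "appScopeId": None,
        "justification": None,
        "createdBy": {"user": {"id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"}},
        "scheduleInfo": None,
    },
]


def parse_graph_time(value):
    """Parse Graph's UTC timestamps, which carry up to seven fractional digits."""
    main, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    # Python's microsecond field holds six digits; the seventh is dropped.
    return dt.replace(microsecond=int(frac[:6].ljust(6, "0"))) if frac else dt


def audit_request(resp, max_days=365):
    """Flatten one response object and attach review flags."""
    schedule = resp.get("scheduleInfo") or {}
    expiration = schedule.get("expiration") or {}
    end = expiration.get("endDateTime")
    days = None
    flags = []
    if resp["action"] != "adminRemove":
        # Removals carry no schedule and need no justification (see the property table).
        if end is None:
            flags.append("no_expiration")
        else:
            start = parse_graph_time(schedule["startDateTime"])
            days = (parse_graph_time(end) - start).days
            if days > max_days:
                flags.append("exceeds_max_days")
        if not resp.get("justification"):
            flags.append("no_justification")
    created_by = ((resp.get("createdBy") or {}).get("user") or {}).get("id")
    return {
        "id": resp["id"],
        "status": resp["status"],
        "action": resp["action"],
        "principalId": resp["principalId"],
        "roleDefinitionId": resp["roleDefinitionId"],
        "scope": resp.get("directoryScopeId") or resp.get("appScopeId"),
        "createdBy": created_by,
        "endDateTime": end,
        "days": days,
        "flags": flags,
    }


def audit_requests(responses, max_days=365):
    """Audit a list of response objects, e.g. the value array of a GET on the collection."""
    return [audit_request(r, max_days) for r in responses]


if __name__ == "__main__":
    for rec in audit_requests(SAMPLE_RESPONSES):
        print(rec["status"], rec["action"], rec["days"], rec["flags"])
```

On the page's own data the Provisioned assignment is flagged as exceeding a 365-day maximum (its eligibility runs 728 full days from the service-assigned startDateTime to endDateTime), while the Revoked removal produces a clean record; the `createdBy.user.id` field is kept so the record can be joined to the directory audit log for the administrator who made the change.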