How To Call an Endpoint to Check if a User Has Access
You can use the following endpoint to check if a user has an UMRS Grant for a particular resource by sending it the tenantId, and then filtering via the roleName and ResourceId:
POST [URI]/_api/auth/admin/tenants/{tenantId}/umrs-grants/check
For a more detailed example, see the Check an Individual Grant for Access section of the Quick Start guide.
How To Integrate an App with the Request Approval Workflow
Approval Workflow: The information needed to handle access requests. Different request templates may share the same workflow or may define different workflows.
An Approval Workflow has the following parts:
- Approval group - the group of users managing the resource who have permission to either invite someone to have access to a resource or to approve a request that a user made for themselves
- Approval email template - the Handlebars-based email template sent to a user when a request is approved
- Rejection email template - the Handlebars-based email template sent to a user when a request is rejected
- approveIn - the max number of days available for an approver to approve
To integrate a Workflow with your app, first create an Approval Group, an Approval email template, and a Rejection email template in the Auth UI. There are default approval and rejection email templates available in the Auth UI. When you create an Access Request Template you can set it to send email templates in response to a request approval or rejection.
After you have your request template set up, call the following endpoint with the TenantId and the RequestableAccessId to make requests:
POST .../_api/auth/admin/tenants/{tenantId}/access-requests
{
  "id": 0,
  "status": "pending",
  "requestorNotes": "string",
  "createdAt": "2019-08-24T14:15:22Z",
  "approvedAt": "2019-08-24T14:15:22Z",
  "resourceId": "string",
  "expiresAt": "2019-08-24T14:15:22Z",
  "requestDescription": "string",
  "confirmationToken": "string",
  "confirmationTokenExpiration": "2019-08-24T14:15:22Z",
  "resourceUrl": "string",
  "isInvite": true,
  "requestedByUserId": 0,
  "requestedForUserId": 0,
  "requestableAccessId": 0,
  "tenantId": 0
}
Your Approval Group will be able to receive email notifications of an access request, and can approve or reject requests either through the email link or through the Auth User Portal.
How To Notify a User of Expiring Access
Users can see whether their access is expiring in the Auth User Portal, which can also notify them of expiring access. To request an extension, the User can view their accesses, find the access that is expiring, and click Extend. The extension can then be approved or rejected, if necessary.
So that the User can request an extension, create a Resource Extension template in the Auth UI. For instructions on how to do this, view the Create a New Access Request Template instructions.
You can also send a new invitation to the User instead of granting an extension. This would give the User a new Grant for the resource.
## The Invitation Process
1. The inviter selects an invitation template that uses the UMRS role he wants to grant to a user for a resource. (Note: the inviter must be an approver (i.e., in the approval group) for the workflow of the template.)
2. The inviter chooses a user to invite.
3. The inviter specifies the resourceId and grant expiration date (or none if access will not expire).
4. The inviter sends the invitation.
5. The invitee receives an invitation email describing what resource he is being invited to access.
6. The invitee clicks the acceptance button in the email. (The invitation will expire after a set amount of time as described by the template. If the invitation is expired, the invitation will need to be reissued.) **OR** The user could accept an invitation via the Invitations dashboard in the Auth User Portal.
7. A Grant is created to give the invited user the role on the resource.
How To Revoke a User’s Access
Revoking a User’s access to a resource is currently unsupported in the Auth UI. You can, however, revoke access by sending the TenantId and the id of the existing UMRS Grant to the following endpoint to remove access from a user:
`DELETE [URI]/_api/auth/admin/tenants/{tenantId}/umrs-grants/user-assignment/{id}`
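An added example (not code from the Auth project) showing one way to build the access-request POST and the revoke DELETE so that tenantId and id values taken from application input cannot change the request path. The base URI, the function names, the https-only check and the choice of body fields are assumptions of this example; authentication headers are omitted because the page does not describe them.

```python
import json
from urllib.parse import quote, urlsplit
from urllib.request import Request

BASE_URI = "https://auth.example.invalid"  # constructed stand-in for [URI]


def path_segment(value):
    """Encode one path parameter so it cannot add or climb path segments."""
    text = str(value)
    if text in ("", ".", ".."):
        raise ValueError(f"unsafe path parameter: {text!r}")
    return quote(text, safe="")  # "/" becomes %2F, so the id stays one segment


def admin_url(base_uri, tenant_id, *tail):
    """Join the admin prefix from the page with already-safe tail segments."""
    if urlsplit(base_uri).scheme != "https":
        raise ValueError("admin API calls must use https")  # example policy
    prefix = base_uri.rstrip("/") + "/_api/auth/admin/tenants/"
    return prefix + "/".join([path_segment(tenant_id), *tail])


def build_access_request(base_uri, tenant_id, requestable_access_id,
                         resource_id, requested_for_user_id, notes=""):
    """POST .../tenants/{tenantId}/access-requests (built, not sent)."""
    # Assumption: this subset of the body fields shown on the page is enough.
    body = {
        "tenantId": tenant_id,
        "requestableAccessId": requestable_access_id,
        "resourceId": resource_id,
        "requestedForUserId": requested_for_user_id,
        "requestorNotes": notes,
    }
    return Request(admin_url(base_uri, tenant_id, "access-requests"),
                   data=json.dumps(body).encode("utf-8"), method="POST",
                   headers={"Content-Type": "application/json"})


def build_revoke(base_uri, tenant_id, grant_id):
    """DELETE .../tenants/{tenantId}/umrs-grants/user-assignment/{id}."""
    url = admin_url(base_uri, tenant_id, "umrs-grants", "user-assignment",
                    path_segment(grant_id))
    return Request(url, method="DELETE")  # add your auth header before sending
```

Pass the returned `Request` to `urllib.request.urlopen` once the credentials your deployment requires have been added.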