Set Temporary Elevated Device Privileges Using the API

This article explains how to use the JumpCloud API to set temporary elevated device privileges for a user in your org. To perform these functions, use the Access Requests API endpoint. See the API docs. By using various API calls (GET, POST, PUT) you can create, query, modify, or revoke existing access requests. 

The access requests endpoint accepts these API calls to perform various functions: 

  • POST
    • Create an access request.
    • Revoke an existing access request by inputting its accessID.
  • GET
    • Query an existing access request by inputting its accessID.
  • PUT
    • Modify the expiration time of an existing access request by its accessID.

Prerequisites:

Considerations:

  • The following examples are presented in cURL, but you can also use an app like Postman to manage your API requests. See Configure JumpCloud API Endpoints in Postman
  • Creating an access request generates an accessID specific to that request. This $ACCESS_ID value is required for querying, updating, or revoking an existing request.

Running an Access Request Command

The following is a sample command to create an access request. This will grant the user temporary admin privileges on the specified device that will be automatically revoked at the expiry time.  

curl --location 'https://console.jumpcloud.com/api/v2/accessrequests' \
--header 'x-api-key: $JC_API_KEY' \
--header 'X-Org-Id: $JC_ORG_ID' \
--header 'Content-Type: application/json' \
--data '{
  "requestorId": "$JC_User_ID",
  "resourceId": "$JC_Device_ID",
  "resourceType": "device",
  "remarks": "",
  "expiry": "2024-05-10T13:57:45.497Z",
  "operationId": "ff487bda-e18f-42ed-9d6c-5c7cafd6adf9",
  "additionalAttributes": {
    "sudo": {
      "enabled": true,
      "withoutPassword": false
    }
  }
}'

You’ll need to enter the relevant information into the following fields to create the access request:

  • x-api-key
    • Your API key.
  • X-Org-Id
    • Your JumpCloud Organizational ID.
  • requestorId
    • The objectID of the user you’re granting temporary elevated privileges.
  • resourceId
    • The objectID of the user’s device.
  • resourceType
    • This is defined as “device” for this request.
  • expiry
    • The time in UTC when the user’s temporary elevated privileges will expire.

Successful completion of the command will create the access request and return an accessID which can be used to query, update, or revoke it ahead of expiration.

{
    "id": "$ACCESS_ID"
}

Querying an Access Request

You can use the accessID returned in the previous step to query the status of the access request. Replace the $ACCESS_ID below with the returned value.

curl --location 'https://console.jumpcloud.com/api/v2/accessrequests/$ACCESS_ID’ \
--header 'Accept: application/json' \
--header 'x-api-key: $JC_API_KEY

This will return details of the access request:

{
    "id": 16839,
    "applicationIntId": "",
    "accessId": "ACCESS_ID",
    "onBehalfOfUserId": "redacted",
    "requestorId": "$JC_User_ID",
    "tempGroupId": "",
    "resourceId": "$JC_Device_ID",
    "resourceType": "device",
    "accessState": "granted",
    "remarks": "",
    "expiry": "2024-05-10T13:57:45Z",
    "version": 0,
    "createdBy": "redacted",
    "updatedBy": "redacted",
    "operationId": "ff487bda-e18f-42ed-9d6c-5c7cafd6adf9",
    "additionalAttributes": "eyJzdWRvIjogeyJlbmFibGVkIjogdHJ1ZSwgIndpdGhvdXRQYXNzd29yZCI6IGZhbHNlfX0=",
    "duration": 148664,
    "metadata": "",
    "jobId": "ZjvjIVIlzQABNQxS",
    "companyId": "YkX0p4k4MlRDoC8n"
}

Updating an Access Request

You can also use the accessID to update an existing access request. For example, you can extend the duration of the user’s temporary admin access. This example extends the expiry 1 day past the original command from 2024-05-10 to 2024-05-11.

curl --location --request PUT 'https://console.jumpcloud.com/api/v2/accessrequests/$ACCESS_ID' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'x-api-key: $JC_API_KEY' \
--data '{
  "additionalAttributes": {},
  "expiry": "2024-05-11T19:42:30.404Z",
  "organizationObjectId": "$JC_Device_ID",
  "requestorId": "redacted",
  "remarks": "<string>"
}'

Revoking an Access Request

To revoke an access request and remove a user’s temporary admin access ahead of the expiration, use the following command. Replace the $ACCESS_ID below with the returned value in the first step after creating the access request:

curl --location --request POST 'https://console.jumpcloud.com/api/v2/accessrequests/$ACCESS_ID/revoke' \
--header 'Accept: application/json' \
--header 'x-api-key: $JC_API_KEY'

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case