Access Manager API (2026.1.0.0)

Returns a list of all agent groups known to AM.

Gets a possibly filtered list of all locations known to AM.

The list can optionally be filtered using a combination of query parameters. Omitted filters are not applied. The following query parameters are supported:

module: If set, only locations of the given module are returned. Required, if location is set.

onlyVisibleInSsp: If set to true, only locations that are visible in the AM Self Service Portal (SSP) are returned.
Setting this filter to false has the same effect as omitting it: all locations are returned regardless of their visibility in the SSP.
This filter is ignored if location is set.

location: Load only the given location. If set, module must also be specified and onlyVisibleInSsp is ignored.

A successful request will return a (possibly empty) unordered list of location objects.
Each location object contains a system generated location identifier (id), a module, a location (e.g., folder path or site URL), a type (e.g., RightsFolder or ManagedSite) and the fields requests_enabled and supplementary_permissions.

requests_enabled is only set for locations of type RightsFolder, ManagedFolderCollection, ManagedSite or ManagedSiteCollection.
On location object of other types, it will always be null.
requests_enabled indicates, whether permissions on this location can be requested using the SSP.
It has no impact on the request API resource.
As modules like ThirdParty and Profile are not explicitly supported, possibility of being requestable can be decided by their SSP visibility (see above): if a resource object is not visible in SSP, you may judge this as not requestable – even though it is possible via this API function.

supplementary_permissions indicates whether the locations logic to grant permissions is set to "Supplementary Permissions" or "Exclusive Permissions". false in this case means the locations logic to grant permissions is set to "Exclusive-Permissions" which is the default for all types. The only type that supports "Supplementary Permissions" is 3rd party item (ThirdPartyItem).

Adds a new location.

The required format of the request model varies based on the location type:

ResourceGroup:

{
  "type": "ResourceGroup",
  "module": "FolderManagement",
  "location": "ResourceGroupName",
  "description": "string",
  "self_service_description": "string"
}

FolderCollection:

{
  "type": "FolderCollection",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder",
  "resource_group_id": "Zm0tcmdpZC0x",
  "display_name": "string",
  "description": "string",
  "self_service_description": "string",
  "enable_rights_management": true,
  "agent_group_name": "Default",
  "domain_mode": "MultiDomain",
  "organizational_unit": "OU=ou,DC=domain,DC=tld",
  "local_ad_group_naming_pattern": "lg_{0}_{1:00000000}_{2}",
  "global_ad_group_naming_pattern": "gg_{0}_{1:00000000}_{2}",
  "admin_group": "DOMAIN\\group.name",
  "browse_group": "DOMAIN\\group.name",
  "enable_access_groups": true,
  "enable_new_folder_requests_on_folder_collection": true,
  "deviation_strategy": "IdentifyAndCorrect",
  "always_take_ownership": false,
  "audit_ownership_changes": false,
  "enable_realtime_permissions": true
}

If any other location type is provided, the API will respond with a 400 Bad Request response.

Returns details of the location identified by the provided locationId.

This requires an HTTP GET query including the locationId is sent to /locations.

Removes the location identified by the provided locationId.

This requires an HTTP DELETE query including the locationId is sent to /locations.

Only locations of type ResourceGroup, ManagedFolderCollection and FolderCollection support deletion. If any other location type is provided, the API will respond with a 400 Bad Request response.

Updates the properties of the particular location.

The location must already exist in the system.
It cannot be used to create a new location.

the JSON object is required to contain the type of the location to update and additional required properties in the request body. The locationId is required to be passed in the URL.
The type of the location cannot be changed.
If any property is null or not provided in the request,
it will be removed from AM.

The required format of the request model varies based on the location type:

ResourceGroup:

{
  "type": "ResourceGroup",
  "location": "ResourceGroupName",
  "description": "string",
  "self_service_description": "string"
}

FolderCollection or ManagedFolderCollection:

{
  "type": "FolderCollection",
  "display_name": "string",
  "description": "string",
  "self_service_description": "string",
  "enable_rights_management": true,
  "agent_group_name": "Default",
  "domain_mode": "MultiDomain",
  "organizational_unit": "OU=ou,DC=domain,DC=tld",
  "local_ad_group_naming_pattern": "lg_{0}_{1:00000000}_{2}",
  "global_ad_group_naming_pattern": "gg_{0}_{1:00000000}_{2}",
  "admin_group": "DOMAIN\\group.name",
  "browse_group": "DOMAIN\\group.name",
  "enable_access_groups": true,
  "enable_new_folder_requests_on_folder_collection": true,
  "deviation_strategy": "IdentifyAndCorrect",
  "always_take_ownership": false,
  "audit_ownership_changes": false,
  "enable_realtime_permissions": true
}

If any other location type is provided, the API will respond with a 400 Bad Request response.

Gets the owners of the location identified by the provided locationId.

This requires an HTTP GET query including the locationId is sent to /locations and the part /owners behind the id.

Only locations of type FolderCollection, ManagedFolderCollection, Folder, RightsFolder, SiteCollection, ManagedSiteCollection, Site, ManagedSite and ThirdPartyItem support owners. If the provided locationId belongs to a ResourceGroup, a ThirdPartyItemCollection, a UserProfile, a ManagedUserProfile, or an OrgProfile, the API will respond with a 400 Bad Request response.

Replaces the owners of the location identified by locationId with the provided list of owners.

Only locations of type FolderCollection, ManagedFolderCollection, Folder, RightsFolder, SiteCollection, ManagedSiteCollection, Site, ManagedSite and ThirdPartyItem support owners. If the provided locationId belongs to a ResourceGroup, a ThirdPartyItemCollection, a UserProfile, a ManagedUserProfile, or an OrgProfile, the API will respond with a 400 Bad Request response.

If the location is managed, i.e. it is a ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, or ThirdPartyItem, the provided list of owners must contain at least one entry. Otherwise, the API will respond with a 409 Conflict response.

Gets the responsibles of the location identified by the provided locationId.

Only locations of type ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, UserProfile, ManagedUserProfile and OrgProfile support responsibles. If the provided locationId belongs to a FolderCollection, a Folder, a SiteCollection or a Site, the API will respond with a 409 Conflict response. If it belongs to any other location type, the API will respond with a 400 Bad Request response.

Replaces the responsibles of the location identified by locationId with the provided list of responsibles.

Only locations of type ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, UserProfile, ManagedUserProfile and OrgProfile support responsibles. If the provided locationId belongs to a FolderCollection, a Folder, a SiteCollection or a Site, the API will respond with a 409 Conflict response. If it belongs to any other location type, the API will respond with a 400 Bad Request response.

Unless the location is a UserProfile, ManagedUserProfile or OrgProfile, the provided list of responsibles must contain at least one entry. Otherwise, the API will respond with a 409 Conflict response.

If the location is a UserProfile and has a member synchronization group configured, the API will respond with a 409 Conflict response.

Gets the effective permissions on the location identified by the provided locationId.

Only locations of type ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, UserProfile, ManagedUserProfile and OrgProfile support effective permissions.
If the provided locationId belongs to a FolderCollection, a Folder, a SiteCollection, or a Site, the API will respond with a 409 Conflict response.
If it belongs to any other location type, the API will respond with a 400 Bad Request response.

This method only returns effective permissions on the location.
To get direct permissions, use permissions Get API.

Note that profiles only have direct members, so effective and direct permissions should be identical.
Since they have AM users as members, their target_system_account_name field will always be null.

Gets the permission set on the location identified by the provided locationId.

The permissions in this set are those that must be used when working with permissions on this location.
For example, when creating a permission assign request.

Only locations of type ManagedFolderCollection, RightsFolder, ManagedSiteCollection, ManagedSite, ThirdPartyItem, UserProfile, ManagedUserProfile and OrgProfile have a permission set.

Removes the location identified by the provided locationId.

Only locations of type RightsFolder, ManagedSite, ManagedFolderCollection, ManagedSiteCollection and ThirdPartyItem support removal of permission management.
If the provided locationId is not managed, the API will respond with a 404 Not Found response.
If it belongs to any unsupported location type, the API will respond with a 400 Bad Request response.

mode must be one of RetainGroupRemoveMembers, RetainGroupKeepMembers, DeleteAccessManagerGroups or DeleteInTargetSystem, where DeleteAccessManagerGroups is only supported by RightsFolder, ManagedSite, ManagedFolderCollection and ManagedSiteCollection and RetainGroupRemoveMembers and DeleteInTargetSystem are only supported by ThirdPartyItem.
If the mode is not supported by the location type, the API will respond with a 400 Bad Request response.

Adds a new managed location.

The required format of the request model varies based on the location type:

OrgProfile:

{
  "type": "OrgProfile",
  "module": "Profile",
  "location": "ProfileName",
  "cluster_path": "/",
  "description": "Description",
  "self_service_description": "Self Service Description",
  "responsible_account_names": ["DOMAIN\\john.doe", "DOMAIN\\jane.doe"],
}

UserProfile:

{
  "type": "UserProfile",
  "module": "Profile",
  "location": "ProfileName",
  "cluster_path": "/",
  "description": "Description",
  "self_service_description": "Self Service Description",
  "responsible_account_names": ["DOMAIN\\john.doe", "DOMAIN\\jane.doe"],
  "member_sync_group_name": "DOMAIN\\group.name",
  "use_profile_permission_groups": false,
  "self_service_enabled": true
}

RightsFolder:

{
  "type": "RightsFolder",
  "module": "FolderManagement",
  "location": "\\\\server\\share\\folder",
  "container_id": "Zm0tZl9pZC0x",
  "owner_account_names": ["DOMAIN\\john.doe", "DOMAIN\\jane.doe"],
  "responsible_account_names": ["DOMAIN\\john.doe", "DOMAIN\\jane.doe"],
  "self_service_enabled": true,
  "data_protection_classification_name": "topSecret",
  "inherit_rights": true
}

Gets a list of permissions filtered by user_id or location.

This method only returns individual (direct) permissions or permissions via profiles on a location.
To get the effective permissions on a location, use Locations API effective-permissions.

Adds new privileges to a user or a profile on a certain location.

The request body must be a JSON object containing the module, location, subject_type, user_id, the permission to grant, and optional start (valid_from) and expiration (valid_through) dates.

If the supplied location uses supplementary permissions, and the supplied user_id already has different permissions on the location, the supplied permission is added to the user's permissions and the start (valid_from) and expiration (valid_through) dates are replaced on all of the user's permissions on the location.

Gets the permission details of the provided permissionId.

Removes the permission identified by permissionId.

Updates the access rights (permission) or also start (valid_from) and expiry (valid_through) dates of a user or a profile to access a particular location.

The permission must already exist in the system.
It cannot be used to create new permissions.
The request body must be a JSON object containing the permission to update and optional start (valid_from) and expiry (valid_through) dates.
The permissionId must be passed in the URL.
If the start (valid_from) or expiry (valid_through) date is null or not provided in the request, it will be removed from AM.

If the location uses supplementary permissions, the permission parameter must contain the value *.
Only valid_from and valid_through are updated on all permissions of the user on the location.

Adds a new request for a new managed location below a certain managed or unmanaged parent location.

The JSON representation of a new location request object is defined below:

{
  "module": "FolderManagement or SharePoint",
  "location": "\\\\server\\share\\folder or http://host/path",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "new_location_name": "subfolder or subsite",
  "site_template": "STS#0", // only required if module is SharePoint
  "permission": "read or write or design", // optional
  "comment": "string"
}

If the field permission is omitted, the user will not be permitted on the new location, but the location will still be created.

The field site_template is only required if module is SharePoint.
Available site templates can be requested from SharePoint, e.g. via the REST API like this:

URL: http://{sharepoint-server}/{site-collection}/{site}/_api/web/GetAvailableWebTemplates(lcid=1033,doincludecrosslanguage=true) Method GET Query Parameters: $select=Name, $filter=IsHidden eq false and IsRootWebOnly eq false Example: http://{sharepoint-server}/{site-collection}/{site}/_api/web/GetAvailableWebTemplates(lcid=1033,doincludecrosslanguage=true)?$select=Name&$filter=IsHidden eq false and IsRootWebOnly eq false

Adds a new request for permission assignments on a location (e.g., a folder) and for membership assignment in a user profile.

These requests only work for locations that use the exclusive permission grant logic.
For those locations that use the supplementary permission grant logic,
the "Permission-Update-Request" must be used.

The JSON representation of a permission assignment request object is defined below:

{
  "module": "FolderManagement or SharePoint or ThirdParty or Profile",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName or ManagedUserProfileName",
  "user_subject_type": "User or Profile", // Determines the type of user_id. Can be User or Profile.
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname or account.name@domain.tld or ProfileName",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "permission": "read or write or design or owner or member or visitor or profilemembership", // See permission set of location
  "valid_from": "YYYY-MM-DD", // optional date
  "valid_through": "YYYY-MM-DD", // optional date
  "comment": "string"
}

• module must be one of [FolderManagement, SharePoint, ThirdParty, Profile]
• location must be a location matching the module, or the name of a managed user profile if Profile is selected as module.
• user_subject_type determines the type of user_id. Can be User or Profile.
• user_id must be the Active Directory user sAMAccountName or group name with NetBIOS domain name prefix or the Microsoft Entra user principal name or the ProfileName of the user or group or profile that should be granted the permission.
• requestor_subject_type determines the type of requestor_id. Must always be User.
• requestor_id must be the Active Directory user sAMAccountName with NetBIOS domain name prefix of the user requesting the permission for the aforementioned user or group.
• permission must be a valid permission from the permission set of the location (always use the english named value).
• valid_from is an optional start date. It is only processed if module is Profile. It must be a date before valid_through.
• valid_through is an optional expiration date. It must be a date in the future.
• comment is optional and can be any text.

Adds a new permission removal request for a user on a certain location.

These requests only work for locations that use the exclusive permission grant logic.
For those locations that use the supplementary permission grant logic, the "Permission-Update-Request" must be used.

The JSON representation of a permission removal request object is defined below:

{
  "module": "FolderManagement or SharePoint or ThirdParty",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "comment": "string"
}

Adds a new request for permission updates on a 3rd party item that uses the supplementary permission logic.

The JSON representation of a permission update request object is defined below:

{
  "module": "ThirdParty",
  "location": "ItemCollectionName/ItemName",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name or DOMAIN\\groupname",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "permissions": [
    "permission01",
    "permission02"
  ], // See permission set of location
  "valid_through": "YYYY-MM-DD", // optional date
  "comment": "string"
}

• module must be ThirdParty.
• location must be 3rd party item location (ItemCollectionName/ItemName).
• user_subject_type determines the type of user_id. Must always be User.
• user_id must be the active directory user sAMAccountName or group name with NetBIOS domain name prefix of the user or group that should be granted the permission.
• requestor_subject_type determines the type of requestor_id. Must always be User.
• requestor_id must be the active directory user sAMAccountName with NetBIOS domain name prefix of the user requesting the permission for the aforementioned user or group.
• permissions must be an array of valid permission from the permission set of the location or can be an empty array to remove permissions.
• valid_through is an optional expiration date. It must be a date in the future.
• comment is optional and can be any text.

Adds a new request for the responsible role for a user on a certain location.

The JSON representation of a responsible role assignment request object is defined below:

{
  "module": "FolderManagement or SharePoint or ThirdParty",
  "location": "\\\\server\\share\\folder or http://host/path or ItemCollectionName/ItemName",
  "user_subject_type": "User", // Determines the type of user_id. Must always be User.
  "user_id": "DOMAIN\\account.name",
  "requestor_subject_type": "User", // Determines the type of requestor_id. Must always be User.
  "requestor_id": "DOMAIN\\account.name",
  "comment": "string"
}

Schedules a job that renews the access settings.

This method works differently depending on the value of field offset_minutes:

• If the value of offset_minutes is greater than 0, it schedules the renew access settings job after the input provided time (minutes).
• If the value of offset_minutes is not provided or is equal to 0, it schedules the renew access settings job immediately if it is not already scheduled.

The job being scheduled and the required format of path depend on the supplied module:

Returns a list of all scripts that are enabled and have API execution permitted. Use this endpoint to discover available scripts and their IDs before executing them.

Example Request:

GET /api/v1/scripts

Example Response:

[
  {
    "id": 1,
    "path": "/reports/",
    "name": "Generate-AuditReport",
    "description": "Creates an audit report for the specified date range",
    "use_windows_power_shell": false
  },
  {
    "id": 2,
    "path": "/maintenance/",
    "name": "Cleanup-TempFiles",
    "description": "Removes temporary files older than 30 days",
    "use_windows_power_shell": true
  }
]

Returns detailed information about a single script. The script must have API execution permitted and must not be disabled.

Example Request:

GET /api/v1/scripts/42

Example Response:

{
  "id": 42,
  "path": "/automation/",
  "name": "Sync-ADGroups",
  "description": "Synchronizes Active Directory group memberships",
  "use_windows_power_shell": false
}

Identifies the script via the {scriptId} route parameter and then either executes it directly on the SelfServicePortal or schedules it on an agent group, controlled by the schedule_on_agent property.

Mode 1: Direct Execution on SelfServicePortal (schedule_on_agent: false, default)

Executes the script synchronously on the SelfServicePortal server and returns the complete execution result. Returns 200 OK with the execution result.

Mode 2: Scheduled Execution on Agent Group (schedule_on_agent: true)

Schedules the script for execution on an agent group. The execution can be delayed by specifying offset_minutes. Returns 202 Accepted with no body.

Script Identification: The script is identified exclusively by the {scriptId} route parameter. The script_id and path properties in the request body are ignored by this endpoint. To identify a script by path, use POST /api/v1/scripts/execute instead.

Request Body Properties:

Example: Direct execution

POST /api/v1/scripts/42/execute

{
  "parameters": {
    "TargetOU": "OU=Users,DC=example,DC=com",
    "DryRun": false
  }
}

Example: Schedule on agent group (immediate)

POST /api/v1/scripts/42/execute

{
  "schedule_on_agent": true,
  "parameters": {
    "TargetOU": "OU=Users,DC=example,DC=com"
  }
}

Example: Schedule on agent group (delayed by 2 hours)

POST /api/v1/scripts/42/execute

{
  "schedule_on_agent": true,
  "offset_minutes": 120,
  "parameters": { "Mode": "Full" },
  "additional_info": "Nightly maintenance run",
  "agent_group_name": "Maintenance-Agents"
}

Example Response (Direct execution — Success):

{
  "script_id": 42,
  "name": "Sync-ADGroups",
  "description": "Synchronizes Active Directory group memberships",
  "use_windows_power_shell": false,
  "has_error": false,
  "error": null,
  "error_records": [],
  "ps_object_infos": []
}

Example Response (Scheduled on agent):

HTTP/1.1 202 Accepted

This endpoint supports two execution modes controlled by the schedule_on_agent property:

Mode 1: Direct Execution on SelfServicePortal (schedule_on_agent: false, default)

Executes the script synchronously on the SelfServicePortal server and returns the complete execution result, including any output objects and error information. Returns 200 OK with the execution result.

Mode 2: Scheduled Execution on Agent Group (schedule_on_agent: true)

Schedules the script for execution on an agent group. The execution can be delayed by specifying offset_minutes. Returns 202 Accepted with no body.