addGroupMember
Add an identity to a group
addGroupToGroup
Nest one group inside another
allowDenyReview
No description
applyIntegrationTemplate
No description
approveRequestPolicyException
No description
archiveReviewCampaignDefinition
Archive (soft-delete) a definition — allowed any time (it's a template). Minted instances keep their FK and stay queryable.
archiveReviewCampaign
Archive (soft-delete) a FINISHED instance (COMPLETED/CANCELLED/FAILED) out of the lists. 409 on a live campaign — cancel it first.
assignRole
No description
cancelPolicyBreaker
No description
cancelPolicyWave
No description
cancelProvisioningOperation
No description
cancelRequest
No description
cancelReviewCampaign
Cancel a campaign. DRAFT/FAILED (with no live items)
cancelSyncRun
No description
changeMyPassword
No description
changePassword
No description
confirmLapseReview
No description
confirmPolicyWave
No description
confirmSodConstraintActivation
No description
confirmUpload
No description
createAccountSyncJob
No description
createAPIKey
No description
createCustomActionDefinition
No description
createCustomConnector
No description
createCustomIdentityAttribute
No description
createDerivedStateAttribute
No description
createDerivedStateRule
No description
createEntitySyncJob
No description
createFunction
No description
createGateway
No description
createGroup
Create a new group
createIdentity
No description
createIdpClient
No description
createPolicy
No description
createProvisioningOperation
No description
createReaction
No description
createRelationshipSyncJob
No description
createRequestComment
No description
createRequest
No description
createResource
Create a new resource
createReviewCampaignDefinition
No description
createReviewCampaign
No description
createReviewItem
Create an ad-hoc review for a single resource grant. Optionally override the policy inline (PartialPolicyDefinition) — that ALSO requires review.policy.manage. Returns the CREATED stub; the engine processes it asynchronously.
createSodConstraint
No description
createSyncJobsFromManifest
No description
deleteCustomActionDefinition
No description
deleteCustomConnector
No description
deleteCustomIdentityAttribute
No description
deleteDerivedStateAttribute
No description
deleteDerivedStateRule
No description
deleteFunction
No description
deleteGroup
Delete a group
deleteIdentity
No description
deleteIdpClient
No description
deleteIntegration
No description
deletePolicy
No description
deleteReaction
No description
deleteRequestComment
No description
deleteResource
Delete a resource (soft delete)
deleteSodConstraint
No description
deleteSyncJob
No description
deleteTenant
Delete a tenant (soft delete)
disablePolicy
No description
disableSodConstraint
No description
dismissInAppNotification
No description
editPolicyDraft
No description
editSodConstraint
No description
_empty
No description
enablePolicy
No description
enableSodConstraint
No description
enqueueAssignedResourceReconcile
No description
executeCustomAction
No description
exportCampaignEvidence
Phase 8: request an async evidence export of the campaign (review.campaign.manage). Returns the PENDING record immediately; the review-svc job streams the NDJSON to storage and notifies the requester. 409 while another export is in flight or for DRAFT/GENERATING campaigns.
extendReviewItemDueDate
Extend the current stage's due date (admin operator action, review.item.create — same pin as the service method). OPEN items only; newDueDate must be in the future. Rewrites the stage's PENDING due dates, recomputes expiresat (deliberately OVERRIDING the campaign dueat ceiling) + the wakeup, and records DUEDATEEXTENDED. Returns the updated admin item.
finalizeIntegrationDeletion
Completes a deleting integration once its revokethendelete grants have drained. force finalizes even with grants still outstanding (they are left unmanaged).
generateCampaignReviews
Launch generation. Returns immediately; the CampaignDO generates + enqueues in the background and marks the campaign ACTIVE.
greenLightDenyReview
No description
installIntegration
No description
invokeConnectorOperation
No description
keepLapseReview
No description
markInAppNotificationsRead
No description
markReviewItemSourceAddressed
Record write-once evidence that a re-applicable grant's source (policy/workflow/scheduled) was addressed (review.remediation.execute). Unblocks REVOKE_BLOCKED decisions and releases held remediation. The note is required (1..2000 chars). Durable grants → 400; re-marking → 409. Returns the updated admin item.
previewPolicyActivation
No description
previewSodConstraintActivation
No description
probeIntegrationConnection
No description
processCreatedReviewItems
Operator escape hatch: enqueue all tenant review items still in CREATED so the review engine can materialize them. Does not touch OPEN or terminal items.
processRequest
No description
publishCustomConnectorVersion
No description
publishFunction
No description
purgeIntegration
Permanently removes a never-provisioned integration and its linked resources (irreversible). Refuses if any linked resource has provisioning history.
reassignApprovalStep
No description
reconcileIntegrationManifest
No description
recordReviewDecision
Record a reviewer's decision on a step. Returns a reviewer-safe ReviewDecisionResult ({ reviewItemId, ok, status, message }) — NOT the full ReviewItem, so the policy/lineage/events/foreign-steps (H8) are never selectable on the decide response.
recordReviewDecisions
Record many reviewer decisions in one call. Authenticated-only; each item is authorized independently inside the service. Returns a per-item result; an item the actor cannot decide returns FORBIDDEN without failing the batch.
reissueGatewayEnrollmentToken
No description
remediateReviewItem
Operator 'Remediate' action (review.remediation.execute). Submits a NEEDSREMEDIATION item's revoke to prov-svc, or retries a FAILED one on the same operation — executed by the review-svc worker. Held-on-source, INPROGRESS, COMPLETED, NOT_REQUIRED, and disabled-mode grants → 409. Returns the refreshed admin item.
removeGroupFromGroup
Remove a nested group relationship
removeGroupMember
Remove an identity from a group
reorderDerivedStateRules
No description
repreviewPolicyWave
No description
requestUpload
No description
resolveSyncPendingAdoption
IGA G13 (#515): approve (adopt) or reject (flag) a parked adopt-with-review item.
resumePolicyBreaker
No description
resumePolicyWave
No description
retryProvisioningOperation
No description
retrySyncRun
No description
revokeAPIKey
No description
revokeExemption
No description
revokeGateway
No description
revokeRole
No description
rollbackFunctionLiveVersion
No description
rotateIdpClientSecret
No description
rotateIdpSigningKey
No description
runReviewCampaignDefinition
"Run" — mint a fresh DRAFT instance copying the definition's name/description/scope/policy, assigning runnumber and dueat = now + dueOffsetDays. Gated review.campaign.manage only: the minter RUNS a policy an authorized author configured (authoring stays gated at definition writes).
setIdentityAttributeDefaultResolutionPolicy
No description
setIdentityAttributes
No description
setReviewCampaignDefinitionSchedule
Set / replace / clear (null) a definition's recurrence. A SEPARATE mutation, deliberately NOT folded into updateReviewCampaignDefinition: schedule writes recompute nextrunat and deserve an explicit surface. Gated review.campaign.manage only — the schedule re-RUNS a template whose policy writes were already gated.
stagePolicyVersion
No description
testIntegrationConnection
No description
triggerSyncRun
No description
updateAccountSyncJob
No description
updateCustomActionDefinition
No description
updateCustomConnectorDraft
No description
updateCustomConnector
No description
updateDerivedStateAttribute
No description
updateDerivedStateRule
No description
updateEntitlementReviewPolicy
Set or clear an entitlement review-policy override.
updateEntitlementRiskLevel
Set an entitlement's numeric risk level (1..5).
updateEntitySyncJob
No description
updateFunctionDraft
No description
updateFunctionEgressConfig
No description
updateFunctionVersionSecrets
No description
updateFunction
No description
updateGroup
Update an existing group
updateIdentityAttribute
No description
updateIdpClient
No description
updateIntegrationEntitySchemas
No description
updateIntegration
No description
updateReaction
No description
updateRelationshipSyncJob
No description
updateRequestComment
No description
updateResourceEntitlements
Replace entitlements for a resource and kind
updateResourceProfiles
Update resource profiles (provisioning profile, sync profile)
updateResource
Update an existing resource
updateReviewCampaignDefinition
Edit the template. Affects only FUTURE runs — already-minted instances copied their own scope/policy at mint.
updateReviewCampaign
Edit a DRAFT campaign's name / user+resource scope / policy / due date before launch.
updateRole
No description
updateSettings
Update settings for the current tenant
updateTenantMfaPolicy
Update tenant MFA policy settings
updateTenant
Update an existing tenant
updateTicket
No description
upsertNotificationPolicy
No description