moveworks · madhumitha-arbaan · Dec 4, 2025
@@ -0,0 +1,10 @@
+curl --location 'https://<YOUR_INSTANCE>/v2025/search ' \
+--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
+--header 'Accept: application/json' \
+--data-raw '
+{ 
+  "indices": ["identities"], 
+  "query": {  
+    "query": "email:{{email}}"  
+  } 
+}'
@@ -0,0 +1,3 @@
+curl --location 'https://<YOUR_INSTANCE>/v2025/sources?limit=50&offset=0&sorters=-created' \
+--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
+--header 'Accept: application/json'
@@ -0,0 +1,13 @@
+curl --location 'https://<YOUR_INSTANCE>/v2025/search?limit=50&offset=0&sorters=-created' \
+--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
+--header 'Accept: application/json' \
+--data '
+{ 
+  "indices": ["entitlements"], 
+  "query": { 
+    "query": "source.name:*{{source_name}}* AND requestable:true" 
+  }, 
+  "queryResultFilter": { 
+    "includes": ["field1","field2"...]
+  }
+}'
@@ -0,0 +1,23 @@
+curl --location 'https://<YOUR_INSTANCE>/v2025/access-requests' \
+--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
+--header 'Content-Type: application/json' \
+--data 
+'{ 
+  "requestedForWithRequestedItems": [ 
+    { 
+      "identityId": "{{identity_id}}", 
+      "requestedItems": [ 
+        { 
+          "type": "ENTITLEMENT", 
+          "id": "{{entitlement_id}}", 
+          "name": "{{entitlement_name}}", 
+          "comment": "{{comment}}", 
+          "clientMetadata": { 
+            "requestedAppName": "{{source_name}}", 
+            "requestedAppId": "{{source_id}}" 
+          } 
+        } 
+      ] 
+    } 
+  ] 
+}'
@@ -8,8 +8,10 @@ description: A plugin that allows employees to request access to applications, r
 domain:
 - IT
 - Access Management
-fidelity: IDEA
+fidelity: GUIDE
 name: Request Application Access
+difficulty_level: BEGINNER
+time_in_minutes: 10
 purple_chat_link: https://marketplace.moveworks.com/purple-chat?conversation=%7B%22messages%22%3A%5B%7B%22role%22%3A%22user%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22I+need+access+to+a+system%22%7D%5D%7D%2C%7B%22role%22%3A%22assistant%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ECertainly%2C+I+can+help+with+that.+Which+system+do+you+need+access+to%2C+and+what+permissions+are+required%3F%3C%2Fp%3E%22%7D%5D%7D%2C%7B%22role%22%3A%22user%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22Salesforce%2C+Read-Only+access%22%7D%5D%7D%2C%7B%22role%22%3A%22assistant%22%2C%22parts%22%3A%5B%7B%22reasoningSteps%22%3A%5B%7B%22status%22%3A%22success%22%2C%22richText%22%3A%22Searching+%3Cb+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ESailpoint+iNow%3C%2Fb%3E+for+Salesforce+systems...%22%7D%5D%7D%2C%7B%22richText%22%3A%22%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3EI+found+a+few+Salesforce+systems.+Which+one+do+you+need+access+to%3F%3C%2Fp%3E%3Cul+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3E%3Cli%3E%3Cb%3ESalesforce+Production%3C%2Fb%3E%3C%2Fli%3E%3Cli%3E%3Cb%3ESalesforce+Production+-+EU%3C%2Fb%3E%3C%2Fli%3E%3Cli%3E%3Cb%3ESalesforce+Sandbox%3C%2Fb%3E%3C%2Fli%3E%3C%2Ful%3E%22%7D%2C%7B%22citations%22%3A%5B%7B%22connectorName%22%3A%22sailpoint-inow%22%2C%22citationTitle%22%3A%22Salesforce+Production%22%7D%2C%7B%22connectorName%22%3A%22sailpoint-inow%22%2C%22citationTitle%22%3A%22Salesforce+Production+-+EU%22%7D%2C%7B%22connectorName%22%3A%22sailpoint-inow%22%2C%22citationTitle%22%3A%22Salesforce+Sandbox%22%7D%5D%7D%5D%7D%2C%7B%22role%22%3A%22user%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22Salesforce+Prod%22%7D%5D%7D%2C%7B%22role%22%3A%22assistant%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3EOkay%2C+I+can+request+%3Cb%3ERead-Only+access%3C%2Fb%3E+for+%3Cb%3ESalesforce+Production%3C%2Fb%3E+on+your+behalf.%3C%2Fp%3E%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3E%3Cb%3EDoes+this+look+correct%3F%3C%2Fb%3E%3C%2Fp%3E%22%7D%2C%7B%22buttons%22%3A%5B%7B%22buttonText%22%3A%22Submit%22%2C%22style%22%3A%22filled%22%7D%2C%7B%22buttonText%22%3A%22Cancel%22%2C%22style%22%3A%22outlined%22%7D%5D%7D%5D%7D%2C%7B%22role%22%3A%22user%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22Submit%22%7D%5D%7D%2C%7B%22role%22%3A%22assistant%22%2C%22parts%22%3A%5B%7B%22reasoningSteps%22%3A%5B%7B%22status%22%3A%22success%22%2C%22richText%22%3A%22Submitting+access+request+for+%3Cb+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ESalesforce+Production%3C%2Fb%3E+with+%3Cb+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ERead-Only%3C%2Fb%3E+permissions+in+%3Cb+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ESailpoint+iNow%3C%2Fb%3E...%22%7D%5D%7D%2C%7B%22richText%22%3A%22%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3EYour+request+for+Read-Only+access+to+Salesforce+Production+has+been+submitted.%3C%2Fp%3E%22%7D%5D%7D%5D%7D
 solution_tags:
 - Access Management
@@ -18,3 +20,171 @@ systems:
 - sailpoint-inow
 
 ---
+## **Introduction**
+
+The SailPoint “Request Application Access” plugin empowers employees to seamlessly request access to entitlements directly through the Moveworks AI Assistant. By simplifying the selection of access options and automatically generating requests in SailPoint iNow, it removes the need for manual forms and reduces the risk of errors. This ensures faster access provisioning, improved accuracy, and a more compliant and efficient access-management workflow.
+
+This guide will walk you through installing and configuring the plugin in **Agent Studio** in just a few minutes. Let’s get started!
+
+## **Prerequisites**
+
+- Access to Agent Studio
+
+## **What are we building?**
+
+### **Agent Design**
+
+This [purple chat](https://marketplace.moveworks.com/purple-chat?conversation=%7B%22messages%22%3A%5B%7B%22role%22%3A%22user%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22I+need+access+to+a+system%22%7D%5D%7D%2C%7B%22role%22%3A%22assistant%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ECertainly%2C+I+can+help+with+that.+Which+system+do+you+need+access+to%2C+and+what+permissions+are+required%3F%3C%2Fp%3E%22%7D%5D%7D%2C%7B%22role%22%3A%22user%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22Salesforce%2C+Read-Only+access%22%7D%5D%7D%2C%7B%22role%22%3A%22assistant%22%2C%22parts%22%3A%5B%7B%22reasoningSteps%22%3A%5B%7B%22status%22%3A%22success%22%2C%22richText%22%3A%22Searching+%3Cb+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ESailpoint+iNow%3C%2Fb%3E+for+Salesforce+systems...%22%7D%5D%7D%2C%7B%22richText%22%3A%22%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3EI+found+a+few+Salesforce+systems.+Which+one+do+you+need+access+to%3F%3C%2Fp%3E%3Cul+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3E%3Cli%3E%3Cb%3ESalesforce+Production%3C%2Fb%3E%3C%2Fli%3E%3Cli%3E%3Cb%3ESalesforce+Production+-+EU%3C%2Fb%3E%3C%2Fli%3E%3Cli%3E%3Cb%3ESalesforce+Sandbox%3C%2Fb%3E%3C%2Fli%3E%3C%2Ful%3E%22%7D%2C%7B%22citations%22%3A%5B%7B%22connectorName%22%3A%22sailpoint-inow%22%2C%22citationTitle%22%3A%22Salesforce+Production%22%7D%2C%7B%22connectorName%22%3A%22sailpoint-inow%22%2C%22citationTitle%22%3A%22Salesforce+Production+-+EU%22%7D%2C%7B%22connectorName%22%3A%22sailpoint-inow%22%2C%22citationTitle%22%3A%22Salesforce+Sandbox%22%7D%5D%7D%5D%7D%2C%7B%22role%22%3A%22user%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22Salesforce+Prod%22%7D%5D%7D%2C%7B%22role%22%3A%22assistant%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3EOkay%2C+I+can+request+%3Cb%3ERead-Only+access%3C%2Fb%3E+for+%3Cb%3ESalesforce+Production%3C%2Fb%3E+on+your+behalf.%3C%2Fp%3E%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3E%3Cb%3EDoes+this+look+correct%3F%3C%2Fb%3E%3C%2Fp%3E%22%7D%2C%7B%22buttons%22%3A%5B%7B%22buttonText%22%3A%22Submit%22%2C%22style%22%3A%22filled%22%7D%2C%7B%22buttonText%22%3A%22Cancel%22%2C%22style%22%3A%22outlined%22%7D%5D%7D%5D%7D%2C%7B%22role%22%3A%22user%22%2C%22parts%22%3A%5B%7B%22richText%22%3A%22Submit%22%7D%5D%7D%2C%7B%22role%22%3A%22assistant%22%2C%22parts%22%3A%5B%7B%22reasoningSteps%22%3A%5B%7B%22status%22%3A%22success%22%2C%22richText%22%3A%22Submitting+access+request+for+%3Cb+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ESalesforce+Production%3C%2Fb%3E+with+%3Cb+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ERead-Only%3C%2Fb%3E+permissions+in+%3Cb+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3ESailpoint+iNow%3C%2Fb%3E...%22%7D%5D%7D%2C%7B%22richText%22%3A%22%3Cp+xmlns%3D%5C%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%5C%22%3EYour+request+for+Read-Only+access+to+Salesforce+Production+has+been+submitted.%3C%2Fp%3E%22%7D%5D%7D%5D%7D) shows the experience we are going to build.
+
+## **Installation Steps**
+
+We recommend setting up **Sailpoint iNow** before installing this plugin. Please follow the [Sailpoint Connector](https://marketplace.moveworks.com/connectors/sailpoint-inow#how-to-implement) guide to configure the connection.
+
+**User Consent Authentication Benefits:**
+
+With OAuth 2.0 User Consent Authentication enabled, users can securely access their own SailPoint iNow data—such as sources and entitlements—through Moveworks without sharing credentials. By authenticating once through SailPoint’s login page, each user authorizes the bot to safely retrieve their access information and submit access requests on their behalf.
+
+This ensures strong data privacy, role-based access control, and a seamless self-service experience where users can view and request only the access they are permitted to see based on their identity and security policies.
+
+**Required SailPoint Permissions:**
+
+To enable Moveworks to retrieve source and entitlement data—and to submit access requests through SailPoint iNow—ensure your SailPoint connected app / integration configuration includes the appropriate OAuth scopes and API permissions.
+
+### **Required OAuth Scope**
+
+Your SailPoint iNow connected app must include:
+
+- **Access and manage your identity data (api)**
+
+This scope is essential for retrieving available sources and entitlements, as well as creating access request tickets through SailPoint iNow APIs.
+
+### **Required API / Object Permissions**
+
+Ensure the integration user or service account used for Moveworks has **read and request-creation access** to the following SailPoint iNow objects:
+
+- **`idn:identity:read`**
+- **`idn:entitlement:read`**
+- **`idn:sources:read`**
+- **`idn:source-schema:read`**
+- **`sp:search:read`**
+- **`idn:access-request:manage`**
+
+These permissions allow Moveworks to:
+
+- Retrieve the list of source and access items available to the user
+- Validate entitlement details
+- Submit access requests on behalf of the authenticated user
+
+**Your Instance Configuration:**
+
+All Sailpoint iNow API endpoints in this plugin use **`'YOUR_INSTANCE'`** as a placeholder. After installation, replace **`'YOUR_INSTANCE'`** in the action definitions with your actual Sailpoint iNow instance name.
+
+To find your instance name:
+
+- Log in to your Sailpoint iNow account.
+- Check the URL in your browser — the instance name appears before **`.identitynow.com`**
+
+e.g.: **`https://your_instance.identitynow.com/...`**
+
+Make sure to update this across all actions that reference the Sailpoint iNow API.
+
+Once the connector is successfully configured, follow our [plugin installation documentation](https://help.moveworks.com/docs/ai-agent-marketplace-installation) for detailed steps on how to install and activate the plugin in **Agent Studio**.
+
+## **Appendix**
+
+### **API #1: Retrieve Identity Details:**
+
+```bash
+curl --location 'https://<YOUR_INSTANCE>/v2025/search ' \
+--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
+--header 'Accept: application/json' \
+--data-raw '
+{ 
+  "indices": ["identities"], 
+  "query": {  
+    "query": "email:{{email}}"  
+  } 
+}'
+```
+
+**Requested Body Parameter:**
+
+`email` : (string) - Used to retrieve the identity id.
+
+### **API #2: Retrieve Source Details:**
+
+```bash
+curl --location 'https://<YOUR_INSTANCE>/v2025/sources?limit=50&offset=0&sorters=-created' \
+--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
+--header 'Accept: application/json'
+```
+
+**Query Parameter:**
+
+- **limit** – Specifies how many source records to return in a single response.
+- **offset** – Skips the first *N* records, allowing you to paginate through results.
+- **sorters** – Defines the sorting order of the returned records (e.g., `created` sorts by creation date in descending order).
+
+### **API #3: Retrieve Entitlements Using the Source Name:**
+
+```bash
+curl --location 'https://<YOUR_INSTANCE>/v2025/search?limit=50&offset=0&sorters=-created' \
+--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
+--header 'Accept: application/json' \
+--data '
+{ 
+  "indices": ["entitlements"], 
+  "query": { 
+    "query": "source.name:*{{source_name}}* AND requestable:true" 
+  }, 
+  "queryResultFilter": { 
+    "includes": ["field1","field2"...]
+  }
+}'
+```
+
+**Requested Body Parameter:**
+
+`source_name` : (string) - Used to retrieve entitlements using source name and using the partial search.
+`queryResultFilter` : (object) – Used to select specific fields to be returned in the API response.
+
+### **API #4: Access Request:**
+
+```bash
+curl --location 'https://<YOUR_INSTANCE>/v2025/access-requests' \
+--header 'Authorization: Bearer <YOUR_ACCESS_TOKEN>' \
+--header 'Content-Type: application/json' \
+--data 
+'{ 
+  "requestedForWithRequestedItems": [ 
+    { 
+      "identityId": "{{identity_id}}", 
+      "requestedItems": [ 
+        { 
+          "type": "ENTITLEMENT", 
+          "id": "{{entitlement_id}}", 
+          "name": "{{entitlement_name}}", 
+          "comment": "{{comment}}", 
+          "clientMetadata": { 
+            "requestedAppName": "{{source_name}}", 
+            "requestedAppId": "{{source_id}}" 
+          } 
+        } 
+      ] 
+    } 
+  ] 
+}'
+```
+
+**Requested Body Parameter:**
+
+- **`requestedForWithRequestedItems**`  – The list of identities and the access items they are requesting.
+- **`identityId**`  – The SailPoint ID of the user for whom the access request is being created.
+- **`requestedItems**`  – The collection of specific access items (entitlements, roles, etc.) being requested.
+- **`type`** – The category of access being requested (e.g., ENTITLEMENT).
+- **`id`**  – The unique identifier of the entitlement or access item being requested.
+- **`name**`  – The display name of the access item being requested.
+- **`comment**`  – The user’s justification or note explaining why the access is needed.
+- **`clientMetadata**`  – Additional contextual information passed along with the request.
+- **`requestedAppName**`  – The human-readable name of the application tied to the requested entitlement.
+- **`requestedAppId**`  – The unique SailPoint source ID of the application associated with the entitlement.