0
# Privileged Identity Management
1
2
Advanced access control capabilities with time-bound assignments, approval workflows, eligibility management, and policy enforcement. PIM enables just-in-time access patterns and comprehensive governance for privileged roles in Azure.
3
4
## Capabilities
5
6
### Role Assignment Scheduling
7
8
Manage time-bound role assignments with configurable start and end times, supporting both immediate and scheduled activation patterns.
9
10
```python { .api }
11
def create(scope: str, role_assignment_schedule_request_name: str, parameters: RoleAssignmentScheduleRequest) -> RoleAssignmentScheduleRequest:
12
"""
13
Create a role assignment schedule request for time-bound access.
14
15
Parameters:
16
- scope: The scope of the role assignment
17
- role_assignment_schedule_request_name: GUID for the request name
18
- parameters: Schedule request parameters including principal, role, and timing
19
20
Returns:
21
RoleAssignmentScheduleRequest object with request details
22
"""
23
24
def cancel(scope: str, role_assignment_schedule_request_name: str) -> None:
25
"""
26
Cancel a pending role assignment schedule request.
27
28
Parameters:
29
- scope: The scope of the role assignment request
30
- role_assignment_schedule_request_name: Name of the request to cancel
31
"""
32
33
def get(scope: str, role_assignment_schedule_request_name: str) -> RoleAssignmentScheduleRequest:
34
"""
35
Get details of a role assignment schedule request.
36
37
Parameters:
38
- scope: The scope of the role assignment request
39
- role_assignment_schedule_request_name: Name of the schedule request
40
41
Returns:
42
RoleAssignmentScheduleRequest object
43
"""
44
45
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleAssignmentScheduleRequest]:
46
"""
47
List role assignment schedule requests for a scope.
48
49
Parameters:
50
- scope: The scope to list requests for
51
- filter: OData filter expression (optional)
52
53
Returns:
54
Iterator of RoleAssignmentScheduleRequest objects
55
"""
56
```
57
58
### Role Assignment Schedule Instances
59
60
Query and manage active time-bound role assignment instances that are currently effective.
61
62
```python { .api }
63
def get(scope: str, role_assignment_schedule_instance_name: str) -> RoleAssignmentScheduleInstance:
64
"""
65
Get details of an active role assignment schedule instance.
66
67
Parameters:
68
- scope: The scope of the role assignment instance
69
- role_assignment_schedule_instance_name: Name of the instance
70
71
Returns:
72
RoleAssignmentScheduleInstance object
73
"""
74
75
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleAssignmentScheduleInstance]:
76
"""
77
List active role assignment schedule instances for a scope.
78
79
Parameters:
80
- scope: The scope to list instances for
81
- filter: OData filter expression (optional)
82
83
Returns:
84
Iterator of RoleAssignmentScheduleInstance objects
85
"""
86
```
87
88
### Role Assignment Schedules
89
90
Manage the schedules that define when role assignments become active and expire.
91
92
```python { .api }
93
def get(scope: str, role_assignment_schedule_name: str) -> RoleAssignmentSchedule:
94
"""
95
Get details of a role assignment schedule.
96
97
Parameters:
98
- scope: The scope of the role assignment schedule
99
- role_assignment_schedule_name: Name of the schedule
100
101
Returns:
102
RoleAssignmentSchedule object
103
"""
104
105
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleAssignmentSchedule]:
106
"""
107
List role assignment schedules for a scope.
108
109
Parameters:
110
- scope: The scope to list schedules for
111
- filter: OData filter expression (optional)
112
113
Returns:
114
Iterator of RoleAssignmentSchedule objects
115
"""
116
```
117
118
### Role Eligibility Management
119
120
Manage role eligibility that allows principals to activate roles on-demand rather than having permanent assignments.
121
122
```python { .api }
123
def create(scope: str, role_eligibility_schedule_request_name: str, parameters: RoleEligibilityScheduleRequest) -> RoleEligibilityScheduleRequest:
124
"""
125
Create a role eligibility schedule request.
126
127
Parameters:
128
- scope: The scope of the role eligibility
129
- role_eligibility_schedule_request_name: GUID for the request name
130
- parameters: Eligibility request parameters
131
132
Returns:
133
RoleEligibilityScheduleRequest object
134
"""
135
136
def cancel(scope: str, role_eligibility_schedule_request_name: str) -> None:
137
"""
138
Cancel a pending role eligibility schedule request.
139
140
Parameters:
141
- scope: The scope of the eligibility request
142
- role_eligibility_schedule_request_name: Name of the request to cancel
143
"""
144
145
def get(scope: str, role_eligibility_schedule_request_name: str) -> RoleEligibilityScheduleRequest:
146
"""
147
Get details of a role eligibility schedule request.
148
149
Parameters:
150
- scope: The scope of the eligibility request
151
- role_eligibility_schedule_request_name: Name of the request
152
153
Returns:
154
RoleEligibilityScheduleRequest object
155
"""
156
157
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleEligibilityScheduleRequest]:
158
"""
159
List role eligibility schedule requests for a scope.
160
161
Parameters:
162
- scope: The scope to list requests for
163
- filter: OData filter expression (optional)
164
165
Returns:
166
Iterator of RoleEligibilityScheduleRequest objects
167
"""
168
```
169
170
### Role Eligibility Schedule Instances
171
172
Query active role eligibility instances that define current eligibility status for principals.
173
174
```python { .api }
175
def get(scope: str, role_eligibility_schedule_instance_name: str) -> RoleEligibilityScheduleInstance:
176
"""
177
Get details of a role eligibility schedule instance.
178
179
Parameters:
180
- scope: The scope of the eligibility instance
181
- role_eligibility_schedule_instance_name: Name of the instance
182
183
Returns:
184
RoleEligibilityScheduleInstance object
185
"""
186
187
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleEligibilityScheduleInstance]:
188
"""
189
List role eligibility schedule instances for a scope.
190
191
Parameters:
192
- scope: The scope to list instances for
193
- filter: OData filter expression (optional)
194
195
Returns:
196
Iterator of RoleEligibilityScheduleInstance objects
197
"""
198
```
199
200
### Role Eligibility Schedules
201
202
Manage the schedules that define when role eligibility is available for activation.
203
204
```python { .api }
205
def get(scope: str, role_eligibility_schedule_name: str) -> RoleEligibilitySchedule:
206
"""
207
Get details of a role eligibility schedule.
208
209
Parameters:
210
- scope: The scope of the eligibility schedule
211
- role_eligibility_schedule_name: Name of the schedule
212
213
Returns:
214
RoleEligibilitySchedule object
215
"""
216
217
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleEligibilitySchedule]:
218
"""
219
List role eligibility schedules for a scope.
220
221
Parameters:
222
- scope: The scope to list schedules for
223
- filter: OData filter expression (optional)
224
225
Returns:
226
Iterator of RoleEligibilitySchedule objects
227
"""
228
```
229
230
### Role Management Policies
231
232
Configure PIM policies that govern how role assignments and eligibility work, including approval requirements, activation duration, and MFA requirements.
233
234
```python { .api }
235
def get(scope: str, role_management_policy_name: str) -> RoleManagementPolicy:
236
"""
237
Get details of a role management policy.
238
239
Parameters:
240
- scope: The scope of the policy
241
- role_management_policy_name: Name of the policy
242
243
Returns:
244
RoleManagementPolicy object
245
"""
246
247
def update(scope: str, role_management_policy_name: str, parameters: RoleManagementPolicy) -> RoleManagementPolicy:
248
"""
249
Update a role management policy.
250
251
Parameters:
252
- scope: The scope of the policy
253
- role_management_policy_name: Name of the policy to update
254
- parameters: Updated policy parameters
255
256
Returns:
257
Updated RoleManagementPolicy object
258
"""
259
260
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleManagementPolicy]:
261
"""
262
List role management policies for a scope.
263
264
Parameters:
265
- scope: The scope to list policies for
266
- filter: OData filter expression (optional)
267
268
Returns:
269
Iterator of RoleManagementPolicy objects
270
"""
271
```
272
273
### Role Management Policy Assignments
274
275
Assign policies to specific roles to enforce governance rules for those roles.
276
277
```python { .api }
278
def create(scope: str, role_management_policy_assignment_name: str, parameters: RoleManagementPolicyAssignment) -> RoleManagementPolicyAssignment:
279
"""
280
Create a role management policy assignment.
281
282
Parameters:
283
- scope: The scope of the policy assignment
284
- role_management_policy_assignment_name: GUID for the assignment name
285
- parameters: Policy assignment parameters
286
287
Returns:
288
RoleManagementPolicyAssignment object
289
"""
290
291
def delete(scope: str, role_management_policy_assignment_name: str) -> None:
292
"""
293
Delete a role management policy assignment.
294
295
Parameters:
296
- scope: The scope of the policy assignment
297
- role_management_policy_assignment_name: Name of the assignment to delete
298
"""
299
300
def get(scope: str, role_management_policy_assignment_name: str) -> RoleManagementPolicyAssignment:
301
"""
302
Get details of a role management policy assignment.
303
304
Parameters:
305
- scope: The scope of the policy assignment
306
- role_management_policy_assignment_name: Name of the assignment
307
308
Returns:
309
RoleManagementPolicyAssignment object
310
"""
311
312
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleManagementPolicyAssignment]:
313
"""
314
List role management policy assignments for a scope.
315
316
Parameters:
317
- scope: The scope to list assignments for
318
- filter: OData filter expression (optional)
319
320
Returns:
321
Iterator of RoleManagementPolicyAssignment objects
322
"""
323
```
324
325
### Eligible Child Resources
326
327
Discover child resources that can be managed through PIM for hierarchical access control.
328
329
```python { .api }
330
def get(scope: str) -> EligibleChildResourcesListResult:
331
"""
332
Get eligible child resources for PIM management.
333
334
Parameters:
335
- scope: The parent scope to discover child resources for
336
337
Returns:
338
EligibleChildResourcesListResult with child resource information
339
"""
340
```
341
342
### Role Assignment Approval
343
344
Manage approval workflows for role assignment requests in PIM scenarios.
345
346
```python { .api }
347
def get(scope: str, role_assignment_approval_id: str) -> RoleAssignmentApproval:
348
"""
349
Get details of a role assignment approval.
350
351
Parameters:
352
- scope: The scope of the approval
353
- role_assignment_approval_id: ID of the approval
354
355
Returns:
356
RoleAssignmentApproval object
357
"""
358
359
def patch(scope: str, role_assignment_approval_id: str, parameters: RoleAssignmentApproval) -> RoleAssignmentApproval:
360
"""
361
Update a role assignment approval.
362
363
Parameters:
364
- scope: The scope of the approval
365
- role_assignment_approval_id: ID of the approval to update
366
- parameters: Updated approval parameters
367
368
Returns:
369
Updated RoleAssignmentApproval object
370
"""
371
```
372
373
### Role Assignment Approval Steps
374
375
Manage individual approval steps within multi-stage approval workflows.
376
377
```python { .api }
378
def get(scope: str, role_assignment_approval_id: str, role_assignment_approval_step_id: str) -> RoleAssignmentApprovalStep:
379
"""
380
Get details of a specific approval step.
381
382
Parameters:
383
- scope: The scope of the approval
384
- role_assignment_approval_id: ID of the parent approval
385
- role_assignment_approval_step_id: ID of the approval step
386
387
Returns:
388
RoleAssignmentApprovalStep object
389
"""
390
391
def patch(scope: str, role_assignment_approval_id: str, role_assignment_approval_step_id: str, parameters: RoleAssignmentApprovalStep) -> RoleAssignmentApprovalStep:
392
"""
393
Update an approval step (approve or deny).
394
395
Parameters:
396
- scope: The scope of the approval
397
- role_assignment_approval_id: ID of the parent approval
398
- role_assignment_approval_step_id: ID of the approval step to update
399
- parameters: Updated approval step parameters
400
401
Returns:
402
Updated RoleAssignmentApprovalStep object
403
"""
404
405
def list(scope: str, role_assignment_approval_id: str, filter: Optional[str] = None) -> Iterator[RoleAssignmentApprovalStep]:
406
"""
407
List approval steps for a role assignment approval.
408
409
Parameters:
410
- scope: The scope of the approval
411
- role_assignment_approval_id: ID of the parent approval
412
- filter: OData filter expression (optional)
413
414
Returns:
415
Iterator of RoleAssignmentApprovalStep objects
416
"""
417
```
418
419
### Scope-specific Role Assignment Approvals
420
421
Manage approvals at specific scope levels with dedicated operation groups.
422
423
```python { .api }
424
def get_scope_approval(scope: str, role_assignment_approval_id: str) -> RoleAssignmentApproval:
425
"""
426
Get scope-specific role assignment approval.
427
428
Parameters:
429
- scope: The specific scope of the approval
430
- role_assignment_approval_id: ID of the approval
431
432
Returns:
433
RoleAssignmentApproval object with scope-specific details
434
"""
435
436
def patch_scope_approval(scope: str, role_assignment_approval_id: str, parameters: RoleAssignmentApproval) -> RoleAssignmentApproval:
437
"""
438
Update scope-specific role assignment approval.
439
440
Parameters:
441
- scope: The specific scope of the approval
442
- role_assignment_approval_id: ID of the approval to update
443
- parameters: Updated approval parameters
444
445
Returns:
446
Updated RoleAssignmentApproval object
447
"""
448
449
def get_scope_approval_step(scope: str, role_assignment_approval_id: str, role_assignment_approval_step_id: str) -> RoleAssignmentApprovalStep:
450
"""
451
Get scope-specific approval step.
452
453
Parameters:
454
- scope: The specific scope of the approval
455
- role_assignment_approval_id: ID of the parent approval
456
- role_assignment_approval_step_id: ID of the approval step
457
458
Returns:
459
RoleAssignmentApprovalStep object
460
"""
461
462
def patch_scope_approval_step(scope: str, role_assignment_approval_id: str, role_assignment_approval_step_id: str, parameters: RoleAssignmentApprovalStep) -> RoleAssignmentApprovalStep:
463
"""
464
Update scope-specific approval step.
465
466
Parameters:
467
- scope: The specific scope of the approval
468
- role_assignment_approval_id: ID of the parent approval
469
- role_assignment_approval_step_id: ID of the approval step to update
470
- parameters: Updated approval step parameters
471
472
Returns:
473
Updated RoleAssignmentApprovalStep object
474
"""
475
476
def list_scope_approval_steps(scope: str, role_assignment_approval_id: str) -> Iterator[RoleAssignmentApprovalStep]:
477
"""
478
List scope-specific approval steps.
479
480
Parameters:
481
- scope: The specific scope of the approval
482
- role_assignment_approval_id: ID of the parent approval
483
484
Returns:
485
Iterator of RoleAssignmentApprovalStep objects
486
"""
487
```
488
489
### Scope-specific Role Assignment Approval Operations
490
491
Manage PIM approval workflows at specific scope levels for fine-grained governance control. These operations provide resource, subscription, and management group-level approval management for role assignments.
492
493
#### Scope Role Assignment Approval
494
495
```python { .api }
496
def get_scope_approval(scope: str, role_assignment_schedule_request_name: str) -> RoleAssignmentApproval:
497
"""
498
Get a scope-specific role assignment approval.
499
500
Parameters:
501
- scope: The scope of the approval (e.g., "/subscriptions/{id}")
502
- role_assignment_schedule_request_name: Name of the schedule request
503
504
Returns:
505
RoleAssignmentApproval object with approval details
506
"""
507
```
508
509
#### Scope Role Assignment Approval Step
510
511
```python { .api }
512
def get_scope_approval_step(scope: str, role_assignment_schedule_request_name: str, step_id: str) -> RoleAssignmentApprovalStep:
513
"""
514
Get a specific approval step for a scope-specific role assignment.
515
516
Parameters:
517
- scope: The scope of the approval
518
- role_assignment_schedule_request_name: Name of the schedule request
519
- step_id: ID of the approval step
520
521
Returns:
522
RoleAssignmentApprovalStep object with step details
523
"""
524
525
def patch_scope_approval_step(scope: str, role_assignment_schedule_request_name: str, step_id: str, properties: RoleAssignmentApprovalStep) -> RoleAssignmentApprovalStep:
526
"""
527
Update (approve/deny) a scope-specific role assignment approval step.
528
529
Parameters:
530
- scope: The scope of the approval
531
- role_assignment_schedule_request_name: Name of the schedule request
532
- step_id: ID of the approval step to update
533
- properties: Updated approval step properties (decision, justification)
534
535
Returns:
536
Updated RoleAssignmentApprovalStep object
537
"""
538
```
539
540
#### Scope Role Assignment Approval Steps
541
542
```python { .api }
543
def list_scope_approval_steps(scope: str, role_assignment_schedule_request_name: str, filter: Optional[str] = None) -> Iterator[RoleAssignmentApprovalStep]:
544
"""
545
List all approval steps for a scope-specific role assignment approval.
546
547
Parameters:
548
- scope: The scope of the approval
549
- role_assignment_schedule_request_name: Name of the schedule request
550
- filter: OData filter expression (optional)
551
552
Returns:
553
Iterator of RoleAssignmentApprovalStep objects
554
"""
555
```
556
557
## Usage Examples
558
559
### Creating a Time-bound Role Assignment
560
561
```python
562
from azure.mgmt.authorization.models import RoleAssignmentScheduleRequest
563
from datetime import datetime, timedelta
564
565
# Create a time-bound role assignment request
566
schedule_request = RoleAssignmentScheduleRequest(
567
request_type="AdminAssign",
568
principal_id="user-object-id",
569
role_definition_id="/subscriptions/sub-id/providers/Microsoft.Authorization/roleDefinitions/role-id",
570
justification="Temporary access for maintenance work",
571
schedule_info={
572
"start_date_time": datetime.utcnow(),
573
"expiration": {
574
"type": "AfterDuration",
575
"duration": "PT8H" # 8 hours duration
576
}
577
}
578
)
579
580
# Submit the request
581
request = client.role_assignment_schedule_requests.create(
582
scope="/subscriptions/your-subscription-id",
583
role_assignment_schedule_request_name="request-guid",
584
parameters=schedule_request
585
)
586
```
587
588
### Creating Role Eligibility
589
590
```python
591
from azure.mgmt.authorization.models import RoleEligibilityScheduleRequest
592
593
# Create role eligibility that allows on-demand activation
594
eligibility_request = RoleEligibilityScheduleRequest(
595
request_type="AdminAssign",
596
principal_id="user-object-id",
597
role_definition_id="/subscriptions/sub-id/providers/Microsoft.Authorization/roleDefinitions/role-id",
598
justification="Eligible for on-demand access",
599
schedule_info={
600
"start_date_time": datetime.utcnow(),
601
"expiration": {
602
"type": "AfterDuration",
603
"duration": "P30D" # 30 days eligibility
604
}
605
}
606
)
607
608
# Submit the eligibility request
609
eligibility = client.role_eligibility_schedule_requests.create(
610
scope="/subscriptions/your-subscription-id",
611
role_eligibility_schedule_request_name="eligibility-guid",
612
parameters=eligibility_request
613
)
614
```
615
616
### Configuring PIM Policy
617
618
```python
619
from azure.mgmt.authorization.models import RoleManagementPolicy
620
621
# Update a role management policy to require approval and MFA
622
policy_update = RoleManagementPolicy(
623
rules=[
624
{
625
"rule_type": "RoleManagementPolicyApprovalRule",
626
"id": "Approval_EndUser_Assignment",
627
"setting": {
628
"is_approval_required": True,
629
"is_approval_required_for_extension": True,
630
"approval_stages": [{
631
"approval_stage_time_out_in_days": 1,
632
"is_approver_justification_required": True,
633
"escalation_time_in_minutes": 0,
634
"primary_approvers": [{
635
"id": "approver-object-id",
636
"user_type": "User"
637
}]
638
}]
639
}
640
},
641
{
642
"rule_type": "RoleManagementPolicyAuthenticationContextRule",
643
"id": "AuthenticationContext_EndUser_Assignment",
644
"is_enabled": True,
645
"claim_value": "c1" # MFA requirement
646
}
647
]
648
)
649
650
# Apply the policy update
651
updated_policy = client.role_management_policies.update(
652
scope="/subscriptions/your-subscription-id",
653
role_management_policy_name="policy-name",
654
parameters=policy_update
655
)
656
```
657
658
### Activating an Eligible Role
659
660
```python
661
# Self-activate an eligible role assignment
662
activation_request = RoleAssignmentScheduleRequest(
663
request_type="SelfActivate",
664
principal_id="current-user-object-id",
665
role_definition_id="/subscriptions/sub-id/providers/Microsoft.Authorization/roleDefinitions/role-id",
666
justification="Need access to troubleshoot production issue",
667
schedule_info={
668
"start_date_time": datetime.utcnow(),
669
"expiration": {
670
"type": "AfterDuration",
671
"duration": "PT4H" # 4 hours activation
672
}
673
}
674
)
675
676
# Submit activation request
677
activation = client.role_assignment_schedule_requests.create(
678
scope="/subscriptions/your-subscription-id",
679
role_assignment_schedule_request_name="activation-guid",
680
parameters=activation_request
681
)
682
```
683
684
## Types
685
686
### PIM Request Types
687
688
```python { .api }
689
class RoleAssignmentScheduleRequestPropertiesScheduleInfo:
690
start_date_time: Optional[datetime]
691
expiration: Optional[RoleAssignmentScheduleRequestPropertiesScheduleInfoExpiration]
692
693
class RoleAssignmentScheduleRequestPropertiesScheduleInfoExpiration:
694
type: Optional[str] # "AfterDuration", "AfterDateTime", "NoExpiration"
695
end_date_time: Optional[datetime]
696
duration: Optional[str] # ISO 8601 duration format
697
698
class RoleEligibilityScheduleRequestPropertiesScheduleInfo:
699
start_date_time: Optional[datetime]
700
expiration: Optional[RoleEligibilityScheduleRequestPropertiesScheduleInfoExpiration]
701
702
class RoleEligibilityScheduleRequestPropertiesScheduleInfoExpiration:
703
type: Optional[str] # "AfterDuration", "AfterDateTime", "NoExpiration"
704
end_date_time: Optional[datetime]
705
duration: Optional[str] # ISO 8601 duration format
706
```
707
708
### PIM Schedule Types
709
710
```python { .api }
711
class RoleAssignmentScheduleInstance:
712
id: Optional[str]
713
name: Optional[str]
714
type: Optional[str]
715
scope: Optional[str]
716
role_definition_id: Optional[str]
717
principal_id: Optional[str]
718
principal_type: Optional[str]
719
role_assignment_schedule_id: Optional[str]
720
start_date_time: Optional[datetime]
721
end_date_time: Optional[datetime]
722
assignment_state: Optional[str]
723
member_type: Optional[str]
724
725
class RoleEligibilityScheduleInstance:
726
id: Optional[str]
727
name: Optional[str]
728
type: Optional[str]
729
scope: Optional[str]
730
role_definition_id: Optional[str]
731
principal_id: Optional[str]
732
principal_type: Optional[str]
733
role_eligibility_schedule_id: Optional[str]
734
start_date_time: Optional[datetime]
735
end_date_time: Optional[datetime]
736
member_type: Optional[str]
737
```
738
739
### PIM Policy Types
740
741
```python { .api }
742
class RoleManagementPolicyRule:
743
id: Optional[str]
744
rule_type: Optional[str]
745
target: Optional[RoleManagementPolicyRuleTarget]
746
747
class RoleManagementPolicyRuleTarget:
748
caller: Optional[str]
749
operations: Optional[List[str]]
750
level: Optional[str]
751
targetObjects: Optional[List[str]]
752
753
class RoleManagementPolicyAssignment:
754
id: Optional[str]
755
name: Optional[str]
756
type: Optional[str]
757
scope: Optional[str]
758
role_definition_id: Optional[str]
759
policy_id: Optional[str]
760
policy_assignment_properties: Optional[dict]
761
762
class EligibleChildResource:
763
id: Optional[str]
764
name: Optional[str]
765
type: Optional[str]
766
has_eligible_child_resources: Optional[bool]
767
```
768
769
### PIM Approval Types
770
771
```python { .api }
772
class RoleAssignmentApproval:
773
id: Optional[str]
774
name: Optional[str]
775
type: Optional[str]
776
stages: Optional[List[RoleAssignmentApprovalStep]]
777
778
class RoleAssignmentApprovalStep:
779
id: Optional[str]
780
display_name: Optional[str]
781
review_result: Optional[str]
782
status: Optional[str]
783
assigned_to_me: Optional[bool]
784
reviewers: Optional[List[RoleAssignmentApprovalStepReviewer]]
785
justification: Optional[str]
786
review_date_time: Optional[datetime]
787
788
class RoleAssignmentApprovalStepReviewer:
789
id: Optional[str]
790
display_name: Optional[str]
791
user_type: Optional[str]
792
```
793
794
## Constants
795
796
### PIM Request Types
797
798
```python { .api }
799
class RequestType:
800
ADMIN_ASSIGN = "AdminAssign"
801
ADMIN_REMOVE = "AdminRemove"
802
ADMIN_UPDATE = "AdminUpdate"
803
ADMIN_EXTEND = "AdminExtend"
804
ADMIN_RENEW = "AdminRenew"
805
SELF_ACTIVATE = "SelfActivate"
806
SELF_DEACTIVATE = "SelfDeactivate"
807
SELF_EXTEND = "SelfExtend"
808
SELF_RENEW = "SelfRenew"
809
810
class AssignmentState:
811
ELIGIBLE = "Eligible"
812
ACTIVE = "Active"
813
814
class MemberType:
815
INHERITED = "Inherited"
816
DIRECT = "Direct"
817
GROUP = "Group"
818
819
class ExpirationType:
820
AFTER_DURATION = "AfterDuration"
821
AFTER_DATE_TIME = "AfterDateTime"
822
NO_EXPIRATION = "NoExpiration"
823
```
824
825
### PIM Policy Rule Types
826
827
```python { .api }
828
class PolicyRuleType:
829
ROLE_MANAGEMENT_POLICY_APPROVAL_RULE = "RoleManagementPolicyApprovalRule"
830
ROLE_MANAGEMENT_POLICY_AUTHENTICATION_CONTEXT_RULE = "RoleManagementPolicyAuthenticationContextRule"
831
ROLE_MANAGEMENT_POLICY_ENABLEMENT_RULE = "RoleManagementPolicyEnablementRule"
832
ROLE_MANAGEMENT_POLICY_EXPIRATION_RULE = "RoleManagementPolicyExpirationRule"
833
ROLE_MANAGEMENT_POLICY_NOTIFICATION_RULE = "RoleManagementPolicyNotificationRule"
834
```
835
836
## Error Handling
837
838
Common PIM-specific exceptions:
839
840
- **BadRequestError**: Invalid schedule parameters or conflicting requests
841
- **ForbiddenError**: Insufficient privileges for PIM operations or policy violations
842
- **ConflictError**: Overlapping schedules or duplicate requests
843
- **RequestTimeoutError**: Approval timeout or schedule activation timeout
844
845
```python
846
from azure.core.exceptions import BadRequestError, ConflictError
847
848
try:
849
schedule_request = client.role_assignment_schedule_requests.create(
850
scope, request_name, parameters
851
)
852
except BadRequestError as e:
853
print(f"Invalid request parameters: {e.message}")
854
except ConflictError as e:
855
print(f"Schedule conflict: {e.message}")
856
```