/portalAPI/ApprovalRequest/*

38 min. read | Last update: 06.06.2025

This article covers all portalAPI calls related to the /portalAPI/ApprovalRequest/* endpoints.

 

Be sure to input the instance your organization exists on for each call. This is indicated with the "INSTANCE" text in each endpoint. Linked here is a KB to find your instance: 

Locating Your Organization's Instance | ThreatLocker Help Center

 

For more information on use cases and examples of processing Application Control Approval Requests through API, see this KB article:

Processing Application Control Approval Requests through API | ThreatLocker Help Center

 

ApprovalRequestAuthorizeForPermitById

 

In order to use this API, your organization needs the "Cyber Hero Management" product enabled. In addition, only Approval Requests related to an Application Control Approval Request that have an "execute" action type are able to be authorized to permit since the Cyber Hero Team only processes Application Control Approval Requests with the "execute" action type.

 

https://portalapi.INSTANCE.threatlocker.com/portalapi/ApprovalRequest/ApprovalRequestAuthorizeForPermitById

  • Method: POST
  • Description: This API is used in relation to when an Application Control Approval Request is evaluated by the Cyber Hero Management Team and the Approval Request is then escalated at their discretion for further investigation to a ThreatLocker customer administrator in the organization. Inside the email that is sent containing the escalation details, there is a button titled "Authorize Cyber Heroes to Permit." When clicking this button, this API is called to designate the Approval Request as ok to permit, per any additional instructions specified in the message. If there is need to authorize to permit an Approval Request from a different organization than the currently logged in/managed organization, utilize the managedOrganizationId header as described below.
  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • Field
      • approvalRequestId: This field determines which Approval Request will be authorized to permit by the Cyber Hero Team.
        • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Required body
{
"approvalRequestId": "00000000-0000-0000-0000-000000000000"
}
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Field
      • message: This field determines what message/instructions will be displayed to the Cyber Hero Team in the "Ticket Details -> Comments" section of the Approval Request.
        • Expects: Any text input
    • Optional body
{
"approvalRequestId": "00000000-0000-0000-0000-000000000000",
"message": "<String>"
}
  • Permissions Needed for User
    • Approve for Entire Organization
    • Approve for Group
    • Approve for Single Computer
    • Approve for Single Computer Application Only

 

ApprovalRequestGetFileDownloadDetailsById

https://portalapi.INSTANCE.threatlocker.com/portalapi/ApprovalRequest/ApprovalRequestGetFileDownloadDetailsById

  • Method: GET
  • Description: This API is used to get the file download details for a requested file when clicking on an Application Control Approval Request in the Response Center of the ThreatLocker Portal. This API returns the filename and the fileUrl which can be used to download the file directly. Be sure to get the full filename in the URL when using this API to download the file. If looking to get the file download details from an Approval Request in a different organization than the currently logged in/managed organization, utilize the managedOrganizationId header as described below.
  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • approvalRequestId: This field determines what file information will be returned based on what was requested in the supplied Approval Request.
      • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
  • Permissions Needed for User
    • Approve for Entire Organization
    • Approve for Group
    • Approve for Single Computer
    • Approve for Single Computer Application Only
    • View Approvals

 

ApprovalRequestGetPermitApplicationById

https://portalapi.INSTANCE.threatlocker.com/portalapi/ApprovalRequest/ApprovalRequestGetPermitApplicationById

  • Method: GET
  • Description: This API is used when clicking on an Application Control Approval Request in the Response Center of the ThreatLocker Portal. This API gets all the information related to the request itself, including all the id values and the formatted json field needed to utilize the ApprovalRequestPermitApplication endpoint. If looking to view an Approval Request from a different organization than the currently logged in/managed organization, utilize the managedOrganizationId header as described below.
    • statusId: This is one of the fields returned by this API and is used to determine the status of the request. Listed below are the Integer values that will be displayed and the corresponding status of each value.
      • Pending = 1
      • Ignored = 10
      • Approved = 4
      • Self-Approved = 16
      • Not Learned = 6
      • Added to Application = 12
      • Escalated from the Cyber Heroes = 13
  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • approvalRequestId: <GUID> in format "00000000-0000-0000-0000-000000000000"
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
  • Permissions Needed for User
    • Approve for Entire Organization
    • Approve for Group
    • Approve for Single Computer
    • Approve for Single Computer Application Only
    • View Approvals

 

ApprovalRequestGetByParameters

https://portalapi.INSTANCE.threatlocker.com/portalapi/ApprovalRequest/ApprovalRequestGetByParameters

  • Method: POST
  • Description: This API is used on the Approval tab in the Response Center page in the ThreatLocker Portal to display all the Approval Requests in an organization. By default in the Portal, this API will get a list of all the pending requests, including requests from Application Control, Elevation Control, and Storage Control. If looking to view Approval Requests only for a different organization than the currently logged in/managed organization, utilize the managedOrganizationId header as described below. Various fields are described below that can be changed to search and sort like you can on the Response Center page itself in the Portal.
  • Required Body/Parameters
    • Fields
      • statusId: This field is used to determine the status of the requests you want to view. This field expects one of the following Integer values to be entered.
        • Pending = 1
        • Ignored = 10
        • Approved = 4
        • Self-Approved = 16
        • Not Learned = 6
        • Added to Application = 12
        • Escalated from the Cyber Heroes = 13
      • pageNumber and pageSize: This value determines how many Approval Requests will be returned as if the response was on the Response Center page. However, this field does not follow the same conventions of the pageNumber and pageSize values as the Portal does (pageSize in the Portal is 25, 50, or 100). Any valid integer can be entered and it will return in the selected formatting. For instance, if there are 5 requests to be returned but “pageNumber” : 1 and “pageSize” : 2, 2 entries will be returned per page and the first two requests will be shown.
        • Expects: An Integer value
    • Required body
{
"statusId": <Integer>,
"pageNumber": <Integer>,
"pageSize": <Integer>
}
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Fields
      • searchText: This field allows you to search through the list of your Approval Requests by inputting text/details you want to search for. This can be used to search based on a partial or full hostname, a partial or full username, or a partial or full file path. Anything that can be searched using the search bar on the Approval tab of the Response Center page can be entered into this field and returned.
        • Expects: Any text input
      • showChildOrganizations: This field will determine whether the requests from all child organizations will be returned or not. When set to true, all requests from all child organizations, including grandchild organizations, will be returned. When set to false, just the requests from the currently managed organization will be returned, typically this will be the parent organization.
        • Expects: true or false
      • orderBy: This field will order the requests that are shown based on the isAscending field (defaults to true) and the text entered below. This field expects the text from one of the below options to be entered exactly as they appear. From the options below, the username corresponds to the Hostname/Username column in the ThreatLocker Portal and the actiondate corresponds to the Last Updated column in the ThreatLocker Portal.
        • username
        • devicetype
        • actiontype
        • path
        • actiondate
        • datetime
      • isAscending: This field determines the order the requests are returned/shown. When isAscending is true, the requests will be returned in decreasing order, from high to low, based on the orderBy field utilized. When isAscending is false, the requests will be returned in increasing order, from low to high, based on the orderBy field utilized.
        • Expects: true or false
    • Optional body
{
"statusId": <Integer>,
"searchText": "<String>",
"showChildOrganizations": <Boolean>,
"orderBy": "<String>",
"isAscending": <Boolean>,
"pageSize": <Integer>,
"pageNumber": <Integer>
}
  • Permissions Needed for User
    • Approve for Entire Organization
    • Approve for Group
    • Approve for Single Computer
    • Approve for Single Computer Application Only
    • View Approvals
    • Elevation Administrator (User)
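The request described above, built and paged through in Python as an added example (not ThreatLocker's code). `build_query`, `iter_requests` and the injected `post` transport are hypothetical names; the example assumes the instance is a single alphanumeric label and that the endpoint returns a JSON array in which a short page marks the end. Validating the instance before building the URL keeps the API key from being sent to a host other than the intended portal.

```python
import re

# statusId values and orderBy options exactly as listed on this page.
STATUS_IDS = {"Pending": 1, "Approved": 4, "Not Learned": 6, "Ignored": 10,
              "Added to Application": 12, "Escalated from the Cyber Heroes": 13,
              "Self-Approved": 16}
ORDER_BY = {"username", "devicetype", "actiontype", "path", "actiondate", "datetime"}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
INSTANCE_RE = re.compile(r"[A-Za-z0-9]+")  # assumption: one alphanumeric label
ENDPOINT = ("https://portalapi.{}.threatlocker.com"
            "/portalapi/ApprovalRequest/ApprovalRequestGetByParameters")


def build_query(instance, status, page_number, page_size, *, search_text=None,
                show_child_organizations=None, order_by=None, is_ascending=None,
                managed_organization_id=None):
    """Return (url, extra_headers, body) for ApprovalRequestGetByParameters."""
    if not INSTANCE_RE.fullmatch(instance):
        raise ValueError("instance must be a bare label, not a host or URL")
    if status not in STATUS_IDS:
        raise ValueError(f"unknown status {status!r}")
    if page_number < 1 or page_size < 1:
        raise ValueError("pageNumber and pageSize must be positive integers")
    body = {"statusId": STATUS_IDS[status],
            "pageNumber": page_number, "pageSize": page_size}
    if order_by is not None:
        if order_by not in ORDER_BY:  # must be entered exactly as listed
            raise ValueError(f"orderBy must be one of {sorted(ORDER_BY)}")
        body["orderBy"] = order_by
    optional = {"searchText": search_text, "isAscending": is_ascending,
                "showChildOrganizations": show_child_organizations}
    body.update({k: v for k, v in optional.items() if v is not None})
    headers = {}
    if managed_organization_id is not None:
        if not GUID_RE.fullmatch(managed_organization_id):
            raise ValueError("managedOrganizationId must be a GUID")
        headers["managedOrganizationId"] = managed_organization_id
    return ENDPOINT.format(instance), headers, body


def iter_requests(post, instance, status, page_size=50, max_pages=1000, **options):
    """Yield every request with the given status, one page at a time.

    post(url, headers, body) is the caller's HTTP transport (hypothetical);
    it adds the API key header and returns the decoded JSON array.
    """
    for page in range(1, max_pages + 1):  # pageNumber starts at 1
        url, headers, body = build_query(instance, status, page, page_size, **options)
        rows = post(url, headers, body)
        yield from rows
        if len(rows) < page_size:  # short or empty page: nothing left
            return
    raise RuntimeError("max_pages reached before the last page")
```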

 

ApprovalRequestGetCount

https://portalapi.INSTANCE.threatlocker.com/portalapi/ApprovalRequest/ApprovalRequestGetCount

  • Method: GET
  • Description: This API is used when initially clicking on the Response Center page in the ThreatLocker Portal to get the number of Approval Requests with a status of "Pending" for the organization. Note that this API will only get the count of Approval Requests that have a status of "Pending" and return it as an Integer. If looking to get the "Pending" Approval Request count from only a different organization than the currently logged in/managed organization, utilize the managedOrganizationId header as described below.
  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • includeChildOrganizations: This field determines whether the "Pending" Approval Request count from child organizations, including grandchild organizations, will be included in the count of requests that is returned.
      • Expects: true or false
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
  • Permissions Needed for User
    • Approve for Entire Organization
    • Approve for Group
    • Approve for Single Computer
    • Approve for Single Computer Application Only
    • View Approvals
    • Elevation Administrator (User)

 

ApprovalRequestPermitApplication

https://portalapi.INSTANCE.threatlocker.com/portalapi/ApprovalRequest/ApprovalRequestPermitApplication

  • Method: POST
  • Description: This API is used on the Response Center page in the ThreatLocker Portal when processing an Application Control Approval Request with either the Execute or Elevate action types. This API is used when clicking the Approve button in the Approval Request in the Portal. If looking to process an Approval Request from a different organization than the currently logged in/managed organization, utilize the managedOrganizationId header as described below. Only the applicable fields need to be entered when applying a matching, existing, or new application. Example: If using an existing application, any fields related to a matching application and a new application can be removed, leaving and entering corresponding values into the "useMatchingApplication" and "existingApplication" blocks/fields.
  • Required Body/Parameters
    • Valid APIKey/Authorization Token in header
    • Fields
      • approvalRequest: The following fields are required to be entered for processing the request:
        • approvalRequestId: This field expects the approvalRequestId of the Approval Request that will be processed when this call is completed. To get the approvalRequestId, use the ApprovalRequestGetByParameters API endpoint listed above.
          • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
        • comments: This field will populate any text entered into the Comments text box in the Ticket Details tab of the Approval Request in the ThreatLocker Portal and is optional to include altogether if no changes are desired. This can be used to provide additional context for why this Approval Request was permitted.
          • Note: If there is any text associated with the Comments before calling this API and different text or "" is provided, it will overwrite anything previously existing.
          • Expects: Any text input
        • json: This field can be imported/copied over from the API endpoint listed above (ApprovalRequestGetPermitApplicationById).
          • Expects: The complete, formatted JSON text
        • requestorEmailAddress: This field will populate any text entered into the Requestor Email Address text box in the Tickets Details tab of the Approval Request in the ThreatLocker Portal and is optional to include altogether if no changes are desired. This can be used to add or change the requestor's email address so that the requestor can be notified when their request is approved. 
          • Note: If there is any text associated with the Requestor Email Address before calling this API and different text or "" is provided, it will overwrite anything previously existing.
          • Expects: Any text input
        • ticketApprovalManager: This field will populate any text entered into the Approving Manager text box in the Tickets Details tab of the Approval Request in the ThreatLocker Portal and is optional to include altogether if no changes are desired. This can be used to add or change the approving manager related to the request itself for tracking/documentation purposes.
          • Note: If there is any text associated with the Approving Manager before calling this API and different text or "" is provided, it will overwrite anything previously existing.
          • Expects: Any text input
        • ticketId: This field will populate any text entered into the Ticket text box in the Tickets Details tab of the Approval Request in the ThreatLocker Portal and is optional to include altogether if no changes are desired. This can be used to add or change a ticket number related to the ThreatLocker Approval Request that is being processed.
          • Note: If there is any text associated with the Ticket Details before calling this API and different text or "" is provided, it will overwrite anything previously existing. 
          • Expects: Any text input
      • computerId: This field expects the computerId of the computer that requested access to the file/application.
        • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
      • computerGroupId: This field expects the computerGroupId where the computer that requested access to the file/application exists.
        • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
      • fileDetails: The following field is required to be entered for processing this request:
        • fullPath: This field expects the full path of the requested file. When you enter your file path, be sure to use \\ for the existing slashes in the path as shown in this example path: "c:\\program files (x86)\\microsoft\\edge\\application\\131.0.2903.99\\identity_helper.exe"
          • Expects: Text of the full filepath 
      • matchingApplications: Before utilizing the fields below, it is recommended to utilize the ApplicationGetMatchingList and ApplicationGetByParameters API, documentation link below. To find potential matching applications, use the file information from the request being processed and pass it into the ApplicationGetMatchingList API. To find existing applications that can be added to, use the ApplicationGetByParameters API. Ensure the corresponding OS Type and managedOrganizationId are used so accurate results are shown. The following fields must be entered when processing the request when using either a matching, existing, or new application. However, only the fields related to how the request will be processed are required to be entered. For example, when using a matching application, only the fields useMatchingApplications and matchingApplication (plus all other sub-fields listed under matchingApplication) are necessary.

/portalAPI/Application/* | ThreatLocker Help Center

        • useMatchingApplications: This field specifies whether a matching application will be used or not when processing the Approval Request. If looking to use a matching application, set this to true; otherwise, set it to false.
          • Expects: true or false
        • matchingApplication: The following fields are used when applying a matching application (ensure the field useMatchingApplications is set to true) and are used to determine which application will be used when processing the request:
          • applicationName: This field specifies the new policy name that will be applied with the matching application.
            • Expects: Any text input
          • applicationId: This field specifies the matching application that will be used when processing the request.
            • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
          • organizationId: This field specifies the organization where the matching application that will be used when processing the request exists.
            • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
          • osType: This field is used to specify the OS Type of the matching application being used. This field expects one of the following Integer values to be entered that correspond to the application being used:
            • Windows = 1
            • MAC = 2
            • Linux = 3
            • Windows XP = 5
        • useExistingApplication: This field determines whether an existing application will be used when processing the Approval Request. If you want to use an existing application, set this to true; otherwise, set it to false.
          • Expects: true or false
        • existingApplication: The following fields are used when applying an already existing application (ensure the field useExistingApplication is set to true) and are used to determine which application will be used when processing the request:
          • applicationName: This field specifies the new policy name that will be attached to the existing application when not using an existing policy.
            • Expects: Any text input
          • applicationId: This field specifies the existing application that will be used when processing the request.
            • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
          • organizationId: This field specifies the organization where the existing application that will be used when processing the request exists.
            • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
          • osType: This field is used to specify the OS Type of the existing application being used. This field expects one of the following Integer values to be entered that correspond to the application being used:
            • Windows = 1
            • MAC = 2
            • Linux = 3
            • Windows XP = 5
        • useNewApplication: This field determines whether a new application will be created when processing the request. If you want to create a new application, set this to true; otherwise, set it to false.
          • Expects: true or false
        • newApplicationName: This field is used when creating a new application. Ensure that the useNewApplication field is set to true. Any name can be entered and the applicationId will be automatically generated once this API is called.
          • Expects: Any text input
      • organizationId: This field expects the organizationId where the computer that requested access to the file/application exists.
        • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
      • organizationIds: This field(s) expects the organizationId(s) of any parent organizations effectively "above" where the Approval Request originated from. For instance, if the request is from a child organization, one organizationId is expected. But if the request is from a grandchild organization, there will be two organizationIds expected.
        • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
      • osType: This field is used to specify the OS Type of the requesting computer. This field expects one of the corresponding Integer values to be entered.
        • Windows = 1
        • MAC = 2
        • Linux = 3
        • Windows XP = 5
      • policyConditions: The following fields are used to apply the policy conditions when processing the Approval Request. This is where application rules can be applied and where a Maintenance Mode can be used through the Approval Request. To determine if there is an existing policy associated with the desired application, utilize the PolicyGetForViewPoliciesByApplicationId API, as documented below.

PolicyGetForViewPoliciesByApplicationId

        • useExistingPolicy: This field determines whether an existing policy will be used or not when processing the Approval Request. If looking to use an existing policy, set this to true; otherwise, set it to false. Note: If no existing policy is affecting the requesting computer and this field is set to true, one will not be created, and only the application definition will be updated.
          • Expects: true or false
        • manualOptions: This field is used to specify the conditions for the application definition rule(s) that will be created when adding to a new or existing application through the request. The following fields can be combined to create custom rules like the ones that can be created in the ThreatLocker Portal Approval Request window. The example shown in the body below will create a hash rule and a path + certificate rule in an application. For more information on creating secure custom rules in your organization, review this KB article and/or contact the Cyber Hero team for assistance. 

Creating Custom Rules | ThreatLocker Help Center

          • fullPath: This field expects either the full or partial file path of the requested file to be entered to create a custom rule using this and other fields. Be sure to use \\ instead of a single \ for the existing slashes in the path. Wildcards can be used in this field like they can in the ThreatLocker Portal, as shown in this example: 
            c:\\users\\*\\downloads\\steamsetup.exe.
            • Expects: Full file path or partial path with wildcards
          • processPath: This field expects either the full or partial process path of the associated process path to be entered to create a custom rule using this and other fields. Be sure to use \\ instead of a single \ for the existing slashes in the path. Wildcards can be used in this field like they can in the ThreatLocker Portal, as shown in this example: 
            c:\\program files (x86)\\mozilla * service\\update\\updater.exe.
            • Expects: Full process path or partial process path with wildcards
          • cert: This field expects either the full or partial certificate path or the full SHA of the certificate to be entered to create a custom rule using this and other fields. Wildcards should not be used in this field since this field checks for a certificate path that "contains" what is in the entered certificate. This effectively adds a wildcard already on either side of the certificate of what you enter.
            • Expects: Full certificate path or partial certificate path without wildcards OR full SHA of the certificate
          • hash: This field expects the full hash to be entered to create a rule using this field. This field is used when creating a rule based on either the ThreatLocker hash or the SHA256 hash. When creating a hash rule, only the hash should be used in the rule. No other fields should be applied with the hash rule when using this field. When permitting a hash value, it effectively permits the one file requested. A separate rule utilizing a selection of the other fields covered in this section can be created to allow for future proofing related to the requested file. Wildcards should not be used with this field, only full hash values.
            • Expects: Full ThreatLocker hash or SHA256 hash 
          • createdBy: This field expects either the full or partial created by process path of the associated created by process path to be entered to create a custom rule using this and other fields. Be sure to use \\ instead of a single \ for the existing slashes in the path. Wildcards can be used in this field like they can in the ThreatLocker Portal, as shown in this example: 
            c:\\program files (x86)\\microsoft\\edgeupdate\\*\\setup.exe.
            • Expects: Full created by process path or partial created by process path with wildcards
        • ruleId: This field is used when looking to enable a Maintenance Mode when processing an Approval Request. This field expects one of the following Integer values to be entered:
          • 0 = No Maintenance Mode activated, manual rules
          • 1 = Enable Installation Mode for one hour
          • 2 = Enable Learning Mode for one hour
          • 3 = Enable Monitor Mode for one hour
      • policyLevel: The following fields are only necessary when creating a new policy through the Approval Request. These fields indicate where a new policy will be created. Only one of the following fields should be set to true in order to create a policy at the desired level.
        • toEntireOrganization: This field will set the new policy at the entire organization level, specifically, it will create the new policy at the entire organization where the requesting computer exists.
          • Expects: true or false
        • toComputerGroup: This field will indicate that the new policy will be created at the computer group level, specifically at the computer group specified below in selectedComputerGroup.
        • selectedComputerGroup: The fields below determine the computer group that the new policy will apply to when creating a computer group policy. 
          • computerGroupId: This field expects the computerGroupId where the new policy will be created to be entered. Any computer group returned using the ComputerGroupGetForPermitApplication API endpoint can be used with this field. For accurate results, be sure to use the corresponding managedOrganizationId (the organization where the request originated from) as indicated in the documentation linked below.
             
             
            • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
          • organizationId: This field expects the organizationId where the computer group that will have the new policy created at exists to be entered.
            • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
          • osType: This field indicates the OS Type of the computer group where the new policy will be applied. This field should match the requesting computer's OS Type. This field expects one of the Integers below:
            • Windows = 1
            • MAC = 2
            • Linux = 3
            • Windows XP = 5
        • toComputer: This field will set the new policy at the computer level. Specifically, it will create the new policy on the individual computer where the Approval Request originated.
          • Expects: true or false
      • ringfenceActionId: This field determines whether Ringfencing will be enabled or not when creating a new policy through the Approval Request. This field expects the Integer value of either 0 or 1. The value of 0 will not enable Ringfencing. The value of 1 will enable Ringfencing with the new policy and will use the settings below in the "ringfencingOptions"/"networkExclusions" field to configure the policy.
        • Expects: Integer value 0 or 1
    • Required body:
{
    "approvalRequest": {
        "approvalRequestId": "00000000-0000-0000-0000-000000000000",
        "comments": "<String>",
        "json": "<String>",
        "requestorEmailAddress": "<String>",
        "ticketApprovalManager": "<String>",
        "ticketId": "<String>"
    },
    "computerId": "00000000-0000-0000-0000-000000000000",
    "computerGroupId": "00000000-0000-0000-0000-000000000000",
    "fileDetails": {
        "fullPath": "<String>"
    },
    "matchingApplications": {
        "useMatchingApplication": <Boolean>,
        "matchingApplication": {
            "applicationName": "<String>",
            "applicationId": "00000000-0000-0000-0000-000000000000",
            "organizationId": "00000000-0000-0000-0000-000000000000",
            "osType": <Integer>
        },
        "useExistingApplication": <Boolean>,
        "existingApplication": {
            "applicationName": "<String>",
            "applicationId": "00000000-0000-0000-0000-000000000000",
            "organizationId": "00000000-0000-0000-0000-000000000000",
            "osType": <Integer>
        },
        "useNewApplication": <Boolean>,
        "newApplicationName": "<String>"
    },
    "organizationId": "00000000-0000-0000-0000-000000000000",
    "organizationIds": [
        "00000000-0000-0000-0000-000000000000",
        "00000000-0000-0000-0000-000000000000"
    ],
    "osType": <Integer>,
    "policyConditions": {
        "useExistingPolicy": <Boolean>,
        "manualOptions": [
            {
                "hash": "<String>"
            },
            {
                "fullPath": "<String>",
                "cert": "<String>"
            }
        ],
        "ruleId": <Integer>
    },
    "policyLevel": {
        "toEntireOrganization": <Boolean>,
        "toComputerGroup": <Boolean>,
        "selectedComputerGroup": {
            "computerGroupId": "00000000-0000-0000-0000-000000000000",
            "organizationId": "00000000-0000-0000-0000-000000000000",
            "osType": <Integer>
        },
        "toComputer": <Boolean>
    },
    "ringfenceActionId": <Integer>
}
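A pre-flight check for this body, as an added example (not ThreatLocker's code): it applies the constraints stated in the field descriptions above before anything is sent to the API. `validate_permit_body` and `sample_body` are hypothetical names and all sample values are constructed. Treating an all-zero GUID as an unreplaced template value, and requiring exactly one use* flag, are assumptions drawn from how the page describes the fields.

```python
import re

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
ZERO_GUID = "00000000-0000-0000-0000-000000000000"  # the page's template value
OS_TYPES = {1, 2, 3, 5}   # Windows, MAC, Linux, Windows XP
RULE_IDS = {0, 1, 2, 3}   # 0 = manual rules, 1-3 = one-hour maintenance modes
RULE_FIELDS = {"fullPath", "processPath", "cert", "hash", "createdBy"}
# Flag names are spelled as in the page's required body.
APP_MODES = {"useMatchingApplication": "matchingApplication",
             "useExistingApplication": "existingApplication",
             "useNewApplication": None}
LEVELS = ("toEntireOrganization", "toComputerGroup", "toComputer")


def _guid(errors, label, value):
    if not isinstance(value, str) or not GUID_RE.fullmatch(value):
        errors.append(f"{label}: not a GUID")
    elif value == ZERO_GUID:  # assumption: never a real id
        errors.append(f"{label}: template placeholder not replaced")


def _enum(errors, label, value, allowed):
    if isinstance(value, bool) or not isinstance(value, int) or value not in allowed:
        errors.append(f"{label}: expected one of {sorted(allowed)}")


def validate_permit_body(body):
    """Return a list of problems; an empty list means the body passed."""
    errors = []
    _guid(errors, "approvalRequest.approvalRequestId",
          body.get("approvalRequest", {}).get("approvalRequestId"))
    for key in ("computerId", "computerGroupId", "organizationId"):
        _guid(errors, key, body.get(key))
    _enum(errors, "osType", body.get("osType"), OS_TYPES)

    # Matching, existing or new application: exactly one, with its own fields.
    apps = body.get("matchingApplications", {})
    chosen = [flag for flag in APP_MODES if apps.get(flag) is True]
    if len(chosen) != 1:
        errors.append("matchingApplications: set exactly one use* flag to true")
    elif chosen[0] == "useNewApplication":
        if not apps.get("newApplicationName"):
            errors.append("newApplicationName: required with useNewApplication")
    else:
        block = APP_MODES[chosen[0]]
        app = apps.get(block, {})
        _guid(errors, f"{block}.applicationId", app.get("applicationId"))
        _guid(errors, f"{block}.organizationId", app.get("organizationId"))
        _enum(errors, f"{block}.osType", app.get("osType"), OS_TYPES)

    cond = body.get("policyConditions", {})
    _enum(errors, "policyConditions.ruleId", cond.get("ruleId"), RULE_IDS)
    for i, rule in enumerate(cond.get("manualOptions", [])):
        where = f"manualOptions[{i}]"
        if not isinstance(rule, dict) or not rule or set(rule) - RULE_FIELDS:
            errors.append(f"{where}: empty rule or unknown field")
            continue
        if "hash" in rule:
            if len(rule) > 1:
                errors.append(f"{where}: a hash rule must contain only the hash")
            if "*" in str(rule["hash"]):
                errors.append(f"{where}: hash must be a full value, no wildcards")
        if "*" in str(rule.get("cert", "")):
            errors.append(f"{where}: cert already matches as 'contains', no wildcards")

    # policyLevel is only needed when a new policy is created.
    level = body.get("policyLevel")
    if level is not None:
        if sum(level.get(k) is True for k in LEVELS) != 1:
            errors.append("policyLevel: set exactly one level to true")
        elif level.get("toComputerGroup") is True:
            group = level.get("selectedComputerGroup", {})
            _guid(errors, "selectedComputerGroup.computerGroupId", group.get("computerGroupId"))
            _guid(errors, "selectedComputerGroup.organizationId", group.get("organizationId"))
            if group.get("osType") != body.get("osType"):
                errors.append("selectedComputerGroup.osType: must match the requesting computer")
    return errors


def sample_body():
    """Constructed sample values, not taken from a real tenant."""
    def g(n):
        return f"{n:08x}-1111-2222-3333-444444444444"
    path = "c:\\users\\jdoe\\downloads\\steamsetup.exe"  # json.dumps emits the \\ form
    return {
        "approvalRequest": {"approvalRequestId": g(1), "json": "{}"},
        "computerId": g(2), "computerGroupId": g(3),
        "fileDetails": {"fullPath": path},
        "matchingApplications": {"useNewApplication": True,
                                 "newApplicationName": "Steam Setup"},
        "organizationId": g(4), "organizationIds": [], "osType": 1,
        "policyConditions": {"useExistingPolicy": False, "ruleId": 0,
                             "manualOptions": [{"hash": "A" * 64},
                                               {"fullPath": path, "cert": "Valve"}]},
        "policyLevel": {"toEntireOrganization": False, "toComputerGroup": False,
                        "toComputer": True},
        "ringfenceActionId": 0,
    }
```

Serialize the validated dictionary with `json.dumps`, which produces the doubled backslashes the path fields require.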
  • Optional Body/Parameters
    • In header: "managedOrganizationId": <GUID> in format "00000000-0000-0000-0000-000000000000"
    • Fields
      • elevationExpiration: This field determines what the expiration of Elevation will be on a newly created policy. When this field is used and Elevation expires before the new permit policy does, two policies are created in the ThreatLocker Portal. One policy will be created with Elevation enabled, with the expiration specified in this field. The other policy will be created with no Elevation to permit the application once Elevation expires. This field only affects the expiration of Elevation and does not affect the expiration of the policy as a whole. The overall policy expiration configuration is completed with the policyExpirationDate field. This field expects an Integer and indicates the amount of time in hours from when this API is called that Elevation will be enabled on the policy. When this field is set to 0 and Elevation is set to be enabled, Elevation will never expire on the newly created policy.
        • Expects: Any Integer value
      • elevationStatus: This field determines whether Elevation will be applied when a new policy is created through the Approval Request. This field expects one of the corresponding Integer values to be entered.
        • Do not Elevate = 0
        • Elevate = 1
        • Silent Elevation = 2
      • networkExclusions: This field determines the exclusions that will be added in regard to Internet Ringfencing, specifically exclusions applied in the Exclusions tab of the Portal Approval Request window. One, multiple, or no exclusions can be added. As demonstrated in the "Optional body" section, each exclusion requires each of the fields listed below:
        • tagPrefixTypeId: This field specifies what type of exclusion will be added, either a domain, IPv4, or IPv6. This field expects one of the following Integer values to be entered, corresponding to the type of exclusion desired.
          • Domain = 1
          • IPv4 = 2
          • IPv6 = 3
        • value: This field determines the domain, IPv4, or IPv6 value that is applied to the Ringfencing policy.
          • Expects: Either an IPv4 or IPv6 address (in correct CIDR notation) or a valid domain
      • policyExpirationDate: This field determines if a new policy that will be created from the Approval Request will expire. This expects a time entered in UTC in format "YYYY-MM-DDTHH:MM:SSZ", where YYYY is the year, the first MM is the month, DD is the day, HH are the hours, the second MM is the minutes, and SS are the seconds. The T must be included to designate the time and should not be changed or removed.
        • Expects expiration date and time in format: "YYYY-MM-DDTHH:MM:SSZ"
      • ringfencingOptions: This field is used to specify the conditions when Ringfencing will be applied to a new policy that will be created. The following fields can be combined to add the desired amount of Ringfencing and initial exclusions, like what can be created in the ThreatLocker Portal Approval Request window.
        • restrictApplication: This field determines whether Application Ringfencing will apply to the policy or not. If this Ringfencing is desired, set this field to true; otherwise, set this field to false.
          • Expects: true or false
        • restrictApplicationSpawning: This field determines what type of Application Ringfencing will apply to the policy. Set this field to true to specify that all application interaction will be blocked except for the ones listed below in the field "rfAssociatedApplicationPolicy". Otherwise, set this field to false to specify that all application interactions will be allowed besides the ones listed below in the field "rfAssociatedApplicationPolicy". 
          • Expects: true or false
        • restrictFileAccess: This field determines whether File Ringfencing will apply to the policy or not. When File Ringfencing is applied, any monitored file path in Storage Control and any path exclusions set up in the field "rfFilePolicy" with the action of 'Deny' will have their file interaction blocked. If this Ringfencing is desired, set this field to true; otherwise, set this field to false.
          • Expects: true or false
        • restrictNetworkAccess: This field determines whether Internet Ringfencing will apply to the policy or not. Any internet/network interaction not specifically listed within the exclusions in the field "networkExclusions" will have the interaction blocked. If this Ringfencing is desired, set this field to true; otherwise, set this field to false.
          • Expects: true or false
        • restrictRegistryAccess: This field determines whether Registry Ringfencing will apply to the policy or not. Any registry interaction not specifically listed within the exclusions in the field "rfRegistryPolicy" will have the interaction blocked. If this Ringfencing is desired, set this field to true; otherwise, set this field to false.
          • Expects: true or false
        • rfAssociatedApplicationPolicy: This field determines the applications/exclusions that will either be blocked from interacting or allowed to interact, depending on the "restrictApplicationSpawning" field. One, multiple, or no exclusions can be added. As demonstrated in the "Optional body" section, each application/exclusion requires each of the fields listed below:
          • applicationId: This field specifies the application that will be affected by the Ringfencing.
            • Expects: <GUID> in format "00000000-0000-0000-0000-000000000000"
        • rfFilePolicy: This field determines the exclusions that will be added in regard to File Ringfencing. One, multiple, or no exclusions can be added. As demonstrated in the "Optional body" section, each exclusion requires each of the fields listed below:
          • action: This field determines the action that will be taken on the specified path below. This field expects the Integer value of either 1 or 2. The value of 1 will permit the file interaction with the file path. The value of 2 will deny/block the file interaction with the file path.
            • Expects: Integer value 1 or 2
          • path: This field determines the file path that will be affected by the Ringfencing action taken. Be sure to use \\ instead of a single \ for the existing slashes in the path. Wildcards can be used in this field like they can in the ThreatLocker Portal, as shown in this example: c:\\users\\*\\documents\\*
            • Expects: Full file path or partial path with wildcards
          • permission: This field determines whether the action of permit or deny will affect read, write, or both read and write actions taken on the specified file path. This field expects the Integer value of either 1 or 2. If the action is set to permit, Integer value 1 specifies that read actions will be permitted, and Integer value 2 specifies that read and write actions will be permitted. If the action is set to deny, Integer value 1 specifies that write actions will be denied, and Integer value 2 specifies that read and write actions will be denied.
            • Expects: Integer value 1 or 2
        • rfRegistryPolicy: This field determines the exclusions that will be added in regard to Registry Ringfencing. One, multiple, or no exclusions can be added. As demonstrated in the "Optional body" section, each exclusion requires each of the fields listed below:
          • action: This field determines the action that will be taken on the specified path below. This field expects the Integer value of either 1 or 2. The value of 1 will permit the Registry interaction with the path. The value of 2 will deny/block the Registry interaction with the path.
            • Expects: Integer value 1 or 2
          • path: This field determines the Registry path that will be affected by the Ringfencing action taken. Be sure to use \\ instead of a single \ for the existing slashes in the path. Wildcards can be used in this field like they can in the ThreatLocker Portal, as shown in this example: \\registry\\user\\software\\threatlocker\\*
            • Expects: Full file path or partial path with wildcards
    • Optional body
{
    "approvalRequest": {
        "approvalRequestId": "00000000-0000-0000-0000-000000000000",
        "comments": "<String>",
        "json": "<String>",
        "requestorEmailAddress": "<String>",
        "ticketApprovalManager": "<String>",
        "ticketId": "<String>"
    },
    "computerId": "00000000-0000-0000-0000-000000000000",
    "computerGroupId": "00000000-0000-0000-0000-000000000000",
    "elevationExpiration": <Integer>,
    "elevationStatus": <Integer>,
    "fileDetails": {
        "fullPath": "<String>"
    },
    "matchingApplications": {
        "useMatchingApplication": <Boolean>,
        "matchingApplication": {
            "applicationName": "<String>",
            "applicationId": "00000000-0000-0000-0000-000000000000",
            "organizationId": "00000000-0000-0000-0000-000000000000",
            "osType": <Integer>
        },
        "useExistingApplication": <Boolean>,
        "existingApplication": {
            "applicationName": "<String>",
            "applicationId": "00000000-0000-0000-0000-000000000000",
            "organizationId": "00000000-0000-0000-0000-000000000000",
            "osType": <Integer>
        },
        "useNewApplication": <Boolean>,
        "newApplicationName": "<String>"
    },
    "networkExclusions": [
        {
            "tagPrefixTypeId": <Integer>,
            "value": "<String>"
        }
    ],
    "organizationId": "00000000-0000-0000-0000-000000000000",
    "organizationIds": [
        "00000000-0000-0000-0000-000000000000",
        "00000000-0000-0000-0000-000000000000"
    ],
    "osType": <Integer>,
    "policyConditions": {
        "useExistingPolicy": <Boolean>,
        "manualOptions": [
            {
                "hash": "<String>"  
            },
            {
                "fullPath": "<String>",
                "cert": "<String>"
            }
        ],
        "ruleId": <Integer>
    },
    "policyExpirationDate": "YYYY-MM-DDTHH:MM:SSZ",
    "policyLevel": {
        "toEntireOrganization": <Boolean>,
        "toComputerGroup": <Boolean>,
        "selectedComputerGroup": {
            "computerGroupId": "00000000-0000-0000-0000-000000000000",
            "organizationId": "00000000-0000-0000-0000-000000000000",
            "osType": <Integer>
        },
        "toComputer": <Boolean>
    },
    "ringfenceActionId": <Integer>,
    "ringfencingOptions": {
        "restrictApplication": <Boolean>,
        "restrictApplicationSpawning": <Boolean>,
        "restrictFileAccess": <Boolean>,
        "restrictNetworkAccess": <Boolean>,
        "restrictRegistryAccess": <Boolean>,
        "rfAssociatedApplicationPolicy": [
            {
                "applicationId": "00000000-0000-0000-0000-000000000000"
            }
        ],
        "rfFilePolicy": [
            {
                "action": <Integer>,
                "path": "<String>",
                "permission": <Integer>
            },
            {
                "action": <Integer>,
                "path": "<String>",
                "permission": <Integer>
            }
        ],
        "rfRegistryPolicy": [
            {
                "action": <Integer>,
                "path": "<String>"
            },
            {
                "action": <Integer>,
                "path": "<String>"
            }
        ]
    }
}
  • Permissions Needed for User
    • Approve for Entire Organization
    • Approve for Group
    • Approve for Single Computer
    • Approve for Single Computer Application Only
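A pre-flight check for the optional fields described above, written as an added example (not ThreatLocker code). The field names and integer codes come from this article; the function names, the sample body and the domain pattern are assumptions made for the illustration.

```python
import ipaddress, json, re
from datetime import datetime
# Assumption: "valid domain" means a plain dotted hostname; the API's own rule may differ.
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def check_exclusion(ex):
    """Return an error if value does not fit tagPrefixTypeId (1/2/3), else None."""
    kind, value = ex.get("tagPrefixTypeId"), ex.get("value", "")
    if kind == 1:  # Domain
        return None if DOMAIN_RE.match(value) else f"not a domain: {value!r}"
    if kind not in (2, 3):
        return f"tagPrefixTypeId must be 1, 2 or 3, got {kind!r}"
    try:  # strict=True rejects host bits set, e.g. 10.0.0.5/24
        net = ipaddress.ip_network(value, strict=True)
    except ValueError:
        return f"not valid CIDR: {value!r}"
    want = 4 if kind == 2 else 6  # IPv4 = 2, IPv6 = 3
    return None if net.version == want else f"{value!r} is not IPv{want}"

def lint_optional_fields(body):
    """Return findings (strings) for the optional fields of a request body."""
    out = []
    status = body.get("elevationStatus", 0)
    if status not in (0, 1, 2):
        out.append("elevationStatus must be 0, 1 or 2")
    elif status and body.get("elevationExpiration") == 0:
        out.append("elevationExpiration is 0: Elevation never expires")
    if "policyExpirationDate" in body:
        try:
            datetime.strptime(body["policyExpirationDate"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            out.append("policyExpirationDate is not YYYY-MM-DDTHH:MM:SSZ")
    out += [e for e in map(check_exclusion, body.get("networkExclusions", [])) if e]
    rf = body.get("ringfencingOptions", {})
    if rf.get("restrictNetworkAccess") and not body.get("networkExclusions"):
        out.append("restrictNetworkAccess with no networkExclusions blocks all network use")
    for rule in rf.get("rfFilePolicy", []):
        if rule.get("action") not in (1, 2) or rule.get("permission") not in (1, 2):
            out.append(f"rfFilePolicy action and permission must be 1 or 2: {rule!r}")
    return out

def to_wire(body):  # json.dumps doubles each backslash in paths for the request body
    return json.dumps(body)

SAMPLE = {"elevationStatus": 1, "elevationExpiration": 0,  # constructed, not real data
          "policyExpirationDate": "2030-01-01 00:00:00",
          "networkExclusions": [{"tagPrefixTypeId": 2, "value": "10.0.0.5/24"}],
          "ringfencingOptions": {"rfFilePolicy": [
              {"action": 2, "permission": 1, "path": r"c:\users\*\documents\*"}]}}
```

Running `lint_optional_fields(SAMPLE)` reports the never-expiring Elevation, the date missing its `T` and `Z`, and the CIDR with host bits set.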