Update: Oct 2019. Access Profiles can be easily managed using the SailPoint IdentityNow PowerShell Module.
Managing SailPoint IdentityNow Access Profiles is easy enough to do using the SailPoint IdentityNow Portal. But what if you have the requirement to update, report on, or create numerous Access Profiles? That’s where the SailPoint IdentityNow API comes into play. The Access Profiles API is documented here but doesn’t go into a lot of detail. In this post I’ll detail interfacing with it using PowerShell primarily to create and update Access Profiles.
Prerequisites
You will need to Authenticate to the IdentityNow API. Both v2 and v3 authentication methods work. I detail the v2 method here and the v3 method here. Personally I’m using the v3 method. Just make sure you change your Headers for the requests to whatever method you use and the naming of your variables.
For reference my v3token variable is $v3Token so my Authentication Header is then @{Authorization = “$($v3Token.token_type) $($v3Token.access_token)”}
Getting Access Profiles
The Access Profiles API URI is
https://$($yourOrgName).api.identitynow.com/v2/access-profiles
If you know the ID of the Access Profile you can return just that Access Profile via it’s ID (where $accessProfileID is the ID that looks like 2c91808466a64e330112a96902ff1f69)
https://$($yourOrgName).api.identitynow.com/v2/access-profiles/$($accessProfileID)
The following script will return Access Profiles from your SailPoint IdentityNow Tenant. Update;
- Line 2 for your IdentityNow Org name
Updating Access Profiles
To update an Access Profile the API URI is;
https://$($orgName).api.identitynow.com/v2/access-profiles/$($accessProfileID)
The following will update an existing Access Profile to make Request Comments Required and Denied Comments Required equal False.
Update;
- Line 2 for your IdentityNow Org name
- Lines 6 for the ID of the Access Profile you want to update
- Lines 9,10 for the settings to update
Preparing to create an Access Profile
In order to create an Access Profile, there are a number of configuration items that you will need to provide. The key items are;
- SourceID is the (currently) five digit ID of a source that you can get from the IdentityNow Portal when looking at the properties of a Source. Or via API as I detailed in this post.
- OwnerID is the Identity ID for the user you will make the owner. To do that you will need to query IdentityNow for the user (see below for an example)
- Entitlements
- In order to get the Entitlements ID(s) to assign to the Access Profile you will need to query the Source. This post here details querying Sources to get Entitlements whereby you can get the ExternalID of Entitlements.
Search for Owner ID Request Object
Here is an example Search Request JSON Object required for the Search User call. Update it for a unique attribute for an Identity to query and return.
Update for your criteria. e.g if you copy the JSON below;
- create a variable name
- $requestFilter = ‘JSON snippet content from below’
- Update the search criteria for your search
- $newRequestFilter = $requestFilter .Replace(“darren.robinson@customer.com.au”,”yourUser@mydomain.com”)
- Then search for the user and get the ID of the identity
- Update
- Line 2 for your Orgname
- Line 8 for the user to search for that matches the JSON object from above
Creating an Access Profile
Finally, now that we have the prerequisite information to create an Access Profile we can create it. Modify for your environment based off information retrieved from the processes above. Namely;
- Line 1 for your Orgname
- Line 2 for the SourceID associated with the Access Profile
- Line 3 for the Access Profile Owner’s ID
- Lines 7-10 for your Access Profile Details
- Line 14 for the Entitlements
- Line 19 for the Approver (see below for more details)
Access Profile Approvers
For Approvers you can provide the order for approval. For the approval by the Access Profile Owner and then the Manager use the following when creating the Access Profile in Line 19 above.
-
$accessProfile.add(“approvalSchemes”,”accessProfileOwner, manager”)
Other options are:
- SourceOwner
- appOwner
- Governance Group. See managing Governance Groups here to get the Governance Group ID (GUID format)
- workgroup: 86929844-3391-4ce2-80ef-760127e15813
Summary
Whilst the creation of an Access Profile via API does require some configuration, if you have multiple to create and you know the criteria it is possible to automate the task. I hope this helps others.