Update: Oct 2019. Global Reminders and Escalation Policies can be easily managed using the SailPoint IdentityNow PowerShell Module.
SailPoint IdentityNow Access Requests for Roles or Applications usually require approvals which are configured on the associated Role or Application. The Approval could be by the Role/Application Owner, a Governance Group or the Requestor’s Manager. However for reminders and escalation policies the configuration is only available to be retrieved and set via the API. The SailPoint Identity Now api/v2/org API is used to configure these Global Reminders and Escalation Policies.
This post details how to get the configuration of your IdentityNow Org along with updating the the Global Reminders and Escalation Policies.
The PowerShell script below uses the v3 API Authentication process detailed here.
Update the script below for;
- line 2 for your IdentityNow Orgname
- line 5 for your IdentityNow Admin ID
- line 6 for your IdentityNow Admin Password
- line 16 for your Org v3 ClientID (obtained from SailPoint)
- line 17 for your Org v3 ClientSecret (obtained from SailPoint)
Executing the script Line 35 will return the current configuration for your SailPoint IdentityNow Org.
$listOrgConfig = Invoke-RestMethod -Method GET -Uri "https://$($orgName).identitynow.com/api/v2/org" -Headers @{Authorization = "$($v3Token.token_type) $($v3Token.access_token)"}
- lines 39-43 specify the configuration values for
- daysBetweenReminders – Number of days between reminders or escalations
- daysTillEscalation – Number of days from when the request is created to when the reminder/escalation process begins
- maxReminders – Maximum number of reminders sent before starting the escalation process
- fallbackApprover – The alias of the identity that wlll review the request if no one else reviews it
- lines 46-50 build the configuration to write back to IdentityNow
and finally Line 53 updates the configuration in IdentityNow
$updateOrgConfig = Invoke-RestMethod -Method Patch -Uri "https://$($orgName).identitynow.com/api/v2/org" -Headers @{Authorization = "$($v3Token.token_type) $($v3Token.access_token)"; 'Content-Type' = 'application/json'} -Body ($approvalConfigBody | convertto-json)
The updated configuration is returned in the $updateOrgConfig variable. The following snippet shows the written config for Reminders and Escalations.
The Script
Will all the details described above, here is the script.
Summary
Using PowerShell with the v3 Authentication method and the v2 IdentityNow Org API we can quickly get the Organisation configuration. We can then quickly update the Global Reminders and Escalation Policies. With a few changes other customer configurable (the majority are read/only) configuration options on the Org can also be updated.