A completely different ISC PowerShell Module

Hey gang!

I know there’s a whole PowerShell SDK and that the almighty @darrenjrobinson also has a (much more fleshed-out) PowerShell module, but I wanted to share mine here as well. I’ve been using/working on this for years, and it’s undergone a number of revisions as the API has matured, but it’s never made it to a public GitHub repo before now. The main benefit of this module is that it doesn’t require the SailPoint CLI or the PowerShell SDK; it makes the API calls to SailPoint directly (the downside of this, of course, is that I have to manually update functions when API endpoints change).

The module is also listed in the PSGallery, so it can be installed very easily with

Install-Module -Name iscUtils

Some additional notes:

  • My module uses the Microsoft.PowerShell.SecretStore module to store the tenant/credential information, and basically just wraps my most-used API endpoints in PowerShell functions. It also uses a dynamic parameter for any function that cares about a Source input, allowing you to tab-complete your source names via a dynamically-generated list pulled every time you connect to the API.
  • Function names are all in the singular rather than the plural, because that is the recommended nomenclature for PowerShell functions. The majority of the functions can still return a list of results where necessary.
  • Comment-based help has been implemented for all functions as well. Running Get-Help for specific functions should help you understand what parameters are available and what they do.

Current functions include:

  • Connect-ISC - Connect to the ISC API.
  • Get-ISCAccessProfile - Retrieve a specific Access Profile or a list of Access Profiles from Identity Security Cloud.
  • Get-ISCAccount - Retrieve a specific account from Identity Security Cloud.
  • Get-ISCConnection - Retrieves information about the most recent connection to Identity Security Cloud.
  • Get-ISCConnectorRule - Retrieves connector rules from Identity Security Cloud.
  • Get-ISCEntitlement - Retrieve a specific entitlement from Identity Security Cloud.
  • Get-ISCIdentity - Retrieve a specific user from Identity Security Cloud.
  • Get-ISCIdentityAttribute - Retrieve an identity attribute from Identity Security Cloud.
  • Get-ISCIdentityAttributeList - Retrieve a list of Identity Attributes from Identity Security Cloud.
  • Get-ISCPendingTaskList - Retrieve a list of pending tasks from Identity Security Cloud.
  • Get-ISCSource - Retrieve a specific source from Identity Security Cloud.
  • Get-ISCSourceSchema - Retrieve a specific source schema from Identity Security Cloud.
  • Get-ISCTaskList - Retrieve a list of pending tasks from Identity Security Cloud.
  • Get-ISCTransform - Retrieve a specific transform from Identity Security Cloud.
  • Get-ISCWorkflow - Retrieve a specific workflow from Identity Security Cloud.
  • Get-ISCWorkflowExecution - Retrieve a specific workflow from Identity Security Cloud.
  • Get-ISCWorkflowExecutionList - Retrieve a list of executions from Identity Security Cloud for a specified workflow.
  • Invoke-ISCQuery - Run a specified query against Identity Security Cloud.
  • New-ISCTenant - Create a stored credential for a new ISC tenant.
  • Remove-ISCTenant - Remove a stored credential for an ISC tenant.
  • Set-ISCAccessProfile - Modifies an existing access profile in ISC.
  • Set-ISCEntitlement - Modifies an existing entitlement in ISC.
  • Set-ISCTaskCompleted - Modifies the status of a pending task in ISC.
  • Test-ISCConnection - Checks how old the existing Identity Security Cloud connection is.

Additional documentation (including examples) can be found in the GitHub repo’s ReadMe.

Please check it out and let me know what you think!

21 Likes

Hello! Just an update - I’ve added the ability to connect to Demo tenants (identitynow-demo.com, i.e. Ambassador DevRel tenants) and FedRamp tenants (saas.sailpointfedramp.com) by specifying the -Domain value on the Connect-ISC cmdlet. If this is not specified, it’ll use the default domain (identitynow.com).

Another update! I’ve simplified the storing of a new set of credentials. You no longer have to formulate your own Secret name for a Set-Secret call; you can simply run New-ISCTenant and pass in the tenant name (the {tenant} part in https://{tenant}.identitynow.com) along with either a ClientID and ClientSecret (which needs to be a SecureString) or a Credential Object (which you can either make by hand or with Get-Credential, using the ClientID as the username and the ClientSecret as the password in either case).

You can do something like this:

New-ISCTenant -Tenant 'devrel-ga-xxxx' -ClientID '1619...426d' -ClientSecret ('cd2c.......b178' | ConvertTo-SecureString -AsPlainText -Force)

or this:

$clientID = '1619...426d'
$clientSecret = 'cd2c.......b178' | ConvertTo-SecureString -AsPlainText -Force

$credential = [PSCredential]::New($clientID, $clientSecret)

New-ISCTenant -Tenant 'devrel-ga-xxxx' -Credential $credential

or this:

$credential = Get-Credential

New-ISCTenant -Tenant 'devrel-ga-xxxx' -Credential $credential

1 Like
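
The first two snippets in the post above pass the client secret as a string literal, which can persist in the PSReadLine history file or in a saved script. As an added example (not from the original post or the iscUtils repo), the following prompts for the secret instead and scans files for earlier literal use. `Register-ISCTenantInteractive` and `Find-PlaintextSecretUsage` are hypothetical helper names; only `New-ISCTenant` and its `-Tenant`, `-ClientID` and `-ClientSecret` parameters come from the post.

```powershell
# Added example; not part of iscUtils. Helper names below are hypothetical.
# Assumes the iscUtils module is installed and provides New-ISCTenant
# with the -Tenant, -ClientID and -ClientSecret parameters shown in the post.

function Register-ISCTenantInteractive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$ClientID
    )
    # Read-Host -AsSecureString masks the input and returns a SecureString,
    # so the secret is never typed as a literal on the command line.
    $clientSecret = Read-Host -Prompt "Client secret for $Tenant" -AsSecureString
    if ($clientSecret.Length -eq 0) {
        throw 'Empty client secret; nothing was stored.'
    }
    # Trim stray whitespace so the stored tenant name matches {tenant} exactly.
    New-ISCTenant -Tenant $Tenant.Trim() -ClientID $ClientID.Trim() -ClientSecret $clientSecret
}

function Find-PlaintextSecretUsage {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Path)

    # Matches a quoted literal handed to ConvertTo-SecureString -AsPlainText,
    # either through the pipeline or as a direct argument.
    $patterns = @(
        '[''"][^''"]+[''"]\s*\|\s*ConvertTo-SecureString\b.*-AsPlainText'
        'ConvertTo-SecureString\s+(-String\s+)?[''"][^''"]+[''"].*-AsPlainText'
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
        # Report only file and line number, so the secret is not echoed again.
        Select-String -LiteralPath $file -Pattern $patterns |
            Select-Object -Property Path, LineNumber
    }
}

# Usage (file names are examples):
#   Register-ISCTenantInteractive -Tenant 'devrel-ga-xxxx' -ClientID '1619...426d'
#   Find-PlaintextSecretUsage -Path (Get-PSReadLineOption).HistorySavePath, '.\Connect-Tenants.ps1'
```

Any client secret that the scan finds in a history file or script should be rotated in the tenant and stored again with the prompt-based call.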

Yet another update! (I’ll add this to the original post too, for visibility.)

I’ve published this repo to the PSGallery, which should simplify installation. You can now just do a simple

Install-Module -Name iscUtils

to install this module! This will ensure that the prerequisite modules are installed, too.