Access Profile Export with approval workflow

Is there an API we can run that will export all the Access Profiles with their approval workflow (Manager, Governance group, etc.)?

I know we can probably get this information using the IO tool export, but I was wondering if there was an easier way with an API. Our auditors would like to see the history of our approval workflows and we would like to schedule a job to pull this on a regular basis.

Welcome to the community Kathryn,

You can pull the access profile details, which include the current approval/revocation steps, using the list access profiles endpoint. You’ll probably need to write a script to paginate through all of the profiles if you have more than 250. One thing to note is that this does not account for any event triggers you have set up to add additional approval steps to access requests. The two triggers in question are Access Request Dynamic Approval | SailPoint Developer Community and Access Request Preapproval | SailPoint Developer Community.

Hi @colin_mckibben , just wanna check.

Can we get a list of all access profiles associated with a source using the Search query?

Yes, the source name and ID are included in the access profile data model in search. Searchable Fields - SailPoint Identity Services

Your query would look like this:

source.name:"Active Directory"

Hi @colin_mckibben , thanks for that information.

I tried to use the list of access profiles API for a source as you mentioned in the post.

I could only see the Approval Scheme, but it doesn’t show the approver id or details.

Is there a way we can see the approver id as well for the access profile using the same API, or is there a different API that provides me with the list of access profiles for a source along with the approver details?

That looks like a bug. Can you please submit a support ticket for it?

As a workaround, you can get the owner ID by looking at the owner property in the response object. It will tell you who owns the access profile. In this case, jordan.violet owns this particular access profile.

{
    "id": "2c91808a7643763f01767b59d9d907cf",
    "name": "Employee Source",
    "description": "Access to employees",
    "created": "2020-12-19T14:14:14.746Z",
    "modified": "2023-05-22T18:29:10.0754Z",
    "enabled": true,
    "owner": {
        "type": "IDENTITY",
        "id": "2c91808375d8e80a0175e1f88a575221",
        "name": "jordan.violet"
    },
    "source": {
        "id": "2c9180887671ff8c01767b4671fb7d5e",
        "type": "SOURCE",
        "name": "Employees"
    },
    "entitlements": [
        {
            "id": "2c9180877677453d01767b4b08f63386",
            "type": "ENTITLEMENT",
            "name": "DevRel"
        }
    ],
    "requestable": true,
    "accessRequestConfig": {
        "commentsRequired": false,
        "denialCommentsRequired": false,
        "approvalSchemes": [
            {
                "approverType": "SOURCE_OWNER",
                "approverId": null
            },
            {
                "approverType": "OWNER",
                "approverId": null
            }
        ]
    },
    "revocationRequestConfig": {
        "approvalSchemes": []
    },
    "segments": [],
    "provisioningCriteria": {
        "operation": "AND",
        "attribute": null,
        "value": null,
        "children": [
            {
                "operation": "OR",
                "attribute": null,
                "value": null,
                "children": [
                    {
                        "operation": "EQUALS",
                        "attribute": "name",
                        "value": "phil",
                        "children": null
                    },
                    {
                        "operation": "CONTAINS",
                        "attribute": "e-mail",
                        "value": "sailpoint.com",
                        "children": null
                    }
                ]
            }
        ]
    }
}

Thanks @colin_mckibben , that helps. I will raise a support request for that.

Hi @colin_mckibben , is there a way we can get the approver's name instead of the IDs using the API for each access profile?

The name is included in the owner object, along with the id. If you need more information, you can use the get public identities endpoint.

GET https://{tenant}.api.identitynow.com/v3/public-identities?filters=id eq '2c91808375d8e80a0175e1f88a575221'

Hi @colin_mckibben , I am thinking of a situation in which Governance Group is the approver.

With this API, I could see the governance group ID and not the names of the members.

I would like to check if we can get the names of the approvers as well in the same API.

You can look up governance group details using this API: REST APIs for managing Governance Groups

Please note they are v2 APIs. There are v3 APIs being worked on, but they are not yet available.
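An added example, not code from the thread or from SailPoint: it pages through an access profile collection and flattens each profile into one audit row per approval or revocation step, filling in the approver from the `owner` object when the scheme is `OWNER` and `approverId` comes back null. Assumptions: `fetch_page(offset, limit)` is a hypothetical callable you would wrap around the list access profiles endpoint using `offset` and `limit` query parameters, `GOVERNANCE_GROUP` is an assumed `approverType` value, and the sample profiles are constructed.

```python
def paginate(fetch_page, page_size=250):
    """Yield every item; fetch_page(offset, limit) returns one page as a list."""
    offset = 0
    while True:
        page = fetch_page(offset, page_size)
        yield from page
        if len(page) < page_size:  # short or empty page: nothing left
            return
        offset += page_size

def approval_rows(profile):
    """Flatten one access profile into one row per approval/revocation step."""
    owner = profile.get("owner") or {}
    base = {"profile_id": profile["id"], "profile_name": profile["name"],
            "source": (profile.get("source") or {}).get("name", "")}
    rows = []
    for request_type in ("access", "revocation"):
        config = profile.get(request_type + "RequestConfig") or {}
        for step, scheme in enumerate(config.get("approvalSchemes") or [], 1):
            approver_id, approver_name = scheme.get("approverId") or "", ""
            if scheme.get("approverType") == "OWNER":
                # approverId is null here; take the approver from the owner object
                approver_id, approver_name = owner.get("id", ""), owner.get("name", "")
            rows.append(dict(base, request_type=request_type, step=step,
                             approver_type=scheme.get("approverType"),
                             approver_id=approver_id, approver_name=approver_name))
    return rows

def export_rows(fetch_page, page_size=250):
    """All approval rows for every profile in the collection."""
    return [row for p in paginate(fetch_page, page_size) for row in approval_rows(p)]

# Constructed sample profiles (IDs are placeholders; GOVERNANCE_GROUP is assumed).
SAMPLE = [
    {"id": "ap-1", "name": "Employee Source", "source": {"name": "Employees"},
     "owner": {"id": "id-1", "name": "jordan.violet"},
     "accessRequestConfig": {"approvalSchemes": [
         {"approverType": "SOURCE_OWNER", "approverId": None},
         {"approverType": "OWNER", "approverId": None}]}},
    {"id": "ap-2", "name": "Finance Reports", "source": {"name": "Employees"},
     "owner": {"id": "id-2", "name": "sample.owner"},
     "accessRequestConfig": {"approvalSchemes": [
         {"approverType": "GOVERNANCE_GROUP", "approverId": "gg-1"}]},
     "revocationRequestConfig": {"approvalSchemes": []}},
]

def sample_fetch(offset, limit):
    return SAMPLE[offset:offset + limit]
```

Rows with an empty `approver_id` (such as `SOURCE_OWNER`) still need a separate lookup, and governance group IDs need the governance group API to list members; the rows can be written out with `csv.DictWriter` for a scheduled export.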
