Accessing ISC tenant data inside connector rules

Hi! I have made this simple WS before operation rule that uses the API to get tenant data (in this case, some identity attribute values), and it actually works fine:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import org.json.JSONArray;
import org.json.JSONObject;

		log.info("TestWS: enter before rule");
		try {
			// The '=' between the parameter name and its value stays literal; only the filter value is percent-encoded
			String https_url = "https://xxxxxxxxx.api.identitynow-demo.com/beta/identities?filters=name%20eq%20%22someuserlogin%22";
			log.info("TestWS: url: " + https_url);
			URL url = new URL(https_url);
			HttpsURLConnection con = (HttpsURLConnection) url.openConnection();

			// Token pasted in for testing: a hard-coded bearer token expires and is readable by anyone who can view the rule
			con.setRequestProperty("Authorization",
					"Bearer <I_PASTED_TOKEN_FROM_POSTMAN>");
			con.setRequestMethod("GET");
			con.setRequestProperty("Content-Type", "application/json");
			con.setRequestProperty("Accept", "application/json");
			con.setUseCaches(false);
			con.setDoInput(true);
			// No setDoOutput(true): a GET request sends no body

			log.info("TestWS: captura resposta");
			// Read the whole response body; getInputStream() throws on a 4xx/5xx status, which the catch below logs
			StringBuilder sb = new StringBuilder();
			BufferedReader br = new BufferedReader(new InputStreamReader(con.getInputStream(), "UTF-8"));
			String input;
			while ((input = br.readLine()) != null) {
				sb.append(input);
			}
			br.close();
			String rawResponse = sb.toString();
			// This writes identity data returned by the tenant to the log at info level
			log.info("TestWS: resposta do tenant" + rawResponse);

			// The endpoint returns a JSON array; take the first matching identity
			JSONObject resultRoot = (JSONObject) new JSONArray(rawResponse).get(0);
			log.info("TestWS: obtain attributes");
			String alias = (String) resultRoot.get("alias");
			log.info("TestWS: json alias: " + alias);
		} catch (Exception e) {
			log.info("TestWS: error: " + e.getMessage());
		}

I am conscious of not connecting to external systems, as established in the rules guide:

But in this case, is the tenant considered an external system? Can I use this snippet, or is it among the prohibited code?

1 Like
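An added example, not part of the original post: building the `filters` query string for the identities endpoint used above when the login is not a fixed literal but comes from the request being processed (an assumption). The class name, method name and allowed character set are hypothetical; a value containing a quote is refused rather than concatenated into the filter.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.regex.Pattern;

public class IdentityFilterUrl {
    // Assumption: logins in this tenant use only these characters; adjust to your naming policy.
    private static final Pattern SAFE_LOGIN = Pattern.compile("[A-Za-z0-9._@-]{1,128}");

    /** Builds <apiBase>/beta/identities?filters=name eq "<login>" with only the value percent-encoded. */
    public static String build(String apiBase, String login) throws UnsupportedEncodingException {
        if (login == null || !SAFE_LOGIN.matcher(login).matches()) {
            // A quote or backslash in the value could change the filter expression, so refuse it.
            throw new IllegalArgumentException("login contains characters not allowed in a filter value");
        }
        String filter = "name eq \"" + login + "\"";
        // URLEncoder produces form encoding ('+' for spaces); a literal '+' is already %2B,
        // so every remaining '+' is a space and can be rewritten as %20.
        String encoded = URLEncoder.encode(filter, "UTF-8").replace("+", "%20");
        return apiBase + "/beta/identities?filters=" + encoded;
    }

    public static void main(String[] args) throws Exception {
        String base = "https://xxxxxxxxx.api.identitynow-demo.com"; // placeholder host from the post
        // Prints .../beta/identities?filters=name%20eq%20%22someuserlogin%22
        System.out.println(build(base, "someuserlogin"));
        try {
            build(base, "a\" or \"b"); // constructed value containing quotes
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```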

Hi @jsosa

  • The WSBO Rule is connector-based; it executes in the VA and is within the organization. So SailPoint doesn’t have any problem with that.
  • The restrictions are applicable only to Cloud Rules. When you do the same in a Cloud Rule, the SailPoint API is not an external system to SailPoint, right?
  • Also, if you see the option below, do not call unless that is the connector’s purpose.

So I would say this is totally fine and is implemented by a lot of clients already.

I believe you are using this Rule to get the missing attributes which are mandatory for the update operation?

Thanks
Krish

5 Likes

Exactly! In this WS, the endpoint used to add or remove entitlements uses a body that requires some data from the identity, so we need to add it to the request body.

You can add an additional operation to add/remove entitlements. If you need to pass only the current account information, then you can use the Single Account Aggregation operation and then the Add Entitlement operation.

You can get the missing attributes from operation 1, and they can be used as $response.attributeName

If required you can still use WSBO Rule, but you don’t need to make any API calls.

Thanks
Krish

4 Likes

Thanks Krishna, I will try!

1 Like
