Account creation utilizing API

Excuse me if this is not the right place. If there is somewhere I can be pointed, I appreciate it. When it comes to account creation with the API, can these be passed to a non-employee source? When it passes this information, does it create the account right away, or does it require an approval before it is created? Can roles be applied during or after account creation?

Hi Colton, you are in the right place! According to the documentation, account creation does not provision accounts on directly connected sources, such as AD. It just creates the account in IDN (the account should already exist on the connected source). I actually made a test creating an account in a Non-Employee source, and although it returns with an id (as if it were successful), the account is not created in the source UI.

Independently from this answer, you can configure roles with assignment conditions that rely on account existence. For example, you should have an attribute in any source, configured to have a static value. So, you can use the Equals condition so roles will apply when these accounts are created.

Julian,

Thank you for your reply! Sorry for my lack of knowledge of SailPoint, as it is new to me, as well as working with APIs. So, it sounds like it will pass the information for the account to be created on AD, but doesn't actually start the account creation process?

Ideally, what we want to be able to do is have the information about the contractors passed to SailPoint via API so the account has all the information needed, and then once approved, the user's account will be created. Would the create account calls be used, or something different? For the non-employee source, do you define that source in the API as well? Where can I find a template?

No worries on the roles portion, I had that explained to me by some other members of our team. Thank you for that information.

Hi @frndlycse

We all are learning so no worries :slight_smile: . In your case, do you already have the information about contractors in ISC (SailPoint)? As you mentioned that you need to pass the information about the contractors to SailPoint, what I understand is that the contractors are not in ISC yet.

So the first thing you will need is to have a source in place which will enable you to onboard these contractors into SailPoint, which you can do depending upon the system type where you are storing the information of contractors. If there is no application storing the information, then I believe you can set up a delimited-file based source which can let you have the contractors in ISC as actual identities, and then you can set up roles with the proper approval configurations, so when someone requests access for a contractor it goes to the correct approvals.

I hope this information helps, please let us know if you need more information.

Regards
Vikas.

Hi Colton!! As Vikas said, all learning here (it applies to everything in life). Unfortunately it is the contrary: the account create will create an account on IDN (the identity will have an AD account on its side), but the documentation says that it will not trigger provisioning.

But if you want to automatically provision an AD account (create it on AD) immediately after a user is created in the Non-Employee form, you can achieve it with a Role. This role can grant some entitlement, and the condition should be that the lifecycle state is active and the identity has a non-employee account.

I usually put a fixed text (static transform) on the identity profile, so I can check the identity's origin (with an attribute called source or something like that). So then, on the role condition I simply check if this attribute has some value (could be "contractors" in this case).

All this means that when you create a Non-Employee account, it creates an identity with active state and the "contractors" value in the "source" attribute. Then, when the role is evaluated, as it matches this condition, it will grant the entitlement (and create the account) in AD.
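As an added illustration of the role condition Julian describes (this is example code written for this thread, not SailPoint's own code or the poster's), the block below builds the membership criteria for a birthright role that applies when the identity's lifecycle state is active and a static `source` attribute equals `contractors`, and then evaluates those criteria locally against a few constructed identities. The criteria shape (`operation` / `key` / `stringValue` / `children`) is my reading of the ISC v3 Roles API and is an assumption; `cloudLifecycleState` is the identity attribute that carries the lifecycle state; the attribute name `source` and the value `contractors` are the thread's own example.

```python
"""Added example: build the membership criteria for a contractor birthright
role and evaluate them locally against constructed identities.
The criteria structure is an assumption about the ISC v3 Roles API."""
import json


def build_contractor_role_membership(source_attr="source", source_value="contractors"):
    """Membership block (assumed v3 schema) for a role that should apply to
    active identities whose static 'source' attribute marks them as contractors."""
    return {
        "type": "STANDARD",
        "criteria": {
            "operation": "AND",
            "children": [
                {
                    "operation": "EQUALS",
                    "key": {"type": "IDENTITY", "property": "attribute.cloudLifecycleState"},
                    "stringValue": "active",
                },
                {
                    "operation": "EQUALS",
                    "key": {"type": "IDENTITY", "property": f"attribute.{source_attr}"},
                    "stringValue": source_value,
                },
            ],
        },
    }


def _lookup(identity, key):
    # Only IDENTITY-typed keys of the form "attribute.<name>" are handled here
    prop = key.get("property", "")
    if key.get("type") != "IDENTITY" or not prop.startswith("attribute."):
        raise ValueError(f"unsupported criteria key: {key}")
    return identity.get("attributes", {}).get(prop[len("attribute."):])


def evaluate_criteria(node, identity):
    """Recursively evaluate a criteria tree against an identity dict.
    Supports AND / OR groups and EQUALS / NOT_EQUALS / CONTAINS leaves."""
    op = node["operation"]
    if op == "AND":
        return all(evaluate_criteria(c, identity) for c in node["children"])
    if op == "OR":
        return any(evaluate_criteria(c, identity) for c in node["children"])
    actual = _lookup(identity, node["key"])
    expected = node.get("stringValue")
    if op == "EQUALS":
        return actual == expected
    if op == "NOT_EQUALS":
        return actual != expected
    if op == "CONTAINS":
        return actual is not None and expected in actual
    raise ValueError(f"unsupported operation: {op}")


def would_get_role(identity, membership=None):
    """True when the identity satisfies the role's membership criteria."""
    membership = membership or build_contractor_role_membership()
    return evaluate_criteria(membership["criteria"], identity)


# Constructed sample identities (not real tenant data)
CONTRACTOR_ACTIVE = {"name": "c.smith", "attributes": {"cloudLifecycleState": "active", "source": "contractors"}}
CONTRACTOR_INACTIVE = {"name": "c.jones", "attributes": {"cloudLifecycleState": "inactive", "source": "contractors"}}
EMPLOYEE_ACTIVE = {"name": "e.brown", "attributes": {"cloudLifecycleState": "active", "source": "employees"}}

if __name__ == "__main__":
    print(json.dumps(build_contractor_role_membership(), indent=2))
    for ident in (CONTRACTOR_ACTIVE, CONTRACTOR_INACTIVE, EMPLOYEE_ACTIVE):
        print(ident["name"], would_get_role(ident))
```

The point of the local evaluator is to check the condition before you attach an AD entitlement to it: only the active contractor matches, so an inactive contractor (end date passed) or an employee never picks up the entitlement through this role.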

Vikas,

Thank you for your reply. Currently our process is manually uploading the contractor info into SailPoint. The user account is then created/provisioned once it gets approved. Our goal is to automate this process more so that our team members no longer need to do this manually. It sounds like the API will upload that info into the source we are already using? So, they are just waiting for an approval to be created? Is that correct?

Your use case sounds more applicable to the NELM APIs rather than the create account API. See below:

More documentation for overall administration:

Non-Employee sources are unique and a different source type that you'll want to read up on.


To add accounts to a non-employee source in Identity Security Cloud, administrators can select the non-employee source and add the accounts. They can also use the ‘Manage Non-Employees’ widget on their user dashboards to reach the list of sources and then select the non-employee source they want to add the accounts to.

Administrators can either add accounts individually or in bulk. Each non-employee source can have a maximum of 20,000 accounts. To add accounts in bulk, they must select the ‘Bulk Upload’ option and upload a CSV file. Refer to Adding Accounts for more details about how to add accounts to non-employee sources.
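As an added example for the bulk-upload path described above (written for this thread, not SailPoint's own code or the poster's), the block below validates a contractor CSV offline before anything is sent and turns each clean row into the JSON body of a non-employee record. The 20,000 accounts-per-source cap is the figure quoted above. The record field names (`accountName`, `firstName`, `lastName`, `email`, `phone`, `manager`, `sourceId`, `startDate`, `endDate`), the `/v3/non-employee-requests` and `/v3/non-employee-records` paths, and the `{tenant}.api.identitynow.com` host are my reading of the ISC v3 non-employee API and are assumptions; the sample CSV, the source id and the tenant name are constructed placeholders.

```python
"""Added example: validate a contractor CSV against the per-source cap and
required fields, then build non-employee record payloads. Endpoint paths and
field names are assumptions about the ISC v3 non-employee API."""
import csv
import io
import json
import os
import re
import urllib.request
from datetime import date

MAX_ACCOUNTS_PER_SOURCE = 20_000  # cap stated in the thread
REQUIRED = ("accountName", "firstName", "lastName", "email", "manager", "startDate", "endDate")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample upload; the third data row is deliberately broken
SAMPLE_CSV = """accountName,firstName,lastName,email,phone,manager,startDate,endDate
c.smith,Casey,Smith,casey.smith@vendor.example,+1-555-0100,m.lee,2024-03-01,2024-08-31
c.jones,Chris,Jones,chris.jones@vendor.example,,m.lee,2024-03-01,2024-06-30
c.bad,Pat,,not-an-email,,m.lee,2024-09-01,2024-01-01
"""


def parse_contractor_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def validate_row(row):
    """Return the list of problems with one CSV row (empty list == valid)."""
    problems = [f"missing {f}" for f in REQUIRED if not row.get(f)]
    if row.get("email") and not EMAIL_RE.match(row["email"]):
        problems.append("malformed email")
    try:
        start = date.fromisoformat(row["startDate"]) if row.get("startDate") else None
        end = date.fromisoformat(row["endDate"]) if row.get("endDate") else None
        if start and end and end <= start:
            # a contractor record must carry a real expiry, or access never ends
            problems.append("endDate must be after startDate")
    except ValueError:
        problems.append("dates must be ISO yyyy-mm-dd")
    return problems


def build_records(rows, source_id, existing_count=0):
    """Split rows into (payloads, rejected) and refuse to exceed the per-source cap."""
    if existing_count + len(rows) > MAX_ACCOUNTS_PER_SOURCE:
        raise ValueError(f"upload would exceed {MAX_ACCOUNTS_PER_SOURCE} accounts on source {source_id}")
    payloads, rejected = [], []
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        problems = validate_row(row)
        if problems:
            rejected.append((line_no, row.get("accountName"), problems))
            continue
        body = {
            "accountName": row["accountName"],
            "firstName": row["firstName"],
            "lastName": row["lastName"],
            "email": row["email"],
            "manager": row["manager"],
            "sourceId": source_id,
            "startDate": f"{row['startDate']}T00:00:00Z",  # assumed timestamp format
            "endDate": f"{row['endDate']}T23:59:59Z",
        }
        if row.get("phone"):
            body["phone"] = row["phone"]
        payloads.append(body)
    return payloads, rejected


def submit(payloads, tenant, path="/v3/non-employee-requests"):
    """POST each payload. The default path is the request endpoint (assumed),
    so each account goes through the source's approvers before it exists;
    /v3/non-employee-records (assumed) would create it directly."""
    token = os.environ["ISC_ACCESS_TOKEN"]  # read from the environment, never hard-coded
    for body in payloads:
        req = urllib.request.Request(
            f"https://{tenant}.api.identitynow.com{path}",
            data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            yield json.load(resp)


if __name__ == "__main__":
    payloads, rejected = build_records(parse_contractor_csv(SAMPLE_CSV), "SOURCE_ID_PLACEHOLDER")
    print(json.dumps(payloads, indent=2))
    for line_no, name, problems in rejected:
        print(f"line {line_no} ({name}): {', '.join(problems)}")
```

Running it offline shows two clean payloads and one rejected row (missing surname, malformed email, end date before start date); `submit` is only called once the file is clean, and its default endpoint is the one that keeps the approval step Colton asked about in front of account creation.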

Hi @frndlycse

Thank you for the detailed information. As mentioned by @adunker this is a classical case of non-employee management. I have not used the API which Alex suggested, but if he says so, then I think it is worth exploring and it could be the easier approach :).

On the other hand, technically speaking, you can still achieve it by using the account create API, but that will require you to set up a source in ISC and then use an external system to create accounts in this source. You can set up this source as an authoritative source with lower priority than the employees source. This way, when you onboard a contractor in the contractor system, that will create accounts in ISC, which should result in an identity as it is an authoritative source.

After that, as per the recommendation from @jsosa, you can set up birthright roles to achieve account creation in the target application.

SailPoint has a very nice platform, NERM, that also does this automatically, where you can completely control the contractors (onboarding, offboarding, etc.), so you can also have a look at that platform, but that will also need an architecture discussion.

I hope this helps, if you have any queries, please let us know.

Thank You.
Regards
Vikas.
