Add entitlement to identity via API


I have a use case where I would like to allow a team within our organization to grant access to an entitlement via the IIQ API.

  1. The team would call the API with the Identity and the Entitlement that they want to add
  2. IIQ would grant the Identity access to the Entitlement without asking for any approvals
  3. The team calling the API would only be allowed to add that ONE Entitlement to ANY Identity. They would not have access to add any other entitlements to any identities

Is this possible?


Yes, you could achieve this by using the IdentityIQ SCIM endpoint to launch a custom Workflow (launch-workflow | SailPoint Developer Community). This custom Workflow would receive the identity name and entitlement name as input parameters, and would perform any validation to make sure that the one entitlement being requested is valid. Once verified, the custom Workflow would construct a provisioning plan to add the entitlement to the required identity and call the LCM Provisioning Workflow to handle the provisioning. It would also pass in any parameters to skip approvals (such as “approvalScheme”=none), skip SoD Policy checking, or whatever parameters are needed to dictate the behavior of the provisioning workflow.


@paulo_urcid,

Thanks for the reply, and sorry that my response is so late.

Since we will probably have multiple accounts trying to hit the IIQ API and launch this workflow, are you suggesting that we do some sort of mapping for authorizing which groups can be requested?

For instance, should we create a Map like this?

  - service account A
    - entitlement 1
    - entitlement 2

That Map would have N number of service accounts and each service account would have N number of entitlements it is authorized to grant access to. If the service account calling the API tries to add an entitlement in its Authorized list, the request is granted. If not, the request is dropped.
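The reply above describes a custom Workflow that validates the request, builds a provisioning plan and hands it to LCM Provisioning with approvals disabled, and the follow-up asks about a per-service-account authorization map. Below is an added example of one Beanshell step script that combines the two; it is not code from the thread or from SailPoint. It assumes the workflow variables `launcher` (the account that called the SCIM endpoint), `identityName` and `entitlement` (a constructed `app:attribute:value` string), and a Custom object named `ServiceAccountEntitlementMap` whose keys are service account names and whose values are lists of entitlements that account may grant.

```java
// Added example, not from the thread. Assumed workflow variables: launcher,
// identityName, entitlement; assumed Custom object: ServiceAccountEntitlementMap.
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Custom;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.GeneralException;

String caller = (String) workflow.get("launcher");
String identityName = (String) workflow.get("identityName");
String requested = (String) workflow.get("entitlement");

// 1. Deny by default: the caller must be in the map AND the requested
//    entitlement must be in that caller's list; everything else is rejected.
Custom map = context.getObjectByName(Custom.class, "ServiceAccountEntitlementMap");
List allowed = (map == null) ? null : (List) map.get(caller);
if (allowed == null || !allowed.contains(requested)) {
    throw new GeneralException("Caller " + caller + " is not authorized to grant " + requested);
}

// 2. Resolve the target identity and its account on the entitlement's application.
String[] parts = requested.split(":", 3);   // constructed format app:attribute:value
String appName = parts[0];
String attrName = parts[1];
String value = parts[2];
Identity target = context.getObjectByName(Identity.class, identityName);
Application app = context.getObjectByName(Application.class, appName);
if (target == null || app == null) {
    throw new GeneralException("Unknown identity " + identityName + " or application " + appName);
}
List links = target.getLinks(app);
if (links == null || links.isEmpty()) {
    throw new GeneralException(identityName + " has no account on " + appName);
}
Link link = (Link) links.get(0);

// 3. Build the plan: Modify the existing account, Add exactly one attribute value.
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(target);
AccountRequest acct = new AccountRequest();
acct.setApplication(appName);
acct.setNativeIdentity(link.getNativeIdentity());
acct.setOperation(AccountRequest.Operation.Modify);
acct.add(new AttributeRequest(attrName, ProvisioningPlan.Operation.Add, value));
plan.add(acct);

// 4. Hand off to LCM Provisioning with approvals skipped, as the reply suggests.
workflow.put("plan", plan);
workflow.put("approvalScheme", "none");
```

Because the check keys on the authenticated launcher rather than on anything in the request body, a caller can only ever add the entitlements listed under its own name, and an unmapped caller gets nothing.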