Add provisioningCriteria in AccessProfile actives

Identity Security Cloud (ISC) ISC Discussion and Questions
1

Hello,

I need to add provisioning criteria in Access Profiles already activated,

I know it needs to be a Patch for /access-profiles/:id,

but I didn’t find the value part:

“op”: {
“value”: “add”
},
“path”: {
“value”: “/provisioningCriteria”
},
“value”: { ???

Can someone help me?

Tks

2

Provisioning criteria for access profiles can be configured in the UI, even if they are activated. Here is a screenshot from my tenant showing the menu it resides in. Do you have a hard requirement to do this via API?

image
image2560×988 171 KB

3

Hello Colin,

I’m setting up an automation in java to make the calls and change a list of more than 300 AccessProfiles. That’s why I prefer to do it via API.

Tks.

Regards

4

Try the replace action to entirely replace the contents of provisioningCriteria. For example, I have the following access profile:

{
    "description": "Access to employees",
    "enabled": true,
    "requestable": true,
    "owner": {
        "type": "IDENTITY",
        "id": "2c9180867624cbd7017642d8c8c81f67",
        "name": "colin.mckibben"
    },
    "source": {
        "type": "SOURCE",
        "id": "2c9180887671ff8c01767b4671fb7d5e",
        "name": "Employees"
    },
    "entitlements": [
        {
            "type": "ENTITLEMENT",
            "id": "2c9180877677453d01767b4b08f63386",
            "name": "DevRel"
        }
    ],
    "accessRequestConfig": {
        "commentsRequired": false,
        "denialCommentsRequired": false,
        "approvalSchemes": []
    },
    "revocationRequestConfig": {
        "commentsRequired": false,
        "denialCommentsRequired": false,
        "approvalSchemes": []
    },
    "segments": [],
    "provisioningCriteria": {
        "operation": "AND",
        "attribute": null,
        "value": null,
        "children": [
            {
                "operation": "OR",
                "attribute": null,
                "value": null,
                "children": [
                    {
                        "operation": "EQUALS",
                        "attribute": "name",
                        "value": "phil",
                        "children": null
                    }
                ]
            }
        ]
    },
    "id": "2c91808a7643763f01767b59d9d907cf",
    "name": "Employee Source",
    "created": "2020-12-19T14:14:14.746Z",
    "modified": "2022-06-21T18:38:52.583Z"
}

To update the provisioningCriteria to add another child, I use the following PATCH body:

[
  {
    "op": "replace",
    "path": "/provisioningCriteria",
    "value": {
        "operation": "AND",
        "attribute": null,
        "value": null,
        "children": [
            {
                "operation": "OR",
                "attribute": null,
                "value": null,
                "children": [
                    {
                        "operation": "EQUALS",
                        "attribute": "name",
                        "value": "phil",
                        "children": null
                    },
                    {
                        "operation": "CONTAINS",
                        "attribute": "e-mail",
                        "value": "sailpoint.com",
                        "children": null
                    }
                ]
            }
        ]
    }
  }
]

And now my AP has another criteria:

image
image1184×863 75 KB