API \search not working in Production. Any other endpoints?

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hi all,
The client needs to know what identities have to much access. To achieve this I have written a PS script that uses the endpoint \v2024\roles to get all roles and their accessProfiles, and the \search endpoint to get all identities with their roles and accessProfiles.
I then create two arrays of expected access and assigned access, then comparing the difference to provide two deltas.

This is working perfectly in sandbox and takes around a minute to run.

This is NOT working at all in Production due to an error with the \search endpoint. This has been raised with Sailpoint and is currently sitting with the engineers to fix.

So, the longwinded ask, is, does anyone know how to get easily get each identitiesā€™ roles and accessProfiles without using the search endpoint? The client is looking for an answer as I said that I could deliver this quickly.
Thanks

2

Hi @phil_awlings you can use this api list-historical-identities | SailPoint Developer Community
to list all the identities and store it in an array and then you can use this api list-identity-access-items | SailPoint Developer Community to get list of each identities access items

1 Like
3

HIi @amankumargupta ,

I looked at that endpoint, and I can get either roles, or accessProfiles, but not in the same call. ?type=roles&type=accessProfiles doesnā€™t work.

Also, I can only get the details of one identity per api call, so that works out at 7000+ api calls

Something to think about
Thanks

4

Hi Phil,

Can you check on this API and see if it works on your scenario?

Thanks.

5

Hi @kdfreeman,

That API brings back the roles on the identity, but not the accessProfiles.

But thank you for the suggestion

6

ā€¦and this error is in all versions of the search endpoint? And Iā€™m guessing you canā€™t even interactively download an identity report to ā€œInclude Access Detailsā€? i.e. Data availability / accessibility is severely / negatively impacted. #SomeoneElsesComputer

From a service availability perspective:
If itā€™s a production issueā€¦itā€™s P1, getting that fixed by SailPoint would likely be the quickestā€¦unless thereā€™s some other reason/need that says P1 resolution isnā€™t even fast enough.

7

The data in production isnā€™t ā€˜correlatedā€™ properly. Probably not the correct word, but basically each identity seems to have every entitlement associated with it when you search for it using \search. The amount of data being brought back is huge and crashing the API call.
Iā€™ve tried pagination, which works for a few iterations, but then the ā€œsort = {field = ā€œidā€; order = ā€œascā€ }ā€ function fails and the returned data is repeated

Its not really a P1 problem, but we are pushing Sailpoint to resolve it.

My current idea is to use \search to just bring back all identity.ID which takes around 10s and just survives, then loop through each one, again using \search to pull back the access.type & access.Name attributes. Itā€™s still +3500 API calls which is not a great idea and going to take a lot processing. Not sure if Powershell is up to the task

8

I was implementing search, storing thousands of identity data in list and looping that list to process each identity. There was no issue for me and it was not taking that much time. Can you try with python scripting?

9

If I canā€™t get it to work with PS, Iā€™ll give python a go over the weekend.

NB. Will probably have to get my son to help me with that as my python is so rusty its going to take more than a can of WD40 to get it working again.

Thanks for the idea

Edit:
This is my queryFilter:

    "queryResultFilter": {
        "includes": [
            "id",
            "displayName",
            "access.name",
            "access.type"
        ]
    }

if anyone knows how to exclude access.type:entitlement that would might solve the problem, as its the stupid number of entitlements being returned that is the problem

10

(Regarding Python or PS) Itā€™s not a matter of the programming language (in this case)ā€¦itā€™s the API, regardless of the language you decide to use to interact with the APIs.

11

I mostly fixed the pagination problem, and get at 98% accuracy return. Just going to wait for Sailpoint to come back to me