API to Create Lifecycle state in Identity Profile

Hi Identity experts,

I am creating new Lifecycle states in an Identity Profile using the create-lifecycle-state API. It looks fine in the resultant identity profile JSON. However, when we test the LCS (manually changing the LCS to the new one created from Admin > Identities > Identity List > target identity), the LCS is updated but the corresponding account operations are never triggered. The only way I can make it work is by creating a new LCS from the UI.

I further turned on the developer tools in Chrome and I saw that the LCS creation from Admin > Identities > Identity Profile > Provisioning calls another API (/cc/api/profile/update/:some_id) to create the LCS.

The question is: how can we create a usable lifecycle state from the API? If create-lifecycle-state is not the right one, which API should I use to achieve the same result as I did from the UI?

create-lifecycle-state | SailPoint Developer Community

Ronald

Can you please share an example of a request body you used with the v3 API? Also, what account operation did you expect to happen?

Hi Colin

Here is the request and body. I want to disable the accounts when the LCS is “Terminated”.

POST: {{baseURL}}/v3/identity-profiles/{{profile_id}}/lifecycle-states

    {
        "enabled": false,
        "technicalName": "terminated",
        "description": null,
        "emailNotificationOption": {
            "notifyManagers": false,
            "notifyAllAdmins": false,
            "notifySpecificUsers": false,
            "emailAddressList": []
        },
        "accountActions": [
            {
                "action": "DISABLE",
                "sourceIds": [
                    "4bf09d7a3341445992ed55e013aa993c",
                    "a5d981372aa74925bc116a64347c8d6a",
                    "659646fbf43e47a4b682f074a0180f90",
                    "22a3ddef2caf400db84e9624013a29f6",
                    "1e9753ff8e394145874df0623eaab304",
                    "f3c21b79fd844e5b8ef2bb84140e8a1b",
                    "80f17926fe18436b9481bc1b9274a4bf",
                    "1719b75ff3a9411ebd7573052c200927"
                ]
            }
        ],
        "accessProfileIds": [],
        "name": "Terminated"
    }

I see that enabled is set to false. Have you tried setting it to true? You can do that via API or in the UI.

Hi Colin

Yes, we tried the following ways and they are not working if the LCS is created from the API. The request body above is just an example of the format and all the other attributes we used.

  1. Create LCS with enabled set to false via API, then enable it with API
  2. Create LCS with enabled set to false via API, then enable it with UI
  3. Create LCS with enabled set to true via API

I created a lifecycle state using the beta API, and it appears in the UI as follows:

    {
        "enabled": true,
        "technicalName": "nomore",
        "description": null,
        "identityCount": 0,
        "emailNotificationOption": {
            "notifyManagers": false,
            "notifyAllAdmins": false,
            "notifySpecificUsers": false,
            "emailAddressList": []
        },
        "accountActions": [
            {
                "action": "DISABLE",
                "sourceIds": [
                    "2c9180887671ff8c01767b4671fb7d5e"
                ]
            }
        ],
        "accessProfileIds": [],
        "id": "14a385653ed64e17862a15d820b59911",
        "name": "NoMore",
        "created": "2023-02-17T14:47:25.213Z",
        "modified": null
    }

I manually set the lifecycle state of an identity.

This results in a pending action on the Employees account for that identity. It’s a flat file source, so I’m not sure how the disable actually works, but something got triggered.

Are you observing the same, or are you not even seeing the status for the accounts change to pending?

Thank you Colin, may I know which beta API you are using to create the lifecycle state? I do not see any POST method to create a lifecycle state in the beta API. There are only GET and PATCH requests, as far as I can see on the developer page. Is the create API not public to use? Also, are you able to test with an AD source?

I tested the creation (POST) with the endpoint /beta/identity-profiles/:profile_id/lifecycle-states and the request you used

Identity Profile

Manually setting the identity’s state to the new state just created

Same results as before (i.e. just updated the state but not triggering any account operation)

It’s actually a v3 API. create-lifecycle-state | SailPoint Developer Community

I don’t have an AD source that I can test with. At this point, it looks like a bug. Can you please open a support ticket so they can investigate further?
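
Added example, not part of the thread and not SailPoint code: a reconciliation check for the symptom discussed above, where an identity moves into a terminating lifecycle state but the account operation never fires. It reads a lifecycle state in the JSON shape posted in the thread and a constructed list of account records; the account field names (`identityId`, `sourceId`, `nativeIdentity`, `disabled`), the identity values, and all function names are assumptions.

```python
import json

# Lifecycle state in the shape returned by the API (values from the thread).
LIFECYCLE_STATE = json.loads("""
{
  "enabled": true,
  "technicalName": "nomore",
  "accountActions": [
    {"action": "DISABLE", "sourceIds": ["2c9180887671ff8c01767b4671fb7d5e"]}
  ],
  "id": "14a385653ed64e17862a15d820b59911",
  "name": "NoMore"
}
""")

SRC = "2c9180887671ff8c01767b4671fb7d5e"
# Constructed sample: accounts of identities already moved into that state.
# Field names and identity values are assumptions, not taken from the thread.
ACCOUNTS = [
    {"identityId": "id-001", "sourceId": SRC, "nativeIdentity": "jdoe", "disabled": False},
    {"identityId": "id-002", "sourceId": SRC, "nativeIdentity": "asmith", "disabled": True},
    {"identityId": "id-001", "sourceId": "constructed-other-source", "nativeIdentity": "jdoe", "disabled": False},
]

def disable_targets(state):
    """Source IDs covered by DISABLE account actions in the state."""
    targets = set()
    for action in state.get("accountActions") or []:
        if action.get("action") == "DISABLE":
            targets.update(action.get("sourceIds") or [])
    return targets

def state_problems(state):
    """Definition-level reasons the state could not deprovision anything."""
    problems = []
    if not state.get("enabled"):
        problems.append("state is not enabled")
    if not disable_targets(state):
        problems.append("no DISABLE action with sourceIds")
    return problems

def still_enabled(state, accounts):
    """Accounts on targeted sources that are not disabled yet."""
    targets = disable_targets(state)
    return [a for a in accounts
            if a["sourceId"] in targets and not a.get("disabled", False)]

if __name__ == "__main__":
    print("definition problems:", state_problems(LIFECYCLE_STATE) or "none")
    for acct in still_enabled(LIFECYCLE_STATE, ACCOUNTS):
        print("NOT DISABLED:", acct["identityId"], acct["nativeIdentity"], acct["sourceId"])
```

Run it some time after the state change, since the thread shows an account can first sit in a pending state.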