I have created a new role that is now available in the request center. This role in turn will provide access to privileged AD accounts. These privileged AD accounts already are assigned to many old identities but of course those identities (a few hundred) do not have the new role. What is the recommended way to assign the new role to those old existing accounts in bulk?
Hi,
Is possible for you to add a membership criteria into your role ?
Hi @spetursson
You can do it like this. If an identity has the entitlement(TestGroup3 in my case) that user will automatically get the Role. If you already have assignment criteria then add this in OR condition with existing assignment rule.
Hi @spetursson
However, because old identities will get role through assignment logic, the above approach only allows you to acknowledge the role—not approve or revoke them during access review.
If the idea is to have the role only by request but want to bulk load existing users you can use the /v3/access-requests API to add those users to the role.
Below is part of an example PowerShell script. This could be used in combination with or without the PowerShell SDK once you know all the user’s ids.
$tenant = ""
$token = ""
$users = @()
$roleId = ""
foreach ($user in $users) {
$body = @{
requestedFor = @(
$user
)
requestType = "GRANT_ACCESS"
requestedItems = @(
[PSCustomObject]@{
type = "ROLE"
id = $roleId
comment = "Adding role to existing users"
}
)
}
(ConvertTo-Json $body -depth 5)
$params = @{
method = "POST"
uri = "https://$($tenant).api.identitynow.com/v3/access-requests"
body = (ConvertTo-Json $body -Depth 5)
headers = @{Authorization = "Bearer $token" }
ContentType = "application/json"
}
try {
$response = Invoke-RestMethod @params
$response
}
catch {
Write-Host $response
Write-Host $_.Exception.Message -ForegroundColor Red
Write-Host $_.Exception.ItemName -ForegroundColor Red
}
}
Good point. That should work.
That’s a bit unfortunate. Being able to revoke those later down the road is one of the main reasons for why I am trying to bring those old identities into the role.
Great, I was hoping there was API for this. Will this approach allow for those roles to be revoked later or will they be limited to only “acknowledge” only?
Hi @spetursson
I thought so & I also won’t advise using an assignment strategy in this particular situation because these users didn’t get the access through assignment.
The above solution from @ethompson will work because he is using access request API. You can revoke or approve the roles granted through access request during certification.
Thank you. I will focus on the API approach then.
Hi @spetursson,
If users already have AD account before onboard them into SailPoint then if you try to add role to those users then you will get errors saying that “object already exists”.
So, Better to avoid adding roles for already existing AD accounts.
Thanks,
Siva.K
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.