Beta, v3 & v2024 API (Access Profile List)

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hi,

I am amending a script previously using the v2 APIs. Part of the logic was acquiring access profiles via the list access profile APIs in V2 that would allow me to access the approval scheme for each access profile, in order to match against a user identity ID, this would in turn allow for export of a clean list to show access profiles a specified identity was in the approval cycle for to approve/deny, after switching the v2 APIs in the script to use beta, v3 and v2024 it looks like the default response for the access request config, returns a null/blank approval scheme:

    "requestable": true,
    "accessRequestConfig": {
        "commentsRequired": false,
        "denialCommentsRequired": false,
        "approvalSchemes": []

Is this expected?

2

As per the documentation it should include the approval scheme if present.

1 Like
3

@cbowhill I had a look at this API call. Unfortunately, it doesn’t return the Id of an individual approver (APP_OWNER, OWNER, SOURCE_OWNER, MANAGER).

It only returns Id of the specific approver if the approverType is GOVERNANCE_GROUP.

Hope you might be able to change the script accordingly to get your desired output.

Thanks

4

Hi @cbowhill, Please provide the endpoint you are utilising; however, the expected format for making an HTTP GET request is as follows:

  {
    "id": "2c91808a7190d06e01719938fcd20792",
    "name": "Employee-database-read-write",
    "description": "Collection of entitlements to read/write the employee database",
    "created": "2021-03-01T22:32:58.104Z",
    "modified": "2021-03-02T20:22:28.104Z",
    "enabled": true,
    "owner": {
      "type": "IDENTITY",
      "id": "2c9180a46faadee4016fb4e018c20639",
      "name": "support"
    },
    "source": {
      "id": "2c91809773dee3610173fdb0b6061ef4",
      "type": "SOURCE",
      "name": "ODS-AD-SOURCE"
    },
    "entitlements": [
      {
        "type": "ENTITLEMENT",
        "id": "2c91809773dee32014e13e122092014e",
        "name": "CN=entitlement.490efde5,OU=OrgCo,OU=ServiceDept,DC=HQAD,DC=local"
      }
    ],
    "requestable": true,
    "accessRequestConfig": {
      "commentsRequired": true,
      "denialCommentsRequired": true,
      "approvalSchemes": [
        {
          "approverType": "GOVERNANCE_GROUP",
          "approverId": "46c79819-a69f-49a2-becb-12c971ae66c6"
        }
      ]
    },
    "revocationRequestConfig": {
      "approvalSchemes": [
        {
          "approverType": "GOVERNANCE_GROUP",
          "approverId": "46c79819-a69f-49a2-becb-12c971ae66c6"
        }
      ]
    },
    "segments": [
      "f7b1b8a3-5fed-4fd4-ad29-82014e137e19",
      "29cb6c06-1da8-43ea-8be4-b3125f248f2a"
    ],
    "provisioningCriteria": {
      "operation": "OR",
      "children": [
        {
          "operation": "AND",
          "children": [
            {
              "attribute": "dn",
              "operation": "CONTAINS",
              "value": "useast"
            },
            {
              "attribute": "manager",
              "operation": "CONTAINS",
              "value": "Scott.Clark"
            }
          ]
        },
        {
          "operation": "AND",
          "children": [
            {
              "attribute": "dn",
              "operation": "EQUALS",
              "value": "Gibson"
            },
            {
              "attribute": "telephoneNumber",
              "operation": "CONTAINS",
              "value": "512"
            }
          ]
        }
      ]
    }
  }
5

All good, thanks for the comments.

I can work with the governance group ID - will amend the script accordingly.

Thanks for the replies.

1 Like
6

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.