Bulk role assignments and select account via api

Hello,

I would like to create a PowerShell script to do bulk assignments to roles.

I am able to retrieve all the details needed:

  • role id
  • grant_access
  • identity details
  • account details

I have tried different payloads but I have not found the correct one so far.

Api : create-access-request | SailPoint Developer Community

The last payload looks like this :

{
    "requestedFor": ["3fbcf6be5aa74c00b01540a4dd67873d"],
    "requestType": "GRANT_ACCESS",
    "requestedItems": [
        {
            "id": "28b7ec479d234a779ff1818916c42b4d",
            "type": "ROLE",
            "accountSelection": [
                {
                    "sourceId": "e966d4cb5db04c618ffc4e4255da4ae5",
                    "accounts": [
                        {
                            "accountUuid": "{059b1b975de1471cb5d638220297aaad}",
                            "nativeIdentity": "ad_bello"
                        }
                    ]
                }
            ]
        }
    ]
}

The request has been sent, but I still have to manually select the account.

Thank you in advance for your recommendations.
David

Please try to utilize the following doc:

Hi @Duquenned,
Despite specifying accountSelection, you're prompted to manually select the account; it looks like the API isn't resolving the account automatically.
The nativeIdentity is typically the key identifier for an account on a source system, and accountUuid may not always be required.
Can you give it a try by removing the "accountUuid" and see if that works:

{
    "requestedFor": ["3fbcf6be5aa74c00b01540a4dd67873d"],
    "requestType": "GRANT_ACCESS",
    "requestedItems": [
        {
            "id": "28b7ec479d234a779ff1818916c42b4d",
            "type": "ROLE",
            "accountSelection": [
                {
                    "sourceId": "e966d4cb5db04c618ffc4e4255da4ae5",
                    "accounts": [
                        {
                            "nativeIdentity": "ad_bello"
                        }
                    ]
                }
            ]
        }
    ]
}

No, sorry, it doesn't change anything:

{
    "requestedFor": ["3fbcf6be5aa74c00b01540a4dd67873d"],
    "requestType": "GRANT_ACCESS",
    "requestedItems": [
        {
            "id": "28b7ec479d234a779ff1818916c42b4d",
            "type": "ROLE",
            "accountSelection": [
                {
                    "sourceId": "e966d4cb5db04c618ffc4e4255da4ae5",
                    "accounts": [
                        {
                            "nativeIdentity": "ad_bello"
                        }
                    ]
                }
            ]
        }
    ]
}

Can you try the code below and see if that works?

{
    "requestedFor": "3fbcf6be5aa74c00b01540a4dd67873d",
    "requestType": "GRANT_ACCESS",
    "clientMetadata": {
        "requestedAppId": "e966d4cb5db04c618ffc4e4255da4ae5",
        "requestedAppName": "<application Name>"
    },
    "requestedItems": [
        {
            "clientMetadata": {
                "requestedAppId": "e966d4cb5db04c618ffc4e4255da4ae5",
                "requestedAppName": "<application Name>"
            },
            "comment": "Automated role assignment for ad_bello",
            "id": "28b7ec479d234a779ff1818916c42b4d",
            "type": "ROLE",
            "nativeIdentity": "CN=ad_bello,OU=Users,DC=yourdomain,DC=com"
        }
    ],
    "requestedForWithRequestedItems": [
        {
            "identityId": "3fbcf6be5aa74c00b01540a4dd67873d",
            "requestedItems": [
                {
                    "clientMetadata": {
                        "requestedAppId": "e966d4cb5db04c618ffc4e4255da4ae5",
                        "requestedAppName": "<application Name>"
                    },
                    "id": "28b7ec479d234a779ff1818916c42b4d",
                    "type": "ROLE",
                    "comment": "Automated role assignment for ad_bello",
                    "accountSelection": [
                        {
                            "sourceId": "e966d4cb5db04c618ffc4e4255da4ae5",
                            "accounts": [
                                {
                                    "accountUuid": "059b1b975de1471cb5d638220297aaad",
                                    "nativeIdentity": "CN=ad_bello,OU=Users,DC=yourdomain,DC=com"
                                }
                            ]
                        }
                    ]
                }
            ]
        }
    ]
}

Some corrections to @nithyamn13's JSON. Try this one as well and see if it works.

{
    "requestedFor": [
        "3fbcf6be5aa74c00b01540a4dd67873d"
    ],
    "requestType": "GRANT_ACCESS",
    "requestedItems": [
        {
            "id": "28b7ec479d234a779ff1818916c42b4d",
            "type": "ROLE",
            "comment": "Automated role assignment for ad_bello"
        }
    ],
    "requestedForWithRequestedItems": [
        {
            "identityId": "3fbcf6be5aa74c00b01540a4dd67873d",
            "requestedItems": [
                {
                    "id": "28b7ec479d234a779ff1818916c42b4d",
                    "type": "ROLE",
                    "comment": "Automated role assignment for ad_bello",
                    "accountSelection": [
                        {
                            "sourceId": "e966d4cb5db04c618ffc4e4255da4ae5",
                            "accounts": [
                                {
                                    "accountUuid": "059b1b975de1471cb5d638220297aaad",
                                    "nativeIdentity": "CN=ad_bello,OU=Users,DC=yourdomain,DC=com"
                                }
                            ]
                        }
                    ]
                }
            ]
        }
    ]
}

Hi David,

Recently we provisioned 1000+ roles via access requests using a PowerShell script:

```powershell
# Configuration
$BaseUrl = "https://xyz-sb.api.identitynow.com/v3/access-requests"
$BearerToken = "Bearer Token Here"   # raw access token; read it from a secret store or $env: rather than committing it here

# Define the path to your CSV file
$CsvPath = "CSV File Path Here"
$AccessRequests = Import-Csv -Path $CsvPath

# Logging
$SuccessLog = "C:\Users\access_success.log" # Place Correct path Here
$FailedLog = "C:\Users\Downloads\access_failed.log" # Place Correct path Here
if (Test-Path $SuccessLog) { Remove-Item $SuccessLog }
if (Test-Path $FailedLog) { Remove-Item $FailedLog }

# Parameters
$DelayBetweenRequests = 2 # seconds
$MaxRetries = 3

# Group requests by IdentityId so each identity gets one request carrying all of its roles
$GroupedRequests = $AccessRequests | Group-Object -Property IdentityId

foreach ($group in $GroupedRequests) {
    $IdentityId = $group.Name
    $RequestedItems = @()

    foreach ($entry in $group.Group) {
        $Item = @{
            type    = "ROLE"
            id      = $entry.RoleId
            comment = $entry.Comments
        }
        # Only send removeDate when the CSV row has one; an empty string is not a valid date
        if (-not [string]::IsNullOrWhiteSpace($entry.RemoveDate)) {
            $Item.removeDate = $entry.RemoveDate
        }
        $RequestedItems += $Item
    }

    $JsonBody = @{
        requestedFor   = @($IdentityId)
        requestType    = "GRANT_ACCESS"
        requestedItems = $RequestedItems
    } | ConvertTo-Json -Depth 5

    $Success = $false
    $Attempt = 0

    while (-not $Success -and $Attempt -lt $MaxRetries) {
        try {
            # -ErrorAction Stop makes HTTP failures terminating so the catch block sees them
            $Response = Invoke-RestMethod -Uri $BaseUrl -Method Post -Headers @{
                Authorization  = "Bearer $BearerToken"
                "Content-Type" = "application/json"
            } -Body $JsonBody -ErrorAction Stop

            Write-Host "Success: $IdentityId -> $($RequestedItems.Count) roles"
            Add-Content -Path $SuccessLog -Value "$IdentityId,Success,$($RequestedItems.Count) roles"
            $Success = $true
        } catch {
            $Attempt++
            $ErrorMessage = $_.Exception.Message
            Write-Host "Attempt $Attempt failed for ${IdentityId}: $ErrorMessage"
            if ($Attempt -eq $MaxRetries) {
                Add-Content -Path $FailedLog -Value "$IdentityId,Failed,$ErrorMessage"
            } else {
                Start-Sleep -Seconds 3
            }
        }
    }

    Start-Sleep -Seconds $DelayBetweenRequests
}

Write-Host "All requests processed. Check logs for details."
```

You can modify this script to accept a client ID and client secret.

Your input file needs to have these fields: IdentityId, RoleId, Comments, RemoveDate.

Please let me know if you need any help

Hello, thank you, but it doesn't solve my problem with identities having multiple accounts in a source. But thank you for the advice.

Kind regards,
David
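An added example, not code from the thread or from SailPoint, covering the two things the thread leaves open together: the multi-account case David describes (one identity, several accounts on the role's source) and the CSV-driven bulk loop from the script above. Before building each request it looks up the identity's accounts on the source through GET /v3/accounts, attaches accountSelection only when there is more than one account, and copies accountUuid and nativeIdentity verbatim from the account record instead of hand-typing them (which is where the `{...}` versus bare UUID and `ad_bello` versus DN variants in the thread come from). It assumes accountSelection on requestedItems is honoured as documented for multi-account identities. The tenant host and IDs are reused from the thread; the SAILPOINT_TOKEN environment variable, the CSV columns (IdentityId, RoleId, SourceId, NativeIdentity, Comments), and the sample rows and account table are assumptions constructed for offline use. With $DryRun left at $true it prints the bodies it would send and never calls the tenant.

```powershell
# Added example, not from the thread or from SailPoint. Assumptions: the v3
# endpoints named below, a SAILPOINT_TOKEN environment variable, and a CSV with
# columns IdentityId,RoleId,SourceId,NativeIdentity,Comments.
$BaseUrl = 'https://xyz-sb.api.identitynow.com'   # tenant host as posted in the thread
$Token   = $env:SAILPOINT_TOKEN                    # never hard-code the bearer token in the script
$DryRun  = $true                                   # $true: print request bodies only, no POST

# Live lookup: every account the identity holds on the given source
# (v3 List Accounts; identityId and sourceId both support the eq filter).
function Get-SourceAccounts {
    param([string]$IdentityId, [string]$SourceId)
    $filter = "identityId eq `"$IdentityId`" and sourceId eq `"$SourceId`""
    $uri = "$BaseUrl/v3/accounts?filters=$([uri]::EscapeDataString($filter))"
    Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $Token" } -ErrorAction Stop
}

# Constructed sample data (not real tenant data): the identity from the thread with
# two accounts on the AD source, which is exactly the case that forces a choice.
$SampleAccounts = @(
    [pscustomobject]@{
        identityId = '3fbcf6be5aa74c00b01540a4dd67873d'; sourceId = 'e966d4cb5db04c618ffc4e4255da4ae5'
        nativeIdentity = 'CN=ad_bello,OU=Users,DC=example,DC=com'; uuid = '{059b1b975de1471cb5d638220297aaad}'
    },
    [pscustomobject]@{
        identityId = '3fbcf6be5aa74c00b01540a4dd67873d'; sourceId = 'e966d4cb5db04c618ffc4e4255da4ae5'
        nativeIdentity = 'CN=adm_bello,OU=Admins,DC=example,DC=com'; uuid = '{1f2e3d4c5b6a7988a0b1c2d3e4f50617}'
    }
)
$OfflineLookup = {
    param($IdentityId, $SourceId)
    $SampleAccounts | Where-Object { $_.identityId -eq $IdentityId -and $_.sourceId -eq $SourceId }
}

# Pure function: CSV rows for ONE identity -> request body. accountSelection is added
# only when the identity has more than one account on the source, and the uuid and
# nativeIdentity are taken from the account record, never typed by hand.
function New-AccessRequestBody {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [scriptblock] $AccountLookup
    )
    $items = @()
    foreach ($row in $Rows) {
        $item = [ordered]@{ type = 'ROLE'; id = $row.RoleId; comment = $row.Comments }
        $accounts = @(& $AccountLookup $row.IdentityId $row.SourceId)
        if ($accounts.Count -gt 1) {
            $target = $accounts | Where-Object { $_.nativeIdentity -eq $row.NativeIdentity } | Select-Object -First 1
            if (-not $target) {
                # Fail loudly: a bulk job must never let the platform pick an account for us.
                throw "Identity $($row.IdentityId): $($accounts.Count) accounts on source $($row.SourceId), none matches '$($row.NativeIdentity)'"
            }
            $item.accountSelection = @(
                [ordered]@{
                    sourceId = $row.SourceId
                    accounts = @([ordered]@{ accountUuid = $target.uuid; nativeIdentity = $target.nativeIdentity })
                }
            )
        }
        $items += $item
    }
    [ordered]@{
        requestedFor   = @($Rows[0].IdentityId)
        requestType    = 'GRANT_ACCESS'
        requestedItems = $items
    }
}

# Constructed input rows (what Import-Csv would return for the CSV described above);
# the row deliberately targets the admin account, not the first one the source lists.
$Rows = @(
    [pscustomobject]@{
        IdentityId = '3fbcf6be5aa74c00b01540a4dd67873d'; RoleId = '28b7ec479d234a779ff1818916c42b4d'
        SourceId = 'e966d4cb5db04c618ffc4e4255da4ae5'; NativeIdentity = 'CN=adm_bello,OU=Admins,DC=example,DC=com'
        Comments = 'Bulk role assignment'
    }
)
# For a real run: $Rows = Import-Csv -Path 'requests.csv'

if ($DryRun) { $Lookup = $OfflineLookup } else { $Lookup = ${function:Get-SourceAccounts} }

foreach ($group in ($Rows | Group-Object -Property IdentityId)) {
    $body = New-AccessRequestBody -Rows $group.Group -AccountLookup $Lookup | ConvertTo-Json -Depth 10
    if ($DryRun) { Write-Output $body; continue }
    Invoke-RestMethod -Uri "$BaseUrl/v3/access-requests" -Method Post -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $Token" } -Body $body -ErrorAction Stop
}
```

The check that the row's NativeIdentity really is one of the identity's accounts on that source is the part worth keeping even if you rewrite the rest: in a bulk run it is what stops a role from landing on a user's everyday account when the admin account was intended, and it turns a typo in the CSV into a thrown error rather than a silently different grant. The token comes from the environment so the script can be shared and committed without the credential, and the same lookup scriptblock interface lets you exercise the payload builder offline before pointing it at a tenant.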
