Call PowerShell script into ISC to extract a site role attribute

Hi All!

We need to extract the site roles from an on-prem application and use them as entitlements; however, there is no API endpoint available to extract that particular attribute. As a workaround, the app owner suggested that they can create a PowerShell script to define the site roles and have ISC extract it. Is this possible? If so, could you share the high-level steps on how to achieve it?

Thank you!

@jasmedina
Use a PowerShell script to extract both accounts and entitlements from the on-prem application as a CSV file, then create the source as a delimited type on ISC.

Thanks

1 Like

Hi @Anshu_Kunal! If I am understanding it correctly, the PowerShell script should be stored as a CSV file and use that file to upload in the Delimited Type source? Is that correct?

Correct, you can schedule the PowerShell script to run daily and extract the file as CSV. Use the same CSV for the delimited source for aggregation on ISC.

Thanks

Hi @jasmedina,
Adding to @Anshu_Kunal’s point:

  1. Create a PowerShell script that can communicate with the on-prem target application.
  2. The PS script will extract the accounts and access information of the identities from on-prem and generate a CSV.
  3. After that, configure your delimited source (having the same schema as the headers of the generated CSV).
  4. Use the File Upload Utility to aggregate that CSV file to ISC directly.
  5. Once aggregation is done, move that CSV to an archive folder.
  6. Schedule that PS script to do the same job daily/weekly as per requirement.

1 Like

Thank you, Anshu! We will try this 🙂

Hi @gourab and @Anshu_Kunal! Would this also work for a Python script? 🙂

ISC will read from CSV files, so as long as you are able to create the file in CSV format, using a Python or PowerShell script would be fine.

2 Likes

Hi @jasmedina,
Python can also be used if you can connect to your target system, but we need Java installed for the File Upload Utility.

1 Like

Right, you can use whatever you want. File Upload Utility is just one of many tools you can use - or build!

Hi Gourab! Just a question regarding:

  1. The ps script will extract the accounts and access information of the identities from onprem and generates a csv.

Does this mean that the PowerShell script should generate the CSV that lists all the roles I need? Currently we have the script to print all the roles:

    def get_site_roles():
        # Define the available site roles
        site_roles = [
            "Creator",
            "Explorer",
            "ExplorerCanPublish",
            "Viewer",
            "Unlicensed",
        ]
        return site_roles


    if __name__ == "__main__":
        # List all available site roles
        roles = get_site_roles()
        print("Available Site Roles:")
        for role in roles:
            print(role)

Hi @jasmedina,
The PowerShell or Python script must extract all user account information, including access details, and generate a CSV file for use in account aggregation within ISC.
If you have a script that generates access information only, you can use that for entitlement aggregation.

More info on Delimited connector: Integrating SailPoint with Delimited File Source

1 Like
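The entitlement-only file mentioned in the reply above, as an added example that is not part of the thread or SailPoint's own code: it turns the posted role list into a CSV that a delimited source could use for entitlement aggregation. The column names, description text and output file name are assumptions; the header has to match the entitlement schema configured on the source.

```python
import csv
import os
import tempfile

# Assumed column names: they must match the entitlement schema on the delimited source.
HEADER = ["name", "displayName", "description"]
# Role names as listed in the script posted in the thread.
SITE_ROLES = ["Creator", "Explorer", "ExplorerCanPublish", "Viewer", "Unlicensed"]


def clean(value):
    """Reject values that would break a CSV row or be read as a spreadsheet formula."""
    value = value.strip()
    if not value or "\n" in value or "\r" in value or value.startswith(("=", "+", "-", "@")):
        raise ValueError(f"unsafe entitlement value: {value!r}")
    return value


def build_rows(roles):
    """One row per role; duplicates are an error because each row becomes an entitlement."""
    seen, rows = set(), []
    for role in roles:
        name = clean(role)
        if name.lower() in seen:
            raise ValueError(f"duplicate role: {name}")
        seen.add(name.lower())
        rows.append({"name": name, "displayName": name, "description": f"Site role {name}"})
    return rows


def write_csv(rows, path):
    """Write to a temp file in the target directory, then rename, so a scheduled
    upload never picks up a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")  # owner-only permissions on POSIX
    try:
        with os.fdopen(fd, "w", newline="", encoding="utf-8") as fh:
            writer = csv.DictWriter(fh, fieldnames=HEADER, quoting=csv.QUOTE_ALL)
            writer.writeheader()
            writer.writerows(rows)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    write_csv(build_rows(SITE_ROLES), "site_roles_entitlements.csv")  # assumed file name
```

Because this file defines what access can be granted, keep the output directory writable only by the account that runs the scheduled job.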

Hi @gourab, we were able to extract all user account information via the web service connector. We would need these site roles to assign as an access profile to users during provisioning and access requests. Do we still need to include the account information in the script, or would just the site role names be enough? Sorry for the questions as this is my 1st time implementing this 🙂

Hi @jasmedina
If the source has already been implemented via the Web Service connector, there is no need to generate CSV files. The generation of CSV files for account aggregation is only necessary for delimited sources.

In your Web Service connector configuration, follow these steps:

  1. Navigate to the Account schema and ensure that the schema is correct. Identify the attributes that define access and entitlements, and mark them as entitlements.
  2. In the source configuration, add all related operations, such as account aggregation and entitlement aggregation.
  3. Aggregate the accounts. As you have marked the entitlements in step 1, all entitlements will appear in the entitlements tab.
  4. Mark the entitlements as requestable. They will then be available for access requests through the request center.

Find here for more details: Integrating SailPoint with Web Services

1 Like

Thanks @gourab! This solves it 🙂

1 Like
