Campaign creation API not including specific source

Hello,

I’m using an API call to create a certification campaign. However certain sources aren’t being included despite IDs for their entitlements being included in the list of IDs in the accessConstraints section of the body of the api call. Some sources are working fine so I’m confident this is an issue with IdentityNow. Are there specific requirements that a source in IdentityNow has to meet in order to be included in a certification campaign?

This is the body of the API call were using in our script. I know the $entitlementsList variable is definitely being populated correctly so I’m stumped as to why were only seeing entitlements from specific sources on our certification campaigns.

$body = "{
     `"name`": `"$($certificationName)`",
      `"description`": `"$($certificationName)`",
     `"deadline`": `"$($certificationDueDate)`",
     `"type`": `"SEARCH`",
     `"emailNotificationEnabled`": true,
   `"autoRevokeAllowed`": false,
     `"searchCampaignInfo`": {
      `"type`":`"IDENTITY`",
      `"description`":`"$($certificationName)`",
      `"reviewer`": {
            `"type`":`"IDENTITY`",
            `"id`": `"$($liaisonSailPointID)`",
             `"name`": `"$($lisiaonDisplayName)`"
          },    
      `"query`":`"$($identityQuery)`",
       `"accessConstraints`": [{`"ids`": [$($entitlementList)], 
  			`"type`": `"ENTITLEMENT`", 
   			`"operator`": `"SELECTED`"}]
   }
   }"

Welcome to the developer community Conner,

I don’t have a ton of experience with cert campaigns, but I can take a crack at it.

Being an identity certification, the campaign will only certify the identities that are returned in your query. The accessConstraints will further limit the campaign to only certify access items on each identity that match an access item you have provided in the constraint. I would imagine that if there is an entitlement you put in the constraint that doesn’t exist on any of the identities in the query, then it won’t appear in the certification. Are you certain that each entitlement you provided exists on at least one identity in your query?

Thanks for the help Colin. I double checked and verified that one of the entitlements present on an identity in the campaign has an ID that is being passed into the body of this API call. So I don’t think that’s the issue.

One interesting thing I found was another source that had the same issue but only in our DEV environment. I compared it to our prod environment and found that the account ID/name attribute in the account schema had a type of group and the entitlement attribute had a type of string. In our DEV environment it was reversed though. I changed DEV to match prod and that fixed the issue for that specific source and I began to see that source appear in certification campaigns in our DEV environment.

I tried the same thing for this source since it had a very similar setup and set the account ID/Name to have a type of group and the entitlement to have a type of string. That didn’t fix the problem on this source though.

Was able to figure this out with the help of support. A bunch of identities were in an error state. Identities in error states don’t play very well with campaigns. Clearing up the error state fixed the issue.

1 Like