Hi all,
I have a regular end user. This identity should be able to see and update all roles, but only specific sources, and no other full admin related tasks.
A look at User Level Matrix - SailPoint Identity Services allows us to see that you should be able to assign multiple user levels to an identity.
We want to assign the role admin and source subadmin user levels, but then get this error:
API used (from UI, on page ui/a/admin/identities/all-identities):
Request URL: …/oathkeeper/auth-user-v3/auth-users/5ee3a303bb274e21944f09d73e71353f
Request Method: PATCH
Status Code: 400 Bad Request
body:
[{"op":"replace","path":"/capabilities","value":["ROLE_ADMIN","SOURCE_SUBADMIN"]}]
response:
{
  "messages": [
    {
      "localeOrigin": "DEFAULT",
      "text": "Illegal attempt to modify \"capabilities\" field.",
      "locale": "en-US"
    },
    {
      "localeOrigin": "REQUEST",
      "text": "Illegal attempt to modify \"capabilities\" field.",
      "locale": "en-US"
    }
  ],
  "detailCode": "400.1.1 Illegal update attempt",
  "trackingId": "8dce7374ac6444aba426725023c2b5ee"
}
Adding them one by one using the older API (also used in the UI at /ui/admin#admin:identities:users:5ee3a303bb274e21944f09d73e71353f) gives us more interesting information:
API: /cc/api/user/updatePermissions
Form data: ids=1047698&isAdmin=1&adminType=SOURCE_SUBADMIN
Response:
{
  "msg_template": "HTTP Error 400 when communicating with URI https://se01-useast1-mice.acct03.sailpoint.com/api/v1/identities/5ee3a303bb274e21944f09d73e71353f : {\"errorName\":\"IllegalArgumentException\",\"errorMessage\":\"An Identity cannot be a SOURCE_SUBADMIN if they are a ROLE_ADMIN or SOURCE_ADMIN\",\"trackingId\":\"73e2450d174143428d9e62456f3a7877\"}",
  "slpt_error_code": "SLPT-1009",
  "formatted_msg": "(SLPT-1009) HTTP Error 400 when communicating with URI https://se01-useast1-mice.acct03.sailpoint.com/api/v1/identities/5ee3a303bb274e21944f09d73e71353f : {\"errorName\":\"IllegalArgumentException\",\"errorMessage\":\"An Identity cannot be a SOURCE_SUBADMIN if they are a ROLE_ADMIN or SOURCE_ADMIN\",\"trackingId\":\"73e2450d174143428d9e62456f3a7877\"}",
  "exception_id": "18DA310F0B8",
  "error_code": 1009,
  "exception_class": "com.sailpoint.mantisclient.HttpResponseException",
  "exception_detail": {
    "file": "BaseRestClient.java",
    "method": "execute",
    "line_number": 771,
    "class": "com.sailpoint.mantisclient.BaseRestClient"
  },
  "http_response_code": 400,
  "timestamp": "2024-02-13 15:23:32.920",
  "exception_message": "HTTP Error 400 when communicating with URI https://se01-useast1-mice.acct03.sailpoint.com/api/v1/identities/5ee3a303bb274e21944f09d73e71353f : {\"errorName\":\"IllegalArgumentException\",\"errorMessage\":\"An Identity cannot be a SOURCE_SUBADMIN if they are a ROLE_ADMIN or SOURCE_ADMIN\",\"trackingId\":\"73e2450d174143428d9e62456f3a7877\"}"
}
Specifically, this contains the error message "An Identity cannot be a SOURCE_SUBADMIN if they are a ROLE_ADMIN or SOURCE_ADMIN".
I understand it would be weird if an identity is both source admin and source subadmin, but why can’t an identity be both role admin and source subadmin?
I don’t think this is a logical constraint and I also did not see this constraint mentioned in the documentation. It only mentions that you can have combined user levels.
Kind regards,
Angelo
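An added troubleshooting helper for the two error shapes shown in this thread (editor's example code, not SailPoint's own tooling): it builds the JSON Patch body the UI sends, pre-checks a capability set against the combination rule the API reported, and normalises both the v3 `messages` response and the `/cc/api` response (where the upstream error is embedded as a JSON string inside `msg_template`) so the real message and tracking ID can be read without eyeballing the blob. Function names and the conflict set are assumptions derived from the error text above; the tenant URL in the sample is a placeholder.

```python
import json
import re

# Combination the API rejected in this thread (derived from the error message,
# not an official list): SOURCE_SUBADMIN may not be paired with these.
CONFLICTS_WITH_SOURCE_SUBADMIN = {"ROLE_ADMIN", "SOURCE_ADMIN"}


def check_capabilities(capabilities):
    """Return the conflicts the server would reject; empty list means no known conflict."""
    caps = set(capabilities)
    if "SOURCE_SUBADMIN" not in caps:
        return []
    return [f"SOURCE_SUBADMIN cannot be combined with {c}"
            for c in sorted(caps & CONFLICTS_WITH_SOURCE_SUBADMIN)]


def build_capabilities_patch(capabilities):
    """JSON Patch body the UI sends to the v3 auth-users endpoint (op/path as seen above)."""
    return [{"op": "replace", "path": "/capabilities", "value": sorted(set(capabilities))}]


_EMBEDDED_JSON = re.compile(r"(\{.*\})\s*$", re.DOTALL)  # trailing JSON object in msg_template


def parse_error(body):
    """Normalise either error shape into {'message', 'tracking_id', 'code'}."""
    data = json.loads(body) if isinstance(body, str) else body
    if "messages" in data:  # v3 style: same text repeated per localeOrigin
        texts = sorted({m["text"] for m in data["messages"]})
        return {"message": "; ".join(texts), "tracking_id": data.get("trackingId"),
                "code": data.get("detailCode")}
    if "msg_template" in data:  # cc API style: upstream JSON embedded as a string
        m = _EMBEDDED_JSON.search(data["msg_template"])
        inner = json.loads(m.group(1)) if m else {}
        return {"message": inner.get("errorMessage", data["msg_template"]),
                "tracking_id": inner.get("trackingId"), "code": data.get("slpt_error_code")}
    return {"message": str(data), "tracking_id": None, "code": None}


# Sample responses reconstructed from the thread above (trimmed; URL is a placeholder).
V3_ERROR = json.dumps({
    "messages": [{"localeOrigin": o, "text": 'Illegal attempt to modify "capabilities" field.',
                  "locale": "en-US"} for o in ("DEFAULT", "REQUEST")],
    "detailCode": "400.1.1 Illegal update attempt",
    "trackingId": "8dce7374ac6444aba426725023c2b5ee"})
CC_ERROR = json.dumps({
    "msg_template": "HTTP Error 400 when communicating with URI https://tenant.example/api/v1/identities/<id> : "
    + json.dumps({"errorName": "IllegalArgumentException",
                  "errorMessage": "An Identity cannot be a SOURCE_SUBADMIN if they are a ROLE_ADMIN or SOURCE_ADMIN",
                  "trackingId": "73e2450d174143428d9e62456f3a7877"}),
    "slpt_error_code": "SLPT-1009", "http_response_code": 400})
```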