Collecting Role Membership Criteria / PowerShell 7 / Role Importer

Hello All,

The end goal is to pull all Roles and the related Membership Criteria for each and, along with additional information, create a CSV export that is formatted for SailPoint’s Role Importer. We have had the need to bulk update Roles due to HR changing certain Membership Criteria or Entitlements for Access Profiles being removed / renamed.

Not having a great handle on role creation, having quite a bit of them, and having multiple teams maintaining Roles, it would be beneficial to grab a snapshot of the current state of ALL Roles, export a CSV in Role Importer format to modify Access Profiles and update Membership Criteria, use Excel to manually make the needed changes to Access Profiles and/or Membership Criteria, then use the Role Importer to update, versus manually modifying multiple Roles one at a time through the UI.

I guess I have basically three asks.

  1. Is there a way that currently exists for discovering, then updating, Access Profiles and/or Membership Criteria for Bulk Roles?

  2. The only place I have found in API calls to see Role Membership Criteria is /Beta/Roles, but it fails when I try to use Limit to get back all Roles. The standard call will not return all Roles in our environment. Is there a Query field that could be added to another API call to gather membership criteria? Or would the limit option being fixed in the Beta API call be the only option currently?

  3. The testing that I have done on reading in the Complex_Criteria with PowerShell 7 and then trying to convert into acceptable Role Importer format has come up short. I think this is due to the depth of the JSON for the fields or maybe special characters. Any assistance with understanding/nailing this down would be much appreciated. The typical criteria we have for Roles are Criteria Group 1 = IDN Attribute = A "OR" B "AND" Criteria Group 2 = IDN Attribute = X "AND" Criteria Group 3 = IDN Attribute = X "AND" Criteria Group 4 = IDN Attribute "Contains" X


Hello TylerT,

1. Is there a way that currently exists for discovering, then updating, Access Profiles and/or Membership Criteria for Bulk Roles?

There is not currently a way to do this. We do have an import/export tool that will allow you to pull certain items from IdentityNow. Currently this tool does not have support for Access Profiles or Roles. It is in our roadmap but if you created an idea on our ideas portal here it may get pushed higher up in our backlog. https://developer-sailpoint.ideas.aha.io/

2. The only place I have found in API calls to see Role Membership Criteria is /Beta/Roles, but it fails when I try to use Limit to get back all Roles. The standard call will not return all Roles in our environment. Is there a Query field that could be added to another API call to gather membership criteria? Or would the limit option being fixed in the Beta API call be the only option currently?

You have the correct endpoint on /Beta/Roles. The default limit for the call is 50 records. To get all the records you’ll have to use the limit/offset within the API. The first call getting 50 records, then calling the API again for the next 50 etc…

3. The testing that I have done on reading in the Complex_Criteria with PowerShell 7 and then trying to convert into acceptable Role Importer format has come up short. I think this is due to the depth of the JSON for the fields or maybe special characters. Any assistance with understanding/nailing this down would be much appreciated. The typical criteria we have for Roles are Criteria Group 1 = IDN Attribute = A "OR" B "AND" Criteria Group 2 = IDN Attribute = X "AND" Criteria Group 3 = IDN Attribute = X "AND" Criteria Group 4 = IDN Attribute "Contains" X

For this one, could you give an example of one or more of the responses from /beta/roles that you are having trouble converting to the Role Importer format?

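
The limit/offset loop described in the answer above, written out as an added example (this is not code from the thread or from SailPoint). It assumes a tenant name in $Tenant and a bearer token in the IDN_TOKEN environment variable, both placeholders. The page fetch is a replaceable script block so the paging logic itself can be checked offline against a constructed list of fake roles before pointing it at /beta/roles.

```powershell
# Added example, not code from the thread. Pages through /beta/roles with
# limit/offset and stops when a page comes back short.
# $Tenant and the IDN_TOKEN environment variable are placeholders you fill in.
$Tenant = 'your-tenant'   # placeholder

function Get-AllRoles {
    param(
        # The thread states the default page size is 50; keep it unless the API accepts more.
        [int]$PageSize = 50,

        # Fetches one page. Replaceable so the paging logic can be exercised offline.
        [scriptblock]$FetchPage = {
            param([int]$Limit, [int]$Offset)
            $uri = "https://$Tenant.api.identitynow.com/beta/roles?limit=$Limit&offset=$Offset"
            Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $env:IDN_TOKEN" }
        }
    )

    $all    = [System.Collections.Generic.List[object]]::new()
    $offset = 0
    do {
        $page = @(& $FetchPage $PageSize $offset)   # @() so a one-item page still has .Count
        $all.AddRange($page)
        $offset += $PageSize
    } while ($page.Count -eq $PageSize)               # a short (or empty) page means we are done

    return ,$all.ToArray()
}

# Offline check with a constructed list of 120 fake roles: three pages (50, 50, 20).
$fakeRoles = 1..120 | ForEach-Object { [pscustomobject]@{ id = "role-$_"; name = "Fake Role $_" } }
$roles = Get-AllRoles -PageSize 50 -FetchPage {
    param($Limit, $Offset)
    $fakeRoles | Select-Object -Skip $Offset -First $Limit
}
"Collected $($roles.Count) roles"

# Real run (needs a valid tenant and token): $roles = Get-AllRoles
```

When the total is an exact multiple of the page size the loop makes one extra call that returns an empty page, which is harmless. The collected objects carry the full membership.criteria tree, so they can be handed straight to whatever converts them to Role Importer rows.
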
  1. I do have a version of the I/O tool provided a while back. I will revisit some of the work I did exploring the functionality. I will look into the ideas site, thanks for the suggestion.

  2. Yeah, the limit option causes the API call to fail, but I will try an Offset loop to gather the information that I am looking for.

  3. [
       {
         "description": "IdentityNow Birthright Access Role - This role was created to facilitate the birthright access for each associate based on job location and title.",
         "owner": {
           "type": "IDENTITY",
           "id": "The Boss",
           "name": "Fake Source Owner"
         },
         "accessProfiles": [
           {
             "type": "ACCESS_PROFILE",
             "id": "8675309",
             "name": "Fake AD Access Profile"
           },
           {
             "type": "ACCESS_PROFILE",
             "id": "2c918CFakeID",
             "name": "Not A Real AD Access Profile"
           }
         ],
         "membership": {
           "type": "STANDARD",
           "criteria": {
             "operation": "AND",
             "key": null,
             "stringValue": "",
             "children": [
               {
                 "operation": "OR",
                 "key": null,
                 "stringValue": "",
                 "children": [
                   {
                     "operation": "EQUALS",
                     "key": { "type": "IDENTITY", "property": "attribute.cloudLifecycleState", "sourceId": "" },
                     "stringValue": "active",
                     "children": []
                   },
                   {
                     "operation": "EQUALS",
                     "key": { "type": "IDENTITY", "property": "attribute.cloudLifecycleState", "sourceId": "" },
                     "stringValue": "loa",
                     "children": []
                   }
                 ]
               },
               {
                 "operation": "EQUALS",
                 "key": { "type": "IDENTITY", "property": "attribute.jobTitle", "sourceId": "" },
                 "stringValue": "Sailor",
                 "children": []
               },
               {
                 "operation": "EQUALS",
                 "key": { "type": "IDENTITY", "property": "attribute.location", "sourceId": "" },
                 "stringValue": "Pacific Ocean",
                 "children": []
               },
               {
                 "operation": "CONTAINS",
                 "key": { "type": "ACCOUNT", "property": "attribute.distinguishedName", "sourceId": "Active Directory" },
                 "stringValue": "DC",
                 "children": []
               }
             ]
           },
           "identities": null
         },
         "legacyMembershipInfo": null,
         "enabled": true,
         "requestable": false,
         "accessRequestConfig": { "commentsRequired": false, "denialCommentsRequired": false, "approvalSchemes": [] },
         "revocationRequestConfig": { "commentsRequired": false, "denialCommentsRequired": false, "approvalSchemes": [] },
         "segments": null,
         "id": "alpha centauri",
         "name": "Fake Role Name",
         "created": "2021-04-01T20:11:46.794Z",
         "modified": "2021-04-01T20:27:04.548Z"
       }
     ]

I have modified the PII, but the format should hold true to what I am trying to digest and return the COMPLEX_CRITERIA for. I hope that I added it correctly to the form.

On a side note, I will be on PTO until 8/31/2021 and will review/respond on my return. Thanks for digging in.


Tyler,

Let me know if you have any trouble with the offset in the /Beta/Roles API.

I am playing around with your complex_criteria to see if I can get something working transforming it to the Role Importer Format.

Stay Tuned

TylerT,

Here is a script I wrote to print out all the values from the criteria from a Role. You should be able to modify this in order to get what you need for the Role Importer.

function Get-Criteria {
    param (
        [PSObject[]]$child
    )

    # Print the node's own fields; key is null on AND/OR group nodes, so those lines print blank
    $child.operation
    "   " + $child.key.type
    "   " + $child.key.property
    "   " + $child.key.sourceId
    $child.stringValue

    "----"

    # Recurse into nested groups (leaf nodes carry an empty children array)
    if ($null -ne $child.children) {
        foreach ($grandchild in $child.children) {
            Get-Criteria $grandchild
        }
    }
}

# -Raw hands ConvertFrom-Json the whole file as one string; @() covers both a single
# role object and the array form that /beta/roles returns
$roleInfo = Get-Content Role.json -Raw | ConvertFrom-Json

foreach ($role in @($roleInfo)) {
    foreach ($info in $role.PSObject.Properties) {
        if ($info.name -eq "membership") {
            foreach ($child in $info.value.criteria.children) {
                Get-Criteria $child
            }
        }
    }
}
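
The printing script above shows the tree walk; the step the original question (item 3) was stuck on is turning that tree into one flat value per role for a CSV. Below is an added example of that conversion, not code from the thread or from SailPoint. It renders the criteria as a parenthesised boolean expression, joins the access profile names, and emits one CSV row per role. The column names Name, Description, AccessProfiles and Criteria are placeholders to be mapped onto the Role Importer template's headers, and the exact syntax the importer expects for complex criteria is not shown in this thread, so adjust the leaf and group rendering in ConvertTo-CriteriaExpression to match it. The sample JSON is a constructed, shortened copy of the response shape posted earlier.

```powershell
# Added example, not code from the thread or from SailPoint. Walks the
# membership.criteria tree from /beta/roles and renders each role as one flat
# CSV row. Column names are placeholders for the Role Importer template headers.

function ConvertTo-CriteriaExpression {
    param(
        [Parameter(Mandatory)][PSObject]$Node,
        [int]$Depth = 0
    )

    # Group node: AND/OR over its children. Parentheses keep nesting unambiguous,
    # so the OR group inside the top-level AND is not flattened away.
    if ($Node.children -and $Node.children.Count -gt 0) {
        $parts = foreach ($c in $Node.children) {
            ConvertTo-CriteriaExpression -Node $c -Depth ($Depth + 1)
        }
        $expr = $parts -join " $($Node.operation) "
        if ($Depth -eq 0) { return $expr } else { return "($expr)" }
    }

    # Leaf node: key names the attribute, stringValue is the operand.
    # ACCOUNT keys also carry the source name, so prefix it to keep the criterion unambiguous.
    $prop = $Node.key.property
    if ($Node.key.type -eq 'ACCOUNT' -and $Node.key.sourceId) {
        $prop = "$($Node.key.sourceId).$prop"
    }
    return "$prop $($Node.operation) '$($Node.stringValue)'"
}

function ConvertTo-RoleRow {
    param([Parameter(Mandatory)][PSObject]$Role)

    [pscustomobject]@{
        Name           = $Role.name
        Description    = $Role.description
        AccessProfiles = ($Role.accessProfiles.name -join ';')
        Criteria       = ConvertTo-CriteriaExpression -Node $Role.membership.criteria
    }
}

# Constructed sample shaped like the /beta/roles response (fake values).
$sampleJson = @'
[ { "name": "Fake Role Name", "description": "Birthright role",
    "accessProfiles": [ { "name": "Fake AD Access Profile" }, { "name": "Not A Real AD Access Profile" } ],
    "membership": { "type": "STANDARD", "criteria": {
      "operation": "AND", "key": null, "stringValue": "", "children": [
        { "operation": "OR", "key": null, "stringValue": "", "children": [
          { "operation": "EQUALS", "key": { "type": "IDENTITY", "property": "attribute.cloudLifecycleState", "sourceId": "" }, "stringValue": "active", "children": [] },
          { "operation": "EQUALS", "key": { "type": "IDENTITY", "property": "attribute.cloudLifecycleState", "sourceId": "" }, "stringValue": "loa", "children": [] } ] },
        { "operation": "EQUALS", "key": { "type": "IDENTITY", "property": "attribute.jobTitle", "sourceId": "" }, "stringValue": "Sailor", "children": [] },
        { "operation": "CONTAINS", "key": { "type": "ACCOUNT", "property": "attribute.distinguishedName", "sourceId": "Active Directory" }, "stringValue": "DC", "children": [] } ] } } } ]
'@

$rows = @($sampleJson | ConvertFrom-Json) | ForEach-Object { ConvertTo-RoleRow -Role $_ }
$rows | ConvertTo-Csv -NoTypeInformation

# For a full export: $rows | Export-Csv roles-for-importer.csv -NoTypeInformation
```

For the sample, the Criteria column comes out as the parenthesised OR group on cloudLifecycleState, ANDed with the jobTitle and the Active Directory distinguishedName criteria. Quoting the operand in single quotes is what keeps values with spaces or commas (such as "Pacific Ocean") intact once the row is written to CSV; if a value itself contains a single quote it should be escaped before rendering.
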

I appreciate the assist with extracting the data. I hope to have a fully developed solution soon. Cheers.

What was the result of your investigation?

We have requirements to be able to bulk create/edit Roles and access profiles (preferably by CSV/Spreadsheet).

You should have that ability when using the Bulk Importer SailPoint provides.

My issue was more around pulling out the Membership Criteria for existing roles, to modify and patch using the Bulk Importer. I was able to get a solution worked out to do that with PowerShell 7.

I looked through some of the work that Darren (Non-SailPoint) contributed to fill in the blanks.