I am about to embark on scripting the conversion of AD role groups into SailPoint ISC roles. I am wondering if anyone here has done this before and would be willing to share their work.
This is what I plan to do without knowing the gotchas of what I’m about to attempt to do.
Using PowerShell - Foreach loop through a list of 200 approved AD role groups to convert and perform the following:
1. Get AD group details
2. Format the name of the group to match our naming scheme in ISC
3. Get the list of nested AD groups that make up the role group
4. Get the members of the role group
5. Create the role in ISC, including identities (4) and entitlements (3), via API
I am not sure I will be able to do step 5 in one call and expect that to be the largest hurdle. It may require additional API calls beforehand: one to convert the AD role group members to a list of identity IDs and another to convert the nested groups to a list of entitlement IDs.
Thank you for any guidance or work you have already done on this subject.
Hi @jewalker,
4 - Are you using RBAC to populate the Roles - you’ve not defined anything in your plan for each AD group
5 - Do you use VSC? You might find it easier to upload the role code that way, as you won't require the entitlement ID numbers (I'm using it to upload 30,000+ roles). Just build yourself a spreadsheet (you can download the template from VSC), then upload it when it's ready.
To make sure we understand your use case, my understanding is that you want to get rid of your nested groups in AD and assign members directly into each nested group? If so, your process is good.
On step 5 when you are creating the roles, I would create the role with the appropriate entitlements, but I wouldn’t add the users to the role. I would add all of the roles then I would go back and request the role for each user.
I would do step 5 this way for two reasons:
I wouldn't add the users directly to the role, as they can't be managed by standard processes (access request, certifications, etc.) when they move within the organization or leave.
I also wouldn't try to add the users to the role directly after I created it, as sometimes it can take up to a couple of minutes for a requestable item to show up in the catalog. So by creating all of the roles first, by the time you loop back to add users, hopefully the role will be there.
While this is not exactly what you're looking for, you can see all the API calls I made in order to build out roles. This is highly customizable and can be updated for your exact use case.
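As an added example (not code from the original post or any of the replies), here is one way to script the five steps from the question while following the two-pass advice above: create every role with its entitlements first, wait for the catalog, then submit an access request for each user rather than an IDENTITY_LIST membership. It assumes the ActiveDirectory module, an ISC API client with client-credentials, and placeholder values for the tenant, AD source ID, role owner ID and naming scheme. The `/v3/accounts` and `/beta/entitlements` filter syntax and the v3 role payload (with an `entitlements` array) are written from the public API docs as I understand them; check them against your tenant's API reference before running without `-DryRun`. The approved-group list is a constructed sample.

```powershell
<#
Added example, not from the thread. Two passes: (1) create each ISC role from an AD role group
with its nested groups as entitlements, (2) request the role for every user of the group.
Placeholders/assumptions: tenant, credentials, AD source ID, owner identity ID, naming scheme.
#>
param(
    [string]$Tenant       = 'example-tenant',            # assumption: your ISC tenant name
    [string]$ClientId     = $env:ISC_CLIENT_ID,
    [string]$ClientSecret = $env:ISC_CLIENT_SECRET,
    [string]$AdSourceId   = '<ad-source-id>',            # assumption: ID of the AD source in ISC
    [string]$RoleOwnerId  = '<owner-identity-id>',       # assumption: identity ID of the role owner
    [string[]]$ApprovedGroups = @('ROLE-Finance-Analyst'),  # constructed sample of the approved list
    [int]$CatalogDelaySeconds = 180,                     # give the request catalog time to catch up
    [switch]$DryRun                                      # read from AD/ISC, but print instead of POST
)
Import-Module ActiveDirectory
$Base = "https://$Tenant.api.identitynow.com"

function Get-IscToken {
    # Client-credentials grant for an ISC API client.
    $resp = Invoke-RestMethod -Method Post -Uri "$Base/oauth/token" -Body @{
        grant_type = 'client_credentials'; client_id = $ClientId; client_secret = $ClientSecret }
    $resp.access_token
}

function Invoke-Isc {
    param([string]$Method, [string]$Path, $Body)
    $req = @{ Method = $Method; Uri = "$Base$Path"; ContentType = 'application/json'
              Headers = @{ Authorization = "Bearer $script:Token" } }
    if ($null -ne $Body) { $req.Body = ($Body | ConvertTo-Json -Depth 10) }
    Invoke-RestMethod @req
}

function ConvertTo-IscRoleName {
    param([string]$AdGroupName)
    # Naming scheme is an assumption: drop the 'ROLE-' prefix, turn separators into spaces.
    'AD Role - ' + ($AdGroupName -replace '^ROLE[-_]', '' -replace '[-_]', ' ')
}

function Resolve-IscIdentityId {
    param([string]$UserDn)
    # AD accounts in ISC use the DN as nativeIdentity; the account record carries identityId.
    $f = [uri]::EscapeDataString("sourceId eq `"$AdSourceId`" and nativeIdentity eq `"$UserDn`"")
    $acct = @(Invoke-Isc GET "/v3/accounts?filters=$f")
    if ($acct.Count -ne 1) { return $null }      # uncorrelated or ambiguous: caller decides
    $acct[0].identityId
}

function Resolve-IscEntitlementId {
    param([string]$GroupDn)
    # AD group entitlements carry the group DN as their value (filter syntax assumed from the beta API).
    $f = [uri]::EscapeDataString("source.id eq `"$AdSourceId`" and value eq `"$GroupDn`"")
    $ent = @(Invoke-Isc GET "/beta/entitlements?filters=$f")
    if ($ent.Count -ne 1) { throw "Entitlement not found or ambiguous for $GroupDn" }
    $ent[0].id
}

function New-IscRoleFromAdGroup {
    param([string]$GroupName)
    $group  = Get-ADGroup -Identity $GroupName -Properties Description                   # step 1
    $nested = Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'group'  # step 3 (direct nesting)
    $ents   = @(foreach ($g in $nested) {
        @{ type = 'ENTITLEMENT'; id = (Resolve-IscEntitlementId $g.DistinguishedName) } })
    $role = @{
        name         = ConvertTo-IscRoleName $group.Name                                  # step 2
        description  = "Migrated from AD role group $($group.DistinguishedName). $($group.Description)".Trim()
        owner        = @{ type = 'IDENTITY'; id = $RoleOwnerId }
        entitlements = $ents
        enabled      = $true
        requestable  = $true
        # No IDENTITY_LIST membership on purpose: users are granted via access requests in pass 2,
        # so mover/leaver processing and certifications still apply to the assignment.
    }
    if ($DryRun) { Write-Host ($role | ConvertTo-Json -Depth 10); return @{ id = "dry-run:$GroupName" } }
    Invoke-Isc POST '/v3/roles' $role                                                     # step 5
}

function Request-IscRoleForMembers {
    param([string]$GroupName, [string]$RoleId)
    # -Recursive flattens nested groups so every eventual user is requested.           # step 4
    $users = Get-ADGroupMember -Identity $GroupName -Recursive | Where-Object objectClass -eq 'user'
    foreach ($u in $users) {
        $identityId = Resolve-IscIdentityId $u.DistinguishedName
        if (-not $identityId) { Write-Warning "No correlated identity for $($u.SamAccountName); skipping"; continue }
        $request = @{
            requestedFor   = @($identityId)
            requestType    = 'GRANT_ACCESS'
            requestedItems = @(@{ type = 'ROLE'; id = $RoleId; comment = "Migration of AD role group $GroupName" })
        }
        if ($DryRun) { Write-Host "Would request role $RoleId for $($u.SamAccountName)"; continue }
        Invoke-Isc POST '/v3/access-requests' $request | Out-Null
    }
}

$script:Token = Get-IscToken
$roleIds = @{}
foreach ($g in $ApprovedGroups) { $roleIds[$g] = (New-IscRoleFromAdGroup -GroupName $g).id }  # pass 1: all roles
if (-not $DryRun) { Start-Sleep -Seconds $CatalogDelaySeconds }                              # catalog propagation
foreach ($g in $roleIds.Keys) { Request-IscRoleForMembers -GroupName $g -RoleId $roleIds[$g] }  # pass 2: users
```

Two checks worth keeping: `Resolve-IscIdentityId` returns `$null` for uncorrelated or duplicate accounts and the caller only warns, so an unmanaged AD account never silently gets a role; and `Resolve-IscEntitlementId` throws on a missing or ambiguous group so a role is never created with a partial entitlement list. Run with `-DryRun` first to review the generated role payloads and the per-user request list.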