Create Account API

Hi Team,

We have a requirement to create account using an API. When we use the create account API, we get a response as an ID. But this is not creating an account in the source/neither is a work item created for the same. We do not see any entry in the Provisioning Activities tab as well. We are not able to find the work item with that ID as well and not able to see any object with the id from the search as well.

The API call we tried is as below:
API- https://{tenant}.api.identitynow.com/v3/accounts
Body-

{
  "attributes": {
		"city": "Sample city",
		"displayName": "Sample User",
		"userName": "suser",
		"sAMAccountName": "suser",
		"mail": "[email protected]",
		"sourceId":"external id of source"
		}
}

Response -

{
    "id": "2c9180887ba7e1ef017bcaf97ff24aa7"
}

Can you please let me know, if this API creates an account in the target directly or would it come to SailPoint to follow the provisioning process of direct connector or does it create an workitem/task. If an workitem is created whom will it assigned?

Should the user be available in the IdentityNow as a valid Identity before trying to call this API?

Thanks in Advance,
Archana

1 Like

Hi @sgeddam003,

This isn’t documented very well, but the accounts API doesn’t provision accounts in the target source, nor does it create work items to manually do it. The accounts API will create an account directly in IDN, with a loose coupling to the sourceId that you provide in the body. This means the account will exist in IDN, but won’t show up in the target source. To track the status of the task ID that is returned, you can use the task management API.

The big caveat to using this API is that any account created through the API will be removed if an aggregation is run on the source and the account doesn’t exist in the source. Essentially, the source is the “source of truth”, and will override any changes you make via the accounts API.

Typically, you would only use the accounts API if you want to provision or update accounts on a flat file source without having to upload the flat file and run the aggregation process every time you make a change. However, you will want to make sure you are updating the flat file with every change you make with this API so that the next time you aggregate the source it won’t undo your changes.

4 Likes

Hey sgeddam003,

Did you ever figure out a good way to create a user account via API? I have a similar task to onboard a user via Jira and have jira push a request to SailPoint to create a user account and push the appropriate access requests.

I can call the end point ‘v3/accounts’ successfully and get a 200 OK and an ID back, but when I log into SP i dont see that user anywhere

@nate_ruhl, do you have the sourceId in the body of your call, together with the other attributes of the account? I just tested this in our environment, and with the sourceId in there, I can see the account being populated under the correct source.

1 Like

the sourceID i was using was 190100. This corresponds with the sourceID i see when navigating to my Jira staging instance. Maybe I am not understanding sources correctly?

identitynow.com/ui/admin#admin:connections:sources:190100

That is the sourceID for the old / cc API. What you need is the sourceId you get from getting the source from example the /beta/source API. This is a much longer ID (more like an AD guid in format).

So I called the /beta/sources API and found the GUID (ID) for our Jira Staging integration instance. If i put that GUID in as my sourceId on my create account API call, i get a 200 OK and a id returned. When I log into the admin > Identities > identity list in SailPoint, I still cannot see the newly created user

SO I am reading that the ID i receive back is not a user ID, its a task id for an account creation task. Even so, when i go into the UI to look at pending tasks, i dont see the newly created task either.

Can you share the body you are using?

Also, does the source you’re using have an Identity Profile associated with it? Otherwise, check under the source, to see if you do have an uncorrelated account entry for the account you just created

here is one of my test users i was setting up. I get an ID and a 200 back from the API.

{
    "attributes": {
"city": "KC",
"displayName": "Jane Doe",
"userName": "jadoe",
"sAMAccountName": "jaDoe",
"mail": "[email protected]",
"sourceId": "2c91808470f4dc070170f8f3065e44aa"
}
}

The SourceID here relates to our Jira Staging connection. That connection/source does have an identity profile however I do not know how well it was set up or if it requires any tweaks to be fully functioning?

The problem is here that you’re not providing the minimally required attributes for an Identity to be created, which is uid (user name), last name and work mail. You’ll have to check on what account attributes are in the schema of the source and how they are mapped to the appropriate identity attributes.

Hi @colin_mckibben

Are you saying account API works well to create identity for a flatfile but the entry should be added manually every next time we load the accounts via flat file?

If the entry is not added in flat file, whats the use of API for account creation?

Hey @joebin

I believe if you are downloading a current copy of the CSV then updating it, and re-uploading, it will contain the account added via the API.

But if you use a previous CSV that wasn’t updated since the account was added via the API then yes it will overwrite the account you added.

The specific use case above is where they are creating an account locally in identityNow for a source that pulls in data from an external source on a regular aggregation schedule, but this is not an issue for Generic CSV sources.