Create Bulk Access Requests in ISC

Thanks to @dernc and @ethompson whose posts helped in creating the PowerShell script.

Below is the modified PowerShell script, which you can use to create access requests in bulk.

#sandbox
$ClientID = "XXXXXXXXXXXXXXXXXXXXXXXXX"
$SecretID = "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
$pair = "$($ClientID):$($SecretID)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($pair))
$BasicAuth1 = "Basic $encodedCreds"

# Request an OAuth access token with the client credentials (Base64 only encodes them, it does not encrypt)
$tokenParam = @{
               URI = 'https://my-tenant.api.identitynow.com/oauth/token'
               Body="grant_type=client_credentials"
               Headers = @{'Authorization' = "$BasicAuth1";"Content-Type"='application/x-www-form-urlencoded'}
               Method = 'POST'
}
$tokenResponse = Invoke-RestMethod @tokenParam
$token = $tokenResponse.access_token
# Identity IDs to request access for, and the entitlement ID to grant (fill these in)
$users = @()
$entitlementId = "" 

foreach ($user in $users) {
    $body = @{
        requestedFor   = @(
            $user
        )
        requestType    = "GRANT_ACCESS"
        requestedItems = @(
            [PSCustomObject]@{
                type    = "ENTITLEMENT"
                id      = $entitlementId
                comment = "Assigning entitlement to the users as per request from Karan"
            }
        )
    }
    (ConvertTo-Json $body -depth 5)
    
    $params = @{
        method      = "POST"
        uri         = "https://my-tenant.api.identitynow.com/v3/access-requests"
        body        = (ConvertTo-Json $body -Depth 5)
        headers     = @{'Authorization' = "Bearer $token"}
        ContentType = "application/json"
    }
    try {
        $response = Invoke-RestMethod @params
        $response
    }
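    catch {
        # $response is not set when the call throws, so report which user failed instead
        Write-Host "Access request failed for $user" -ForegroundColor Red
        Write-Host $_.Exception.Message  -ForegroundColor Red
        Write-Host $_.Exception.ItemName  -ForegroundColor Red
    }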
}
8 Likes

Thanks for sharing @karan_1984. This script could be really useful for performing bulk access requests when, let’s say, 250 summer interns are set to join and we haven’t got RBAC set up for them. Saves a lot of time.

Where do you think it’s best to save and run such a script?

Hi @TheOneAMSheriff, it’s up to you where you want to save it. It would be good if it is executed by a person who knows how to use PowerShell scripts, as you need to enter the identity ID and entitlement ID manually in this script.

Also, do note that you will enter the PAT information as well in this script.

1 Like
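
One way to keep the PAT out of the script file itself, shown as an added example that is not part of the original posts: the client ID and secret are captured once with `Get-Credential` and stored with `Export-Clixml`, which on Windows protects the secret with DPAPI for the current user and machine. The credential file path is a hypothetical location; the token URL is the one used in the script above.

```powershell
# Added example. Assumptions: Windows PowerShell, the tenant URL from the
# script above, and a hypothetical per-user credential file location.
$credPath = Join-Path $env:USERPROFILE 'isc-pat.clixml'   # hypothetical path

if (-not (Test-Path $credPath)) {
    # Prompt once: user name = PAT client ID, password = PAT client secret.
    # On Windows, Export-Clixml encrypts the SecureString with DPAPI, so the
    # file can only be decrypted by the same user on the same machine.
    Get-Credential -Message 'PAT client ID / client secret' |
        Export-Clixml -Path $credPath
}

$cred  = Import-Clixml -Path $credPath
$pair  = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$basic = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

$tokenParam = @{
    Uri         = 'https://my-tenant.api.identitynow.com/oauth/token'
    Method      = 'POST'
    Body        = 'grant_type=client_credentials'
    ContentType = 'application/x-www-form-urlencoded'
    Headers     = @{ Authorization = $basic }
}
$token = (Invoke-RestMethod @tokenParam).access_token

# Drop the plaintext copies once the bearer token has been issued
Remove-Variable pair, basic, cred
```

On non-Windows PowerShell, `Export-Clixml` does not encrypt the secret, so a secrets vault is the better store there.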

Can we provide a CSV path as a reference for the list of users?

#sandbox
$ClientID = "XXXXXXXXXXXXXXXXXXXXXXXXX"
$SecretID = "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
$pair = "$($ClientID):$($SecretID)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($pair))
$BasicAuth1 = "Basic $encodedCreds"

# Request an OAuth access token with the client credentials (Base64 only encodes them, it does not encrypt)
$tokenParam = @{
               URI = 'https://my-tenant.api.identitynow.com/oauth/token'
               Body="grant_type=client_credentials"
               Headers = @{'Authorization' = "$BasicAuth1";"Content-Type"='application/x-www-form-urlencoded'}
               Method = 'POST'
}
$tokenResponse = Invoke-RestMethod @tokenParam
$token = $tokenResponse.access_token
# One request per line of the text file; several identity IDs on one line are separated by ':'
$users = Get-Content "D:\Add-Users.txt"
$entitlementId = "" 

foreach ($user in $users) {
    $body = @{
        requestedFor   = $user.split(':')
        requestType    = "GRANT_ACCESS"
        requestedItems = @(
            [PSCustomObject]@{
                type    = "ENTITLEMENT"
                id      = $entitlementId
                comment = "Assigning entitlement to the users as per request from Karan"
            }
        )
    }
    (ConvertTo-Json $body -depth 5)
    
    $params = @{
        method      = "POST"
        uri         = "https://my-tenant.api.identitynow.com/v3/access-requests"
        body        = (ConvertTo-Json $body -Depth 5)
        headers     = @{'Authorization' = "Bearer $token"}
        ContentType = "application/json"
    }
    try {
        $response = Invoke-RestMethod @params
        $response

        # Record every user/item pair of this request in the CSV once it has been submitted
        foreach ($requestedUser in $body.requestedFor) {
            foreach ($item in $body.requestedItems) {
                [PSCustomObject]@{
                    RequestedFor    = $requestedUser
                    RequestType     = $body.requestType
                    ItemType        = $item.type
                    ItemId          = $item.id
                    ItemComment     = $item.comment
                } | Export-Csv "C:\Users\Usersadded.csv" -Append -NoTypeInformation
            }
        }
    }
    catch {
        # $response is not set when the call throws, so report which input line failed instead
        Write-Host "Access request failed for $user" -ForegroundColor Red
        Write-Host $_.Exception.Message  -ForegroundColor Red
        Write-Host $_.Exception.ItemName  -ForegroundColor Red
    }
}
1 Like

Thank you for your patience.

I have updated the script with input from a text file and output to a CSV file.

Hello @karan_1984

The script you have shared above is very useful for performing bulk access requests. I’ll have to take it and give it a try on my next task at work. Great collaboration within the community.

1 Like

Appreciate your efforts in automating this.

You can add more than one user ID in the API call itself; requestedFor is an array.

The documentation mentions some limitations, like a maximum of 10 identities and 25 entitlements, but I have submitted requests for hundreds of users. These limits can change at any time, so we need to know.

For removal, only 1 identity can be requested at a time; this might be updated in the future.

So, look at your requirement to decide whether to make use of the APIs themselves or whether you need some custom scripts.

1 Like
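
The batching described in the reply above, as an added example that is not from the thread: identity IDs are read from a CSV, validated before anything is sent, grouped into `requestedFor` arrays of at most 10 (the documented limit quoted in the reply), and every identity gets an audit row with the outcome. The CSV path, the `IdentityId` column name, the audit file path and the 32-hex-character ID format are assumptions; `$token` and `$entitlementId` are expected to be set as in the scripts above.

```powershell
# Added example. Assumptions: hypothetical CSV with an 'IdentityId' column,
# 32-hex-character identity IDs, and $token / $entitlementId already set.
$batchSize = 10   # per-request identity limit quoted from the documentation
$ids = @(Import-Csv 'D:\Add-Users.csv' |
    ForEach-Object { "$($_.IdentityId)".Trim() } |
    Where-Object { $_ } |
    Select-Object -Unique)

# Reject malformed IDs up front instead of letting the API fail mid-run
$bad = @($ids | Where-Object { $_ -notmatch '^[0-9a-fA-F]{32}$' })
if ($bad.Count) { throw "Malformed identity IDs: $($bad -join ', ')" }

for ($i = 0; $i -lt $ids.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize, $ids.Count) - 1
    $batch = @($ids[$i..$last])
    $body  = @{
        requestedFor   = $batch
        requestType    = 'GRANT_ACCESS'
        requestedItems = @(@{ type = 'ENTITLEMENT'; id = $entitlementId; comment = 'Bulk request' })
    } | ConvertTo-Json -Depth 5

    $params = @{
        Method      = 'POST'
        Uri         = 'https://my-tenant.api.identitynow.com/v3/access-requests'
        Headers     = @{ Authorization = "Bearer $token" }
        ContentType = 'application/json'
        Body        = $body
    }
    try {
        Invoke-RestMethod @params | Out-Null
        $status = 'Submitted'
    }
    catch { $status = "Failed: $($_.Exception.Message)" }

    # One audit row per identity so a failed batch can be traced and retried
    $batch | ForEach-Object {
        [PSCustomObject]@{
            Time         = Get-Date -Format o
            RequestedFor = $_
            ItemId       = $entitlementId
            Status       = $status
        }
    } | Export-Csv 'D:\access-request-audit.csv' -Append -NoTypeInformation
}
```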