Creation of a bulk number of roles and the validity of each role

Hello Team,

  1. We’ve got to create a bulk number of roles and access profiles in IdentityNow, but we are not supposed to use the Ruby script given by SailPoint (Bulk Access Profile and Role-Importer) as there are some restrictions on Ruby for our client. Can anyone help? Is there a way to create a large number of roles or access profiles at once using a Python or PowerShell script?

  2. Is there a way to assign a role to a user in IdentityNow only for a certain period, i.e. valid from and valid to, etc., by using any API calls etc.?
    (Valid from is our top priority.)

For example, there is a role, rc1, and the user is John Doe; we need to assign the rc1 role to John Doe from Feb 25 to May 25, etc.

Thanks in advance!

Thank you & kind regards
Mane

  1. Yes, you can use a PowerShell script to call APIs for creating access profiles and roles in bulk.

https://community.sailpoint.com/t5/IdentityNow-Forum/SailPoint-IdentityNow-PowerShell-Module/td-p/144188

  2. For this use case you can define a flag as an Identity attribute which should be true from the start date to the end date and false otherwise. Then, when you define your role, include this identity attribute as one of the role criteria and assign the role only when this flag is true.

Thank you @sharvari. Could you please let me know how we can define a flag as an identity attribute? Do we need to set it via any API call etc.?

Thank you & kind regards
Mane

From UI, in your authoritative source Identity Profile, create a new attribute say assignRole and then map it to a custom transform which will return a yes/no or true/false value which can be used in role criteria.

In the transform logic you need to compare the dates and if current date falls between start and end date you return true else false. For transform you will have to use a combination of dateMath, dateTranform and dateCompare.

Hope this helps!
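
A sketch of the transform described in the reply above, added here as an illustration; it is not from the thread and is not SailPoint's or the poster's own configuration. It uses the `static`, `dateCompare`, `dateFormat` and `accountAttribute` transform types; the transform name, the source name `Example HR Source`, the account attributes `roleStartDate` and `roleEndDate`, and the `yyyy-MM-dd` input format are assumptions, and `"now"` is passed directly to `dateCompare` in place of a `dateMath` step.

```json
{
  "name": "Example - assignRole window flag",
  "type": "static",
  "attributes": {
    "started": {
      "type": "dateCompare",
      "attributes": {
        "firstDate": {
          "type": "dateFormat",
          "attributes": {
            "input": {
              "type": "accountAttribute",
              "attributes": { "sourceName": "Example HR Source", "attributeName": "roleStartDate" }
            },
            "inputFormat": "yyyy-MM-dd",
            "outputFormat": "ISO8601"
          }
        },
        "secondDate": "now",
        "operator": "LTE",
        "positiveCondition": "yes",
        "negativeCondition": "no"
      }
    },
    "notEnded": {
      "type": "dateCompare",
      "attributes": {
        "firstDate": "now",
        "secondDate": {
          "type": "dateFormat",
          "attributes": {
            "input": {
              "type": "accountAttribute",
              "attributes": { "sourceName": "Example HR Source", "attributeName": "roleEndDate" }
            },
            "inputFormat": "yyyy-MM-dd",
            "outputFormat": "ISO8601"
          }
        },
        "operator": "LTE",
        "positiveCondition": "yes",
        "negativeCondition": "no"
      }
    },
    "value": "#if($started == 'yes' && $notEnded == 'yes')true#{else}false#end"
  }
}
```

Because the result depends only on the two dates, every identity whose window contains the current date evaluates to true, which is the behaviour raised in the follow-up reply. Identities with no value for either date are an edge case this sketch does not handle.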

Thanks a lot @sharvari, I’ve written a transform and mapped it to a custom attribute. But there will be many users whose start date is less than the current date and whose end date is greater than the current date. So all the users will satisfy this criteria and their flag will be true, right? So all those users will get this role. But we don’t want all users to receive this role. We need it only while submitting this request for this role. Kindly see the attached screenshot.

Thank you & kind regards
Mane

From your initial post that I read, I thought you needed a way to assign birthright roles for these users based on start and end dates. But if you need the role to be assigned only when requested, then you would be doing a requestable role and not a birthright role. I believe for requestable roles there is an option to specify an end date for access but no start date.

There is an idea posted for the same and requested by many. Perhaps you can cast a vote to bump up the requirement. https://ideas.sailpoint.com/ideas/GOV-I-1034