I’m at my wits end with the ISC Web Services connector and I’m looking for some help. My requirement seems simple enough:
An account must be enabled before an entitlement can be assigned to it
However, as far as I can tell this is simply not possible. Here is what I have tried:
Prioritize the HTTP calls so that Enable Account always runs before Add Entitlement
It looks like ISC does not support this
Ensure Add Entitlement is a dependent operation for Enable Account, so that every time Add Entitlement is called, Enable Account runs
I can’t find any documentation or information on how to reliably tie these operations together as dependencies
Implement logic in a before operation rule to call the app and enable the account
The provisioning plan for Add Entitlement does not include the username of the account, which I need to call the enable user endpoint
Additionally, it looks like almost nothing in SailPoint actually triggers the Enable Account operation. The account is disabled and you add a role? Nope. The user does not have the source and you add it? Nope.
How is this supposed to work? It doesn’t seem that odd to have to enable an account before you can add entitlements to it, but unless I’m missing something, there’s no way to implement that here.
For #1 & #2 you are correct that these are not possible out of the box as far as I know.
For #3 , the account id should be passed in the provisioning plan in the before operation rule. I would suggest calling the enable endpoint from the before operation rule with that native identity id that is passed in.
As mentioned by Tyler, try to use the native identity (the Account ID defined in the application schema) in your enable request.
If native identity is not the right value for your enable call through a before-operation rule, another option is to leverage an ISC trigger (such as “Access Request Submitted” or “Access Request Decision”) and place the enable account operation inside a workflow. This way you can ensure the account is enabled before entitlements are assigned.
Unfortunately, String userid = provisioningPlan.getNativeIdentity(); retrieves the SailPoint Identity alias, which is akin to a display name, not the actual username for the application we are trying to call.
I think I found a workaround. It looks like the body of the operation can be configured with parameters from the application user schema:
but it feels like unnecessary complexity and SailPoint should just provide this information in the provisioning plan natively.
Also, we can re-enable the user directly in the application using this method, but the account object in SailPoint will still reflect the old LCS (disabled) until scheduled aggregation runs. Is there any way to update that to match more quickly?
I still find it odd that SailPoint does not assume the user needs to be enabled when they are reassigned to a role or source and call the “Enable Account” endpoint. That operation seems functionally useless.
Ah I see, I was assuming your identity ID and account username were the same.
Completely agree on the lack of info in the provisioning plan OOTB.
The attribute for whether the account is showing as disabled or not in the UI is called iiqdisabled. I believe if you set this value to false in the response mappings, it should set the account to enabled before an account aggregation.
As far as I can tell, the provisioning plan available in the before operation rule for Add Entitlement only contains the role name being added. No user information. This is separate from the provisioning plan which is available in the HTTP Operation configuration.
@trettkowski - That iiqdisabled attribute looks promising. We’ll play with that, thanks!