Entitlement Aggregation Issue with Group Aggregation HTTP Operation

Hello SailPoint Community,

I’m experiencing an issue with entitlement aggregation using a Group Aggregation HTTP operation. Despite configuring the operation correctly, I’m not seeing any entitlements scanned.

Here’s my setup:

  • I have a Group Aggregation HTTP operation that fetches entitlements from an API, which returns a JSON response like this:
{
    "responseStatus": "SUCCESS",
    "queryDescribe": {
        ...
    },
    "responseDetails": {
        ...
    },
    "data": [
        {
            "id": "0AR000000000101",
            "name__v": "Author"
        },
        {
            "id": "0AR000000000102",
            "name__v": "External Inspector"
        }
    ]
}
  • In my Account Schema, I have added group_id and group_name as attributes, with group_name being of type “group” and an entitlement.
  • I have an entitlement type “group” with attributes group_id and group_name, both of type String and added as entitlements.
  • In my Group Aggregation HTTP operation, I have configured the API as follows:
    • Response Information: $.data[*]
    • Response Mapping:
      • group_id = id
      • group_name = name__v

However, when I run the entitlement aggregation, I don’t see any entitlements scanned. Can someone please help me identify where I’m going wrong? I’ve double-checked my configuration, but I’m still stuck.

Any assistance would be greatly appreciated.

Hi @sita_ram

I see your configuration looks good. The only thing is that you do not have to add group_id to your account schema if all your API requires is group_name. Coming to the entitlement schema, make sure you make group_name the entitlement ID.

I would recommend that you read the resolved post below and follow the steps provided. Do not go by the heading of the topic.

Duplicate Entitlements from Account Aggregation and Group Aggregation - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

If you make the configuration as suggested in the post, this issue will be resolved.

2 Likes

In addition to Shekhar's notes, check your Context URL for your Group Aggregation, just in case it has been copied incorrectly from a different endpoint.

I would like to add a couple of suggestions here.

  1. As Shekhar mentioned, yes, you need to remove either group_id or group_name from your account schema. This depends on what you are seeing when you get any account details. Will the account have group_id or group_name?
  2. Once you identify and remove the required attribute from the account schema, you need to move to the entitlement schema and set the attribute which you have in the account schema as the entitlement ID, and the other attribute can be the entitlement name. I believe when you fetch an account you will see group_id instead of group_name. This way, when you have configured it correctly, you will see the name under the entitlement section in the user account in ISC.
  3. Add an AfterOperationRule if you have configured everything correctly to see what you are getting from the endpoint. This will help you to identify how you are getting the data from the endpoint, and this might help you to correct the response mappings.

If you are still not able to get the entitlements, can you post your entitlement aggregation operation?
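An offline check of the root path and response mapping from the question, added here as an example and not part of any post or of SailPoint's code. The helper names and the account-side value are constructed, and matching account values against the entitlement ID attribute is an assumption drawn from the replies above.

```python
import json

# Constructed sample: the question's response with the elided sections left out.
SAMPLE_RESPONSE = json.loads("""
{
  "responseStatus": "SUCCESS",
  "data": [
    {"id": "0AR000000000101", "name__v": "Author"},
    {"id": "0AR000000000102", "name__v": "External Inspector"}
  ]
}
""")

ROOT_PATH = "$.data[*]"
RESPONSE_MAPPING = {"group_id": "id", "group_name": "name__v"}


def select_root(doc, root_path):
    """Resolve the simple '$.<key>[*]' form of root path used in the thread."""
    if not (root_path.startswith("$.") and root_path.endswith("[*]")):
        raise ValueError("only '$.<key>[*]' root paths are handled here")
    node = doc
    for key in root_path[2:-3].split("."):
        node = node[key]
    if not isinstance(node, list):
        raise ValueError(f"{root_path} did not select a list")
    return node


def map_entitlements(doc, root_path, mapping):
    """Apply the response mapping to every object under the root path."""
    rows = []
    for item in select_root(doc, root_path):
        missing = [src for src in mapping.values() if src not in item]
        if missing:
            raise KeyError(f"response object lacks mapped keys: {missing}")
        rows.append({attr: item[src] for attr, src in mapping.items()})
    return rows


def unmatched_account_values(rows, entitlement_id_attr, account_values):
    """Account-side values that match no aggregated entitlement ID."""
    ids = {row[entitlement_id_attr] for row in rows}
    return sorted(set(account_values) - ids)


if __name__ == "__main__":
    rows = map_entitlements(SAMPLE_RESPONSE, ROOT_PATH, RESPONSE_MAPPING)
    print(unmatched_account_values(rows, "group_name", ["0AR000000000101"]))
```

With an account that carries the group's id, choosing group_name as the entitlement ID leaves that value unmatched, while choosing group_id matches it.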

Thanks for all your replies.

The suggested changes worked!

1 Like