Group, Entitlement and Access Profile are removed after account aggregation

Hi All,

I am using a webservice connector and I noticed that the group, entitlement and the access profile are being removed from the user after I perform an account aggregation. This is the flow of my testing:

  1. Request an access profile via access request
  2. Once approved, the user will be added to the requested group in the access profile. I confirmed that the user was added to the group in the Target Application.
  3. I checked the identity’s cube and saw that the group attribute is populated, the entitlement was added and the access profile was also added.
  4. I performed an account aggregation and noticed that the group, entitlement and access profile were removed.
  5. I checked the Target Application and saw that the user is still part of the group.
  6. I performed an account aggregation again to see if it will re-attach the group, however, it is still not populated.

Account schema:

Entitlement schema:

Hi Jasmine,

It sounds like the ‘group’ account attribute is not being mapped correctly during the account aggregation. Can you show what your account aggregation operation looks like?

Depending on the API you are working with, you may need to hit another endpoint to grab the groups a user is a part of during the aggregation.

Thanks,

Liam

Hi @liamkokeeffe! Here’s the account aggregation operation:


Group aggregation in case you need it also:


It looks like on your account aggregation you do not have a field mapping for the ‘groups’ attribute on the account. This is why on account aggregations, your reference to the group on the account gets blanked.

If your API’s /users endpoint returns the groups a user is a part of then add that mapping in your current ‘Response Mapping’ fields. If the /users endpoint does not return this data, then you will need to configure an additional ‘child’ account aggregation endpoint that hits another endpoint (e.g. ‘/<user-id>/groups’) that returns the groups a user is in.

Documentation on multiple independent endpoints can be found here - Multiple Independent Endpoints

Example Account Aggregation setup with multiple endpoints - Aggregation

Thanks,

Liam


Hi @liamkokeeffe! The API does not return the group attribute. The only available API for that is for getting the list of users in a specified group. The problem with this is that I would need to enumerate all the groups and need to add an additional “child” endpoint for each. In our prod instance, there are at least 20 groups.

Fernando wrote a great post on how to deal with this particular API architecture with a web services source. You can check it out here - Reverse entitlement aggregation for Web Services connector

You will need to modify the entitlement schema and set up a web services after operation rule in order to get this configured correctly.

Thanks,

Liam

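The situation discussed in this thread (the API only lists the users in a given group, so the per-account group attribute has to be built by inverting those lists) sketched in plain Python as an added example. It is not code from the thread, the linked post or SailPoint; the sample data, the `id` and `groups` field names and the `fetch_group_members` stand-in are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: members returned per group by a "list users in group" call.
GROUP_MEMBERS = {
    "grp-admins": ["u1001", "u1002"],
    "grp-finance": ["u1002", "u1003", "u9999"],  # u9999 has no account record
    "grp-empty": [],
}

# Constructed sample: accounts parsed from a /users response that has no group field.
ACCOUNTS = [{"id": "u1001"}, {"id": "u1002"}, {"id": "u1003"}, {"id": "u1004"}]


def fetch_group_members(group_id):
    """Hypothetical stand-in for the group-membership API call."""
    return GROUP_MEMBERS[group_id]


def build_user_group_index(group_ids, fetch_members):
    """Invert group -> members into user -> set of groups.

    Errors from fetch_members are deliberately not caught: a partial index
    would leave accounts with missing groups, the symptom seen in this thread.
    """
    index = defaultdict(set)
    for group_id in group_ids:
        for user_id in fetch_members(group_id):
            index[user_id].add(group_id)
    return index


def aggregate(accounts, group_ids, fetch_members, attr="groups"):
    """Return (accounts with the group attribute filled in, unmatched member ids)."""
    index = build_user_group_index(group_ids, fetch_members)
    known_ids = {account["id"] for account in accounts}
    enriched = []
    for account in accounts:
        row = dict(account)
        # Always emit the attribute; an empty list means "member of no group".
        row[attr] = sorted(index.get(account["id"], ()))
        enriched.append(row)
    unmatched = sorted(set(index) - known_ids)
    return enriched, unmatched


if __name__ == "__main__":
    rows, unmatched = aggregate(ACCOUNTS, list(GROUP_MEMBERS), fetch_group_members)
    for row in rows:
        print(row)
    print("members without an account record:", unmatched)
```

The index is built once per aggregation run, so the number of membership calls equals the number of groups rather than growing with the number of accounts.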
