Grouping multiple entitlement requests into a single request

We have Guidewire applications as our target. The limitation with these target applications is that there is a concurrency issue when multiple requests hit the target. Now, there are 3 different types of entitlements, and the requirement is to send all three in a single request instead of 3 separate requests to avoid that concurrency issue. We know that in a create request we can send multiple entitlements, but that is for the same type of entitlement; in case there are different types, IDN generates different requests. Is there any way in IDN to combine these different types of entitlements into a single request for create or add/remove entitlement operations?

For example: x group, y role, z authority are the 3 different types of entitlements that, when requested together, can be sent in a single request in a format like the one below:

{
  "createUser": {
    "details": {
      "group": ["group:1", "group:2"],
      "role": ["role:1", "role:2"],
      "authority": {"id": "authority:1"},
      "email": "[email protected]",
      "FirstName": "Nupur"
    }
  }
}

Note: 1 entitlement is mapped to only 1 Access Profile and there are no pre-defined combinations that can be used to group multiple of these entitlements into 1 access profile.

Hi @mohan98 ,

From your post, I assume that your requirement is specific to the Create use case, where the API supports passing all the entitlement details in a single API call.

You can check the flag "Create Account with Ent Request" to tell SailPoint that the Create endpoint also handles the granting of entitlements.

When this is checked, SailPoint only calls the Create Account API when the request is for account creation, and you can specify the create account body as per your API, e.g.:
{
  "createUser": {
    "details": {
      "group": $plan.group$,
      "role": $plan.role$,
      "authority": {"id": "authority:1"},
      "email": "$plan.email$",
      "FirstName": "$plan.firstname$"
    }
  }
}

You can also use a Webservice BeforeOperation rule to modify your request body based on the provisioningPlan details.

Regards,
Uday Kilambi
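
The BeforeOperation rule approach mentioned in the reply above, shown as an added example (not code from the thread or from SailPoint): it builds the single `createUser` body from every attribute request in the plan. It assumes Gson is available to connector rules, that the Create Account operation has a JSON body configured, that the plan handed to the rule contains all three entitlement types, and that the attribute names match the JSON in the thread.

```java
// Added example: BeanShell body of a Web Services BeforeOperation rule on the
// Create Account operation. requestEndPoint and provisioningPlan are injected.
// Assumptions: Gson is on the rule classpath; plan attribute names are
// group, role, authority, email, firstname (taken from the thread's JSON).
import java.util.*;
import com.google.gson.Gson;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

List groups = new ArrayList();
List roles = new ArrayList();
Map details = new LinkedHashMap();
List accounts = provisioningPlan.getAccountRequests();
if (accounts == null) accounts = new ArrayList();
for (AccountRequest acct : accounts) {
  List attrs = acct.getAttributeRequests();
  if (attrs == null) continue;
  for (AttributeRequest attr : attrs) {
    Object value = attr.getValue();
    // A create body only carries grants: skip empty values and removals.
    if (value == null || ProvisioningPlan.Operation.Remove.equals(attr.getOperation())) continue;
    List values = (value instanceof List) ? (List) value : Collections.singletonList(value);
    if (values.isEmpty()) continue;
    String name = attr.getName();
    if ("group".equals(name)) groups.addAll(values);
    else if ("role".equals(name)) roles.addAll(values);
    else if ("authority".equals(name)) {
      Map authority = new LinkedHashMap(); // the thread's body has one authority object
      authority.put("id", values.get(0));
      details.put("authority", authority);
    } else if ("email".equals(name)) details.put("email", values.get(0));
    else if ("firstname".equals(name)) details.put("FirstName", values.get(0));
  }
}
details.put("group", groups);
details.put("role", roles);
Map createUser = new LinkedHashMap();
createUser.put("details", details);
Map payload = new LinkedHashMap();
payload.put("createUser", createUser);

// Serialise with Gson rather than string concatenation so attribute values
// are escaped and cannot break or alter the JSON structure.
Map body = requestEndPoint.getBody();
body.put("jsonBody", new Gson().toJson(payload));
requestEndPoint.setBody(body);
return requestEndPoint;
```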

We already have this flag enabled. It does work, but only for a single type of entitlement. Let's say we request 2 group-type entitlements, one authority and one role together. In this case, IDN can send the 2 groups in the combined create request (already implemented in other integrations), and the others that are of different types will be added using add entitlement operations for their respective types, even though we have them all in one create request as given below:

{
  "group": $plan.group$,
  "role": $plan.role$,
  "authority": {
    "PublicID": "$plan.authority$"
  }
}

That's strange. It shouldn't have worked like that. I implemented an application where 3 types of entitlements are processed with only the Create Account operation.

In your case, do you mean a few entitlements, say group and role, are processed through create account, but the other type, authority, is still invoking the add entitlement API?

Also, have you tried updating the total request body based on the data in provisioningPlan using a webservice before operation rule?

Can you provide an example source definition or HTTP operation definition showing how you were able to achieve it?
