How to Add entitlement to identity via API with custom workflow

Hello folks,
I am new to IdentityIQ and would like to validate if there is an example of a workflow I can use to add an entitlement to an identity via API.
I have read in another post (Add entitlement to identity via API) that this is possible through the execution of a custom workflow and I would like to validate if anyone in the community has an example from which they can guide me to achieve this goal.
Thanks.

Hi @charlieferdinand,

You’re on the right track! Adding entitlements to an identity via API in SailPoint IdentityIQ does typically involve a custom workflow. The core idea is that you’ll use an API call to trigger a custom workflow in IdentityIQ, and that workflow will then construct and execute a provisioning plan to add the entitlement.

1. The “Why” behind Custom Workflows for API-driven Entitlement Addition

Directly adding an entitlement to an identity via a simple API call is generally not how IdentityIQ works for complex provisioning. IdentityIQ’s strength lies in its governance and lifecycle management features. When you provision access, you usually want to:

  • Enforce Policies: Check for Separation of Duties (SoD) violations or other organizational policies.
  • Trigger Approvals: If the entitlement requires approval, send it through an approval workflow.
  • Audit and Track: Log the request, approval, and provisioning status for auditing purposes.
  • Handle Provisioning Logic: Execute the correct connector operations to add the entitlement on the target system (e.g., add a user to an Active Directory group, assign a role in an application).

You can use an API call like the one below to add an entitlement by calling the SCIM LaunchedWorkflows API.

Method Type : POST
Sample Endpoint URL : http://localhost:8080/identityiq/scim/v2/LaunchedWorkflows
Sample Body:

{
  "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow": {
    "workflowName": "LCM Provisioning",
    "input": [
      {
        "key": "plan",
        "value": "<ProvisioningPlan>\n  <AccountRequest application=\"Active Directory\" op=\"Modify\">\n      <AttributeRequest name=\"memberOf\" op=\"Add\" value=\"CN=All_Employees,OU=DemoGroups,DC=test,DC=demo,DC=com\">\n  </AttributeRequest> \n  </AccountRequest>\n </ProvisioningPlan> \n",
        "type": "application/xml"
      },
      {
        "key": "identityName",
        "value": "1000101"
      }
    ]
  }
}

I’m just curious; is there a reason that you are posting AI created answers, especially when they aren’t answering the question?

The forums are more for answers from experience users have to specific questions. The poster can use AI themselves to get AI answers.

Hi @LarryG ,

If you look at my previous topic answers, for example "Custom Report for Orphan Accounts", people questioned me in a similar way. However, I have tested thoroughly and provided accurate information with screenshots and working code, even when others provided incorrect answers or information and questioned my responses.

I will provide a complete document for this topic as well, drawing on my own knowledge and experience, and including working code.

Hi @LarryG @charlieferdinand

My sincere apologies, as my first response does not answer the question or ask. I will provide the complete document with test screenshots and working code, which will be more accurate to the topic.

But going forward I will make sure to provide accurate information.

Hi Larry,

My apologies because I didn’t know that this space is just for this. (The forums are more for answers from experience users have to specific questions. The poster can use AI themselves to get AI answers.)
I will avoid further misuse of this forum and will try to investigate further any IdentityIQ issues and prevent you from having to read this type of post.

You used the forum correctly. You asked a question looking for an answer. That’s what the forums are for. My only question was in someone posting an AI answer rather than one that they had experience with.

I’m sorry I ever questioned the answer provided.

No one should be deterred from using the forum.

You can create a plan and pass it to the Provisioner workflow, or call the Provisioner API to execute this plan:

<ProvisioningPlan>
  <AccountRequest application="LDAP" op="Modify">
    <Attributes>
      <Map>
        <entry key="attachmentConfigList"/>
        <entry key="attachments"/>
        <entry key="flow" value="AccessRequest"/>
        <entry key="id" value="c0a8017397281e60819728dbe09700a7"/>
        <entry key="interface" value="LCM"/>
        <entry key="operation" value="EntitlementAdd"/>
      </Map>
    </Attributes>
    <AttributeRequest assignmentId="90ff013086234610b5e7150a72196a80" displayValue="LdapEnt" name="group" op="Add" value="dept">
      <Attributes>
        <Map>
          <entry key="assignment" value="true"/>
        </Map>
      </Attributes>
    </AttributeRequest>
  </AccountRequest>
</ProvisioningPlan>
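As an added example that is not code from either post or from SailPoint, the Python client below ties the two answers together: it builds a ProvisioningPlan like the ones shown (the plain memberOf Add from the first answer, or the LCM-style plan from the last post with request-level attributes and the assignment flag), wraps it in the SCIM LaunchedWorkflow body, and posts it to the LaunchedWorkflows endpoint. The plan is built with ElementTree rather than string concatenation so that a group DN containing `&` or `"` is escaped instead of corrupting the plan, and plan_summary() gives a pre-flight view of exactly which attribute changes are about to be provisioned. The host name, the credentials, the identity name and the `application/scim+json` media type are assumptions; only the body shape and the input keys (`plan`, `identityName`) come from the thread.

```python
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

# Assumed values for a demo instance; replace with your own. Use HTTPS so the
# basic-auth credentials and the plan are not sent in the clear.
SCIM_LAUNCHED_WORKFLOWS = "https://iiq.example.test/identityiq/scim/v2/LaunchedWorkflows"
LAUNCHED_WORKFLOW_SCHEMA = "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow"


def build_plan_xml(application, attribute, value, op="Add",
                   request_attributes=None, assignment=False):
    """Serialise a ProvisioningPlan with one AccountRequest/AttributeRequest.

    request_attributes becomes the <Attributes><Map> on the AccountRequest
    (e.g. flow/interface/operation as in the LCM plan above); assignment=True
    adds the <entry key="assignment" value="true"/> marker on the
    AttributeRequest. ElementTree escapes attribute values for us.
    """
    plan = ET.Element("ProvisioningPlan")
    acct = ET.SubElement(plan, "AccountRequest", application=application, op="Modify")
    if request_attributes:
        amap = ET.SubElement(ET.SubElement(acct, "Attributes"), "Map")
        for key, val in request_attributes.items():
            ET.SubElement(amap, "entry", key=key, value=val)
    attr = ET.SubElement(acct, "AttributeRequest", name=attribute, op=op, value=value)
    if assignment:
        smap = ET.SubElement(ET.SubElement(attr, "Attributes"), "Map")
        ET.SubElement(smap, "entry", key="assignment", value="true")
    return ET.tostring(plan, encoding="unicode")


def plan_summary(plan_xml):
    """Parse a plan back and list (application, attribute, op, value) per change.

    Useful as a pre-flight check or audit log line before launching the workflow.
    """
    root = ET.fromstring(plan_xml)
    changes = []
    for acct in root.iter("AccountRequest"):
        for attr in acct.iter("AttributeRequest"):
            changes.append((acct.get("application"), attr.get("name"),
                            attr.get("op"), attr.get("value")))
    return changes


def build_launch_body(workflow_name, identity_name, plan_xml):
    """Wrap the plan in the SCIM LaunchedWorkflow body shape used in the thread."""
    return {
        LAUNCHED_WORKFLOW_SCHEMA: {
            "workflowName": workflow_name,
            "input": [
                {"key": "plan", "value": plan_xml, "type": "application/xml"},
                {"key": "identityName", "value": identity_name},
            ],
        }
    }


def launch_workflow(body, username, password, url=SCIM_LAUNCHED_WORKFLOWS):
    """POST the body to LaunchedWorkflows and return the parsed JSON reply.

    Network call, not exercised offline. Media type is an assumption (SCIM's
    RFC 7644 type); plain application/json is commonly accepted as well.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/scim+json",
                 "Accept": "application/scim+json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Same request as the first answer: add an AD group to identity 1000101.
    xml = build_plan_xml("Active Directory", "memberOf",
                         "CN=All_Employees,OU=DemoGroups,DC=test,DC=demo,DC=com")
    print("About to provision:", plan_summary(xml))
    print(json.dumps(build_launch_body("LCM Provisioning", "1000101", xml), indent=2))
    # launch_workflow(body, "spadmin", "<password>")  # needs a live instance
```

Launching "LCM Provisioning" this way still sends the request through the normal LCM flow, so SoD checks and approvals configured for that workflow apply; if you call the Provisioner API directly from a custom workflow instead, those governance steps are bypassed unless you add them yourself.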