How to change attribute "nativeIdentity" on a user's Identity using Postman?

Hey All,

Hoping someone can assist here - I am going to make a long story short, but if I need to go into more details I can elaborate.

I am attempting to use either the PUT or PATCH within the APIs under Account and focusing on Update Account.

Is it possible to update someone’s “nativeIdentity” attribute using one of these calls?

I had found a previous discussion on here which was saying that in the PUT Update Account you could use the example below for a rule (the rule being beforeProvisioningRule):


[
    {
        "op": "replace",
        "path": "/beforeProvisioningRule",
        "value": {
            "type": "RULE",
            "id":"<rule id>",
            "name": "<rule name>"
        }
    }
]

Can this same call be used for attributes and specifically the “nativeIdentity” attribute?

I have attempted that format in a multitude of ways, but getting the error of it not being parsed correctly - please see my horrible example below. NOTE: The ID and Name are fake… just to clarify.


[
    {
        "op": "replace",
        "path": "/nativeIdentity",
        "value": {
            "type": "attributes",
            "id": "12345678912345567",
            "name": "John Doe"
        }
    }
]

Attempting to update the last name of a user because they had a name change and a new hire is coming in with the same name as the old name of the user that had the name change - causing a clash, being the original user's SailPoint identity did not update.

Just trying to manually update on the back end if possible - all other source data updated for them.

Thanks!!

Hey Shane!

You’re on the right track, but there are some questions we have to address before we can proceed.

First, we need to identify your source type for the source on which this account you’re trying to update is. Accounts can only be updated via the API if they are accounts on a Delimited File source type; any other source type cannot have accounts updated via the Method with the API. Additionally, the Method can only target two fields for Accounts: identityId and manuallyCorrelated, so we can count that method out for this use case.

If your source type is Delimited File, then you can use the API to manage the account information. If your source type is not Delimited File, then you will have to update the information in the source and trigger Account Aggregation for Identity Security Cloud to aggregate the changes.

Can you confirm the source type before we proceed?

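An added example (not part of the original posts and not SailPoint code): a pre-flight check that applies the two constraints from the answer above to a JSON Patch body before it is sent from Postman or a script. The source-type label `"Delimited File"` is taken from the thread rather than from an API enum, and applying the two-field limit to the JSON Patch body is an assumption, since the answer does not name the method; the function and constant names are hypothetical.

```python
import json

# Constraints as stated in the answer above; the literal strings are assumptions.
PATCHABLE_SOURCE_TYPE = "Delimited File"   # label used in the thread
PATCHABLE_PATHS = {"/identityId", "/manuallyCorrelated"}
JSON_PATCH_OPS = {"add", "remove", "replace", "move", "copy", "test"}  # RFC 6902

# The body from the question (ID and name are the poster's fake values).
ATTEMPTED_BODY = """[{"op": "replace", "path": "/nativeIdentity",
  "value": {"type": "attributes", "id": "12345678912345567", "name": "John Doe"}}]"""

# Constructed sample: a body that stays within the two allowed fields.
ALLOWED_BODY = '[{"op": "replace", "path": "/manuallyCorrelated", "value": true}]'


def check_account_patch(body, source_type):
    """Return a list of problems; an empty list means the body passes these checks."""
    problems = []
    if source_type != PATCHABLE_SOURCE_TYPE:
        problems.append(
            f"source type {source_type!r}: change the data in the source "
            "and run Account Aggregation instead"
        )
    try:
        ops = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(ops, list):
        return problems + ["a JSON Patch body must be an array of operations"]
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            problems.append(f"op {i}: not a JSON object")
            continue
        if op.get("op") not in JSON_PATCH_OPS:
            problems.append(f"op {i}: unknown op {op.get('op')!r}")
        if op.get("path") not in PATCHABLE_PATHS:
            problems.append(f"op {i}: path {op.get('path')!r} is not an updatable account field")
        if op.get("op") in {"add", "replace", "test"} and "value" not in op:
            problems.append(f"op {i}: {op.get('op')} requires a value")
    return problems


if __name__ == "__main__":
    for label, body, src in [("attempted", ATTEMPTED_BODY, "Workday"),
                             ("allowed", ALLOWED_BODY, "Delimited File")]:
        print(label, check_account_patch(body, src) or "ok")
```
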

If you change nativeIdentity on an identity in a Delimited File source, wouldn’t the new value be overwritten as soon as another CSV-file is aggregated, given that the new nativeIdentity value has not been added to the CSV manually?

Hey Brennen,

So the source we are attempting to target would be our SailPoint source… if that makes sense - so when going into an Identity and under Accounts tab, it would be the SailPoint account in our setup. In other words, their identity itself but it exists as an account on the Accounts tab. Idk if this helps, but our Authoritative Source (IdentityProfile) is Workday which drives said data into SailPoint.

That being said, from what it sounds like, this setup is NOT a Delimited File and I would not be able to utilize the PUT and PATCH methods. I would need to focus on getting it corrected from the Authoritative Source in the case. Am I on the right track?

And THANK YOU so much for your response and guidance!

Hey @Shane_Graver, that makes sense, absolutely. I appreciate your patience with my response; I was out last Thursday and Friday. With that information you provided, I want to clarify some important points below:

  1. The SailPoint Account will be assigned to every single user that has an Identity in Identity Security Cloud. This is because the Identity within Identity Security Cloud itself is considered to be an account. The attributes of this “account” are inherited from the Identity Attributes for that identity. If you are trying to change information for the account for SailPoint itself, you will have to change the attributes of the Identity. In order to do that, you will need to update the account information on the accounts used for the identity attribute mappings.
  2. The nativeIdentity attribute for accounts is the property within the source Account Schema that has been designated as the Account ID. This is a unique attribute between all accounts on that source.

Example

As an example, Active Directory’s default Account ID is the DN or DistinguishedName property. For HR sources such as Workday or others, the AccountID can be configured to be the user’s unique Employee ID.

You can change the Account ID on any given source by configuring the schema. This is probably not the direction you want to go in, but this is just extra information. You will see which attribute in your schema for any given source is the Account ID by seeing the tag next to the property name, like below:

image

The SailPoint source account works a little differently since it isn’t an account from an actual source, but is an account for SailPoint Identity Security Cloud itself. The nativeIdentity property for this account would be the identity’s uid attribute.

Direction

The following two points will sum everything up and provide direction for what you’re trying to achieve:

  1. You cannot use any API endpoints or methods to adjust the nativeIdentity attribute on sources that are not a Delimited File source type. So, let’s proceed to point 2.
  2. If you’re trying to update the nativeIdentity attribute for a user’s SailPoint account, that means you are trying to update that user’s uid attribute in their Identity. In order to do that, you will have to identify which attribute and which transform (if applicable) are being used in the Identity Attribute Mapping configuration for that identity’s Identity Profile. Once identified, you will have to find the source whose attribute is being used as the identity’s uid and update that attribute as needed within the source itself, rather than the identity. The changes to that account attribute will then reflect in the Identity.

Warning

Updating a user’s SailPoint Username (uid identity attribute) may cause unintended confusion for affected users. Make sure the users affected by these changes are aware of their new username.

Hey Brennen,

This is both very useful information and has actually assisted us in determining the root cause and a fix, of sorts. Going to do some more investigating on our end and talking to our CSM in regards to why the issue we are fixing is happening.

That being said, we greatly appreciate your responses and information. You have greatly helped us! Thanks!!

  • Shane