How to Configure Entitlement Removal for Composite Key in SaaS Connector During Manager Certification?

I’m integrating SailPoint Identity Security Cloud (ISC) with a SaaS application that uses composite keys for entitlements, and I need guidance on configuring entitlement removal during Manager certification campaigns.

Use Case:
Each user in the SaaS app has one or more roleProducts, which are combinations of a role and a product. A sample response from the app’s GET /user/{userId}/role-products endpoint looks like this:

{
  "items": [
    {
      "role": { "id": 1, "name": "Preparer" },
      "product": { "id": "A", "name": "Account" }
    }
  ],
  "totalItems": 1
}

My Approach So Far:

  • I created an entitlement type called roleProduct with the following attributes:
    • id = <roleId>:<productId> (e.g., 1:A)
    • name = <roleName> <productName> (e.g., Preparer Account)
    • roleId and productId as separate attributes
  • In the account schema, I defined a multi-valued entitlement attribute roleProducts.
  • I’ll use a customizer:
    • afterAccountRead to populate roleProducts with roleId:productId values.
    • afterEntitlementRead to populate the roleProduct entitlement metadata.

The Challenge:
When a manager revokes a roleProduct entitlement during a certification campaign, I want the connector to call the following API:

DELETE /user/{userId}/role-products?roleId=<roleId>&productId=<productId>

I’ve created an HTTP Operation named “Remove User RoleProduct”, but I’m unsure how to configure the context URL so that it parses the roleId and productId from the entitlement ID (roleId:productId).

Specific Questions:

  1. How can I extract roleId and productId from the entitlement ID (1:A) in the context URL or request body?
  2. Is there a way to use a customizer or transform to split the ID before the HTTP Operation executes?
  3. I noticed there’s no beforeEntitlementRemove hook in the customizer—what’s the recommended way to handle this kind of transformation before the entitlement is removed?

Any guidance or examples would be greatly appreciated!

Hi Yusuf,

This is an excellent and challenging problem with SaaS Web Service Connector in ISC. Your approach is spot on.

Maybe there is a built-in way to handle this without needing a customizer.

Try modifying the URL as below to split the incoming entitlement ID, assuming plan.roleProduct contains the composite key (“1:A”):

/user/$plan.nativeIdentity$/role-products?roleId=$.split($plan.roleProduct$, ":")[0]$&productId=$.split($plan.roleProduct$, ":")[1]$

Perhaps the key is not in plan.roleProduct; this is usually the account attribute you marked as entitlement. You can potentially find it in the logs by enabling debug.

Let us know if the split actually worked :wink:

Good luck

1 Like

I ended up replacing the SaaS connector with Web Services connector. Then I wrote a BeforeOperationRule that changed the endpoint’s full URL.

1 Like
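
The splitting step this thread revolves around, written out as an added example; it is not code from any post above and not SailPoint SDK code. It turns the revoked `roleId:productId` values into the `DELETE /user/{userId}/role-products` paths and validates each half of the key instead of splitting blindly, so a malformed value cannot add query parameters or revoke a different pair. The `AttributeChange` shape, the function names and the id allow-list are assumptions.

```typescript
// Added example. All names here are hypothetical, not SailPoint SDK identifiers.
interface AttributeChange {
  op: "Add" | "Remove" | "Set";
  attribute: string;
  value: string | string[];
}

// Assumption: each half of the key is a short alphanumeric id, like the
// page's sample "1:A". Tighten or loosen to match the application's real ids.
const ID_PART = /^[A-Za-z0-9_-]{1,64}$/;

// Split "<roleId>:<productId>" and reject anything that is not exactly two
// well-formed parts, so "1:A:B" or "1:A&productId=Z" is never guessed at.
function parseRoleProductId(id: string): { roleId: string; productId: string } {
  const parts = id.split(":");
  const roleId = parts[0] ?? "";
  const productId = parts[1] ?? "";
  if (parts.length !== 2 || !ID_PART.test(roleId) || !ID_PART.test(productId)) {
    throw new Error("Malformed roleProduct id: " + JSON.stringify(id));
  }
  return { roleId, productId };
}

// Build one DELETE path per revoked roleProduct. Every value is parsed before
// anything is returned, so a single malformed value fails the whole request
// instead of yielding a partial revocation list.
function buildRevokePaths(userId: string, changes: AttributeChange[]): string[] {
  if (userId.length === 0) throw new Error("Missing user id");
  const paths: string[] = [];
  for (const change of changes) {
    if (change.op !== "Remove" || change.attribute !== "roleProducts") continue;
    const values = Array.isArray(change.value) ? change.value : [change.value];
    for (const value of values) {
      const { roleId, productId } = parseRoleProductId(value);
      paths.push(
        "/user/" + encodeURIComponent(userId) + "/role-products" +
        "?roleId=" + encodeURIComponent(roleId) +
        "&productId=" + encodeURIComponent(productId)
      );
    }
  }
  return paths;
}

// Constructed sample: a certification revoke of two roleProducts.
const sampleChanges: AttributeChange[] = [
  { op: "Remove", attribute: "roleProducts", value: ["1:A", "2:B"] },
  { op: "Add", attribute: "roleProducts", value: "3:C" },
];
```

Raising an error on a malformed key surfaces the failed revocation to the caller, which matters in a certification campaign where a silently skipped DELETE leaves access in place.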
