How to Load Full Account Object in a Before Operation Rule for Web Services Connector (Get Object)

I’m configuring a Web Services connector in SailPoint Identity Security Cloud to integrate with the Delinea Platform. The connector uses the Get Platform Users API endpoint, which returns all users. This endpoint supports filtering via a filter query parameter, which can be used to narrow results by username.

In my configuration, I’ve chosen to use the user’s UUID as the native identifier (nativeIdentity) since it is the unique key used across other Delinea API endpoints.

I’m now writing a Before Operation Rule for the Get Object operation. My goal is to dynamically modify the request to include a filter using the username, but to do that, I need to load the full account object (or at least retrieve the username) based on the UUID that SailPoint is using to initiate the request.

Question:
In the context of a Before Operation Rule for the Get Object operation, how can I programmatically retrieve the full account object (or its attributes) using the nativeIdentity (UUID) that SailPoint is passing in? The resulting URL should look like this: /identity/api/entities/platformusers?filter=username

Any guidance or code examples would be greatly appreciated!

You can apply the filter in the UI itself. Use

/identity/api/entities/platformusers?filter=$getObject.nativeIdentity$

in the context URL.

1 Like

The account’s nativeIdentity is the UUID, and the filter only accepts the account’s name, so I need something like

/identity/api/entities/platformusers?filter=$getObject.name$

but $getObject.name$ does not work.

Hi Yusuf,

Could you please let us know at which operation you want the username?

My goal is to be able to Aggregate an Account using the UI. This will be done after Remove an Entitlement tied to the account.

To clarify:

The API doesn’t support a call that’ll get the Account by AccountID (which is the nativeIdentifier), but it does support a call to get All Accounts and filter by Account Name (which is an attribute on the Account).

One thing I am considering is to make a SailPoint API call, GET /accounts/{id}, from within the Rule.

I think your approach should work.

Hi Yusuf. I do not know if it is the best answer, but you can call the ISC API inside your WS Before Provisioning Rule. Besides being discouraged, you will have to put the id/secret in your code (or in the source), and it should be visible to anyone with admin level.

If you store the credentials as attributes in the source you can add these to the encrypted list.

1 Like

Hi Yusuf, I dealt with this problem last week and found a workaround. I found that attributes in a provisioning policy are added to the plan only when their values are modified.

So, what I did was concatenate all the attributes I needed, with a random number at the end, forcing the value to always change. This worked for me; now this fake attribute is always present in my rule, so I can use any identity attribute.

This is my provisioning policy:

{
    "name": "update account",
    "description": null,
    "usageType": "UPDATE",
    "fields": [
        {
            "name": "ISCATTRIBUTES",
            "transform": {
                "attributes": {
                    "values": [
                        {
                            "type": "firstValid",
                            "attributes": {
                                "values": [
                                    {
                                        "type": "identityAttribute",
                                        "attributes": {
                                            "name": "displayName"
                                        }
                                    },
                                    {
                                        "type": "static",
                                        "attributes": {
                                            "value": "NULL"
                                        }
                                    }
                                ]
                            }
                        },
                        "-",
                        {
                            "type": "firstValid",
                            "attributes": {
                                "values": [
                                    {
                                        "type": "identityAttribute",
                                        "attributes": {
                                            "name": "identificationNumber"
                                        }
                                    },
                                    {
                                        "type": "static",
                                        "attributes": {
                                            "value": "NULL"
                                        }
                                    }
                                ]
                            }
                        },
                        "-",
                        {
                            "type": "firstValid",
                            "attributes": {
                                "values": [
                                    {
                                        "type": "identityAttribute",
                                        "attributes": {
                                            "name": "personalEmail"
                                        }
                                    },
                                    {
                                        "type": "static",
                                        "attributes": {
                                            "value": "NULL"
                                        }
                                    }
                                ]
                            }
                        },
                        "-",
                        {
                            "type": "firstValid",
                            "attributes": {
                                "values": [
                                    {
                                        "type": "identityAttribute",
                                        "attributes": {
                                            "name": "email"
                                        }
                                    },
                                    {
                                        "type": "static",
                                        "attributes": {
                                            "value": "NULL"
                                        }
                                    }
                                ]
                            }
                        },
                        "-",
                        {
                            "type": "firstValid",
                            "attributes": {
                                "values": [
                                    {
                                        "type": "identityAttribute",
                                        "attributes": {
                                            "name": "uid"
                                        }
                                    },
                                    {
                                        "type": "static",
                                        "attributes": {
                                            "value": "NULL"
                                        }
                                    }
                                ]
                            }
                        },
                        "-",
                        {
                            "attributes": {
                                "length": "1"
                            },
                            "type": "randomNumeric"
                        }
                    ]
                },
                "type": "concat"
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

In my case, some attributes can come empty, so I wrapped them in a firstValid transform.

In your rule, simply get this attribute value, parse the values between the delimiters (“-”) and use them.
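
The parsing step described in the last post, as an added example that is not part of the original thread: standalone Java that splits the packed ISCATTRIBUTES value and rejects it when a field itself contains the "-" delimiter (hyphenated names, e-mail domains). The class and method names are hypothetical, the sample strings are constructed, and how the rule obtains the attribute value is left out.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class IscAttributesParser {
    // Field order matches the concat transform in the provisioning policy above.
    static final String[] FIELDS = {
        "displayName", "identificationNumber", "personalEmail", "email", "uid"
    };
    static final String DELIMITER = "-";
    static final String NULL_MARKER = "NULL"; // static fallback of each firstValid

    /** Splits the packed value; throws when the delimiter count is ambiguous. */
    static Map<String, String> parse(String packed) {
        if (packed == null) {
            throw new IllegalArgumentException("ISCATTRIBUTES is missing");
        }
        // limit -1 keeps trailing empty strings so the count check is exact
        String[] parts = packed.split(Pattern.quote(DELIMITER), -1);
        // Expect the five fields plus the trailing randomNumeric digit.
        if (parts.length != FIELDS.length + 1) {
            throw new IllegalArgumentException(
                "expected " + (FIELDS.length + 1) + " parts, got " + parts.length
                + " (a value probably contains the delimiter)");
        }
        if (!parts[FIELDS.length].matches("\\d")) {
            throw new IllegalArgumentException("trailing random digit not found");
        }
        Map<String, String> out = new LinkedHashMap<>();
        for (int i = 0; i < FIELDS.length; i++) {
            // Map the policy's NULL placeholder back to a real null
            out.put(FIELDS[i], NULL_MARKER.equals(parts[i]) ? null : parts[i]);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real data.
        String ok = "Jane Doe-NULL-NULL-jane.doe@example.com-jdoe-7";
        System.out.println(parse(ok));
        // A hyphenated display name shifts every later field by one position.
        String ambiguous = "Mary-Jane Doe-12345-NULL-mj@example.com-mjdoe-3";
        try {
            parse(ambiguous);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because every field always carries a value or the NULL placeholder, any part count other than six means a value contained "-". Using a delimiter that cannot occur in names or e-mail addresses avoids the rejection.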