I am working on creating a PowerShell script to create roles.

I am getting the error below when running this script, and it seems that the payload I am presenting is not working?

Invoke-RestMethod : {"messages":[{"localeOrigin":"DEFAULT","text":"The request could not be parsed.","locale":"en-US"},{"localeOrigin":"REQUEST","text":"The request could not be parsed.","locale":"en-US"}],"trackingId":"feda25d4ab0444c0ae779ecd5ff5089a","detailCode":"400.0 Bad request syntax"}
At C:\Users\admin_sdoll\Desktop\Sailpoint SB testing.ps1:85 char:1
+ Invoke-RestMethod -Method Post -Uri $fullUrl -Headers @{ Authorizatio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
C:\Users\admin_sdoll\Desktop\Sailpoint SB testing.ps1 : Failed to create role {"messages":[{"localeOrigin":"DEFAULT","text":"The request could not be parsed.","locale":"en-US"},{"localeOrigin":"REQUEST","text":"The request could not be parsed.","locale":"en-US"}],"trackingId":"2ee6ce2823d8456ab209d40a1cd6f8c8","detailCode":"400.0 Bad request syntax"}
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Sailpoint SB testing.ps1

Hi @sean_doll ,

Can you try the same request body that you are using in the PowerShell script from some other tool, like Postman?

Also, if possible, please share the request body that you are using. Please omit any sensitive data.

I tried this in Postman with this body.

{
  "name": "All Riverside-2280 Market St Staff",
  "description": "All Riverside-2280 Market St Staff",
  "owner": {
    "type": "IDENTITY",
    "id": "Group ID",
    "name": "SailPoint Services"
  },
  "entitlements": [
    {
      "type": "ENTITLEMENT",
      "name": "OU=Query Based Groups,OU=Company Groups,OU=User Accounts,DC=smactest,DC=com"
    }
  ],
  "membership": {
    "type": "STANDARD",
    "criteria": {
      "operation": "AND",
      "children": [
        {
          "operation": "EQUALS",
          "key": {
            "type": "IDENTITY",
            "property": "employmentStatus"
          },
          "stringValue": "Active",
          "children": [
            {
              "operation": "CONTAINS",
              "key": {
                "type": "ACCOUNT",
                "property": "distinguishedName",
                "sourceId": "smactest ID"
              },
              "stringValue": "Riverside-2280 Market St"
            }
          ]
        }
      ]
    }
  }
}


Error:

{
    "messages": [
        {
            "localeOrigin": "DEFAULT",
            "text": "A call from this server to another component has failed.",
            "locale": "en-US"
        },
        {
            "localeOrigin": "REQUEST",
            "text": "A call from this server to another component has failed.",
            "locale": "en-US"
        }
    ],
    "trackingId": "5e632d640ed34d3d801631d4f2161107",
    "detailCode": "500.1 Downstream error"
}

Is this for IIQ or IdentityNow?

Yes, this is for IdentityNow.

Here I do not see the ID of the entitlement. According to the error, it seems to be a missing attribute. Please go through the link and see if it helps.

Do you want to change the tag? It’s tagged to identityiq.

I can get this post to work and create a role with an entitlement; it is just when I add the membership criteria that I get a 400 bad request error.

This post works great:

{
  "name": "All Riverside-2280 Market St Staff",
  "description": "All Riverside-2280 Market St Staff",
  "owner": {
    "type": "IDENTITY",
    "id": "3add856765d2467b90a41f8cfb81e0cc",
    "name": "SailPoint Services"
  },
  "entitlements": [
    {
      "id": "39689387d8ae414995edfeaa4d69b36f",
      "type": "ENTITLEMENT",
      "name": "Users_IN_Riverside-2280 Market St"
    }
  ],
  "accessProfiles": [],
  "membership": null
}

This is when I get the errors. I am getting closer now, though.

[
  {
    "name": "All Riverside-2280 Market St Staff",
    "description": "All Riverside-2280 Market St Staff",
    "owner": {
      "type": "IDENTITY",
      "id": "3add856765d2467b90a41f8cfb81e0cc",
      "name": "SailPoint Services"
    },
    "entitlements": [
      {
        "id": "2c918082809fc7570180aa4428565394",
        "type": "ENTITLEMENT",
        "name": "Users_IN_Riverside-2280 Market St"
      }
    ],
    "accessProfiles": [],
    "membership": {
      "type": "STANDARD",
      "criteria": {
        "operation": "OR",
        "key": null,
        "stringValue": null,
        "children": [
          {
            "operation": "AND",
            "key": null,
            "stringValue": null,
            "children": [
              {
                "operation": "EQUALS",
                "key": {
                  "type": "IDENTITY",
                  "property": "attribute.location",
                  "sourceId": null
                },
                "stringValue": "Users_IN_Riverside-2280 Market St",
                "children": null
              },
              {
                "operation": "EQUALS",
                "key": {
                  "type": "IDENTITY",
                  "property": "attribute.cloudLifecycleState",
                  "sourceId": null
                },
                "stringValue": "Active",
                "children": null
              }
            ]
          }
        ]
      },
      "identities": null
    },
    "legacyMembershipInfo": null,
    "enabled": true,
    "requestable": false,
    "accessRequestConfig": {
      "commentsRequired": null,
      "denialCommentsRequired": null,
      "approvalSchemes": []
    },
    "revocationRequestConfig": {
      "approvalSchemes": []
    },
    "segments": [],
    "dimensional": null,
    "dimensionRefs": null
  }
]

Why are you keeping your Key as null when you want to add two conditions?

Can you try to use the base and then the children condition as an AND operation, because from your current condition it also looks like you want to have two criteria with an “and” condition.

Thanks

Try using the below sample for membership; otherwise, try the identity list once and see whether that allows you to create it.

"membership":{
    "type": "STANDARD",
    "criteria": {
        "operation": "AND",
        "key": {
            "type": "IDENTITY",
            "property": "attribute.location",
            "sourceId": null
        },
        "stringValue": "Users_IN_Riverside-2280 Market St",
        "children": [
            {
                "operation": "EQUALS",
                "key": {
                    "type": "IDENTITY",
                    "property": "attribute.cloudLifecycleState",
                    "sourceId": null
                },
                "stringValue": "Active",
                "children": null
            }
        ]
    },
    "identities": null
}

Creating the membership criteria is tricky. I recommend you create this role through the UI first, then use the API to get the details of that role. That will give you the scaffolding of how the membership criteria should look, which will make it easier to convert this to PowerShell.
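One way to carry that scaffolding into PowerShell, as an added example that is not the poster's script or SailPoint's code: the role is built as nested hashtables mirroring the shape the API returned for the UI-created role above, serialized with an explicit -Depth (the default of 2 flattens the leaf "key" objects into strings, which the API cannot parse), checked locally, and posted as a single object rather than the array a role list returns. The tenant URL, token, owner id and entitlement id are placeholders.

```powershell
# Added example, not the script from the thread. $baseUrl, $token and every '<...>'
# id are hypothetical placeholders to replace with real values from your tenant.
$baseUrl = 'https://<tenant>.api.identitynow.com'
$token   = '<access-token>'

# Leaf node: one comparison. Group node: AND/OR over children, no key/value of its own.
function New-Leaf([string]$Property, [string]$Value, [string]$Type = 'IDENTITY') {
    @{ operation = 'EQUALS'; stringValue = $Value; children = $null
       key = @{ type = $Type; property = $Property; sourceId = $null } }
}
function New-Group([string]$Op, [object[]]$Children) {
    @{ operation = $Op; key = $null; stringValue = $null; children = $Children }
}

# One role object (a POST takes a single role, not the array a GET of the list returns).
$role = @{
    name         = 'All Riverside-2280 Market St Staff'
    description  = 'All Riverside-2280 Market St Staff'
    owner        = @{ type = 'IDENTITY'; id = '<owner-identity-id>'; name = 'SailPoint Services' }
    entitlements = @(@{ type = 'ENTITLEMENT'; id = '<entitlement-id>'; name = 'Users_IN_Riverside-2280 Market St' })
    membership   = @{
        type     = 'STANDARD'
        criteria = New-Group 'AND' @(
            (New-Leaf 'attribute.location' 'Users_IN_Riverside-2280 Market St'),
            (New-Leaf 'attribute.cloudLifecycleState' 'Active')
        )
    }
}

# ConvertTo-Json defaults to -Depth 2; anything deeper is emitted as a string,
# which is one way to end up with "The request could not be parsed".
$body = $role | ConvertTo-Json -Depth 10

# Local sanity check before sending: each leaf "key" must still be an object.
$parsed = $body | ConvertFrom-Json
foreach ($leaf in $parsed.membership.criteria.children) {
    if ($leaf.key -isnot [pscustomobject]) { throw "criteria key flattened to string: $($leaf.key)" }
}

$headers = @{ Authorization = "Bearer $token" }
try {
    Invoke-RestMethod -Method Post -Uri "$baseUrl/v3/roles" -Headers $headers `
        -ContentType 'application/json' -Body $body
} catch {
    # ErrorDetails.Message carries the API's JSON error (messages, trackingId, detailCode).
    Write-Error ("Failed to create role: " + $_.ErrorDetails.Message)
}
```

Keeping the trackingId from the error body is worth doing: it is the value support can use to locate the failed request on their side.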
