Hi Team,
I’m working with the Certification APIs in SailPoint IdentityNow (ISC) and facing a challenge around user context and audit attribution.
Current Setup:
- I'm using a client credentials (service account) token to call:
  - Certification Decision API (/certifications/{id}/decisions)
  - Certification Sign-off API (/certifications/{id}/sign-off)
- Both APIs are working as expected from a functional perspective.

Issue:
- All actions (decisions and sign-offs) are being recorded as performed by the service account.
- However, the actual decision is made by a reviewer (human user), and I need that user to be reflected in the audit report.

Requirement:
- Execute both decision and sign-off actions such that they are attributed to the actual reviewer.
- Maintain accurate audit/compliance records and reports showing the real decision maker.

Challenges Observed:
- The client credentials flow does not include user context.
- ISC workflows do not seem to expose the reviewer's access token or session context.
- I don't see a supported way to impersonate a user via the Certification APIs.

Questions:
- Is there any supported way to invoke the Decision and Sign-off APIs so that actions are recorded under the reviewer's identity instead of the service account?
- Can user context be passed or derived in any way (e.g., via identityId, headers, or workflow context)?
- Are the Authorization Code flow or PAT tokens the only supported approaches to achieve reviewer-level attribution?
- How are others handling this in automation scenarios (e.g., workflows, external apps) where decisions are triggered programmatically?
I need to ensure that certification decisions and sign-offs are attributed to the actual reviewer, not to a technical/service identity.
Any insights or recommendations would be greatly appreciated.
Thanks in advance!