IDN account permissions


I’ve recently discovered you can run a certification campaign against IDN assignedGroups attribute (think ORG_ADMIN, CERT_ADMIN etc) since these can be found in search via (indices: ENTITLEMENTS).
I’ve done a test campaign and can confirm these are revoked automatically if triggered.

That got me thinking - why can we not turn these entitlements into access profiles that could then leverage other available parts of the product like approval flows & roles?

I dug around in the UI and there’s no way to include any of these entitlements in an access profile since the source “IdentityNow” is not visible/accessible via UI.

You can create an access profile like this via the beta API (haven’t tested v2) after you fetch the entitlement info via search endpoint but as I discovered, this causes to display a blank page as will now return a 500 (I assume because v2 endpoints can’t see/interact with the “IdentityNow” source and get a NULL on the source ID for the newly created access profile).

Should I post this in the ideas portal and has anyone else thought of a solution? It’s a little silly having to use an external ticketing system to manage IDN admin permissions.

1 Like

You can create an IdentityNow source which uses a WebServices connector (this is what we call a "LoopBack Connector). The connector uses the IDN REST APIs to aggregate identities as accounts and the “assignedGroups” as the entitlements (basically, IDN aggregates from itself). Once IDN is represented as a source with accounts and entitlements, then you can create Access Profiles around them, just like with any other source.


Thanks Paulo, I’ll give this a try.