IdN Identity disabling via Workflow - any sample of JSON code?

Hi,
I am wondering if the user Identity (IdN native identity record) could be disabled via Workflow process in IdentityNow.
Any Workflow JSON fragment of code for that or a WF sample will be very useful if someone could help with that.

I am trying to have a simple WF
IF Identity attribute eq ‘AAA’ THEN <= as a sample: IF Identity LCM status = “AAA”
Identity DISABLE
ELSE
identity ENABLE

Thanks in advance

So, am I correct that disabling the Identity itself (not the linked accounts) is not possible to automate? @colin_mckibben, @kevin_chang ?

Hi Dmitri,

Disabling identities is currently not an available action in workflows, and there is no beta/v3 API for doing this either. The UI item you referenced is powered by a private API that requires a different GUID for identities than our v3 APIs use. Engineering is working on a v3 API collection for identities that will eventually support enable/disable operations. This is a valid use case, and one we will eventually support.

Here are the relevant API calls you need to do this.

CAUTION: /cc APIs weren’t designed for public use, and SailPoint offers no guarantees that they won’t change without notice. Please use with caution.

Start by getting the old ID of the user, using the user’s email address as a search key.

GET https://{tenant}.api.identitynow.com/cc/api/user/list?filters=[{"property":"email","operation":"EQ","value":"[email protected]"}]

This will return the following body:

{
    "total": 1,
    "items": [
        {
            "id": "3498063",
            "name": "Amanda Ross",
            "displayName": "Amanda.Ross",
            "alias": "Amanda.Ross",
            "email": "[email protected]",
            "status": "ACTIVE",
            "enabled": false,
            "pending": false,
            "externalId": "2c9180837dfe6949017e208e26b27b28",
            "processingDetails": null
        }
    ]
}

Next, send a POST request to disable the identity.

POST https://{tenant}.api.identitynow.com/cc/api/user/enabled

This POST request uses form data. Please refer to the following cURL call to see how to use the form data. You can import cURL into Postman as well.

curl --location --request POST 'https://{devrel}.api.identitynow.com/cc/api/user/enabled' \
--header 'Authorization: Bearer {access_token}' \
--form 'ids="3498063"' \
--form 'enabled="false"'
2 Likes
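
Added example, not part of the original answer or SailPoint's own code: the two calls above built as Python request objects, with a check that exactly one identity matched before anything is disabled. The function names, tenant name, token and email address are hypothetical placeholders, the sample body is constructed, and nothing is sent over the network.

```python
import json, uuid
from urllib.parse import urlencode
from urllib.request import Request

BASE = "https://{tenant}.api.identitynow.com/cc/api/user"

def lookup_request(tenant, token, email):
    """Step 1: GET /cc/api/user/list, filtered on the email address."""
    filters = json.dumps([{"property": "email", "operation": "EQ", "value": email}],
                         separators=(",", ":"))
    url = BASE.format(tenant=tenant) + "/list?" + urlencode({"filters": filters})
    return Request(url, headers={"Authorization": f"Bearer {token}"})

def pick_legacy_id(body, email):
    """Return (id, enabled); refuse to act unless exactly one identity matches."""
    matches = [i for i in body.get("items", [])
               if (i.get("email") or "").lower() == email.lower()]
    if len(matches) != 1:
        raise LookupError(f"expected 1 identity for {email}, found {len(matches)}")
    return matches[0]["id"], bool(matches[0].get("enabled"))

def set_enabled_request(tenant, token, legacy_id, enabled):
    """Step 2: POST /cc/api/user/enabled as multipart form data (what curl --form sends)."""
    boundary = uuid.uuid4().hex
    fields = {"ids": str(legacy_id), "enabled": "true" if enabled else "false"}
    parts = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in fields.items())
    body = (parts + f"--{boundary}--\r\n").encode()
    return Request(BASE.format(tenant=tenant) + "/enabled", data=body, method="POST",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": f"multipart/form-data; boundary={boundary}"})

# Constructed sample shaped like the response body above (placeholder email).
SAMPLE = {"total": 1, "items": [{"id": "3498063", "email": "user@example.com",
                                 "enabled": True}]}

if __name__ == "__main__":
    get = lookup_request("example-tenant", "TOKEN", "user@example.com")
    print(get.get_method(), get.full_url)
    legacy_id, enabled = pick_legacy_id(SAMPLE, "user@example.com")
    if enabled:  # skip the POST when the identity is already disabled
        post = set_enabled_request("example-tenant", "TOKEN", legacy_id, False)
        print(post.get_method(), post.full_url)
        # urllib.request.urlopen(post) would send it; deliberately not called here.
```
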

Hi Colin,
Thank you for the clear clarification of the topic status. We’re waiting for the time when the identity status (enabling/disabling) can be managed via API and WF.

1 Like

Hi @colin_mckibben, I saw that this topic was created in April. I need to disable an identity through an integration via API.
Has anything been developed in this regard yet?

1 Like

You can create a web service source (loopback connector using the IdN API) and achieve it by using it as a standard connector.

@raibom Please see the accepted solution. I updated it with the steps to accomplish this via API.

1 Like

@colin_mckibben, thanks a lot for the details. I have never had enough time to trace the needed cc v1 API call for that in the IDN UI. I will try to add that very useful feature to the tenant identity API management automation we are using.

BTW, we have a very useful API, GET […]/roles/:id/assigned-identities, in the Beta API collection.
Could we hope to have the same in the future for /access-profiles/:id/assigned-identities, or does it already exist and I overlooked it?

And for entitlements API something like GET /entitlements/:id/accounts?

1 Like

There is talk about adding this functionality to access profiles and entitlements. If you don’t mind, can you please share this request in our ideas portal? This way our product team can track user interest in these features.

Thanks for the answer. I ended up doing it in another way, using the set lifecycle api and creating a lifecycle with “Disabled” status

Hi @raibom,
Does it make an identity ‘Disabled’ and ‘grey’ in the IDN identity list (https://[tenant].identitynow.com/ui/admin#admin:identities:users)?

I would advise others to use your approach. Identity status should ideally be set by lifecycle states rather than direct API calls. It fits better into the identity governance processes that SailPoint has created.

1 Like