IDN V3 Account APIs: Do they provision downstream to target systems as well?


I was looking into some APIs that are available for account creation, updates and delete here: Accounts | SailPoint Developer Community

I tried creating an account on an active directory source with the API, and I got a successful API response. I could also see the account on the UI after the API call, but the account gets removed after an aggregation, suggesting that the provisioning did not go downstream.

Do the APIs trigger a provisioning to the connected source if it contains an account create/modify profile mapped? Does it create a ProvisioningPlan object similar to non-API based provisioning?

If it does allow for downstream account provisioning, how do I debug provisioning issues if any? I do not see any errors at the moment on UI or on the API response.

Hi @sushant1

Since you are creating the account through the API, it is essentially a shadow/placeholder account and no provisioning plan is generated, so the account is not created on the end source. If you want to trigger a downstream account creation, you are better off using the v3 access-request APIs, which would be able to create the account in that endpoint.

Hope that helps!

@justinrhaines Thanks for the suggestion!

I’m looking for a way to create an account without having to request or provision any entitlements alongside; like creating an account without entitlements. This can be done through some plan manipulations in before-provisioning rules, but was primarily looking for simpler, no-code alternatives to it.

Access Requests via API can be a viable option if creating accounts with entitlements is the use case, but since I’m specifically looking for account creation (without the entitlements), I was exploring this API.

If there is no provisioning plan generated with the Account APIs, then perhaps that isn’t the way for me… but I wonder what the purpose of those APIs is, if it cannot provision downstream? I’m struggling to see a point to creating a placeholder account on the IDN UI.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.