Issue with Group/Entitlements Not Reflecting in IDN Source Account

Hi Team,

I’m currently working with a web service connector in SailPoint IdentityNow. I have two APIs from the target application:

  1. One to collect Accounts
  2. Another to collect Groups

I’ve successfully configured the provisioning plan and set up HTTP operations for Create Account and Get Object. Account creation works as expected.

Next, I configured the Add Entitlement operation to pass the group during account creation. On the target system, the account gets created and the group is correctly assigned—this is visible when checking directly on the target.

However, the assigned group (entitlement) is not appearing in the source account within IDN. I also tried configuring the Get Group Object HTTP operation, hoping it would help link the group to the account in IDN during aggregation and provisioning, but it still doesn’t show.

Has anyone else faced a similar issue?
How can I ensure that entitlements (groups) assigned during provisioning are correctly reflected on the source account in IDN, both during creation and aggregation?

Any suggestions or guidance would be appreciated!

User account Payload:
"payload": {
    "getSsoUser": {
        "getSsoUserDetail": {
            "username": "artieanchondo",
            "email": "[email protected]",
            "createDate": "2025-06-19",
            "expirationDate": null,
            "lastLoginDate": null,
            "passwordLastModDate": null,
            "department": "Phleb-IOP Region 5",
            "firstName": "Artie",
            "lastName": "Anchondo",
            "phone": null,
            "fax": null,
            "enabled": true,
            "forceUserChangePassword": false,
            "ipRestricted": true,
            "supervisorEmail": "[email protected]",
            "note": null
        },
        "ssoUserServiceAccess": [
            {
                "rpmServiceAccess": {
                    "groups": [
                        {
                            "groupName": "Accession Order Processing - Daily Receipt (RW)"
                        }
                    ]
                }
            }
        ]
    }
}

Account Details : getSsoUserDetail
Group : rpmServiceAccess

@hkhandale Did you define the schema attribute for entitlement in account schema? If that attribute holds multiple values, then mark it as multivalued as well.

Have you run the single account aggregation to check whether Get-Object is reconciling group data with the account too?

I think Get Object is not bringing back the group data; it’s only reconciling the account’s single-valued attributes.

Yes, it is part of the account schema and it is a multivalued attribute.

Yes @vishal, I’ve tried that approach, but it only retrieves single-value attributes available in the User Details payload. However, I’m looking to fetch the Group associated with the respective account.

Seems like you need to configure it in such a way that it gives group information too. Did you check the API response in Postman to see whether it includes group information?

No, for Get List of User, group information is not included in the payload; I can see it by calling the Get User by ID API.

Then you need to use 2 account aggregations and 2 get-object operations, one each for account and group.

In my Get List of Account API, the group information is not included in the payload. To retrieve a user’s groups, we need to call the ‘Get User by ID’ API, which returns data for only a single user—making it unsuitable for use in Account Aggregation.

Although I’ve successfully fetched all groups through Group Aggregation, I need to display the respective user’s group assignments in the Identity Access view.

Get List of User

"payload": {
    "status": null,
    "getSsoUserDetail": [
        {
            "orgAlias": "",
            "username": "aalutest",
            "email": "[email protected]",
            "createDate": "2025-06-18"
        },
        {
            "orgAlias": "",
            "username": "aatest",
            "email": "[email protected]",
            "createDate": "2023-08-29"
        },
        {
            "orgAlias": "",
            "username": "abhitest1",
            "email": "[email protected]",
            "createDate": "2025-06-18"
        },
        ...
    ]
}

Get User by ID

"payload": {
    "status": null,
    "getSsoUser": {
        "getSsoUserDetail": {
            "orgAlias": "",
            "username": "artieanchondo",
            "email": "[email protected]",
            "createDate": "2025-06-19"
        },
        "ssoUserServiceAccess": [
            {
                "rpmServiceAccess": {
                    "groups": [
                        {
                            "groupName": "Accession Order Processing - Daily Receipt (RW)"
                        }
                    ]
                }
            }
        ]
    }
}

Yes, you will call aggregation and account aggregation by ID sequentially.

I went through the Dual Endpoint Aggregation Approach.

Due to the application exposing separate APIs for user basic details and user access (group) information, I implemented aggregation using two endpoints:


:white_check_mark: 1. First Aggregation – Get List of Users API

  • API provides a list of users with basic details.
  • Sample Response:
"payload": {
  "status": null,
  "getSsoUserDetail": [
    {
      "orgAlias": "",
      "username": "aalutest",
      "email": "[email protected]",
      "createDate": "2025-06-18"
    },
    {
      "username": "aatest",
      "email": "[email protected]"
    }
    // ...more users
  ]
}
  • These users are used to build the account attribute in SailPoint.

:white_check_mark: 2. Second Aggregation – Get User by ID API

  • This API returns detailed access (group) information for a specific user.
  • To fetch access, we call this API for each user using their username or ID from the first API response.
  • Sample Response:
"payload": {
  "getSsoUser": {
    "getSsoUserDetail": {
      "username": "artieanchondo",
      "email": "[email protected]"
    },
    "ssoUserServiceAccess": [
      {
        "rpmServiceAccess": {
          "groups": [
            {
              "groupName": "Accession Order Processing - Daily Receipt (RW)"
            }
          ]
        }
      }
    ]
  }
}

:repeat_button: Important Mapping Note:

  • During the second aggregation, the user ID or username from the first response is used in the second API URL:
Example:
GET /getSsoUserDetail/{username}
  • In the second aggregation, this is typically passed as:
GET /getSsoUserDetail/$response.username$

Reference: Aggregation
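
The join that the dual-endpoint approach above performs, as an added example (not code from the post or from the SailPoint connector): each row of the user list is enriched with the group names flattened from the per-user response, and a failed per-user lookup is reported separately instead of being recorded as an account with no entitlements. The payloads are constructed samples shaped like the ones in the thread; `fetch_user_detail` is a hypothetical stand-in for `GET /getSsoUserDetail/{username}`, and `groups` is an assumed name for the multivalued entitlement attribute.

```python
# Constructed sample data shaped like the two payloads quoted in the thread.
LIST_USERS = {"payload": {"status": None, "getSsoUserDetail": [
    {"username": "artieanchondo", "createDate": "2025-06-19"},
    {"username": "aalutest", "createDate": "2025-06-18"},
    {"username": "aatest", "createDate": "2023-08-29"},
]}}

USER_DETAIL = {
    "artieanchondo": {"payload": {"getSsoUser": {
        "getSsoUserDetail": {"username": "artieanchondo"},
        "ssoUserServiceAccess": [{"rpmServiceAccess": {"groups": [
            {"groupName": "Accession Order Processing - Daily Receipt (RW)"}]}}],
    }}},
    # User that exists but has no service access at all.
    "aalutest": {"payload": {"getSsoUser": {
        "getSsoUserDetail": {"username": "aalutest"},
        "ssoUserServiceAccess": None,
    }}},
    # "aatest" is deliberately absent: the per-user lookup fails.
}


def fetch_user_detail(username):
    """Hypothetical stand-in for GET /getSsoUserDetail/{username}; None on failure."""
    return USER_DETAIL.get(username)


def extract_groups(detail):
    """Flatten ssoUserServiceAccess[*].rpmServiceAccess.groups[*].groupName."""
    user = detail["payload"]["getSsoUser"]
    names = []
    for access in user.get("ssoUserServiceAccess") or []:
        rpm = access.get("rpmServiceAccess") or {}
        for group in rpm.get("groups") or []:
            name = group.get("groupName")
            if name and name not in names:  # keep order, drop duplicates
                names.append(name)
    return names


def aggregate(list_response, fetch=fetch_user_detail):
    """Join list rows with per-user groups; report failed lookups separately."""
    accounts, failed = [], []
    for row in list_response["payload"]["getSsoUserDetail"]:
        detail = fetch(row["username"])
        if detail is None:
            failed.append(row["username"])  # access unknown, not "no access"
            continue
        # "groups" is an assumed name for the multivalued entitlement attribute.
        accounts.append({**row, "groups": extract_groups(detail)})
    return accounts, failed
```

Keeping failed lookups out of the account list matters for access reviews: an account silently aggregated with an empty group list looks the same as one that genuinely holds no entitlements.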