One of our clients asked this question, Is IdentityNow capable of managing/governance the IDN admin roles and approval flow?
I think there is no such feature IdentityNow having, are we expecting this in future. Because I know IIQ has the feature to manage own rights/capabilities via IdentityIQ Loopback Connector.
Please share your thoughts/ideas or do we have any alternative way to achieve this.
There is no simple OOB feature that supports this (which is a little weird), but you can achieve this by setting up a Web Services source that communicates with IDN REST API - there’s endpoints for seeing which admin roles a user has that you could use for account & entitlement aggregation and there’s also endpoints for assigning these admin roles. Just need to set up the right API calls per operation and it should work.
Haven’t gotten it to fully work since it’s not a priority(and I’ve gone through a couple of iterations due to data issues) but I can share some more details if needed.
There are no public/documented endpoints for assigning these admin roles however, so there’s some risk that the source would break is something changes.
@M_rtenH - Sounds good! If possible share some more details, I would like to try that out in the developement environment.
For account aggregation, I ended up using the search endpoint (think there was another one available, I can’t recall exactly which one or why I went for search):
POST to <api_url>/v3/search with the body
You can discover the schema following that and configure your account schema depending on what you need. Following that, you’ll need to map the response to the schema. The trickiest part is mapping the entitlements correctly (e.g getting the admin permissions out of the json response).
I did that by mapping the entitlement schema attribute to this attribute path in the response:
$.accounts[?(@.source.name == "IdentityNow")].entitlementAttributes.assignedGroups
You’ll need to add paging as well since the search endpoint returns 250 results at a time.
Entitlement aggregation I did through the search endpoint as well, with this query:
That’s as far as I’ve gotten for now - single account aggregation operation and account modify operation are still to be added.
For account modify operation, I’d change the admin permissions on an identity while recording network activity to see which endpoint is called for that.
One thing to note (that if I recall correctly I hadn’t figured out) is that the api call to change the permissions will expect a specific IDN account ID (not the ID for the identity, but the ID for the identities IdentityNow account) but I think that should be exposed in the search results. If not, you might need a secondary account aggregation operation to aggregate additional data from a different endpoint.
Let me know if that makes any sense - should be a good starting point I think.
Thank you so much for the starting point, I will try it it out.
Ah, that’s brilliant. Almost as if it should be a built-in part of the product