Mark Entitlements Non Requestable

Hi Everyone,

We are currently working on a workflow to designate entitlements as requestable only when the Group Type is equal to “Security.” We already have a workflow in place that makes all entitlements requestable, utilizing the following API: https://{URL}/beta/bulk-update.

The existing API call looks like this:
{
  "entitlementIds": ["2c91808a7624751a01762f19d665220d"],
  "jsonPatch": [
    { "op": "replace", "path": "/requestable", "value": false }
  ]
}

In addition to the current functionality, we have new requirements. If the attribute “GroupType” is equal to “Security,” we need to mark it as requestable. On the other hand, if the “GroupType” is “Distribution,” we should mark it as non-requestable.

We are reaching out for any guidance, suggestions, or insights on how to implement this logic effectively. If anyone has experience with a similar implementation or has valuable input, we would greatly appreciate your assistance.

Thank you in advance for your help.
Bhavadharani

@Dharani_01 Have you got any lead on this? I have a similar requirement to handle. Please let me know.

Regards,
Bhima

Caveat - I don’t have workflow enabled in my tenants, which is what I assumed you meant with your use of the term “workflow” in your question. However, I have another solution you can use as a one-off update script.

Can I assume this is for an Active Directory source?

If so, it will require a bit of filtering on the client side because none of the APIs currently allow for filtering entitlements based on source-specific attributes, such as GroupType for Active Directory.

That said, this can be accomplished using something like the PowerShell SDK.

Here’s what you’ll need to do:

Find the source Id of the source for which you’d like to search entitlements. This assumes your AD source name is called “Active Directory”.

$source_id = (get-sources -filters 'name eq "Active Directory"').id

Then, you need to get all the entitlements in that source that are security groups. Assuming you have more than 250 entitlements in that source, you need to use the Invoke-Paginate cmdlet to paginate through all the results. Set the limit argument to a number that is greater than the total number of entitlements in that source.

$security_groups = Invoke-Paginate -function "Get-BetaEntitlements" -increment 250 -limit 10000 -initialoffset 0 -parameters @{"Filters"= "source.id eq `"$($source_id)`""} | where-object {$_.attributes.GroupType -eq "Security"}

Since the update-entitlements-in-bulk API endpoint has a limit of 50, we’re going to do an old fashioned loop action. First, we need to build the patch body, which will be the same for each entitlement.

$patch_operation = Initialize-JsonPatchOperation -Op "add" -Path "/requestable" -Value $true

And now our loop

foreach($security_group in $security_groups){
    Update-BetaEntitlement -Id $security_group.id -JsonPatchOperation $patch_operation
}

Ok, let’s put it all together

# Resolve the source id (assumes the AD source is named "Active Directory")
$source_id = (get-sources -filters 'name eq "Active Directory"').id

# Page through every entitlement in that source and keep only the Security groups
$security_groups = Invoke-Paginate -function "Get-BetaEntitlements" -increment 250 -limit 10000 -initialoffset 0 -parameters @{"Filters"= "source.id eq `"$($source_id)`""} | where-object {$_.attributes.GroupType -eq "Security"}

# One patch operation, reused for every entitlement
$patch_operation = Initialize-JsonPatchOperation -Op "add" -Path "/requestable" -Value $true

# Update the entitlements one at a time instead of using the 50-id bulk endpoint
foreach($security_group in $security_groups){
    Update-BetaEntitlement -Id $security_group.id -JsonPatchOperation $patch_operation
}
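The same classification and update logic, written as an added Python example rather than code from this thread: it applies the original requirement (Security groups become requestable, Distribution groups become non-requestable, anything else is left alone), skips entitlements already in the desired state, and builds bulk-update bodies of at most 50 ids each in the shape quoted in the question. The sample entitlements, the `post` callable and the `/beta/bulk-update` path (taken as quoted in the question) are assumptions; wire `post` to your own authenticated HTTP client.

```python
import json
from typing import Callable, Iterable, Optional

BULK_LIMIT = 50                         # per the thread: bulk-update accepts at most 50 ids per call
BULK_UPDATE_PATH = "/beta/bulk-update"  # path as quoted in the question; prefix with your tenant URL

# Constructed sample entitlements in the shape the entitlement list API returns (id, requestable, attributes).
SAMPLE_ENTITLEMENTS = [
    {"id": "ent-sec-1", "requestable": False, "attributes": {"GroupType": "Security"}},
    {"id": "ent-sec-2", "requestable": True, "attributes": {"GroupType": "Security"}},
    {"id": "ent-dist-1", "requestable": True, "attributes": {"GroupType": "Distribution"}},
    {"id": "ent-other", "requestable": True, "attributes": {}},  # no GroupType: leave untouched
]

def desired_requestable(entitlement: dict) -> Optional[bool]:
    """Security -> requestable, Distribution -> non-requestable, anything else -> no change (None)."""
    group_type = (entitlement.get("attributes") or {}).get("GroupType")
    if group_type == "Security":
        return True
    if group_type == "Distribution":
        return False
    return None

def plan_updates(entitlements: Iterable[dict]) -> dict:
    """Collect entitlement ids per target flag, skipping those already in the desired state."""
    plan = {True: [], False: []}
    for ent in entitlements:
        want = desired_requestable(ent)
        if want is None or ent.get("requestable") is want:
            continue
        plan[want].append(ent["id"])
    return plan

def build_bulk_bodies(plan: dict) -> list:
    """Emit bulk-update bodies (same shape as the question's example) with at most BULK_LIMIT ids each."""
    bodies = []
    for value in (True, False):
        ids = plan[value]
        for start in range(0, len(ids), BULK_LIMIT):
            bodies.append({
                "entitlementIds": ids[start:start + BULK_LIMIT],
                "jsonPatch": [{"op": "replace", "path": "/requestable", "value": value}],
            })
    return bodies

def apply_plan(entitlements: Iterable[dict], post: Callable[[str, str], None]) -> int:
    """Build the bodies and hand each to post(path, json_body); returns the number of calls made."""
    bodies = build_bulk_bodies(plan_updates(entitlements))
    for body in bodies:
        post(BULK_UPDATE_PATH, json.dumps(body))
    return len(bodies)

if __name__ == "__main__":
    # Dry run: print each request instead of sending it.
    apply_plan(SAMPLE_ENTITLEMENTS, lambda path, body: print("POST", path, body))
```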

Hi @Dharani_01 Do you need to do it via workflow? I have a similar task made in Java which uses different IDN APIs, whose final goal is to make bulk entitlements requestable. You have the API get-entitlement | SailPoint Developer Community, which you can examine to compare the group type.

I think this can be done via workflow too: you can call the get entitlement list API, filtered with source.id (for the source you want to check). Then, you may have a Loop operator in which each loop input is the entitlement id returned by the last call. Then, you can call the Get Entitlement API, and just after that box, put a String comparator. If the type is Security, then simply call the entitlement PATCH call. You should do nothing in the else, just end the flow, because by default entitlements are non-requestable.
