Multidimensional Entitlement Management

Hey Team!

We have a rather annoying configuration of Entitlements in an application that we are integrating via the web-service connector.

The app’s entitlements are structured multidimensionally, where 1 Role can be provisioned to multiple Companies (companyId) for a user.

So for example a user json blob can look like the following:

Test User John
Role 1
 -companyId:50
Role 1
 -companyId:60
Role 1
 -companyId:70
Role 2
 -companyId:70

And so forth.

Is this use-case even supported in IdentityNow?

I’m able to aggregate the roles independently, however they don’t seem to correlate with user-aggregated roles, as these are getting bundled in a list inside IDN (see picture):

image

What an entitlement looks like independently:

If possible, we’d like to aggregate everything as separate entitlements for each companyId. A role json blob can look like the following:

{
  "roleId": "role 1",
  "description": "Hi mom",
  "roleDetailInformations": [
    {
      "companyId": "12"
    },
    {
      "companyId": "13"
    },
    {
      "companyId": "14"
    }
  ]
}

If possible it could be viable to somehow be able to aggregate all the companyIds for each role as separate entitlements on the source in IDN. Meaning now if we have about 10 roles aggregated, and there are 10 companyIds in total that each role can be connected to for a certain user, we’d end up with a total of 100 separate entitlements in IDN.

An end result somewhat like this after aggregating entitlements:

Entitlements
Id     Name
1      Role 1
2      Role 1
3      Role 1
4      Role 1
1      Role 2
2      Role 2

I’m sure some of you guys must’ve had the same use-case previously, and would appreciate all the help!

Seb

We have a system which handles entitlements very similar to this. Unfortunately, you can’t do it natively with Web Services; you will need to program some Web Service Operation Rules.

During Account Aggregation we use an After Operation Rule which takes in the Role ID and concatenates it with the Company ID with a delimiter between, like roleID::companyId. (ex. 1::50 for Role1 - CompanyID 50).

We have a separate After Operation Rule for Entitlement Aggregation, but it has the same logic.

Then we have 2 Before Operation Rules, one used before Add Entitlement, and one used before Remove Entitlement. These Before Operation Rules take the concatenated string (ex. 1::50), separate it back into the original json version, and then update the Add/Remove Entitlement Body with that original json.

1 Like

Hello Carl!

Thanks for the answer!
Would it perhaps be possible if you could share your Operation Rules here?

Thanks

Unfortunately I can’t share the Rules, but here is one that is similar to what we used for the Entitlement Aggregation After Operation Rule. We were able to set the Response Mapping on the HTTP Operation to separate the two fields (Role and Name), so we could use the processedResponseObject. If you can’t get the Response Mappings to work, then you will likely need to use the rawResponseObject and extract the information you need.

import java.util.*;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Iterator;
List finallist = new ArrayList();
Map updatedMapInfo = new HashMap();
Map newmap = new HashMap();
if (processedResponseObject != null){
    //loop through the processedResponseObject
    for (Map iterateMap : processedResponseObject) {
        if (iterateMap != null ) {
            Set keySet = iterateMap.keySet();
            for (String s : keySet) {
                if (s.equals("value")) {
                    //Gets original role ID which was assigned to 'role' in Response Mapping of HTTP Operation
                    String role = (String) iterateMap.get("role");
                    //Gets original companyId which was assigned to 'name' in Response Mapping of HTTP Operation
                    String companyId = (String) iterateMap.get("name");
                    //concatenate the newRole ID
                    String newRole = role + ":" + companyId;
                    //concatenate the new roleName
                    String roleName = "Role:" + role + " - CompanyId: " +companyId;
                    //Add newRole and roleName to a Map
                    newmap.put("role", newRole);
                    newmap.put("name", roleName);
                    //Add Map to finallist Array
                    finallist.add(newmap);
                    //reset Map
                    newmap = new HashMap();
                }
            }
        }
    }
    //update Map with the finallist Array
    updatedMapInfo.put("data", finallist);
}
return updatedMapInfo;
1 Like
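
The flatten-and-split round trip described in the replies above, as an added example that is not code from the thread or from SailPoint: plain Java with hypothetical class and method names, using the `::` delimiter from the reply and assuming the Add/Remove request body has the same shape as the role JSON in the question. It rejects any part that is empty or contains `:`, so a malformed value cannot be split into a different role and company pair than the one that was aggregated.

```java
import java.util.*;

// Added illustration in plain Java; class and method names are hypothetical.
public class CompositeEntitlement {
    static final String DELIM = "::"; // delimiter from the reply above, e.g. 1::50

    // A part may not be empty or contain ':', otherwise the split is ambiguous.
    static String checked(String part) {
        if (part == null || part.isEmpty() || part.indexOf(':') >= 0)
            throw new IllegalArgumentException("unsafe entitlement part: " + part);
        return part;
    }

    // Aggregation direction: one flat value per (roleId, companyId) pair.
    static List<String> flatten(String roleId, List<String> companyIds) {
        List<String> out = new ArrayList<>();
        for (String companyId : companyIds)
            out.add(checked(roleId) + DELIM + checked(companyId));
        return out;
    }

    // Provisioning direction: rebuild the nested structure from one flat value.
    // Assumes the request body has the same shape as the role JSON in the question.
    static Map<String, Object> toBody(String value) {
        int i = (value == null) ? -1 : value.indexOf(DELIM);
        if (i < 0) throw new IllegalArgumentException("not a composite value: " + value);
        String roleId = checked(value.substring(0, i));
        String companyId = checked(value.substring(i + DELIM.length()));
        Map<String, Object> detail = new LinkedHashMap<>();
        detail.put("companyId", companyId);
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("roleId", roleId);
        body.put("roleDetailInformations", Collections.singletonList(detail));
        return body;
    }

    public static void main(String[] args) {
        // Constructed sample input based on the role JSON in the question.
        System.out.println(flatten("role 1", Arrays.asList("12", "13", "14")));
        System.out.println(toBody("role 1::13"));
        try {
            toBody("role 1::13::14"); // extra delimiter must not be provisioned
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```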
