Non-Admins can manage Lifecycle state

Summary

Non-admins in SailPoint, such as the service desk, should be able to change the lifecycle state (LCS) of individual identities without being granted admin permissions. The approach below delegates a single, narrow action through a form and a workflow: the workflow runs with its own admin-level API credential, while the requester only ever sees the form.

Solution Overview

  • Create a SailPoint identity for API access and generate a Personal Access Token (PAT) for it
  • Create a form for requesting an LCS change for a user
  • Create a workflow that
    • launches the form
    • reads the form data
    • calls the SailPoint API to set the requested lifecycle state
  • Assign the form launcher to a specific group of users

Create an API account for access to the SailPoint API

  • A Personal Access Token belongs to an identity, so the API account must exist as an identity in SailPoint; a standalone account that is not correlated to an identity cannot be used
  • Some SailPoint processes only work through the API with the all scope, so the token should be created with all scopes
  • Admin rights will be given to the account. Treat the resulting token as an admin credential: anyone who can edit the workflow (or read the HTTP Request card configuration) can exercise it, so keep the secret only where the workflow needs it and rotate it if it is exposed.
  1. Log in to Entra or AD and create an account called Sailpointapi. You can also create the account via a file connector, in which case it becomes a local account. It is best to create the account in a directory that already has security governance controls in place.
  2. Aggregate the account into SailPoint via the source connector. An Identity Profile must exist for that source so the account is synced as an identity.
  3. Go to Identities and look for the Sailpointapi identity. Reset the password; you should receive an email with the reset link.
  4. Log in locally (myTenant.identitynow.com/login/login?prompt=true) with the SailPoint API account.
  5. On the top right, click the down arrow and select Preferences
  6. Click Personal Access Tokens
  7. Click New Token
  8. Description: token for SailPoint workflows to access the ISC API
  9. Scope: all

Click Create

Copy the Client ID and Secret. The secret is shown only once and cannot be retrieved later.

Sign out

Give the account admin access to SailPoint: go to Identities, look for sailpointapi, set the user level and enable Admin.

Create a form for requesting a user's LCS change

Go to the Admin/Global/Forms menu

Click New Form

  • Name: Change Lifecycle State
  • Description: Allow request to change Lifecycle state

Click Continue to Builder

Click add section

Click Apply

Click Add, select Field

  • Label: Select User
  • Mark as required

  • Maximum selection 1
  • Predefined Option Type
  • Predefined Values: Identities
  • Click apply

Click Add, select Field

  • Label: Select Lifecycle State
  • Mark as required

  • Maximum selection 1
  • Predefined Option Type
  • Predefined Values: static
  • Click add option and add the different states available

Click Save for the form

Get the lifecycle state IDs from the API

Get the ID of the main Identity Profile of the users (for example from GET /v3/identity-profiles).

Using Postman, call List Lifecycle States for that Identity Profile: GET /v3/identity-profiles/{identity-profile-id}/lifecycle-states

The response is a list; note the name and id of each state, for example:

"Active": id "caf3748fbe194947b43ab5e8665ffd40"

"Inactive": id "aa26855312224e3aaaff7eb3936cbee4"

Write these down; the workflow needs them to translate the state name selected on the form into the ID the API expects.

Create Workflow to get LCS request and process

Go to Workflows

Click New Workflow

Name: Change Lifecycle State

Click Continue to builder

Select Interactive trigger

Click create launcher

Select Interactive Form from Action

Rename the form to "Select User and LCS form"

Select the Form just created and enter the title

Select Define Variable from the Operator list

Rename it to Translate LCS selection to ID values

Click Create New Variable

Name: ReplaceLCSwithID

Click Editor

Click Add

Under Data, select Attribute

Click Choose Variable and pick the form field that holds the selected lifecycle state

Click Apply

Click Add, select Operator, then Replace

Enter the state name as the text to replace and that state's ID (from the API call above) as the replacement

Click Apply

Repeat Add, Operator, Replace for every state and its ID

Click Save

Add an HTTP Request card from Actions

Authentication type: OAuth 2

Token URL: https://myTenant.api.identitynow.com/oauth/token

Enter the Client ID and Secret of the Sailpointapi token

Credential location: header

Request URL (note the API host, myTenant.api.identitynow.com, not the UI host):
https://myTenant.api.identitynow.com/v3/identities/{{$.interactiveForm.formData.selectUser}}/set-lifecycle-state

Method: POST

Content-Type: application/json

Request body: {"lifecycleStateId":"{{$.defineVariable.replaceLCSwithID}}"}

Click Save

Add the End Step - Success operator from Operators
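To see what the Postman step and the HTTP Request card do end to end, here is an added Python example (not from the original post, and not SailPoint's code). It fetches a token with the PAT's client credentials, lists the lifecycle states of an identity profile, builds the name-to-ID map that the Define Variable Replace operators hardcode, and then posts set-lifecycle-state. It also enforces the form's static option list in code, so a caller cannot request a state the form does not offer. The tenant name, client credentials, profile and identity IDs, and the FakeTransport responses are assumptions or constructed so it runs offline; the default urllib_transport hits a real tenant.

```python
"""Added example (not from the original post): the API calls behind the
workflow. Host name pattern, ids and canned responses are assumptions."""
import base64
import json
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, response_bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class IscClient:
    """Minimal Identity Security Cloud client; `transport` is injectable so
    the flow can be exercised offline with a fake (see FakeTransport)."""

    def __init__(self, tenant, client_id, client_secret, transport=urllib_transport):
        self.api_base = f"https://{tenant}.api.identitynow.com"  # assumed host pattern
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport
        self._token = None

    def token(self):
        if self._token is None:
            # client_credentials grant, PAT clientId:secret in the Authorization
            # header (the HTTP card's "credential location: header")
            basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
            status, raw = self.transport(
                "POST", f"{self.api_base}/oauth/token",
                {"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
                b"grant_type=client_credentials")
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = json.loads(raw)["access_token"]
        return self._token

    def call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/json"}
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, raw = self.transport(method, self.api_base + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status} {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def lifecycle_state_ids(self, identity_profile_id):
        """Name -> id map, read live instead of hardcoded Replace operators."""
        path = f"/v3/identity-profiles/{urllib.parse.quote(identity_profile_id, safe='')}/lifecycle-states"
        return {s["name"]: s["id"] for s in self.call("GET", path)}

    def set_lifecycle_state(self, identity_id, state_name, state_ids, allowed):
        """Only states in `allowed` (the form's static option list) may be set."""
        if state_name not in allowed:
            raise PermissionError(f"state {state_name!r} is not requestable via this form")
        if state_name not in state_ids:
            raise KeyError(f"state {state_name!r} not defined on the identity profile")
        path = f"/v3/identities/{urllib.parse.quote(identity_id, safe='')}/set-lifecycle-state"
        return self.call("POST", path, {"lifecycleStateId": state_ids[state_name]})


class FakeTransport:
    """Constructed stand-in for the tenant: records calls, returns canned JSON."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append({"method": method, "url": url, "headers": headers, "body": body})
        path = urllib.parse.urlparse(url).path
        if path == "/oauth/token":
            return 200, b'{"access_token":"fake-jwt","token_type":"bearer"}'
        if headers.get("Authorization") != "Bearer fake-jwt":
            return 401, b'{"detailCode":"401 Unauthorized"}'
        if path.endswith("/lifecycle-states"):
            return 200, json.dumps([  # ids copied from the post's example tenant
                {"name": "Active", "id": "caf3748fbe194947b43ab5e8665ffd40"},
                {"name": "Inactive", "id": "aa26855312224e3aaaff7eb3936cbee4"}]).encode()
        if path.endswith("/set-lifecycle-state"):
            return 200, b'{"accountActivityId":"constructed-activity-id"}'
        return 404, b"{}"


def run_demo(transport=None):
    """Drive the whole flow offline; returns (transport, name->id map, result)."""
    fake = transport or FakeTransport()
    client = IscClient("myTenant", "client-id", "client-secret", transport=fake)
    ids = client.lifecycle_state_ids("assumed-profile-id")
    result = client.set_lifecycle_state("assumed-identity-id", "Inactive", ids,
                                        allowed={"Active", "Inactive"})
    return fake, ids, result


if __name__ == "__main__":
    _, ids, result = run_demo()
    print(ids, result)
```

Reading the state IDs from the identity profile at run time, rather than hardcoding them in Replace operators, means the workflow keeps working when a state is added or recreated with a new ID; the `allowed` set mirrors the static options on the form and is the actual authorization boundary for the service desk.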

Test the workflow

Click Test Workflow

Select a user and the lifecycle state

Check on the user's identity page that the lifecycle state changed, then enable the workflow once satisfied with the test results

Give launcher access to users

Create a Role called Change Lifecycle State

Add the access item Change Lifecycle State (the workflow launcher) to the role

Define the assignment by adding the users you want (for example the service desk)

Enable the Role
