System User Roles are removed on Initial user login to NERM
What have you tried?
We have created an Identity in ISC and created a System user (NeprofileUser) in Non-Employee Risk Management (NERM) using an API.
We have provided the Role to the system user in the group_strings parameter and also added the sailpoint_identity_id during the create user api call.
What errors did you face (share screenshots)?
When User tries to login first time to ISC (using username-password flow) and then to Non-Employee Risk Management, the Role assigned to the user gets removed.
What were you expecting?
We are expecting to have the Role intact to the System User and the role should not get overwritten on the Initial Login.
In your login flow (from ISC then navigate over to NERM), that has a behind-the-scene IdP (my way of thinking about it). That overrides what you assigned statically / previously.
To add more context, the user initial login to ISC is by using username and password and then he proceeds to NERM. (The NERM system user is already created using an API and his sailpoint identity id is populated already)
Yes, thatâs understood. I mean, does the approach / model from the document not address your need? Why deviate?
And here:
Are you saying you specifically have this issue with username/password login flow (to ISC then NERM), but / AND not when SAML SSOing into ISC (then across to NERM)?
To my knowledge, your flow ought to work if the directory group specified in the role (on NERM) matches one of the userâs User Level (from ISC).
No the issue we cant say is only with username/password, but what we are trying to achieve is to create the system users using the NERM APIs along with roles like Sponsors and on the initial login for the user, any roles provided during creation must be present on the user.
Then you just need to create the neprofileuser entry (lifecycle user), and specify that Role â Directory Group (User Level) mapping. On ISC side, create customer User Levels. (Provisioning the User Levels via ISC loopback). The neprofileuser should get the roles on the fly as they âssoâ into NERM after having used username/password to log into ISC. That, or use the method mentioned in the first link.
i.e. You grant Lifecycle role via [ISC Role â Loopback connector â User Level â Directory Group â Lifecycle Role] or via [ISC Role â NERM connector â Lifecycle Role].
Correct. And so, in the OP, it was already mentioned that youâre attempting to handle this for NeprofileUser (Lifecycle Users)âŚso that is a capability from the 2nd connector.
If your âUse Identity Security Cloud Entitlements for Rolesâ toggle is already On, at the time of adding the NERM Users source. Then you need to toggle that off, then re-toggle that on.
You need to specify the PROVISIONING feature flag on the source. (fine prints) By default, itâs just an empty arrayâŚand thatâs not what you want. ## Most people missed this step.
Essentially, the behaviour mentioned in the OP is the outcome of the toggle. It behaves as a âIf ISC didnât provisioning the role to this user, zap itâ-toggle. Thatâs why you have this warning:
From what you described, it sounds like the role assigned during the API-based system user creation is getting overridden when the user logs in and the identity gets synced with ISC.
In many cases, during the first login, ISC/NERM may re-evaluate and align the userâs roles based on identity attributes or mappings, which can overwrite what was initially set via API.
You might want to check if there are any role mappings, default assignments, or sync logic that gets triggered on first login which could be resetting the roles.
Also, just to confirm â are these roles being managed purely in NERM, or is there any linkage with ISC roles or identity attributes that might be influencing this behavior?
Just to clarify the whole flow and summarize (somewhat) what is said above.
By default NERM is setup to have ISC as the identity provider (IDP), which enables any user in ISC to login to NERM. This also means that this setting will automatically update any role assignment in NERM. Mainly this is done so that ISC admins are treated as NERM admins and as such, can setup both systems properly.
If you want to change that behaviour and manually apply this access (and keep it that way), you will have to toggle this switch, see this screenshot posted above:
If you do neither, NERM will continue itâs default behaviour, if you do only one of the two suggestions (connector / toggle) the system will not have proper access management either.
We also validated the approach as below which also works fine:
SailPoint IIQ as frontend for requesting and granting access to NERM entitlements (IIQ using NERM APIs to provision system user account and the requested NERM entitlement (also known as lifecycle role in NERM).
Create an identity in ISC using automated flow from IIQ as a post processing operation of the success of above step.
Configure source âSailPoint Non Employee Management Usersâ and perform account aggregation.
Enabled toggle - âISC Cloud Role Assignment Management using entitlementsâ.
System user logged in to NERM module and verified that access remain intact.
In short, your current solution / architecture has been based on the [mis-]understanding that the NERM User connector doesnât do Lifecycle Role provisioning?
This requires you to have an additional firewall rule outbound to NERM.
And from NERMâs perspective, youâve created a line of sight requirement / dependency between NERM and IIQ, AND NERM and ISCâŚas opposed to just between NERM and ISC. (Maybe I donât have the full context)
