POST /api/source/reset/

To reset all entitlements on a source, use reset-source-entitlements | SailPoint Developer Community.

To reset all accounts on a source, use delete-accounts-async | SailPoint Developer Community

In order to allow users enough time to migrate off of the private API and onto the new public endpoints, SailPoint is allocating additional resources to ensure that /api/source/reset remains operational until June 14th, 2024.

Please subscribe to this topic to receive an update when the new endpoints are available.

2 Likes

What is the replacement API for resetting sources? We use this with Skip Accounts, Skip Entitlements and full resets at times.

3 Likes

Iā€™m asking engineering now what the replacement is. Iā€™ll keep you updated when I get an answer.

@RArroyo I updated the topic to include the various methods you can use to reset a source. Let us know if you have any questions or concerns.

1 Like

To me this looks like a major step back. The suggested alternatives donā€™t come close to the current functionality.

Number of steps
An API call is really easy to use, it literally is sending only one request, which can be done both by computer and human. The alternatives all require multiple (manual) steps which takes more time.

Fine-grained reset
The deprecated API could reset only accounts or only entitlements. This is very useful both while developing and while in production, where removing the accounts might have a big impact on resources that are dependent on that data (birthright roles, provisioning, identity attributes, sync to other sources). The suggested approaches all canā€™t do this and will also remove the accounts

Keeping references intact
The deprecated API could perform the reset without having to delete the source. The suggested approaches all delete the source. This breaks different kinds of references. References to account correlation, account sync, provisioning policies, account schemas. But also references added by us. If a new source id is used, our workflows or other (IdentityNow/external) objects that refer to the source will also break.

Proper replacement API
A true replacement would look like an API endpoint like POST /v3/sources/:id/reset-entitlements and POST /v3/sources/:id/reset-accounts
Or perhaps something like /v3/sources/:id/reset, where we can specify what to include/exclude (accounts, entitlement types) in the body. The API would then simply remove the entitlements and/or accounts, but keep the source id, keep the references to the other source related objects, and will not break any other source references we have made.

I would suggest to look for a suitable replacement for the API and communicate the replacement (just linking to the v3/sources API documentation is insufficient) before deprecating the API, instead of first deprecating the API and then look around for alternatives, which might not exist.

Please donā€™t deprecate this API!

15 Likes

This is not a good option. I have to say this is VERY disappointing. We donā€™t want to DELETE the source. This was used in instances where SailPoint was not aggregating the changes correctly or was not automating the import of entitlements correctly. This needs to be properly replaced. This option is not good.

8 Likes

@angelo_mekenkamp and @RArroyo, can I get you to each provide a list of exactly what you need to reset in a source? For example, is it just accounts and entitlements? I ask because source reset supports more than just account resets, and the engineering team needs to know what functionality to prioritize.

Hi @colin_mckibben my 2 cents, first reset for accounts and entitlements, as this then gives feature parity to the existing API. Then additional reset functionality would be icing on the cake. :slight_smile:

Thanks for listening to community feedback.

2 Likes

I will certainly ask engineering to bring account and entitlement reset over to v3.

Iā€™m not very familiar with this reset API. Can you elaborate on other types of reset options available?

Thank you for involving us @colin_mckibben! Resetting entitlements and resetting accounts indeed has priority, but there is indeed more to consider when talking about resetting a source.

Reset entitlements:
With reset entitlements I understand ā€˜remove the entitlement from the knowledge space of IdentityNow, ignoring audit logsā€™. An entitlement aggregation might result in bringing these entitlements back, where they might obtain a new id (the big number generated by IdentityNow).

Will it be possible to reset particular entitlement types? For example ServiceNow has entitlements of type ā€˜groupā€™ and entitlements of type ā€˜roleā€™, can we reset only the entitlements of a particular type while keeping the other entitlements?

Please ensure that it is clear in the documentation what will happen when access profiles are already defined for this source. Will they end up as empty access profiles, that keep the information like owner, approval flow, role and segmentation mapping? Will they be removed automatically if it would not contain any entitlements anymore?

Reset accounts
Resetting accounts in my opinion would be similar to applying the API DELETE /cc/api/account/remove/id, but then in bulk, so that we donā€™t have to perform this API 100k+ times. Right now the current reset accounts API refuses the request when the source happens to have accounts belonging to an identity who happens to be the source owner for other sources, even when the account you want to remove is not the authoritative account. It would be great if this new API would not have this design flaw.

Reset (manual) correlation
As far as I see, once an account is correlated to an identity, it stays correlated to that identity, even when the correlation criteria changes or when the account attributes changed significantly. I believe this is a nice desired effect, but it can happen (both when onboarding a source and making many configuration changes) or in production, that we need to keep the accounts, but reset the current correlation between account and identity, to ensure that the accounts might switch identity. This could happen in 3 different scopes:
1: Retry correlation of all uncorrelated accounts
2: Retry correlation of all uncorrelated and manually correlated accounts
3: Retry correlation of all accounts.

One could say ā€œjust reset the accounts and aggregate the accounts againā€ and while this will achieve the desired effect, this operation might be too drastic and have undesired consequences. For example accounts that were already correlated correctly would (when using the reset accounts option) be removed from the identity before getting placed back to the identity, which can have a bad effect on dependencies such as transforms referring to the account attribute, birthright roles with membership criteria dependent on account attributes/entitlements and workflows getting triggered again. Also the account ids would reset if we remove the accounts.

Reset session related attributes
The integration might rely on obtaining an access token from the application using client id&secret or name+password. That access token is now used by the source (I believe it can be found encrypted in the json connectorAttributes), until it expires and requires another access token. One would expect that resetting a source means that this access token is removed as well, and that the integration needs to request a new access token using the saved credentials. Also other session related such as cookies should be reset.

Reset Delta Aggregation information
If we perform delta aggregation, the source might ā€˜rememberā€™ when the aggregation was successful for the last time, to ensure it can ask the application for all changes (Creates, Updates and Deletions) since a specific moment. Resetting a source would also mean we need to forget about this timestamp.

Reset custom selected attributes
Since IdentityNow offers custom rules where we can read and write data to the source (using key value pairs in the source json connectorAttributes), it could be that resetting a source means resetting some of those attributes values, either by resetting it to a default value, setting the value as null, or by simply removing the key value pair. Of course we could remove those ourselves, but since the connectorAttributes consists of many key value pairs, some added by IdentityNow (dependent on the connector), some added by us, it can be chaotic quickly in that json file (especially if we want to export the source and import it to a different IdentityNow environment or duplicate the source). Sometimes we would want to specify which custom attributes should be part of a reset.

Source internal name
Suppose we are not paying attention when we create a source in production for AD and we call it Active Distractory, we load the accounts, entitlements, setup everything and realize the typo in the source name, so we fix it by renaming the source. We are not going to remove the source again anymore since many dependencies are already active and the source name is corrected right? But if we now check the json, we will find the element accountCorrelationConfig still referring to the error:

"accountCorrelationConfig": {
    "type": "ACCOUNT_CORRELATION_CONFIG",
    "id": "2c9104857befdff9067c017aab3b00d5",
    "name": "Active Distractory [source] Account Correlation"
}

Changing the account correlation will not have an effect on this name. Also, several current and future audit logs refer to the source by this typo. It would be great if we can reset this ā€œinternally used nameā€

Select elements to reset
Right now the API offers ways to skip elements of the reset. Like ?skip=accounts.
I am not sure if it would be better to have an API where we can say ā€œreset the source, except for accounts and correlation and delta aggregation informationā€ or if it would be better to have an API where we can say ā€œreset the source, but only regarding entitlements and session related attributesā€. AKA provide an inclusion list or an exclusion list. I guess it is most important as long as it is documented properly.

Desires v.s. expectations
I understand I am asking more than what is already being offered on the cc/api API and that it is not realistic to expect all of this to exist on the new API before the old one gets deprecated, but I nevertheless want to point out to the engineering team that this would be very useful for us to have. Perhaps the new APIs could be designed whilst keeping these future functionalities in the back of the mind.

8 Likes

@angelo_mekenkamp this is excellent. Iā€™ll relay this to product.

1 Like

Yes, please email me. Thank you.

Hello, has there been any update on whether this one will be migrated in lieu of the new planned process?

As of now, there are no plans to make a direct, public replacement available due to competing priorities in engineering. This does not mean it wonā€™t be available in the future, it just wonā€™t be available by March 31st. If the recommended approach above will not work for you and it will cause serious disruption to your business, please message @developer_relations_team and your customer success manager with your concerns and we will do what we can.

Going to leave my +1 on this as being a necessity to have another method to accomplish. I donā€™t feel like deleting a source is an option unless youā€™re doing it directly after initial setup of the source, when there are no attached Access Profiles associated with the source. Once there are access profiles and roles then deleting that source I believe would cause issues, possibly creating orphaned access profiles.

Iā€™m trying to reset 4 sources I have just setup right now, struggling for the past 4 hours to find a window where there arenā€™t any ā€œbackground identity tasksā€ running, to accomplish any of thisā€¦using the source/reset api or the above steps to reset the source. Iā€™ve tried both, to no avail. This is causing major delays in the project I am working on, so a better way to accomplish this would be much appreciated.

1 Like

My +1 ā€¦
Deleting the source is not really an ā€œoptionā€ and is really just a cop-out answer for poor assessment, planning, etc. If thatā€™s the ā€œbestā€ recommendation, then leave the API as-is.

Deleting a source impacts WAY more than the source including Access Profiles, Roles, Certifications, etc. and I definitely wouldnā€™t want to be going to the Change Advisory Board (CAB) with a change noting weā€™re going to delete/recreate something simply because the vendor took away the previous ā€œpurgeā€ options.

4 Likes

My +1 as well.

Really? This seems like a huge step backwards.

If reset is part of aggregation that is not a fast way configuration testing. There is the peek option for sample. But peek wonā€™t validate downstream testing/references. Are there priority scenarios we should enable testing configuration for?

Hi @colin_mckibben,

Deleting the source is also causing issues such as source references still existing in the tenant and entitlements are not being deleted.

When we checked the entitlements related to the deleted source on the UI, we have observed that source display name got automatically updated to ā€œTerminate-{Source Name}-1706181341608ā€.

Appreciate if you can help us delete the source permanently.

Thank you.
Shanmukh

2 Likes

I wanted to add to the request for a replacement of this API. I think this would be a big miss to no longer have.

1 Like