POST /api/system/refreshIdentities

This API has a number of features that can be controlled in the request body. Here are the replacements for the following capabilities.

You can also process identities under an identity profile using sync-identity-profile, but this will only process identities whose attributes actually changed. If you need to guarantee identity processing, regardless of whether the attributes changed or not, then use start-identity-processing.


Hi @colin_mckibben,

As I went through the documentation, there is a pagination of 250 records per call that we need to handle.

But is there a way to promote attributes in bulk for all the identities in the tenant with a single API call?

Can you tell me more about your use case for promoting attributes in all identities? Usually, you would only run these tasks on a filtered list of identities that need it.

Hi @colin_mckibben, we have a similar use case where we are using this API to do calculations on a termination date we are receiving from our source connector. We need it to run all of our identities so they are evaluated multiple times a day.


There are a couple of options you can consider.

Assuming the termination date is an identity attribute, you can use the identity attributes changed trigger to be notified when the termination date of an identity has changed. You can then process that single identity. This can also be done via Workflows quite easily, and would be more efficient than processing all identities. You would only need to process the identities that actually change.

If you need to process all identities for a particular source, then you can use the search API to get all of the identities and then run each identity through the process identity endpoint. Here is the search query you would run to get the IDs for all identities for a single source:

POST /v3/search

{
    "indices": [
        "identities"
    ],
    "query": {
        "query": "source.id:446f3264e5da4e40ac150aa79ffebc6c"
    },
    "queryResultFilter": {
        "includes": [
            "id"
        ]
    }
}

“Usually, you would only run these tasks on a filtered list of identities that need it.”

If you want to go to that much trouble as an administrator. Being able to just run the 'refresh-identities' command saves valuable administrator time. Can you provide an example of how you can accomplish the same action as the deprecated ‘Refresh Identities’ command using this ‘start-identity-processing’? Most of the time I really do not want to have to manufacture a filtered list of identities for this.

Depending on the reason why you need to refresh identities, there are a few options. However, I encourage you to read this document on identity processing. IdentityNow has several layers of identity processing that may not require you to manually invoke the processing.

However, going forward, there will no longer be a single API to refresh all identities in the system. This type of behavior can be achieved through a script that calls several endpoints, but it is recommended to follow the approach in the above doc before resorting to a script.

So given the limit of 250, we can just write a script that will fetch all the identities and send them to start-identity-processing in chunks of 250 … not so big of a deal to script, so if someone needs to refresh all, it can be done this way …

However, it will likely be less efficient and more costly; it might be better if the option to refresh all is also offered and is optimized for that.

If processing all identities is required, is there any reason not to use the sync-identity-profile API mentioned at the bottom of the original post for each identity profile in the tenant? Does this provide all of the same processing functionality behind the scenes as the start-identity-processing API?

If you use the search API to find identities, then that limit is 10,000 before you need to start paginating.

Agreed. Manually refreshing identities is not the ideal approach. However, it may be worth reading the updated identity processing documentation. There have been some changes to how IDN processes identities that may not require you to manually process them anymore.
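An added example, not code from SailPoint or from any poster in this thread: the search-then-process script discussed above, with the HTTP call left as a hypothetical `post(path, body)` function you supply (it should send an authenticated POST and return the parsed JSON). The `identityIds` body field and the 32-hex-character source ID format are assumptions.

```python
import re
from typing import Callable, Iterator, List

SEARCH_PATH = "/v3/search"                  # from the thread
PROCESS_PATH = "/beta/identities/process"   # endpoint named in the thread
BATCH_SIZE = 250          # per-call limit mentioned in the thread
SEARCH_CEILING = 10_000   # search results before pagination is needed (per the thread)
Post = Callable[[str, dict], object]  # hypothetical transport: (path, JSON body) -> parsed JSON

def search_body(source_id: str) -> dict:
    """The thread's search query: return only the IDs of identities on one source."""
    # Assumption: source IDs are 32 hex characters, like the one in the thread.
    # Rejecting anything else keeps stray query syntax out of the search string.
    if not re.fullmatch(r"[0-9a-f]{32}", source_id):
        raise ValueError("unexpected source id format")
    return {
        "indices": ["identities"],
        "query": {"query": f"source.id:{source_id}"},
        "queryResultFilter": {"includes": ["id"]},
    }

def identity_ids(post: Post, source_id: str) -> List[str]:
    hits = post(SEARCH_PATH, search_body(source_id))
    if len(hits) >= SEARCH_CEILING:
        # Fail loudly rather than process a silently truncated population.
        raise RuntimeError("search reached 10,000 results; paginate before processing")
    # De-duplicate while keeping order so no identity is submitted twice.
    return list(dict.fromkeys(hit["id"] for hit in hits))

def batches(ids: List[str], size: int = BATCH_SIZE) -> Iterator[List[str]]:
    for start in range(0, len(ids), size):
        yield ids[start:start + size]

def process_source(post: Post, source_id: str) -> int:
    """Submit every identity on the source for processing; return the number of calls."""
    calls = 0
    for batch in batches(identity_ids(post, source_id)):
        post(PROCESS_PATH, {"identityIds": batch})  # assumed body field name
        calls += 1
    return calls

if __name__ == "__main__":
    # Constructed stand-in for the tenant: 600 identities, no network access.
    fake = lambda path, body: [{"id": f"id{i}"} for i in range(600)] if path == SEARCH_PATH else None
    print(process_source(fake, "446f3264e5da4e40ac150aa79ffebc6c"))
```

Run it with a credential scoped to just these two endpoints, and keep the returned call count in your job log so a partial run is visible.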

Hi @colin_mckibben, I noticed that using /beta/identities/process to process an identity results in a different behavior than clicking the process button on an identity in the identity page (which triggers the endpoint ...identitynow.com//mentos/v3/identities/process). Clicking the process button through the UI results in direct processing, whereas using the API to process an identity did not. Either the API is actually not working or the task takes way longer than desired.

Can you confirm if this different behavior is done purposefully? If so, is there a way how we can call the API to have it work in the same way?

Kind regards,
Angelo

PM said that the API and the UI button should have the same behavior. If you are noticing otherwise, please open a support ticket so they can investigate your tenant. It’s possible this is a bug, but it could also be an environment-specific issue.