Provisioning Users into AD Group via SNOW Form and SailPoint IDN

Hi all — I have a question on ServiceNow (SNOW) catalog integration with IdentityNow (IDN). The customer has a form implemented in ServiceNow and wants to use that same form to submit requests that provision users into an AD group through SailPoint.

It seems IDN does not support form-based request submission out of the box: on the ServiceNow form side they would need to call the IDN workflow API to trigger the provisioning.

Please advise if anyone has a better approach, ideally one where the customer does not need to change much on their end.

Try using the Access Requests API to submit the requests:

We have custom catalog items and workflows in ServiceNow that submit the provisioning requests to IDN on the backend using the Access Requests API.

I understand better what you mean now: you want a way to submit the SailPoint for ServiceNow catalog item from another catalog item in ServiceNow. That is technically possible, but I'd question why it's necessary when you can run the same approval workflow in the original catalog item.

If someone is absolutely insistent they need to do it this way, you can use the ServiceNow CartJS API to "order" the SailPoint catalog item, but you have to look up both the identity ID of the user and the ID of the role/access profile/entitlement you're requesting. Do both lookups server-side, quote or escape the form values before embedding them in the IDN search query, and only submit when each lookup returns exactly one match — otherwise a typo or a crafted value can resolve to the wrong identity or the wrong access item.

Below is an example script I use to submit that catalog item request for multiple users. In this case two users request the same access profile, but it can vary.

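// One-off server-side ServiceNow script that files the SailPoint catalog item
// for each username/group pair below. For every pair it resolves the
// IdentityNow identity id (getIdentityId) and access profile id (getAPId),
// loads the sys_user record (getUserGr), and then orders the catalog item
// through CartJS on behalf of that user. Pairs that fail any lookup are
// logged and skipped rather than submitted with missing values.
var user_access_object = [{
		"username": "aallen3",
		"group": "secwv10usersprod"
	},
	{
		"username": "afriden",
		"group": "secwv10usersprod"
	}
];
// sys_id of the SailPoint catalog item ordered for each pair.
var catalog_item_sys_id = 'eed00879dbb200106388f53a29961920';
// IdentityNow calls made since the last pause; see the throttle in the loop.
var api_calls = 0;
for (var i = 0; i < user_access_object.length; i++) {
	var entry = user_access_object[i];
	// Crude client-side throttle: pause after every 100 calls so a long list
	// does not trip the IdentityNow rate limit.
	if (api_calls >= 100) {
		gs.log('Rate limit exceeded... taking a break...');
		gs.sleep(2000);
		api_calls = 0;
	}
	var identity_id = getIdentityId(entry.username);
	api_calls++;
	var ap_id = getAPId(entry.group);
	api_calls++;
	var user_gr = getUserGr(entry.username);
	// getUserGr hands back the GlideRecord whether or not a row matched, so
	// confirm a record was actually loaded before its sys_id is used as the
	// requested_for of the order; an empty requested_for must never be filed.
	var user_found = user_gr.isValidRecord();
	if (identity_id && ap_id && user_found) {
		var user_sys_id = user_gr.sys_id.toString();
		gs.log('Submitting Access Request for ' +
			entry.username + ' (' + identity_id + ') ' +
			'And Access Object ' + entry.group + ' (' + ap_id + ')');
		var cart = new sn_sc.CartJS();
		// Catalog item variables expected by the SailPoint catalog item.
		var itemVariables = {
			u_sysid: user_sys_id,
			u_username: entry.username,
			u_access_name: entry.group,
			u_access_type: 'ACCESS_PROFILE',
			u_access_id: ap_id,
			u_access_action: 'Add',
			u_comments: 'Required for job duties',
			requested_for: user_sys_id,
			u_identity_external_id: identity_id
		};
		var cartItemAdd = {
			'sysparm_id': catalog_item_sys_id,
			'sysparm_quantity': '1',
			'variables': itemVariables,
			'sysparm_requested_for': user_sys_id
		};
		cart.addToCart(cartItemAdd);
		cart.setRequestedFor(user_sys_id);
		var req = cart.checkoutCart();
		api_calls++;
		// Log the request number so the submission can be traced afterwards.
		gs.log('Submitted request ' +
			(req && req.request_number ? req.request_number : '(no request number returned)') +
			' for ' + entry.username);
	}
	if (!identity_id) {
		gs.log('user access not added for ' + entry.username);
	}
	if (!ap_id) {
		gs.log('Access profile not found for ' + entry.group);
	}
	if (!user_found) {
		gs.log('sys_user record not found for ' + entry.username);
	}
}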

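/**
 * Resolve the IdentityNow identity id for a ServiceNow username.
 *
 * Runs an IdentityNow search (through the 'SailPoint' / 'Search' REST message
 * record, pointed at the chk.identitynow_api_url property) for the identity
 * whose uid equals `username`, limited to the "Mulesoft Profile" identity
 * profile and to the active, legalHoldActive and prehire lifecycle states.
 *
 * @param {string} username  uid to look up. It is quoted and backslash-escaped
 *   before being embedded in the query, so a value that originates from a
 *   catalog form cannot change the structure of the search.
 * @returns {string|undefined} the identity id when exactly one identity
 *   matched; undefined when the request failed, nothing matched, or more than
 *   one identity matched (the caller skips the user in all three cases).
 */
function getIdentityId(username) {
	// Quote the term and escape the two characters that could end the quoted
	// phrase or start an escape sequence inside it.
	var safe_username = '"' + String(username).replace(/(["\\])/g, '\\$1') + '"';
	var search_query = {
		"indices": ["identities"],
		"query": {
			// Every clause is joined with an explicit AND rather than relying on
			// the search service's default operator between adjacent clauses.
			"query": "attributes.uid:" + safe_username +
				" AND identityProfile.name:\"Mulesoft Profile\"" +
				" AND (attributes.cloudLifecycleState:active OR attributes.cloudLifecycleState:legalHoldActive OR attributes.cloudLifecycleState:prehire)"
		}
	};
	var rm = new sn_ws.RESTMessageV2('SailPoint', 'Search');
	rm.setStringParameterNoEscape('url', gs.getProperty('chk.identitynow_api_url'));
	rm.setQueryParameter('count', 'true');
	rm.setRequestBody(JSON.stringify(search_query));
	var response = rm.execute();

	// A non-200 body is an error document, not a result list; do not index it.
	var status = Number(response.getStatusCode());
	if (status !== 200) {
		gs.log('IdentityNow identity search failed for ' + username + ' with HTTP ' + status);
		return;
	}
	var result_count = parseInt(response.getHeader('X-Total-Count'), 10);
	if (result_count === 1) {
		var response_body = JSON.parse(response.getBody());
		return response_body[0].id;
	}
	if (result_count > 1) {
		// Never provision against a guessed identity; report and let the caller skip.
		gs.log('IdentityNow identity search for ' + username + ' is ambiguous (' + result_count + ' matches)');
	}
}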

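/**
 * Resolve the IdentityNow access profile id for an access profile name.
 *
 * Runs an IdentityNow search (through the 'SailPoint' / 'Search' REST message
 * record, pointed at the chk.identitynow_api_url property) for an access
 * profile with the given name whose source is "Active Directory" or
 * "SAP GRC AC".
 *
 * @param {string} ap_name  access profile name. It is quoted and
 *   backslash-escaped before being embedded in the query, so a value that
 *   originates from a catalog form cannot change the structure of the search.
 * @returns {string|undefined} the access profile id when exactly one profile
 *   matched; undefined when the request failed, nothing matched, or more than
 *   one profile matched (e.g. the same name on both sources) — the caller
 *   skips the request in all three cases.
 */
function getAPId(ap_name) {
	// Quote the term and escape the two characters that could end the quoted
	// phrase or start an escape sequence inside it.
	var safe_ap_name = '"' + String(ap_name).replace(/(["\\])/g, '\\$1') + '"';
	var search_query = {
		"indices": ["accessprofiles"],
		"query": {
			"query": "name:" + safe_ap_name +
				" AND (source.name.exact:\"Active Directory\" OR source.name.exact:\"SAP GRC AC\")"
		}
	};
	var rm = new sn_ws.RESTMessageV2('SailPoint', 'Search');
	rm.setStringParameterNoEscape('url', gs.getProperty('chk.identitynow_api_url'));
	rm.setQueryParameter('count', 'true');
	rm.setRequestBody(JSON.stringify(search_query));
	var response = rm.execute();

	// A non-200 body is an error document, not a result list; do not index it.
	var status = Number(response.getStatusCode());
	if (status !== 200) {
		gs.log('IdentityNow access profile search failed for ' + ap_name + ' with HTTP ' + status);
		return;
	}
	var result_count = parseInt(response.getHeader('X-Total-Count'), 10);
	if (result_count === 1) {
		var response_body = JSON.parse(response.getBody());
		return response_body[0].id;
	}
	if (result_count > 1) {
		// Two profiles with this name would make "the first one" a guess;
		// report and let the caller skip the request.
		gs.log('IdentityNow access profile search for ' + ap_name + ' is ambiguous (' + result_count + ' matches)');
	}
}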

/**
 * Fetch the ServiceNow sys_user record for a username.
 *
 * @param {string} username  value matched against sys_user.user_name
 * @returns {GlideRecord} the sys_user GlideRecord. It is returned whether or
 *   not a row matched — the result of get() is not checked here — so callers
 *   must confirm a record was loaded before reading sys_id from it.
 */
function getUserGr(username) {
	var userRecord = new GlideRecord('sys_user');
	userRecord.get('user_name', username);
	return userRecord;
}


@dorisaini, assuming the targeted user is already present in SailPoint, you could do the following:

  1. The client submits a form that specifies which user to add to which AD group.
  2. A workflow is triggered in ServiceNow that calls the SailPoint APIs to check that the security groups (entitlements) are aggregated into SailPoint and are requestable.
  3. The same workflow makes another API call to get the user's ID in SailPoint.
  4. Finally, the workflow submits the entitlement request for the user using the SailPoint APIs.
  5. The workflow then checks the status of the request by calling the APIs. If provisioning succeeds, the workflow closes; if it fails, the workflow submits the access request again, up to a bounded number of retries decided at development time — retrying indefinitely on a failure that will not clear (a rejected request or a permissions error) only generates noise.
  6. While this workflow works, it assumes that no approval layers are configured on the entitlements, and that the user already exists in SailPoint IdentityNow.

Let me know if this helps or if you need some more clarity on which APIs to use and how to use them.

Thanks,
Vaibhav


Thank you, @vdivakar and @mcheek. They need to modify the existing SNOW workflow so that they can use their existing SNOW form to submit the request that provisions existing users into AD groups via ISC.


In that case, go with what @vdivakar described. We do this too, with multiple catalog items in our environment.

