Provisioning using Web Service Connector and APIs: How to Add Entitlements with Individual API Calls

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hello Sailpoint Community,

I’m working on implementing provisioning using APIs with a Web Service Connector. I’ve set up my connector with the following configuration:

  • Account Aggregation: Using a GET API to retrieve user information, which includes a “security_profile” mapped to a String Entitlement.

Account Schema:

image
image1018×584 21.4 KB

image
image976×532 21.3 KB

  • Group Aggregation: Retrieving role ID and role name, with one entitlement type = group, where application_role_id== Entitlement ID and application_role_name== Entitlement Name. The application_role_id is also mapped as a group Entitlement in the Account schema.

image
image1038×498 17.8 KB

  • Create Account: Using an Access Profile (AP) that bundles “security_profile”, “Entitlement 1”, and “Entitlement 2”.

  • In the before operation rule, I can retrieve the “security_profile” value from the provisioning plan which is required to create the account.

Provisioning plan attributes from the before provisioning log:

attributes=[{op=Add, name=application_role_name, value=[Entitlement 1, Entitlement 2]}, {op=Add, name=security_profile, value=etmf_document_user__c}

However, I’m struggling with the Add Entitlement part. In the same provisioning plan request, I receive Entitlement 1 and Entitlement 2 values under “application_role_name”. I want to use these values to make individual API calls for each entitlement.

Question: How can I achieve this in my scenario? Is there a way to iterate over the entitlements in the provisioning plan and make separate API calls for each one?

Any guidance or examples would be greatly appreciated.

1 Like
2

Hi,

Is it mandatory to add the entitlement values in create HTTP operation?

You create account first without sending entitlements, then add “Add Entitlement” HTTP operation to make API calls to assign permissions.

If you do it then add entitlement HTTP operation will be called two times after account creation.

-Abhinov

3

So, here is how I want to do:

I have an Access Profile (AP) that includes a single “security_profile” and multiple “application_role_id” entitlements.

The provisioning plan also reflects this differentiation:

attributes=[{op=Add, name=application_role_name, value=[Entitlement 1, Entitlement 2]}, {op=Add, name=security_profile, value=etmf_document_user__c}

For the “Create Account” operation, I only need to use the “security_profile” value, as it’s mandatory for the API call.

After Account creation, for the “Add Entitlement” operation, I want to retrieve the “application_role_name” values and make separate API calls for each value. If there are multiple values, I want to iterate over them and make individual API calls.

4

Check this out:

Use $plan in the body. I am not sure about the keywords under $plan.

Can you post the Provisioning Plan XML entirety?

5

Hi @sita_ram ,

From your source config, can you provide the response information mapping for the entitlements?

6

I don’t have any mapping defined, I added logs in the before operation rule and after operation rule to check if the Http operation is executed - multiple times or single time.