Report to show End User Network ID & Specified Application Account ID?

Hi all, I am curious as to how this can be achieved, if possible. We started with ISC last year and are still in the process of onboarding everything from the old system to the new ISC.

A feature we had in our old system was reporting that allowed us to see users that were currently provisioned for a particular app. This was referred to as an "Accounts by Service" report. Specifically, there we would choose the service/app and export as a CSV. The results gave minimal but very important data; it contained:

  • All users currently provisioned with access to the specified application.
  • One column contained the user's Active Directory / Network ID.
  • Another column contained the user's application-specific Account ID.

Other data provided in the report is not pertinent to what I am trying to replicate, but I would like to see if I can replicate something that gives me the same result as the three bullets above.

In our organization, the majority of users have AD IDs that match many applications, even if the passwords are not synchronized. However, this is not true for 100% of our user population. Our GRC and Audit teams have heavily utilized these reports from our previous system in manual completeness and accuracy checks. I cannot seem to find what I am looking for when searching online.

The best workaround I have found has been to search for accounts on a specified source and download the results with the toggle to include access details turned on. This gives way more information than needed; most of it has to be removed or filtered out. This has been a fine workaround for smaller applications. However, with the larger ones we realized the search export is not capturing all the data, so it is not a scalable temporary solution.

It seems a lot of reporting-type options are not immediately available in the GUI, but maybe other options exist. I am open to ideas on how to solve this or creative workarounds! TIA

Hi @thomaslove

I'm not aware of any out-of-the-box way of doing this in ISC, but it's definitely possible through a custom report using the APIs. I spun up a quick PS script that I think might work for you. You'll need to update some values to match your environment, but this should at least get you started!

$TenantName = "" # e.g., "mytenant"
$client_id = ""
$client_secret = ""
$TenantUrl = "https://$TenantName.api.identitynow.com"

# Client-credentials token request. The ID and secret are URL-encoded so a secret containing
# '&', '+' or '%' does not break the query string. The secret still travels in the URL, so keep
# this out of proxy and debug logs, and use a PAT scoped to read accounts/identities only.
$tokenUri = "$TenantUrl/oauth/token?grant_type=client_credentials" +
            "&client_id=$([uri]::EscapeDataString($client_id))" +
            "&client_secret=$([uri]::EscapeDataString($client_secret))"
$tokenRequest = Invoke-RestMethod -Method Post -Uri $tokenUri
$headers = @{
    "Content-Type"  = "application/json"
    "Accept"        = "application/json"
    "Authorization" = "Bearer $($tokenRequest.access_token)"
}

$ADSourceID    = ""   # ID of the Active Directory source (supplies the Network ID column)
$sourcetoquery = ""   # ID of the application source you want the report for

# Shared pager: the list endpoints cap limit at 250 and return an empty page once offset is past
# the end, so loop until nothing comes back. The @() wrapping keeps a single-object page countable.
function Get-AllPages {
    param([string]$BaseUrl, [int]$Limit = 250)
    $offset = 0
    $all = @()
    while ($true) {
        $sep = if ($BaseUrl.Contains("?")) { "&" } else { "?" }
        $page = Invoke-RestMethod "$BaseUrl${sep}offset=$offset&limit=$Limit" -Method GET -Headers $headers
        if ($null -eq $page -or @($page).Count -eq 0) { break }
        Write-Host "Fetched $(@($page).Count) objects at offset $offset"
        $all += @($page)
        $offset += $Limit
    }
    return ,$all
}

# The filter value contains spaces and quotes, so URL-encode it rather than pasting it into the URL.
$adFilter  = [uri]::EscapeDataString('sourceId eq "' + $ADSourceID + '"')
$appFilter = [uri]::EscapeDataString('sourceId eq "' + $sourcetoquery + '"')

$allResultsIdentities      = Get-AllPages -BaseUrl "$TenantUrl/beta/identities"
$allResultsActiveDirectory = Get-AllPages -BaseUrl "$TenantUrl/v2024/accounts?filters=$adFilter"
$allResultsAccounts        = Get-AllPages -BaseUrl "$TenantUrl/v2024/accounts?filters=$appFilter"

# Index identities by ID and AD accounts by owning identity once, so the join below is a hash
# lookup instead of a full scan of both lists for every application account.
$identityById = @{}
foreach ($i in $allResultsIdentities) { $identityById[$i.id] = $i }

$adByIdentity = @{}
foreach ($a in $allResultsActiveDirectory) {
    if (-not $a.identityId) { continue }   # uncorrelated AD account, nothing to join on
    if (-not $adByIdentity.ContainsKey($a.identityId)) { $adByIdentity[$a.identityId] = @() }
    $adByIdentity[$a.identityId] += $a.nativeIdentity
}

$report = foreach ($appAccount in $allResultsAccounts) {
    $ownerId  = $appAccount.identityId
    $identity = if ($ownerId) { $identityById[$ownerId] } else { $null }
    # One identity can own several AD accounts (a separate admin account, for example);
    # join them with ';' so the cell never collapses to an array or a blank.
    $networkId = if ($ownerId -and $adByIdentity.ContainsKey($ownerId)) { $adByIdentity[$ownerId] -join ";" } else { "" }
    [PSCustomObject]@{
        DisplayName  = $identity.name
        IdentityID   = $ownerId
        NetworkID    = $networkId
        AppAccountID = $appAccount.nativeIdentity
        Uncorrelated = [bool]$appAccount.uncorrelated   # true = account has no identity; flag it for review
        Disabled     = [bool]$appAccount.disabled       # the Account object carries disabled/locked flags, not a single state field
        Locked       = [bool]$appAccount.locked
    }
}

$report | Export-Csv -Path "C:/temp/AppAccessReport.csv" -NoTypeInformation
# Completeness check: there must be exactly one row per application account, or the export is short.
Write-Host "Report generated: AppAccessReport.csv ($(@($report).Count) rows for $(@($allResultsAccounts).Count) accounts)"

Let me know if you have any questions!
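To put numbers behind the "export is not capturing all the data" concern, here is an added example (not part of the reply above and not SailPoint's own code) of the two completeness checks an audit team would want on top of that script: paging until the count fetched matches the total the server reports, and listing the rows that need an explanation rather than a tick. The function names (Get-AllPagesChecked, Get-ReportExceptions), the injected fetcher and the sample rows are all constructed for this example; the only API facts assumed are that the v2024 list endpoints return an X-Total-Count header when count=true is requested, and that the column names match the report script.

```powershell
# Added example: completeness and exception checks for an accounts-by-service export.
# Everything here is constructed for illustration; nothing in this block talks to a tenant.

function Get-AllPagesChecked {
    # $Fetch is a scriptblock taking ($offset, $limit) and returning @{ Items = <array>; TotalCount = <int> }.
    # Paging stops on an empty page, then the row count is reconciled against the server total, so a
    # silently truncated export fails loudly instead of producing a short CSV.
    param([scriptblock]$Fetch, [int]$Limit = 250)
    $offset = 0
    $items  = @()
    $total  = $null
    while ($true) {
        $page = & $Fetch $offset $Limit
        if ($null -eq $total) { $total = [int]$page.TotalCount }
        if (@($page.Items).Count -eq 0) { break }
        $items  += @($page.Items)
        $offset += $Limit
    }
    if ($items.Count -ne $total) {
        throw "Incomplete export: fetched $($items.Count) of $total objects reported by the server"
    }
    return ,$items
}

function Get-ReportExceptions {
    # Rows from the CSV that an auditor has to explain rather than tick off.
    param([object[]]$Rows)
    [PSCustomObject]@{
        NoNetworkId         = @($Rows | Where-Object { [string]::IsNullOrEmpty($_.NetworkID) } | ForEach-Object AppAccountID)
        DuplicateAppAccount = @($Rows | Group-Object AppAccountID | Where-Object Count -gt 1 | ForEach-Object Name)
        MultiAccountUsers   = @($Rows | Where-Object { $_.NetworkID } | Group-Object NetworkID | Where-Object Count -gt 1 | ForEach-Object Name)
    }
}

# --- Constructed sample data -------------------------------------------------------------
# Seven fake accounts and a fake fetcher that pages through them the way the API would.
$dataset = 1..7 | ForEach-Object { [PSCustomObject]@{ nativeIdentity = "user$_" } }
$goodFetch = { param($offset, $limit)
    @{ Items = @($dataset | Select-Object -Skip $offset -First $limit); TotalCount = $dataset.Count } }
# A fetcher that loses one object mid-page, standing in for an export that quietly drops rows.
$shortFetch = { param($offset, $limit)
    @{ Items = @($dataset | Select-Object -Skip $offset -First $limit | Where-Object nativeIdentity -ne 'user5'); TotalCount = $dataset.Count } }

$ok = Get-AllPagesChecked -Fetch $goodFetch -Limit 3
Write-Host "Good fetch returned $($ok.Count) objects"
try   { Get-AllPagesChecked -Fetch $shortFetch -Limit 3 | Out-Null }
catch { Write-Host "Short fetch rejected: $_" }

# Sample report rows in the shape the script above exports (constructed, not real users).
$rows = @(
    [PSCustomObject]@{ DisplayName = 'Jane Doe';   IdentityID = 'i1';  NetworkID = 'CORP\jdoe'; AppAccountID = 'jdoe' },
    [PSCustomObject]@{ DisplayName = 'Jane Doe';   IdentityID = 'i1';  NetworkID = 'CORP\jdoe'; AppAccountID = 'jdoe_admin' },
    [PSCustomObject]@{ DisplayName = 'Alex Smith'; IdentityID = 'i2';  NetworkID = '';          AppAccountID = 'asmith' },
    [PSCustomObject]@{ DisplayName = $null;        IdentityID = $null; NetworkID = '';          AppAccountID = 'svc_app' },
    [PSCustomObject]@{ DisplayName = 'Bo Li';      IdentityID = 'i3';  NetworkID = 'CORP\bli';  AppAccountID = 'asmith' }
)
Get-ReportExceptions -Rows $rows | Format-List

# Against a live tenant, reusing $TenantUrl and $headers from the script above and $filter being the
# URL-encoded sourceId filter, the fetcher would read the header instead of a local array (assumed shape):
# $liveFetch = { param($offset, $limit)
#     $r = Invoke-WebRequest -UseBasicParsing -Headers $headers `
#          -Uri "$TenantUrl/v2024/accounts?count=true&offset=$offset&limit=$limit&filters=$filter"
#     @{ Items = @($r.Content | ConvertFrom-Json); TotalCount = [int]($r.Headers['X-Total-Count'] | Select-Object -First 1) } }
```

The fetcher is injected as a scriptblock so the paging and reconciliation logic can be exercised offline; the X-Total-Count header is read with Select-Object -First 1 because PowerShell 7 exposes response headers as string arrays while 5.1 exposes them as strings. The "NoNetworkId" list is the set the original poster describes as the part of the population whose AD ID does not line up with the application, which is exactly what a completeness-and-accuracy reviewer needs to see called out rather than buried in a blank cell.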

@thomaslove you can use the search API to get information about the identity for whom the account was created in the target application.
Further, you can save those queries and schedule the search.

Below is a sample query:

name:"Create Account Passed" AND created:[now-2h TO now] AND attributes.cloudAppName:""