Required Permissions

A user with the following scopes is required to perform the necessary operations:

© SailPoint Technologies, Inc. All Rights Reserved.


This is the companion discussion topic for the documentation at https://documentation.sailpoint.com/connectors/saas/identity_security_cloud_gov/help/saas_connectivity/identity_security_cloud_governance/required_permissions.html

@DocsTeam, under the “Enable/Disable” operation, the scope mentioned is idn:accounts-provisioning:manage.

But it looks like no such scope exists on ISC:

Hi Arshad! Thank you for your input. We’ve created a Jira issue to track the effort and we’ll update the comment thread when it’s been addressed: CONDOCS-4073

1 Like

Hi @Arshad, you can use the scope idn:account-provisioning:manage. There is a typo on this documentation page, which will be corrected soon, as mentioned in the comment above. Thanks!

Thank you @dinesh_mishra. I was able to find this:


Hope the typo in the document is updated soon.

1 Like

Hello @Arshad!
Thanks for bringing this to our attention. The typo in the Required Permissions topic has been corrected.
-Josh

2 Likes

Is this list still correct? We are able to aggregate entitlements, but we receive this error when aggregating accounts.

[ConnectorError] 403 [Possible Suggestion] Ensure that configuration parameters is correct and service account is having required permissions. ERR_BAD_REQUEST, Request failed with status code 403, {"detailCode":"403 Forbidden","trackingId":"2cdfd5fed8904284ba63034942c527e1","messages":[{"locale":"und","localeOrigin":"REQUEST","text":"The server understood the request but refuses to authorize it."},{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood the request but refuses to authorize it."}],"causes":} (requestId: da6c02a201744ffdb5c87cee513b6461)

@rmccoy-unum Yes it is, I was able to use that.

For aggregation, ensure you are using all of the recommended scopes from the documentation on your PAT, then retry the account aggregation:

  • idn:identity:read
  • idn:identity:manage
  • idn:workgroup:read
  • idn:role-unchecked:read
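When a connector returns a 403 like the one above, the quickest check is to look at what scopes the token actually carries rather than what you believe you assigned. The following is an added example, not code from the original thread or from SailPoint: it decodes an access token's payload locally (without verifying the signature, which is fine for inspecting your own token but must never be used for an access decision) and compares its scope claim against the scopes that are named in this thread. It assumes the token is a compact JWT whose payload has a `scope` array, matching the shape of the `scope` list posters show for their PATs; the required-scope set below is only the scopes this thread mentions, not the full documented list, and the sample token is constructed here for demonstration. The checker also flags near-miss spellings, such as the `idn:accounts-provisioning:manage` typo discussed earlier in this topic.

```python
import base64
import json
from difflib import get_close_matches

# Scopes named in this discussion thread. This is NOT the complete documented
# list; take the authoritative set from the Required Permissions page.
REQUIRED_SCOPES = {
    "idn:identity:read",
    "idn:identity:manage",
    "idn:workgroup:read",
    "idn:role-unchecked:read",
    "idn:account-provisioning:manage",  # singular "account", see the typo thread
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT verifying the signature.

    Diagnostic use only: we are inspecting a token we already hold to see what
    the issuer put in it. Never use an unverified payload for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_scopes(granted, required=REQUIRED_SCOPES) -> dict:
    """Report required scopes that are absent, plus likely misspellings.

    A 'suspected typo' is a granted-but-not-required scope whose spelling is
    very close to a missing required one (e.g. 'accounts' vs 'account').
    """
    granted = set(granted)
    missing = sorted(required - granted)
    extras = sorted(granted - required)
    suspected_typos = {}
    for scope in missing:
        close = get_close_matches(scope, extras, n=1, cutoff=0.9)
        if close:
            suspected_typos[scope] = close[0]
    return {"missing": missing, "suspected_typos": suspected_typos}


def check_token(token: str) -> dict:
    """Decode a token and check its 'scope' claim (assumed to be a list)."""
    payload = decode_jwt_payload(token)
    return check_scopes(payload.get("scope", []))


def make_unsigned_sample_token(payload: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT for demonstration only (not a real ISC token)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.signature-omitted"


# Constructed sample payload: carries the misspelled provisioning scope that
# the original documentation typo would lead someone to request.
SAMPLE_PAYLOAD = {
    "tenant_id": "example-tenant",
    "scope": [
        "idn:identity:read",
        "idn:identity:manage",
        "idn:workgroup:read",
        "idn:role-unchecked:read",
        "idn:accounts-provisioning:manage",
        "sp:scopes:default",
    ],
}

if __name__ == "__main__":
    token = make_unsigned_sample_token(SAMPLE_PAYLOAD)
    print(json.dumps(check_token(token), indent=2))
```

Run it against a real token by pasting the bearer token from your own tenant into `check_token`; a non-empty `missing` list explains a 403 before you start looking at network allow-lists or connector configuration, and a `suspected_typos` entry points directly at a scope that was granted under the wrong name.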

@DocsTeam @ryan_mccall @joshb488 @dinesh_mishra

From this documentation, I see that the scopes mentioned below do not exist on the ISC tenant when creating a PAT:

  • idn:role-checked:read
  • idn:role-checked:manage

If these are no longer required, can you please remove them from this document to avoid confusion? Alternatively, if you believe these scope names are misspelled, please provide the correct ones and update the documentation.

Thanks,
Arshad.

Hi Arshad! Thanks for your input. I’ve created a Jira issue to track the investigation on this, and I’ll update the comment thread when it’s been addressed: CONDOCS-6165.

When I asked the question, it was because we couldn’t get the access to work. This ended up being an issue with network whitelisting: apparently the ISC Governance connector requires access to our tenant FROM our tenant. We had to add an IP range to our network whitelist to get this functionality working; the list of rights was correct.

I am not able to get the account aggregation to work after adding all the required permissions. Here is the list of scopes I have added to my API key:

{
  "scope": [
    "idn:identity:read",
    "idn:sources:manage",
    "idn:accounts-state:manage",
    "idn:workgroup:manage",
    "idn:access-profile:manage",
    "idn:entitlement:manage",
    "sp:scopes:default",
    "idn:accounts:manage",
    "idn:role-checked:read",
    "idn:role-unchecked:read",
    "idn:role-checked:manage",
    "idn:sources:read",
    "idn:accounts:read",
    "sp:workflow:manage",
    "idn:identity:manage",
    "sp:search:read",
    "idn:access-request-approvals:manage",
    "idn:role-unchecked:manage",
    "idn:account-provisioning:manage",
    "idn:source-connector:manage",
    "idn:campaign:manage",
    "sp:auth-user:manage",
    "idn:workgroup:read"
  ]
}
Note: I am not using a PAT.

Any idea what could be wrong?

So, I tried the same scopes/permissions but with a PAT, and that worked.