REST APIs for managing Governance Groups

A user recently asked if SailPoint has REST APIs for managing governance groups (AKA workgroups). We do, but they are undocumented v2 APIs. There is work being done by our engineers to bring more of our v1 and v2 APIs into v3, and workgroups is on the list. However, until workgroups makes it into v3, here are the details for managing workgroups using the v2 API:

GET /v2/workgroups (list all workgroups)

GET /v2/workgroups/{workgroupId}/members (list all members of a workgroup)

POST /v2/workgroups/{workgroupId}/members (Add and/or remove one or more members to a workgroup using their identity ID)
Body:

{
    "add": [
        "2c91808375d8e80a0175e1f88a575221"
    ],
    "remove": []
}

POST /v2/workgroups (Create a new workgroup)
Body:

{
    "name": "Test group 3",
    "description": "This is a test",
    "owner": {
        "id": "2c9180867624cbd7017642d8c8c81f67"
    }
}

PATCH /v2/workgroups/{workgroupId} (Update a workgroup)
Body:

{
    "name": "Test group 3",
    "description": "This is a test 2",
    "owner": {
        "id": "2c9180867624cbd7017642d8c8c81f67"
    }
}

GET /v2/workgroups/{workgroupId}/connections (Get a list of associations for the governance group)

POST /v2/workgroups/bulk-delete (Delete one or more workgroups)
Body:

{
    "ids": [
        "868edef1-222b-40e4-8787-b56cfd78b100"
    ]
}
6 Likes

There doesn’t seem to be an easy way to find terminated governance group members without iterating over all governance groups. Same for access profile and role owners/approvers. There has been an idea for this for over a year that hasn’t received any attention https://ideas.sailpoint.com/ideas/GOV-I-735.

Being able to keep owners/approvers updated in SailPoint is required by auditors and should be something easy to do in IdentityNow without having to build and maintain custom scripts to iterate over all objects (gov groups, roles, access profiles).

David,

The quickest way to get this working is to build scripts, as you mentioned. However, there is a strong desire to have this functionality built into IDN. I’m bringing this idea up to our product team to see if we can get traction on it.

1 Like

It looks like PM has merged this idea into GOV-I-1864 and has already started to do industry research on it. Once initial research is done, it will appear in In Discovery for broader customer feedback.

1 Like

Related to this, has anyone managed to build a loopback source in IDN to be able to:

  1. Manage Governance Group membership via IDN access request flows
  2. Run periodic certification campaigns in order to review Governance Group membership?

I can aggregate both identities (using /v3/search at the moment for this) and the entitlements (v2/workgroups) but linking the workgroups to identities is… tricky.

I could probably get it done with an after operation rule but I’m not too familiar with them.

My current approach is to

  1. Aggregate identities from v3/search
  2. Aggregate governance groups from v2/workgroups
  3. 2nd account aggregation is child to entitlement aggregation and uses the response to query v2/workgroups/$response.workgroup_id$/members

Nothing errors but none of the aggregated accounts have any entitlements listed either

I am at the same point myself. Identities and Entitlements independently aggregated, but have not come up with a method to associate the two using the operations.