REST APIs for managing Governance Groups

A user recently asked if SailPoint has REST APIs for managing governance groups (AKA workgroups). We do, but they are undocumented v2 APIs. There is work being done by our engineers to bring more of our v1 and v2 APIs into v3, and workgroups is on the list. However, until workgroups makes it into v3, here are the details for managing workgroups using the v2 API:

GET /v2/workgroups (list all workgroups)

GET /v2/workgroups/{workgroupId}/members (list all members of a workgroup)

POST /v2/workgroups/{workgroupId}/members (Add and/or remove one or more members to or from a workgroup using their identity IDs)
Body:

{
    "add": [
        "2c91808375d8e80a0175e1f88a575221"
    ],
    "remove": []
}

POST /v2/workgroups (Create a new workgroup)
Body:

{
    "name": "Test group 3",
    "description": "This is a test",
    "owner": {
        "id": "2c9180867624cbd7017642d8c8c81f67"
    }
}

PATCH /v2/workgroups/{workgroupId} (Update a workgroup)
Body:

{
    "name": "Test group 3",
    "description": "This is a test 2",
    "owner": {
        "id": "2c9180867624cbd7017642d8c8c81f67"
    }
}

GET /v2/workgroups/{workgroupId}/connections (Get a list of associations for the governance group)

POST /v2/workgroups/bulk-delete (Delete one or more workgroups)
Body:

{
    "ids": [
        "868edef1-222b-40e4-8787-b56cfd78b100"
    ]
}

There doesn’t seem to be an easy way to find terminated governance group members without iterating over all governance groups. Same for access profile and role owners/approvers. There has been an idea for this for over a year that hasn’t received any attention https://ideas.sailpoint.com/ideas/GOV-I-735.

Being able to keep owners/approvers updated in SailPoint is required by auditors and should be something easy to do in IdentityNow without having to build and maintain custom scripts to iterate over all objects (gov groups, roles, access profiles).

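A worked example, added here and not taken from the original post or from SailPoint: a small Python client over the v2 workgroup endpoints listed in the first post, used to reconcile a group's membership with a single add/remove POST and to do the per-group sweep for members who are no longer active that the reply above says currently needs custom scripts. The `send` callable, the `FakeTenant` stand-in and the identity/workgroup ids are constructed assumptions; against a real tenant `send` would wrap an authenticated HTTP call.

```python
class WorkgroupClient:
    """Thin wrapper over the v2 workgroup endpoints listed in the first post."""
    def __init__(self, send):
        # send(method, path, body) -> decoded JSON. Injected so the same client
        # runs against an authenticated HTTP session on a real tenant or the
        # constructed FakeTenant below (assumption: no real SailPoint calls).
        self.send = send

    def list_workgroups(self):
        return self.send("GET", "/v2/workgroups", None)

    def members(self, wg_id):
        return self.send("GET", f"/v2/workgroups/{wg_id}/members", None)

    def reconcile_members(self, wg_id, desired_ids):
        """Make membership equal desired_ids using one add/remove POST body."""
        current = {m["id"] for m in self.members(wg_id)}
        body = {"add": sorted(set(desired_ids) - current),
                "remove": sorted(current - set(desired_ids))}
        if body["add"] or body["remove"]:
            self.send("POST", f"/v2/workgroups/{wg_id}/members", body)
        return body

    def stale_members(self, active_ids):
        """Sweep every group for members whose identity is not in active_ids."""
        active = set(active_ids)
        return {wg["id"]: sorted(m["id"] for m in self.members(wg["id"])
                                 if m["id"] not in active)
                for wg in self.list_workgroups()}

    def bulk_delete(self, ids):
        return self.send("POST", "/v2/workgroups/bulk-delete", {"ids": list(ids)})


class FakeTenant:
    """Constructed in-memory stand-in; implements only the paths used above."""
    def __init__(self):
        self.groups = {"wg-1": {"id": "wg-1", "name": "Test group 3",
                                "members": {"id-a", "id-b"}}}

    def __call__(self, method, path, body):
        if path == "/v2/workgroups":
            return [{"id": g["id"], "name": g["name"]} for g in self.groups.values()]
        if path == "/v2/workgroups/bulk-delete":
            return [self.groups.pop(i, None) for i in body["ids"]]
        wg = self.groups[path.split("/")[3]]  # "/v2/workgroups/{id}/members"
        if method == "POST":  # apply the {"add": [...], "remove": [...]} body
            wg["members"] = (wg["members"] | set(body["add"])) - set(body["remove"])
        return [{"id": i} for i in sorted(wg["members"])]
```

The reconcile step computes the diff locally, so it is idempotent: running it twice against the same desired list sends no second POST.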

David,

The quickest way to get this working is to build scripts, as you mentioned. However, there is a strong desire to have this functionality built into IDN. I’m bringing this idea up to our product team to see if we can get traction on it.


It looks like PM has merged this idea into GOV-I-1864 and has already started to do industry research on it. Once initial research is done, it will appear in In Discovery for broader customer feedback.


Related to this, has anyone managed to build a loopback source in IDN to be able to:

  1. Manage Governance Group membership via IDN access request flows
  2. Run periodic certification campaigns in order to review Governance Group membership?

I can aggregate both identities (using /v3/search at the moment for this) and the entitlements (v2/workgroups) but linking the workgroups to identities is… tricky.

I could probably get it done with an after operation rule but I’m not too familiar with them.

My current approach is to

  1. Aggregate identities from v3/search
  2. Aggregate governance groups from v2/workgroups
  3. 2nd account aggregation is child to entitlement aggregation and uses the response to query v2/workgroups/$response.workgroup_id$/members

Nothing errors, but none of the aggregated accounts have any entitlements listed either.

I am at the same point myself. Identities and Entitlements independently aggregated, but have not come up with a method to associate the two using the operations.

Hi folks, does anyone know if IDN Governance Groups are of the same object model type as Workgroup objects in IIQ (an Identity object)? We are trying to look up the Governance Group name in our email template, but our $wg variable is not even being set.

After setting $spctx to current context and looping through work items:
#set($wg=$spctx.getObjectById($spTools.class.forName("sailpoint.object.Identity"),$workItem.getAttribute("workgroupId")))
$wg.getName()

Any ideas here?

Have a look at this.

HTH


Hi Colin, your solution to this has been very helpful! I have one question, when trying to use these endpoints I seem to be having trouble assigning the owner to the workgroup. My workgroup gets created but the owner is set to null. Have tried a combination of different setups, but to no luck. I then tried the update for the workgroup with the PATCH call, but the owner remains null. Have you run into this and have a solution?

Best,
Alex


Is PATCH /v2/workgroups being deprecated? I didn’t see that one in the list. We are using it and trying to migrate to newer versions so if anyone has any info on this let me know.