Retrieving identity attributes in PowerShell After Scripts for IQService

Hi All, first time here creating a PowerShell After Script for IQService. The script I am writing now invokes a POST method API to pass values from AD to a third-party application. This third-party application will be the one to provision/deprovision the mailbox.

I use the following to try to retrieve the values from the AD application.

# Get xmlFactory object to retrieve application configuration
$xmlFactory = [sailpoint.Utils.xml.XmlFactory]::Instance;

# Read the environment variables
$sReader1 = $env:Application

# Retrieve application configuration object
$appObject = $xmlFactory.parseXml($sReader1)

# Retrieve attribute values from AD
$adid = $appObject.sAMAccountName
$email = $appObject.email

and here is my code for invoking the API POST method

# Variables that need to come from the identity attributes
$CreateOperation = "provisioning"
$DisableOperation = "deprovisioning"

$headers = @{
    'x-api-key' = 'sample1234'
}
$Users = @{
    "Domain" = "example"
    "Username" = "$adid"
    "EmailAddress" = "$email"
}
$UsersJsonBody = $Users | ConvertTo-Json

# Deprovisioning API endpoint
$Deprovm365URL = "https://api-test.example.com/aiamapi/api/mailbox/deprovision"
$DeprovBody = @{
    "RequestedBy" = "admin1::[email protected]"
    "InstitutionName" = "SAMPLE"
    "Users" = "$UsersJsonBody"
}
$DeprovJsonBody = $DeprovBody | ConvertTo-Json

# Provisioning API endpoint
$Provm365URL = "https://api-test.example.com/aiamapi/api/mailbox/provision"
$ProvBody = @{
    "RequestedBy" = "admin1::[email protected]"
    "InstitutionName" = "SAMPLE"
    "Users" = "$UsersJsonBody"
    "LinkedAccountDomain" = "example"
    "LinkedAccount" = "$adid"
    "UserEmail" = "$email"
    "DisplayName" = "$displayname"
}
$ProvJsonBody = $ProvBody | ConvertTo-Json

# Comparison operands must be quoted strings; a bareword here is a parse error,
# and PowerShell's keyword is "elseif", not "else if"
if ($DisableOperation -eq "deprovisioning") {
    # Invoke the API request
    Invoke-RestMethod -ContentType "application/json" -Uri $Deprovm365URL -Method Post -Headers $headers -Body $DeprovJsonBody
}
elseif ($CreateOperation -eq "provisioning") {
    Invoke-RestMethod -ContentType "application/json" -Uri $Provm365URL -Method Post -Headers $headers -Body $ProvJsonBody
}

I need to get the values for $CreateOperation and $DisableOperation from the identity attributes and use them in the if-else logic so my script knows which API call to invoke.

Please advise. Thank you!

If I understand your requirement correctly, I think you will need to have two separate rules, one AfterCreate rule and the other an AfterModify rule (for disable operations); those will then invoke the respective APIs for the third-party application.

$operation = $requestObject.Operation

The request object within the rule will give you information about the operation (Create/Enable/Disable, etc.).

Kindly check the documentation on After Rules here. This link has detailed samples for the rules too, so you can check the contents of the request and response objects available in the script.

Hi Sharvari,

I tried to use the connectoraftermodify rule to invoke my de-provisioning API, but I am encountering this error
["Error(s) report back from IQService - After script return non zero exit code: 255: "].

Have any ideas for this? Thank you so much.

It looks like your script execution is being blocked, either by a policy or firewall or antivirus on the server. Please work with your networking team to identify the program blocking it.

Hi @sharvari

My AfterModify script is now calling my PowerShell script. I used the Before Provisioning rule to add the attributes I need in the AttributeRequests. Now I can log the Request as an XML object. How can I get the value from the XML object?

I tried using the requestObject.sAMAccountName syntax but it's not working. Any advice please? Thanks.

By the way, I resolved the error "Error(s) report back from IQService - After script return non zero exit code: 255:" by adding the following attributes in the Connector rule:

"attributes": {
    "ObjectOrientedScript": "true",
    "extension": ".ps1",
    "sourceVersion": "1.0",
    "disabled": "false",
    "program": "powershell.exe",
    "timeout": "360"
},

1 Like

Hi @Rpalos,
In order to fetch the desired attribute(s), refer to this doc: Before and After Operations on Source Account Rule | SailPoint Developer Community

There is a function Get-AttributeValueFromAccountRequest in the After script template which helps you get the desired attribute from your account request.
Snippet from the doc below:

#if we have a non-null account request, get our value; otherwise return nothing
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
    $value = $null;

    if ($request) {
        foreach ($attrib in $request.AttributeRequests) {
            if ($attrib.Name -eq $targetAttribute) {
                $value = $attrib.Value;
                break;
            }
        }
    } else {
        LogToFile("Account request object was null");
    }
    return $value;
}

Hi @gauravsajwan1, thanks for helping.

Yes, I already have this in my PowerShell script. But how can I get a certain attribute?

I already use the following but no luck:

$ADID = requestObject.sAMAccountName
$ADID2= requestObject.Attributes.sAMAccountName

LogToFile ($ADID and $ADID2)

Can you guide me with the exact syntax to fetch a single attribute like sAMAccountName?

As @gauravsajwan1 mentioned, you have to use the Get-AttributeValueFromAccountRequest helper function above to fetch the value of sAMAccountName.

$ADID = Get-AttributeValueFromAccountRequest($requestObject, "sAMAccountName")

1 Like

Hi @sharvari

I used this syntax


$ADID = Get-AttributeValueFromAccountRequest($requestObject, "sAMAccountName")

But I got this error

Error: Item = -> Message = Cannot process argument transformation on parameter 'request' Cannot convert the "system.Object[]" value of type "System.Object[]" to type "sailpoint.utils.objects.AccountRequest"
Exiting After Modify SailPoint rule

Hi @Rpalos

Try this:
$ADID = Get-AttributeValueFromAccountRequest $requestObject "sAMAccountName"

3 Likes
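Putting the thread's pieces together (Sharvari's `$requestObject.Operation` branching, gauravsajwan1's helper, and the space-separated call syntax that finally worked), here is one After script that dispatches to the provision or deprovision endpoint. This is an added example, not code from the thread or from SailPoint's template. It assumes the standard IQService template preamble has already built `$requestObject` from `$env:Request` via `$xmlFactory.parseXml` and defined `LogToFile` and `Get-AttributeValueFromAccountRequest` above this point; the operation names "Create" and "Disable", the key file path, and the shape of the `Users` field the third-party API expects are assumptions.

```powershell
# Added example, not the thread's own code or SailPoint's template. Assumes the
# After script template has already run: $requestObject was built from
# $env:Request with $xmlFactory.parseXml, and LogToFile and
# Get-AttributeValueFromAccountRequest are defined earlier in the script.

# PowerShell functions take space-separated arguments. Writing
#   Get-AttributeValueFromAccountRequest($requestObject, "sAMAccountName")
# passes ONE argument, an Object[] array, which is exactly the
# "Cannot convert the System.Object[] value" error seen in the thread.
$adid        = Get-AttributeValueFromAccountRequest $requestObject "sAMAccountName"
$email       = Get-AttributeValueFromAccountRequest $requestObject "mail"
$displayName = Get-AttributeValueFromAccountRequest $requestObject "displayName"

# The request object carries the operation, so branch on it rather than on
# hard-coded strings. Operation names "Create" and "Disable" are assumptions.
$operation = $requestObject.Operation
LogToFile "Operation=$operation sAMAccountName=$adid"

if ([string]::IsNullOrEmpty($adid)) {
    LogToFile "sAMAccountName missing from AttributeRequests; nothing to send"
    exit 1    # a non-zero exit is reported back to IQService as a failure
}

# Read the API key from a file only the IQService service account can read
# (placeholder path) instead of embedding it in a script on the host.
$apiKey  = (Get-Content -Path 'C:\IQService\secrets\mailbox-api.key' -Raw).Trim()
$headers = @{ 'x-api-key' = $apiKey }
$baseUrl = 'https://api-test.example.com/aiamapi/api/mailbox'

# Build the payload as nested hashtables and let ConvertTo-Json serialize it
# once. Quoting an already-serialized JSON string inside the hashtable, as in
# the question, sends an escaped string, not a nested object. (That the API
# expects Users as an array of objects is an assumption.)
$user = @{ Domain = 'example'; Username = $adid; EmailAddress = $email }
$body = @{
    RequestedBy     = 'admin1::[email protected]'
    InstitutionName = 'SAMPLE'
    Users           = @($user)
}

switch ($operation) {
    'Create' {
        $body.LinkedAccountDomain = 'example'
        $body.LinkedAccount       = $adid
        $body.UserEmail           = $email
        $body.DisplayName         = $displayName
        $uri = "$baseUrl/provision"
    }
    'Disable' { $uri = "$baseUrl/deprovision" }
    default {
        LogToFile "No API call configured for operation '$operation'"
        exit 0
    }
}

try {
    $json   = $body | ConvertTo-Json -Depth 5
    $result = Invoke-RestMethod -Uri $uri -Method Post -Headers $headers `
                                -ContentType 'application/json' -Body $json
    LogToFile "POST $uri succeeded: $($result | ConvertTo-Json -Compress)"
} catch {
    # Log and exit non-zero so the failure surfaces in IdentityNow instead of
    # the account being provisioned or disabled with no matching mailbox change.
    LogToFile "POST $uri failed: $($_.Exception.Message)"
    exit 1
}
```

The same script can be wired to both an AfterCreate and an AfterModify rule; the `switch` on `$requestObject.Operation` decides which endpoint is called, and any other operation exits cleanly with code 0 so IQService does not report it as a failure.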

Hi @gauravsajwan1

Thank you so much! Finally I can fetch the attributes from the accountRequest with the syntax you’ve provided.

Thank you as well @sharvari for your patience and guidance.

1 Like
