Problem Statement: We intended to filter NPAs (Non-Person Accounts) and human accounts into separate certifications so that we could target undecided human account access for revocation while keeping access as is for NPAs. While PoCing the NPAs, we’ve found that this will not be easy to do at scale.
Details: Certifications allow you to first search for your certification targets. Our targets are the entitlements, so we can run an application certification. You can apply a second level of filtering to remove accounts from the certification (NPAs or human accounts), but the UI requires you to individually select items to remove/include. Separating NPAs and humans in this manner isn’t tenable in a large application. If we can’t separate the accounts, they must all be in the same certification, and the undecided access configuration to “keep” or “let admin decide” (which allows us to revoke) will apply to the NPAs and human access. Even when we configure to “let admin decide”, post deadline the admin can complete the campaign by approving ALL or revoking ALL, which again defeats the original intention.
Question 1: Is there a REST API to decide on individual items, meaning approve for NPAs and revoke for human accounts? We have already tried using the endpoint “https://{tenant}.api.identitynow.com/v3/certifications/{id}/decide”. It is giving the following response:
{
  "detailCode": "404 Not found",
  "trackingId": "7725de7acba74bdb9933452ca3448f13",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "The server did not find a current representation for the target resource."
    }
  ],
  "causes":
}
Question 2: Can we use APIs to create a certification campaign that will:
i. Allow us to query which entitlements to include for an application (example query tags:PINGACCESS)
ii. And also allow us to refine the identities who have access to PINGACCESS entitlements, example query/filter identityprofile.name:"Users" for human accounts
iii. The above querying could be in sequence or together, but the end goal is to create a cert campaign for PINGACCESS related entitlements but only human accounts.