Single request with addRemoveEntInSingleReq parameter

Hello everyone,

I’m setting up a Web Service VA Connector to integrate my application, MyApp, where entitlements are modeled as “permissions.”

Issue:
When a user requests an Access Profile that includes multiple permissions, the connector triggers one API call per permission to MyApp, each adding a single permission.

Example:

• User requests an Access Profile containing permission1 and permission2

• ISC sends an “add entitlement” operation for permission1

• ISC sends another “add entitlement” operation for permission2

However, I’d like ISC to send a single “add entitlement” operation with the full list: [“permission1”, “permission2”].

I enabled the flag addRemoveEntInSingleReq = true, but I still see as many add calls as there are entitlements in the request.

From my connector logs and monitoring, I can confirm the provisioning plan includes both entitlements (plan.permissions = [“permission1”, “permission2”]), yet each outbound “add entitlement” request only carries one permission in the body.

Has anyone successfully configured addRemoveEntInSingleReq to batch entitlements into a single request? How does this flag actually work in practice?

Hi David

Do you have multiple entitlement types as well?

Hi,

No only one entitlement type

Setting that attribute works actually

Hi @davidtrn ,

When you say different permission, are you calling different end points for each permission?

Hi Theja,

No it’s the same endpoints.
Basically if a user is requesting an access profile containing entitlement1 and entitlement2, I would like IdN to send a single request to the endpoint with both entitlement in the request.

What currently happens is IdN will send two request, one for entitlement1 and another one for entitlement2

Hope you have made below changes in the body and the endpoint you are calling accept list of permissions in an array

image1264×180 6.71 KB

The endpoint does accept a list of permissions.

My current configuration is :

Entitlement type :

image1682×456 18.6 KB

Add entitlement http operation :

image830×387 16.3 KB

But instead of having a single call with

{

    “permissions” : [“entitlement1”, “entitlement2”]

}

I have two calls :

{

    “permissions” : “entitlement1”

}

{

    “permissions” : “entitlement2”

}

Hope it’s clear

Ok, as per doc what I understood is, when you have different entitlement types and need to send single request to the target system for all the entitlement assignment then setting up addRemoveEntInSingleReq = true will work.

But here you have one entitlement type i.e permission and you are assigning two/more permissions of same entitlement type. So, this is working as expected I believe. SailPoint is creating two separate plans for each entitlement. Also, you no need to have seperate API calls for each entailment. Single API call should work for all the entitlement assignments.

Weird because the documentation is pretty clear on this flag, but the result of my testing are not the same.

image1318×328 44.4 KB

I also created a ticket to Sailpoint support to have their input

I don’t think that’s correct, the documentation refers to the multiple entitlements of same type.

See this excerpt from docs:

“The connector can send a single request for several instances of one entitlement type to the managed system”.

Ideally, setting that flag to true should have merged the two requests.

Hello all,

Just wanted to give you an update, the flag is now working as expected :

• The provisioning is sending a single api call to the endpoint and contains all the entitlements that were requested

I just removed the flag from my connector and put it back

Kind regards,