Sp-config Rules Exported

When running the sp-config API to export “Rules” it appears to export both cloud and connector-based rules. What I’m trying to understand is where the API gets the list of rules from?

V1 /cc/api/rule/list provides an extensive list of rules and most of these are not included in the sp-config export.
BETA /connector-rules provides just those that are connector specific but we’re seeing 2 here that appear to be standard delivered (i.e. WebServiceBeforeOperationRule, WebServiceAfterOperationRule) that aren’t included in the sp-config export.

My best guess is there’s some kind of filtering logic buried inside this that decides what to export, but we need to confirm this behavior for a client we’re working with.

Hello @edmarks,

V1 API List /cc/api/rule/list - This will return all the rules (including templated and OOTB rules configured in the tenant)

BETA /connector-rules This will provide back any rules standard delivered and any connector rules written by the client and created via the /connector-rules APIs.

The sp-config API will export only Cloud and Connector rules developed by the client. No templated or OOTB rules will show up in these results.

@tyler_mairose Do you know of an equivalent API and/or filtering criteria for the existing APIs to generate the same list of rules contained in sp_config?

Use Case - Extract a list of the rules for documentation, comparison, etc. (i.e. how can I get the list without sp_config?) For this particular use case we need to have each rule in a separate file and are looking for an API call to get the list and then iterate through that list with calls to sp_config with the filter for the individual rule.

@edmarks

I want to avoid having you use the V1 API if we can accomplish this another way.

Will you be running this multiple times for documentation / comparison or will this be a one time event for your client?

With multiple clients this is something we’ll be doing on a regular basis. Totally agree on trying to avoid the V1 API if possible.

My recommendation would be to use the sp-config call and a scripting language of your choice.

If you call the sp-config with the body below it will export all custom client rules out of IDN.

POST https://{{sailpoint-org}}/beta/sp-config/export

{
  "description": "Export Rules from tenant X",
  "excludeTypes": [
  ],
  "includeTypes": [
    "RULE"
  ],
  "objectOptions": {
    "RULE": {
      "includedIds": [
      ],
      "includedNames": [
      ]
    }
  }
}

I would then poll the following URL every 15-30 seconds until you get a response status: "COMPLETE" that the export is completed and the results are ready for download.
GET https://{{sailpoint-org}}/beta/sp-config/export/{exportId}

{
    "jobId": "d5ac33ca-d2bf-437c-9d90-4764781950f5",
    "status": "COMPLETE",
    "type": "EXPORT",
    "message": null,
    "description": "Export Rules from tenant X",
    "expiration": "2022-08-10T16:08:35Z",
    "created": "2022-08-03T16:08:35.614Z",
    "modified": "2022-08-03T16:08:37.119Z",
    "completed": "2022-08-03T16:08:37.115Z"
}

Once the export is complete you can call the download API and loop through each result under the objects key. In each result returned, the object field will contain the rule that you can then save to a file in your script.

GET https://{{sailpoint-org}}/beta/sp-config/export/{exportId}/download

{
    "version": 1,
    "timestamp": "2022-08-03T16:08:36.838579Z",
    "tenant": "X",
    "description": "Export Rules from tenant X",
    "options": {
        "excludeTypes": [],
        "includeTypes": [
            "RULE"
        ],
        "objectOptions": {
            "RULE": {
                "includedIds": [],
                "includedNames": []
            }
        }
    },
    "objects": [
        {
            "version": 1,
            "self": {
                "name": "ConnectorRuleBeforeEntitlement",
                "id": "012c5f6d6c8c4a0f842465a7f6bd7359",
                "type": "RULE"
            },
            "object": {
                "description": "This rule is used for AfterOperation on Webservices Airtable",
                "type": "WebServiceBeforeOperationRule",
                "signature": {
                    "input": [],
                    "output": null
                },
                "sourceCode": {
                    "version": "1.0",
                    "script": "log.info(\"Entering : Before operation rule : Going to print out provisioning plan attribute\");\r\n\r\nString oldResponseMap = (String) oldResponseMap;\r\nlog.info(\"OLD RESPONSE MAP: \" + oldResponseMap);\r\n\r\nMap body = requestEndPoint.getBody();\r\nString jsonBody = (String) body.get(\"jsonBody\");\r\n\r\nlog.info(\"BEFORE OPERATION JSON BODY: \" + jsonBody);"
                },
                "attributes": {
                    "sourceVersion": "1.0"
                },
                "id": "012c5f6d6c8c4a0f842465a7f6bd7359",
                "name": "ConnectorRuleBeforeEntitlement",
                "created": "2022-08-02T17:18:49.506Z",
                "modified": "2022-08-02T20:17:55.024Z"
            },
            "jwsHeader": "eyJhbGciOiJFUzI1NiJ9",
            "jwsSignature": "kTcdLUevOD6AcU6vz8EKOpbpAoeI4tegq-UF6dGbcK_jW3JxuTSTVqo1fSaJZfrgXCIxK3H2I7TzDIyi7a30Hw"
        },
        {
            "version": 1,
            "self": {
                "name": "ConnectorRuleBeforeAirtable",
                "id": "048eb3d55c5a4758bd07dccb87741c78",
                "type": "RULE"
            },
            "object": {
                "description": "This rule is used for BeforeOperation on Webservices Airtable",
                "type": "WebServiceBeforeOperationRule",
                "signature": {
                    "input": [],
                    "output": null
                },
                "sourceCode": {
                    "version": "1.0",
                    "script": "Map body = requestEndPoint.getBody();\r\nString jsonBody = (String) body.get(\"jsonBody\");\r\nlog.info(\"Rule - Show Request Body\");\r\nlog.info(\"Rule - \" + jsonBody);"
                },
                "attributes": {
                    "sourceVersion": "1.0"
                },
                "id": "048eb3d55c5a4758bd07dccb87741c78",
                "name": "ConnectorRuleBeforeAirtable",
                "created": "2022-06-10T18:59:44.443Z",
                "modified": "2022-06-10T19:29:28.154Z"
            },
            "jwsHeader": "eyJhbGciOiJFUzI1NiJ9",
            "jwsSignature": "DKHaTIrHuw0qj-Yz1ZoWdXiYDYtI1MbMIqZVHAFRBmwlaZq91NPBEGI1sUYAU-M1o5KM3EKNwPIUzYzsdDityA"
        }
    ]
}
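The poll-then-split steps described in the reply above, as an added example that is not part of the original thread or SailPoint's own code. The `get_status` callable, the file naming scheme and the second sample rule are assumptions made for illustration; rule names are sanitized before use as file names because they are tenant-supplied values.

```python
import json
import re
import time
from pathlib import Path

def wait_for_export(get_status, interval=15, timeout=300, sleep=time.sleep):
    """Poll get_status() until status is COMPLETE; raise after timeout seconds.
    get_status (hypothetical) does GET /beta/sp-config/export/{exportId}."""
    waited = 0
    while True:
        job = get_status()
        if job.get("status") == "COMPLETE":
            return job
        if waited >= timeout:
            raise TimeoutError(f"export still {job.get('status')!r} after {waited}s")
        sleep(interval)
        waited += interval

def safe_filename(name, rule_id):
    """Build a file name from tenant-supplied values, with no path separators."""
    stem = re.sub(r"[^A-Za-z0-9_-]+", "_", name).strip("_") or "rule"
    short_id = re.sub(r"[^A-Za-z0-9]", "", rule_id)[:8]
    return f"{stem}-{short_id}.json"

def split_rules(export, out_dir):
    """Write each RULE under the export's "objects" key to its own file."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for entry in export.get("objects", []):
        if entry.get("self", {}).get("type") != "RULE":
            continue
        rule = entry["object"]
        path = out / safe_filename(rule["name"], rule["id"])
        # sort_keys keeps the layout stable, so diffs between runs show real changes
        path.write_text(json.dumps(rule, indent=2, sort_keys=True), encoding="utf-8")
        written.append(path)
    return written

# Constructed sample in the shape of the download response (trimmed, not real data).
SAMPLE_EXPORT = {"objects": [
    {"self": {"name": "ConnectorRuleBeforeAirtable", "id": "048eb3d55c5a4758bd07dccb87741c78", "type": "RULE"},
     "object": {"id": "048eb3d55c5a4758bd07dccb87741c78", "name": "ConnectorRuleBeforeAirtable",
                "type": "WebServiceBeforeOperationRule", "sourceCode": {"version": "1.0", "script": "log.info(\"x\");"}}},
    {"self": {"name": "../../etc/Odd Name", "id": "ffff0000aaaa1111", "type": "RULE"},
     "object": {"id": "ffff0000aaaa1111", "name": "../../etc/Odd Name",
                "type": "WebServiceAfterOperationRule", "sourceCode": {"version": "1.0", "script": ""}}},
]}
```

Pass the parsed body of the download call to `split_rules`; the per-rule files can then be committed to version control for comparison between runs or tenants.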

Hi @tyler_mairose ,

I tried doing whatever has been explained regarding sp-config API. But still, that does not fetch me all the OOTB cloud rules and the beanshell code present on the tenant for rules such as “Get Manager LDAP DN”, “Create Unique Account ID”, “Create Password” etc.

Is there a better way of getting such OOTB connector rules as the V1 “/cc/api/rule/list” might reach end of life without notice. Is there any plan for a beta or v3 API alternative for the same?

Appreciate your response.
Thanks.
