The Web services connector create account

Hello Developer,

I have a requirement to create the user account from SailPoint in the end application, which is a web service application.
I have successfully connected to the application and am also able to pull the user details from it.

The requirement for the end application is to only create the account from SailPoint, with no group/role management.

I have created the create account operation and also the provisioning policy to pass the required attributes in the body of the API.

My question now is how I should call the API to create the user account.

Please let me know if additional information is required.

Hi @RiyazuddinM

Open the application and go to Configuration → Settings → Click on ‘Add Operation’ → Choose operation type as ‘Create Account’ → Enter details of context URL, method → header and body. Sample details are as below. You can find more details in the connector documents - link

Hi @Arpitha1,

Thanks for providing the information.

I have already configured the create account operation and included the body as per the provisioning policy attributes which are required, but after configuring that, how do I test it?

How do I push the data from SailPoint to the end application?
I would like to test that accounts are getting created.

Thanks
Md Riyazuddin

You can test it through Manage Accounts Quicklink (You can see it under Manage Access).

If you are not able to see your application while requesting, then go to Settings → Lifecycle Manager → under Configure, add your application to the ‘Applications that support account only requests’ option.

Hi @Arpitha1

I did add the application to the list,

but when I go to Manage Accounts under the Manage Access quicklink and select any user for testing the operation, I am unable to click on the Request Account option.

Am I missing any step while configuring it?

Also, later, after testing the create account operation API, I want to configure it as an automated process that assigns only to users who are direct employees,
not to contractors or trainees.

I really appreciate your input in my configuration.

Thanks
Md Riyazuddin

Sorry,

I saw that I made a mistake in the configuration under the Lifecycle Manager.

I have updated that and tried again, but it is still the same:
unable to make a request to create an account in the end application.

Thanks
Md Riyazuddin

I saw that you are using spadmin to request the additional accounts. OOTB, spadmin doesn’t have Manage Accounts for others. Try enabling that in quicklink populations and check it.

@RiyazuddinM As per your screenshot, ‘Request Account’ is in disabled state in Manage Accounts Page. So, you need to enable one more configuration.

Go to Global Settings → Quicklink Populations → If you have customized quicklink populations for spadmin then choose it, else go to Everyone → Quicklinks tab → Choose Manage Accounts → Enable the options.
Sample snapshot is as below.

Hello @Arpitha1,

Thanks for your input; I will try to configure and test it out.

I also wanted to know how I can configure it as an automated process for the joiner: when a new employee is created from the HR source, it should be included in the joiner process.

Thanks, team, for the input; I really appreciate your guidance.

Thanks
Md Riyazuddin

@RiyazuddinM

Since there are no groups or access configurations to support a role-based approach, you’ll need to either add a new step or modify the existing step for birthright account creation in your joiner workflow.

Alternatively, there is another indirect role-based approach, please refer to this link for guidance.

Hello @Arpitha1,

In the current setup, the joiner is configured by Rapid Setup with the default configuration; not much customization is made over there.

In this case, what will be the best approach for assigning the new application to the user?
By creating a dummy role and provisioning it?

Or can we customize the default Rapid Setup joiner workflow with this requirement?

Thanks for your input.

Thanks, and regards,
Md Riyazuddin

Hi @RiyazuddinM, you can create a copy of the ‘Rapid Setup - Joiner’ workflow and add a step after ‘Build Plan’; in that step you can modify the plan to add an account request for your application.

Also, make sure to change the workflow in rapid setup configuration as below.

Thanks @Arpitha1 ,

Sure, I will try to configure it and test.

Thanks, and regards,
Md Riyazuddin

Hi @Arpitha1,

I am trying to test the create operation but am getting a native identity error.

Please check and tell me if I am missing anything.

account aggregation
get object operation is the same as account aggregation
create operation

Thanks
Md Riyazuddin

@RiyazuddinM
The account might have already been created, even if you are encountering the above warning. Please verify this by performing an aggregation or by calling the get operation API.

Now, let’s work on resolving the issue. The Identity Attribute (Native Identity) is required for a plan. For web service applications, the ‘id’ is typically generated in the target system and returned in the response API. If this applies to your API, try using Response Attribute Mapping for the create account operation.

E.g., let’s say your identity attribute is ‘id’, and the API is returning the payload as

{
"id" : "xxxxxxxxxxxxxxxxxxxxxxxxx"
}

then Response Attribute Mapping for your create account operation is as below

Alternatively, you can use an After Provisioning Rule too, but the above method is the best approach.

Hi @RiyazuddinM ,

Print the provisioning plan in the “beforeoperation” rule and verify whether the native identity is included in the plan. According to the screenshot, the username represents the Native Identity. Ensure that the plan contains the native identity.

You can use the following rule to print the plan:


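  import java.util.Map;

  // Print the whole provisioning plan to check that it carries the native identity
  log.error("provisioningPlan::::"+provisioningPlan);

  // Request body the connector is about to send
  Map requestMap = requestEndPoint.getBody();
  log.error("requestEndPoint "+requestMap);

  // Raw JSON payload of the request
  String jsonBody = (String)requestMap.get("jsonBody");
  log.error("jsonBody "+jsonBody);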
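
A variant of the diagnostic rule above, added here as an example (not part of the original post and not SailPoint's own code): it reports, per account request, whether the native identity is set, and logs attribute names rather than the whole plan or JSON body, so attribute values stay out of the log files. It assumes the before-operation rule inputs `provisioningPlan`, `requestEndPoint` and `log` used in the post.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.Util;

// Body of a Web Services "before operation" rule (BeanShell).
// Assumed inputs supplied by the connector: provisioningPlan, requestEndPoint, log.
if (provisioningPlan != null && provisioningPlan.getAccountRequests() != null) {
    for (AccountRequest acctReq : provisioningPlan.getAccountRequests()) {
        String nativeId = acctReq.getNativeIdentity();

        // Collect attribute names only; the values can hold personal data.
        List attrNames = new ArrayList();
        if (acctReq.getAttributeRequests() != null) {
            for (AttributeRequest attrReq : acctReq.getAttributeRequests()) {
                attrNames.add(attrReq.getName());
            }
        }

        String prefix = "Account request app=" + acctReq.getApplication()
                + " op=" + acctReq.getOperation();
        if (Util.isNullOrEmpty(nativeId)) {
            // This is the condition behind the native identity error.
            log.error(prefix + " has NO nativeIdentity; attributes=" + attrNames);
        } else {
            log.error(prefix + " nativeIdentity=" + nativeId
                    + "; attributes=" + attrNames);
        }
    }
} else {
    log.error("No provisioning plan or account requests were passed to the rule");
}

// Hand the unmodified endpoint back to the connector.
return requestEndPoint;
```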

Hello @Arpitha1 & @Arun-Kumar,

Below is the response for account aggregation

employeeID is auto-generated at the application.

Q: Should I consider the employeeID as the nativeIdentity? If yes, then how?

Also,
the API response for create account contains only the message.

In case of failure, the response will be as below.

Please, team, guide me over here on how to fix it.

Thanks
Md Riyazuddin.

Hi @RiyazuddinM

  1. Do you have a GET API for a single user?
  2. What’s your identity attribute? Is it ‘employeeNumber’?

Hello @Arpitha1,

No, I don’t have the GET API for a single user.

This is the body for the create API.

[
    {
        //job number mandatory 
        "JobNumber" : "3344556677",
        //firstname mandatory
        "FirstName": "Md",
        //lastname mandatory
        "LastName" : "Areeb",
        //username mandatory
        "UserName" : "[email protected]",
        //isdeleted mandatory should be false to keep, true to delete
        "IsDeleted" : true,
        // isactive mandatory should be true if user account is active, else false 
        "IsActive" :false,
        // phone number optional
        "PhoneNumber" : "1234567890",
        //job title optional
        "JobTitle" : "IAM Engineer",
        //departmentCodeToDelete optional
        //departmentUser optional
        "departmentUser":[{
            //departmentCode optional
            "DepartmentCode" :"12345" ,
            //departmentNameArabic mandatory
            //"DepartmentNameArabic" : "IT Dept77",
            //departmentNameEnglish mandatory
            "DepartmentNameEngiish" : "IT Dept77",
            //isdepartmentManager mandatory
            "IsDepartmentManager": true,
            //isDeleted mandatory
            "IsDeleted" : false 
            //parentDepartmentCode optional
            //parentIsDeleted optional 
            //ParentDepartmentNameArabix optional
            //ParentDepartmentNameEnglish optional
         }
         ]
    }
]

What I am passing in SailPoint is

[
    {
        "JobNumber" : "$plan.Job Number$",
        "FirstName": "$plan.Firstname$",
        "LastName" : "$plan.Lastname$",
        "UserName" : "$plan.nativeIdentity$",
        "IsDeleted" : false,
        "IsActive" :true,
        "PhoneNumber" : "$plan.PhoneNumber$",
        "JobTitle" : "$plan.JobTitle$",
        "departmentUser":[{
            "DepartmentCode" :"$plan.Department Code$" ,
            "DepartmentNameEnglish" : "$plan.Department Name$",
            "IsDepartmentManager": true,
            "IsDeleted" : false 
         }
         ]
    }
]

What is the identity attribute? Is it “employeenumber”?

I didn’t understand about the identity attribute.
Can you please guide me?

The employee ID is auto-generated on the end application side.
I am just pushing the username as email to the end application.

please

Thanks
Md Riyazuddin

Hi @RiyazuddinM

The identity attribute is a unique attribute for the target accounts. For example, for AD, distinguishedName will be the identity attribute. Likewise, you should define an identity attribute for your application. You can open your application → Configuration → Schema. Sample screenshot is as below.

Similarly, can you please share the screenshot?

Also, can you let me know what operations you would require for this application other than aggregation and the create account operation?
In your case, if employeeId is the identity attribute, you should get its value from the response payload of the Create operation. However, since your API is not returning that information, we need to identify an alternate option.