When calling the v2024/source-apps/:id endpoint I am unable to add the Access Profiles to my newly created app. The response returns:
{
"detailCode": "404 Not found",
"trackingId": "64d06cf1602644ad9f592f227b1d0282",
"messages": [
{
"locale": "und",
"localeOrigin": "REQUEST",
"text": "The server did not find a current representation for the target resource."
},
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The server did not find a current representation for the target resource."
}
],
"causes": []
}
What is the correct behavior?
This endpoint should allow me to add Access Profiles to my Application.
What product feature is this related to?
This is related to the v2024 version of the source-apps/:id endpoint.
What are the steps to reproduce the issue?
The steps are executed in the following way:
Create an Application
Create Access Profiles
Add Access Profiles to the Application using the v2024/source-apps/:id endpoint with the PATCH method while constructing your json request body in the following way:
Although it would be sweet if this was possible, it seems that the documentation patch-source-app | SailPoint Developer Community is wrong and that accessProfiles is not a patchable field. You will also not see that field when calling GET v2024/source-apps/:id or GET v2024/source-apps.
There is no endpoint to add access profiles by specifying the ones you want to add.
In this post you specifically mention newly created applications, but I think you have the same issue with the already defined applications right?
There is a hidden undocumented endpoint where you can specify the access profiles you want to add to the application, but it will then remove the access profiles that were already assigned to the application. So it would be a replace operation instead of an add operation. This is impractical in many cases as you would need to first fetch the current access profiles, then add the new ones and then use this replace API. Usually you don’t want to replace, but only add or remove. But this hidden undocumented endpoint is POST /v2024/source-apps/:id/access-profiles, with as JSON body an array of id’s.
So I think that this is very strictly speaking not a bug, with the added notes that
The existing documentation is incorrect
There is documentation missing
The current APIs are not satisfying the best practices.
The truly useful APIs for application management are not available (and SailPoint would likely ask you to raise an enhancement request instead)
Just one last thing. How likely is it for this api to be changed, removed or modified in the near future? We need this feature in prod, and I am just wondering how safe would it be to use it?
If you still see a 404 Not Found, please be sure you are using the correct ID of the app in the URL. The source Apps endpoint returns a cloudAppId and an id. You will need to use id.
accessProfiles is a patchable attribute (we’re using this method currently), it’s just not returned when getting a SourceApp by ID. To get the list of access profiles, you need to use the sub-resource (i.e. /source-apps/:id/access-profiles)
Unfortunately, I am still getting the same error. I double checked if all of the id’s were correct, and they were. For our use case we are using the replace operation to add access profiles to an application, is it possible that there is a step that I skipped here?
{
"detailCode": "404 Not found",
"trackingId": "2c8fa9b79a1b4e12aba9386e74e8c219",
"messages": [
{
"locale": "und",
"localeOrigin": "REQUEST",
"text": "The server did not find a current representation for the target resource."
},
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The server did not find a current representation for the target resource."
}
],
"causes": []
}
There was also a reply in the thread that mentioned that this may possibly be a bug that causes a timing issue when adding Access Profiles to an application. However, I am still unable to add Access Profiles that were created a few days ago, so I am not sure if that is definitely the issue.
At this point, I recommend you open a support ticket and reference this post in your ticket. I am unable to reproduce, but support can investigate your tenant more closely.
Thank you for your response @colin_mckibben! It is really nice that it is possible! I did not expect that is was possible to patch this field because it is not a visible field on the object. Interestingly the PATCH API does show the list in the response. See screenshot
But then my follow up question will be. Why is this not a visible field in GET /v2024/source-apps/ and in GET /v2024/source-apps/:id
In general objects should be visible full (unless there is functionality to specify which fields to include/exclude). Some visible fields (Like created) should not be patchable, but all patchable values should be visible.
Right now if we want to get all access profiles in all applications, we can’t just list the applications and get them. We have to call a single API per application to get all of them, which means an explosion of API calls.
I think by REST API design, a response body of PATCH /objects/:id should be exactly the same as the response body of GET /objects/:id, when calling it slightly later. If I only patch the description, it will also show me the access profiles in the PATCH response. Perhaps it was forgotten to make this field visible in the GET single object and GET objects API?
