I’m trying to create an API call for our ServiceNow team. What they need is the ability to make a call to Sailpoint to get a list of entitlements that exist on an account. This is the API I’ve been trying to use:
I am able to successfully run the API in postman (after acquiring the SailPoint Account ID of a user.)
ServiceNow team is able to successfully run the API in postman (after acquiring the Sailpoint Account ID of a user.)
However we can’t find a SailPoint Account ID attribute in the UI that we can reference inside ServiceNow.
For example, when someone clicks the drop down on a ServiceNow form and selects a user, we want ServiceNow to automatically make a call to SailPoint based on the user that was selected, and return a list of entitlements that user has.
The problem is that this API only works with Sailpoint Account ID and that attribute is not accessible via the UI to our ticketing system.
Do you have an attribute on both the ServiceNow and IdentityNow side that’s unique where you can find users? For me it’s a personnel ID number I have in both systems that I can use to find users.
If you’re wanting to query accounts, ServiceNow needs to also know the source ID of the account you’re searching for.
You can find identities using identity attributes like username or employee number, but to locate specific accounts, you’re going to need the source Id
We do have a unique identifier between ServiceNow and Sailpoint that allows us to find users in the systems, but my problem is that in order to get the entitlements from an identity, you need to supply the API with an account ID.
(In Sailpoint IDN, it’s literally called “id”. I can’t find any other technical name on the backend for it.)
The “id” is not something that exists as an attribute in ServiceNow so in regards to the aforementioned API, they don’t have this “id” and thus can’t run it.
Let me explain further with an example.
In the following example, we have the attribute mappings in Sailpoint.
With this, ServiceNow is getting all these values and can use them as needed (in whatever forms or API calls they need to make.) But they aren’t able to make the Entitlement API call because they don’t have the Sailpoint ID.
My hope was that I would be able to add Sailpoint Sys ID as an attribute that I could then send to ServiceNow. Then ServiceNow could use it in the Entitlement API call.
However, there doesn’t seem to be an “id” attribute in the Sailpoint UI that I can utilize in the ServiceNow Identity Mapping.
Is there a way to do this through the API or CLI?
If not, it would seem like I would need to help our SNOW team write a script with 2 calls. The first call would be to the List Identities API with an email filter (our only way to guarantee a unique identity) and then somehow fetch the “id” within the return of this call. Then supply that “id” as a filter to the Entitlement API in order to get a list of all the entitlements that belong to that user.
You don’t need to create a custom attribute on the sys_user table to store the Identity ID; that’s easy enough to query on the fly.
Assuming you know the name of the source you’re wanting to pull the account from, you can get the entitlements with the script below. I would mention that I’ve created Outbound REST Messages in my ServiceNow instance for just about every IdentityNow API endpoint.
var email = '[email protected]';
var source_name = 'Active Directory';
// source_name must be passed through, otherwise the filter below compares against undefined
var account = getUserAccount(email, source_name);
var entitlements = getAccountEntitlements(account);

// Search for the identity by e-mail and return the id of its account on the given source.
// Returns null when no identity or no matching account is found.
function getUserAccount(email, source_name) {
    var identity_search_body = {
        "indices": ["identities"],
        "query": {
            "query": "email:" + email
        }
    };
    var rm_identity_search = new sn_ws.RESTMessageV2('SailPoint', 'Search');
    rm_identity_search.setStringParameter('url', gs.getProperty('chk.identitynow_api_url'));
    rm_identity_search.setRequestBody(JSON.stringify(identity_search_body));
    var identity_response = rm_identity_search.execute();
    // The search endpoint returns an array of matching identity documents
    var identity_response_body = JSON.parse(identity_response.getBody());
    if (!identity_response_body || identity_response_body.length === 0) {
        return null;
    }
    // Each identity document carries its correlated accounts, each with an id and a source
    var filtered_accounts = identity_response_body[0].accounts.filter(function (account) {
        return account.source.name == source_name;
    });
    // This account id is the "id" the Account Entitlements endpoint expects
    return filtered_accounts.length > 0 ? filtered_accounts[0].id : null;
}

// Call the Account Entitlements endpoint for the given account id.
function getAccountEntitlements(account) {
    if (!account) {
        return [];
    }
    var rm_entitlements = new sn_ws.RESTMessageV2('SailPoint', 'Get Account Entitlements');
    rm_entitlements.setStringParameterNoEscape('url', gs.getProperty('chk.identitynow_api_url'));
    rm_entitlements.setStringParameterNoEscape('account_id', account);
    var res_entitlements = rm_entitlements.execute();
    var res_entitlements_body = JSON.parse(res_entitlements.getBody());
    return res_entitlements_body;
}
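The two-call lookup from the answer above, as an added example that is not part of the thread and not SailPoint's or ServiceNow's own code, written as plain functions so the response handling can be checked without an instance. It goes a step further than the script: the e-mail is validated and quoted before it is placed in the search query (raw concatenation lets a crafted value change the query), and the zero-match and multiple-match cases return null instead of failing on an empty array. The search response shape, the sample identity and the entitlements path are assumptions.

```javascript
// Constructed sample of a search response for indices: ["identities"]
// (shape assumed from the account fields the thread's script reads).
const SAMPLE_SEARCH_RESPONSE = [
  {
    id: "identity-0001",                       // constructed value
    name: "jdoe",
    attributes: { email: "jdoe@example.com" },
    accounts: [
      { id: "acct-ad-0001", name: "CN=jdoe", source: { id: "src-ad", name: "Active Directory" } },
      { id: "acct-okta-0001", name: "jdoe", source: { id: "src-okta", name: "Okta" } }
    ]
  }
];

// Build the search body. The e-mail must match a strict allowlist (no quotes,
// spaces or backslashes) and is sent as a quoted phrase, so the caller-supplied
// value cannot append operators to the query.
function buildIdentitySearchBody(email) {
  if (!/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(email)) {
    throw new Error("invalid e-mail address");
  }
  return { indices: ["identities"], query: { query: 'email:"' + email + '"' } };
}

// Return the account id on the wanted source, or null when the search found
// no identity, more than one identity, or not exactly one account on that source.
function pickAccountId(searchResults, sourceName) {
  if (!Array.isArray(searchResults) || searchResults.length !== 1) return null;
  const matches = (searchResults[0].accounts || []).filter(
    (a) => a.source && a.source.name === sourceName
  );
  return matches.length === 1 ? matches[0].id : null;
}

// Path for the entitlements call once the account id is known (assumed v3
// path). The id is URL-encoded so it cannot alter the request path.
function accountEntitlementsPath(accountId) {
  return "/v3/accounts/" + encodeURIComponent(accountId) + "/entitlements";
}
```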
Ok. This looks really promising. Let me look into this and get back to you. I’m assuming the code runs from the SNOW side, correct? I don’t have to make like a PowerShell script or something and run it in the IQService?
Also, thank you for your patience with me… I come from NetIQ and did a little Sailpoint IIQ, with no experience in IDN. So I’m learning as I go. XD