User Import in NERM

We have a requirement where we are creating Non-Employees as People profiles. We want to import all the employees into NERM as well so that we can assign employees as managers to Non-Employees. We also want managers to be able to log in to the NERM portal to manage the non-employee lifecycle.

How can we achieve importing employees so that they can also log in to the NERM portal?

See if this helps. You will have to create a profile for employees first with all the attributes, and then you can import all the employees into NERM.

Non-Employee Data import to NERM system from a third party Vendor - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community Forum

You can use the /user API to create user records along with the ‘group_strings’ value for them that maps to the roles they should have when they log in via SSO. You can do this via a web services connector from IIQ or ISC too!

POST /api/user

{
  "user": {
    "type": "NeprofileUser",
    "name": "John.Smith",
    "email": "[email protected]",
    "status": "Active",
    "login": "John.Smith",
    "group_strings": "Sponsors"
  }
}

Hi @DerekHackbardt,

In my client’s scenario, I have both a NERM instance and an IdentityNow instance. The way SailPoint had set up the SSO by default is that IdentityNow has been set up as the Identity Provider for NERM.

So the directory group related attribute in NERM roles needs to be mapped with “Groups” inside SSO settings of NERM.

The way it is working is that the user capabilities on IdentityNow (for example ORG_ADMIN, CERT_ADMIN, REPORT_ADMIN) are directly mapped to “Groups” in NERM. In that case, there isn’t any capability in IdentityNow to create a custom capability/user-level matrix called “Sponsor”, right? So, how do we do it?

What I’ve also seen is that if you create a user using /api/user in NERM as mentioned above with "group_strings": "Sponsors", it will be validated on the target SSO system during the daily refresh on the NERM system and, if not found, the "Sponsor" related role in NERM is automatically removed.

Any insights here would be really helpful.

If you are using an IdP, the groups need to be provided by the IdP in the assertion. If you are using ISC local accounts, then you need to directly assign users to roles in NERM (via API); those should then be retained when logging in, except for users with ORG_ADMIN, who will always just have the ORG_ADMIN group sent across. This was recently fixed to work this way; prior to a week or so ago, users' roles in NERM were getting cleared if they were an ISC local user.

In the local user case, you would create the user without any group_strings, then use the /api/user_role API to assign the user to a role; logging in with that local ISC user should then retain the role in NERM.

Thanks for the response @DerekHackbardt.

In my case, we would not create local users in NERM, instead the system users in NERM would always come in via SSO.

So if I understand it correctly, for any user coming into NERM via SSO (where IdentityNow is the IdP), I can still use the /api/user_role API to assign the roles present in NERM, and those would not get cleared as per the latest fix. Is that right?

Or please correct me if I misunderstood it.

Thanks,
Arshad.

If the users are coming through an SSO connection, the user_role method should work if your IdP is NOT sending anything in the groups assertion attribute. Information in the groups assertion will always be treated as authoritative and overwrite any direct role assignments to users.
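The two provisioning paths described in the replies above (group_strings for IdP-governed users, versus creating the user with no group_strings and then calling /api/user_role for local users) are easy to get wrong, because an IdP that sends a groups assertion silently overwrites any direct role assignment. The following is an added example, not code from the thread or from SailPoint: it builds the request bodies discussed above and models the retention rule as stated in the replies, so the outcome of a given setup can be checked before touching a tenant. Only the /api/user body and the endpoint names come from the thread; the /api/user_role field names, the base URL, the comma-joining of multiple groups and the retention model itself are assumptions.

```python
"""Added example (not from the original thread or SailPoint).

Builds the NERM request bodies discussed above and models the role-retention
rule described in the replies:
  - groups in the IdP assertion are authoritative and replace direct roles
  - no groups in the assertion -> direct /api/user_role assignments survive
  - an ISC local user holding ORG_ADMIN only ever gets ORG_ADMIN sent across
Assumptions (not confirmed by the thread): NERM_BASE_URL is a placeholder,
the /api/user_role body shape is a guess, and multiple group_strings values
are joined with commas.
"""

NERM_BASE_URL = "https://example.nonemployee.com"  # placeholder, assumption
ROLE_ORG_ADMIN = "ORG_ADMIN"


def build_user_payload(name, email, login, groups=None, user_type="NeprofileUser"):
    """Body for POST /api/user (shape taken from the thread).

    Only set group_strings when the IdP will send the same groups in its
    assertion; for local/ISC users leave it off and use /api/user_role.
    """
    user = {
        "type": user_type,
        "name": name,
        "email": email,
        "status": "Active",
        "login": login,
    }
    if groups:
        user["group_strings"] = ",".join(groups)  # comma-join is an assumption
    return {"user": user}


def build_user_role_payload(user_id, role_id):
    """Body for POST /api/user_role. Field names are an assumption."""
    return {"user_role": {"user_id": user_id, "role_id": role_id}}


def effective_roles_after_login(direct_roles, idp_groups=None, isc_capabilities=()):
    """Model of the retention rule stated in the thread.

    direct_roles:      roles assigned via /api/user_role
    idp_groups:        contents of the groups assertion attribute (None/empty
                       when the IdP sends nothing)
    isc_capabilities:  ISC capabilities of a local ISC user
    """
    if ROLE_ORG_ADMIN in isc_capabilities:
        return {ROLE_ORG_ADMIN}  # only ORG_ADMIN is ever sent across
    if idp_groups:
        return set(idp_groups)  # assertion is authoritative, direct roles lost
    return set(direct_roles)  # nothing in the assertion: direct roles retained


def plan_provisioning(login, email, desired_roles, idp_sends_groups):
    """Return the (method, path, body) sequence that yields desired_roles.

    When the IdP sends groups, roles must come from the IdP and group_strings
    must match the assertion; otherwise create the user bare and assign roles
    one by one through /api/user_role. The user id passed to /api/user_role is
    the login here purely as a placeholder; a real caller would use the id
    returned by the create call.
    """
    if idp_sends_groups:
        return [("POST", "/api/user", build_user_payload(login, email, login, desired_roles))]
    steps = [("POST", "/api/user", build_user_payload(login, email, login))]
    for role in desired_roles:
        steps.append(("POST", "/api/user_role", build_user_role_payload(login, role)))
    return steps


def roles_will_survive(desired_roles, idp_groups=None, isc_capabilities=()):
    """Pre-flight check: will direct role assignments still be there after login?"""
    return set(desired_roles) <= effective_roles_after_login(
        desired_roles, idp_groups, isc_capabilities
    )


if __name__ == "__main__":
    # Constructed sample: a Sponsor whose IdP sends only ISC capabilities as groups.
    print(plan_provisioning("John.Smith", "john.smith@example.com", ["Sponsors"], False))
    print("survives:", roles_will_survive(["Sponsors"], idp_groups=["CERT_ADMIN"]))
```

The pre-flight check is the part worth keeping: if the IdP's groups assertion carries anything (such as ISC capabilities), a "Sponsors" role assigned through /api/user_role will not survive the next login, which is the clearing behaviour reported earlier in this thread.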

Hello.

Recently we started a NERM implementation and I found your insights very helpful, since we’ve also faced some difficulties.
In our case we use ISC as the IdP, but even when an ISC ORG_ADMIN signs in to NERM, he does not have admin permissions within NERM (the Admin option is not available at all).
Do you happen to know how we can overcome this? Or is it something that SailPoint services can assist with?
Our first goal is to configure a different IdP, but in order to do that we need to access the authentication settings, thus admin rights in NERM are needed.

Let me try this once more and see if it gets cleared as part of the daily refresh, and I will get back to you.

Also @DerekHackbardt, on a side note, if I’m creating users in the “System” > “Users” section using a CSV import, how can I enable login capability into the NERM system for such users?


All users in NERM must log in through the SSO connection. So you can pre-create them in NERM, but they need to authenticate through SSO.


Hi, everyone

I have been testing the import of users in NERM.
I see that when I import users into a profile type, it does not let me edit their attributes in NERM, unlike the profiles I created from a workflow.
Is there any way to edit these attributes?


I don't think you can edit the users in NERM. If you have to edit them, then you might have to use the API endpoint.


Users can only be modified via the API.


@GilbertoOledo14
System users once imported via a CSV feed can only be updated from UI for now.
You might have to leverage the REST APIs to update them, as there is no other way currently. The restriction comes from the fact that system users must come into the NERM system via an SSO IdP, and the IdP must take care of changes in the attribute values of such users.


Hi, @Arshad

My question was more directed at users of a profile type, for running a bulk upload, for example of Providers.

@GilbertoOledo14, in that case you should configure permissions on each attribute for you to be able to see them on the Info tab. Navigate to Templates > Attributes > select each attribute you’re using on the user profile and, under the Permissions tab of each attribute, set the permission to “Edit” for the role that your NERM user account is mapped to; then you’ll be able to edit the field values.


Yes, I have done that, but for profiles imported in bulk from a CSV, editing seems to be available only through the API.

@GilbertoOledo1, can you elaborate in detail or share a screenshot of what exactly you mean by editing attributes? I, along with multiple others on this post, seem to be missing the context of your query.


Of course. I have a profile type called “Proveedores”. I have a workflow that helps me create profiles for “Proveedores”.
When I create a profile from the workflow, it allows me to view and edit its attributes:
Screenshot:

However, when I use the “Import” option (to do a bulk upload), it allows me to create profiles by loading information from a CSV but does not allow me to edit their attributes:
Screenshot:
I hope I have made myself clear

Got it @GilbertoOledo14, I understand your question now. Basically, when you create a profile from a workflow, the requestor becomes the default owner of the profile. That is why you’re able to edit the profile attributes.

However, when you import a user using the “Import” button, there is no contributor on the profile by default. What you must do is:

  1. Click on a profile where you’re unable to edit the attributes.
  2. Navigate to the “Contributors” tab and, under the “Add Contributor” search field, search for your user and select it. Now you should be a contributor on the profile.
  3. Go back to the “Info” tab and you should see that you’re able to edit the attributes.

Hope this helps.

Thanks,
Arshad.
