Users with More Than One Account in the Same Source only getting 20 accounts per API call

I have followed the discussion in the post linked below. My challenge is that I am only getting 20 accounts per API call. So I find 20 accounts, clean them up, aggregate again, and it shows 20 more. How can I get all of the accounts in one call rather than have to aggregate between calls?

Here is the endpoint I am hitting.
{{baseUrl}}/v3/search/aggregate?limit=250
I have tried with and without the limit parameter.

Here is the body.

{
    "query": {
        "query": "2c918087827ef9fd018288891ed263f4"
    },
    "indices": [
        "identities"
    ],
    "aggregationsDsl": {
        "accounts": {
            "nested": {
                "path": "accounts"
            },
            "aggs": {
                "source_id": {
                    "terms": {
                        "field": "accounts.source.id",
                        "min_doc_count": 2,
                        "size": 1000
                    },
                    "aggs": {
                        "identities": {
                            "terms": {
                                "field": "_id",
                                "min_doc_count": 2
                            },
                            "aggs": {
                                "accounts": {
                                    "top_hits": {}
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

In the endpoint documentation I don’t see anything about limit.

Here is the original post.

Hi Scott,
Although you mentioned you’ve tried with and without the limit parameter, you might want to ensure that the limit parameter is set to a higher value. Some APIs have default limits or maximum limits that can be adjusted.
You can check in the product API documentation to confirm that as well.

Thanks @DeepanshuBisht, according to the API documentation, the default limit is 250.

Looking at the response closer, there are more accounts being returned, but they are from other sources. So maybe I am not limiting it to just that one authoritative source like I think I am.

The search API is different from our other APIs. It has a default limit of 10,000. It is advisable to not specify the limit parameter when using search so you can get all of the results.

@colin_mckibben how would I go about setting this up to run on a schedule and either output the results to a file or email? We are finding that some of our Identities are getting multiple AD accounts and need to figure out why. Rather than run this manually once a week, it would be nice to have it just happen automatically.

I know that workflows can run the API on a schedule, but with this one there is output the workflow would need to email to someone… Do workflows have the ability to set the output of an API call to a variable and then use that variable in the body of the email?

Other than using workflows, there is no other way to schedule an aggregation query in the product. Regular searches can be saved and then scheduled to run on a certain interval, but aggregations don’t have the same ability.

You can send the output of the search query in an email in Workflows, but it won’t look like JSON. It will be a serialized representation of a Golang map. This is what it will look like.

If your goal is to send the response body from the aggregation search as-is to a recipient, then your best option is going to be scheduling this API to run outside of ISC. There are an infinite number of possibilities, like using a third party no code tool like Workato or Power Automate or creating your own script that you run on a schedule on a machine that you have access to.
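
A sketch of the "own script" option from the last reply, added here as an example and not code from the thread participants or the product vendor: it builds the thread's request body, keeps only the buckets for the one source of interest (the "accounts from other sources" problem noted above), and writes the duplicates as CSV. Assumptions: the response follows the standard Elasticsearch aggregation shape, the explicit `size` values are honored (Elasticsearch defaults are 10 buckets for `terms` and 3 hits for `top_hits`), and all function names are hypothetical; the authenticated POST to the endpoint and the scheduler (cron, Task Scheduler) are left out.

```python
import csv, io

SOURCE_ID = "2c918087827ef9fd018288891ed263f4"  # source id used in the thread's query

def build_body(source_id, max_identities=10000, max_accounts=100):
    """The thread's body plus explicit sizes on the inner aggregations (assumption)."""
    inner = {"terms": {"field": "_id", "min_doc_count": 2, "size": max_identities},
             "aggs": {"accounts": {"top_hits": {"size": max_accounts}}}}
    by_source = {"terms": {"field": "accounts.source.id", "min_doc_count": 2, "size": 1000},
                 "aggs": {"identities": inner}}
    return {"query": {"query": source_id}, "indices": ["identities"],
            "aggregationsDsl": {"accounts": {"nested": {"path": "accounts"},
                                             "aggs": {"source_id": by_source}}}}

def duplicate_accounts(response, source_id):
    """Rows of (identity_id, account_name, account_id) for the one source of interest."""
    rows = []
    for src in response["aggregations"]["accounts"]["source_id"]["buckets"]:
        if src["key"] != source_id:  # skip buckets that belong to other sources
            continue
        for ident in src["identities"]["buckets"]:
            for hit in ident["accounts"]["hits"]["hits"]:
                acct = hit["_source"]
                rows.append((ident["key"], acct.get("name"), acct.get("id")))
    return rows

def to_csv(rows):
    """Serialize the rows as CSV text for a file or e-mail attachment."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["identity_id", "account_name", "account_id"])
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample response (assumed Elasticsearch-style shape, not real tenant data).
def _bucket(key, identity, accounts):
    hits = [{"_source": {"id": a, "name": n}} for a, n in accounts]
    return {"key": key, "identities": {"buckets": [
        {"key": identity, "doc_count": len(hits), "accounts": {"hits": {"hits": hits}}}]}}

SAMPLE = {"aggregations": {"accounts": {"source_id": {"buckets": [
    _bucket(SOURCE_ID, "identity-001", [("acct-a", "jdoe"), ("acct-b", "jdoe-adm")]),
    _bucket("other-source-id", "identity-002", [("acct-c", "asmith"), ("acct-d", "asmith1")]),
]}}}}

if __name__ == "__main__":
    print(to_csv(duplicate_accounts(SAMPLE, SOURCE_ID)))
```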