Web Service SaaS connector - Add Entitlement Operation

Identity Security Cloud (ISC) ISC Discussion and Questions
, , , ,
1

Hi Everyone,

I have a requirement where I need to pass 3–4 entitlements across different attributes, and 2 entitlements of the same attribute.

Right now I am passing 3–4 entitlements across different attributes

I’m currently using the following request body in the Add Entitlement operation:

{
  "ID": "$getobject.nativeIdentity$",      
  "Role": "$plan.role$",
  "Treasurer": "$plan.treasurer$",
  "FullAdministrator": "$plan.fullAdministrator$"
}

While the Role attribute is being mapped successfully, both Treasurer and FullAdministrator are not mapping correctly. Interestingly, if I replace $plan.treasurer$ with a static value like 1, it works as expected — the value is passed successfully.

To troubleshoot, we have:

  • Defined these attributes (Treasurer, FullAdministrator) as entitlements in the Account Schema
  • Aggregated them
  • Configured them in the Access Profile

Despite this, they are still not being passed. I also attempted using $getobject.treasurer$, but it didn’t resolve the issue.

Provisioning events are triggered for each attribute under Add Entitlement, but the attributes themselves are not appearing in the final payload. Please find the event logs screenshot below for reference.

{5986A9E9-6A81-4606-8C50-77960921BC16}
{5986A9E9-6A81-4606-8C50-77960921BC16}1786×718 50 KB

and what should be the request body while passing 2 entitlements of the same attribute.

Looking forward to your guidance on this.

2

Are entitlements added as separate group objects in the Entitlement Schema?

If there are multiple group objects, each should be created individually within the Entitlement Schema. These group objects then should be marked as entitlements in the Account Schema. When different types of groups are assigned to a user, SailPoint looks for the following operations:

Add Entitlement Role
Add Entitlement FullAdministrator
Add Entitlement Treasurer

For each operation, try to structure the payload as below and see if it works:
Add Entitlement Role

{
  "ID": "$getobject.nativeIdentity$",      
  "Role": "$plan.role$",
  "Treasurer": "",
  "FullAdministrator": ""
}

Add Entitlement FullAdministrator

{
  "ID": "$getobject.nativeIdentity$",      
  "Role": "",
  "Treasurer": "",
  "FullAdministrator": "$plan.fullAdministrator$"
}

Add Entitlement Treasurer

{
  "ID": "$getobject.nativeIdentity$",      
  "Role": "",
  "Treasurer": "$plan.treasurer$",
  "FullAdministrator": ""
}

Documentation Reference: Multiple Group Objects

3

Hi @rpriya

I have created group object for Treasurer,

{
“nativeObjectType”: “Treasurer”,
“identityAttribute”: “Treasurer”,
“displayAttribute”: “Treasurer”,
“hierarchyAttribute”: null,
“includePermissions”: false,
“features”: ,
“configuration”: {},
“attributes”: [
{
“name”: “Treasurer”,
“type”: “INT”,
“schema”: null,
“description”: “Treasurer”,
“isMulti”: false,
“isEntitlement”: false,
“isGroup”: false
}
],
“id”: “e140ad6276dd4f90801e42141ba89e55”,
“name”: “Treasurer”
}

now source schema is

{
“name”: “treasurer”,
“type”: “STRING”,
“schema”: {
“type”: “CONNECTOR_SCHEMA”,
“id”: “e140ad6276dd4f90801e42141ba89e55”,
“name”: “Treasurer”
},
“description”: “Treasurer”,
“isMulti”: false,
“isEntitlement”: true,
“isGroup”: true
}

i have created Add Entitlement-Treasurer operation

{3F4AABDA-49C8-4164-8CDE-6AB69458D874}
{3F4AABDA-49C8-4164-8CDE-6AB69458D874}1303×710 20.2 KB

Body :

{
“ID”: “$getobject.nativeIdentity$”,

“Treasurer”: “$plan.treasurer$”,
“Role”: “”
}

for Role

{5534CA39-6BBE-400A-AF75-FAF00D288948}
{5534CA39-6BBE-400A-AF75-FAF00D288948}1293×741 19.5 KB

Body :

{
“ID”: “$getobject.nativeIdentity$”,
“Role”: “$plan.role$”,
“Treasurer”: “”
}

still only Role is getting passed, Treasurer is not getting passed.

could you please help to figure out.

4

After setting up the individual group objects, please ensure that you have aggregated them separately by selecting each entitlement type under the ‘Entitlement Aggregation’ section. This will also need separate operations of type Group Aggregation Treasurer etc.

Additionally, try re-adding those entitlements to the corresponding access profile

5

Hi @rpriya

I don’t have Endpoint URL for Treasurer and Role aggregation

Treasurer is attribute but i want to pass it as entitlement because its value is based on title of identity so that we have created access profile for each title and added this as entitlement.

6

Hi @rpriya

i am having one doubt id attribute type is integer and once entitlement will get create it will make it as string, so how we can convert our string value entitlement to integer.

7

Is the id attribute for entitlement or account? Please share some more details