WebService - Account Aggregation using multiple endpoints

Hello experts,

I need to add accounts and I have 2 different endpoints/context URLs.

  1. From the first endpoint I collect almost all the data for account creation in IDNow.
  2. From the second endpoint I update a field for this account.

The problem is that the second endpoint is /users/, so I have to pass an employee id (/users/5001). If I put a fixed employee id, it updates the field in that account, but I need it for all of them. I have tried $getObject.nativeIdentity$ instead of the fixed value, but it gives an error. I think it is not possible to use it in the aggregation.

Can you think of a way to do it?

Thanks so much,
Adrián

Can you be a little more specific here? It seems confusing, at least to me.

Are you trying to create a new account?

For the first point from the list:

  1. From the first endpoint I collect almost all the data for account creation in IDNow. → Not sure what you mean by data collection for account creation. Are you referring to passing plan values in the body of the API call?
  2. From the second endpoint I update a field for this account. → This would be more like updating the account after it has been created in the first endpoint?

If my assumption is correct, you can use $plan.nativeIdentity$, considering you are getting the generated id as the response of your first API call and you are doing response mapping in that endpoint itself.

The connector would set nativeIdentity in the plan if you are doing mapping in your first API call. Map the id which you get in the response to the attribute which is defined as AccountId for your source.

The current setup fails because getObject is not available during Account Aggregation, but only during a Single Account Aggregation.

I’m not sure if you can ever access nativeIdentity during Account Aggregation - the other way is via $plan but this is viable once an operation has reached the provisioning plan, which doesn’t happen during account aggregation as far as I know.

Regarding multiple endpoints - the way to do that is via parent/child endpoints, which is described here: Integrating SailPoint with Web Services

If I understand you correctly, your account aggregation operation needs to

  1. Aggregate all users from endpoint X
  2. Perform an API call against endpoint Y for each user aggregated from endpoint X, passing their nativeIdentity as a dynamic value.

You could probably achieve this with an “After Operation Rule”, but I only have limited experience with Provisioning Rules. But - looking at the description, you should be able to write a rule that instructs IDN to do a separate action after an operation (like account aggregation) takes place.

The other option could be to see if there’s an event trigger that would be fired when your source has aggregated accounts, and an external script/application that would run a single account aggregation for each user in that source, but I imagine that might be quite resource intensive.

1 Like
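
The two-step flow described in the reply above (aggregate from endpoint X, then call endpoint Y once per account with its nativeIdentity), as an added Python sketch that is not part of the thread and is not SailPoint rule code: it models the per-account merge an after-operation step would perform. The `costCenter` field, the sample records and the `fake_get` client are constructed assumptions.

```python
from urllib.parse import quote

# Constructed sample data standing in for the two endpoints (not real API output).
ENDPOINT_X_USERS = [
    {"id": "5001", "name": "a.lopez"},
    {"id": "5002", "name": "m.ruiz"},
    {"id": "50/03", "name": "odd.id"},  # id containing a path separator
]
ENDPOINT_Y = {
    "/users/5001": {"costCenter": "CC-10"},
    "/users/50%2F03": {"costCenter": "CC-30"},
}


def fake_get(path):
    """Hypothetical stand-in for the HTTP client; raises on unknown paths."""
    if path not in ENDPOINT_Y:
        raise LookupError(f"404 for {path}")
    return ENDPOINT_Y[path]


def detail_path(native_identity):
    # Percent-encode the id so a value containing '/' or '?' stays a single
    # path segment and cannot redirect the call to another resource.
    return "/users/" + quote(str(native_identity), safe="")


def enrich_accounts(accounts, get, id_attr="id", field="costCenter"):
    """Return (enriched accounts, ids whose per-user lookup failed)."""
    enriched, failed = [], []
    for account in accounts:
        merged = dict(account)  # never mutate the aggregated record in place
        native_identity = account.get(id_attr)
        try:
            detail = get(detail_path(native_identity))
            merged[field] = detail.get(field)
        except LookupError:
            # Keep the account; one failed lookup must not drop it from the
            # aggregation result, only leave the extra field unset.
            failed.append(native_identity)
        enriched.append(merged)
    return enriched, failed


if __name__ == "__main__":
    accounts, failed = enrich_accounts(ENDPOINT_X_USERS, fake_get)
    for account in accounts:
        print(account)
    print("lookups failed for:", failed)
```
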

Hello Märten Hallik,

Thank you for your answer, you understood it perfectly, you even explained it better than me :).

Indeed I think I need to create an After Operation Rule that executes the call for each of the accounts. I have checked the documentation but the example doesn’t seem too clear.

Does anyone have an example After Operation Rule?

Thanks so much.

1 Like

Hi @adrien,

Were you able to implement this via a rule? I have a similar situation and would like to see the solution implemented, as the SailPoint documentation is not that clear.