What is the best way to assign roles to users in NERM?

We currently have NERM connected to IdentityNow. IdentityNow assigns groups to identities, for example ORG_ADMIN; however, there is no possibility to customize the groups. Let’s suppose we want to assign the group “Approvers_group” so that in NERM the role “Approvers” is assigned.
But, what would be the best way to do it?
Can I do it through a workflow from NERM or can I do it through API call?
Should this manual assignment from the API persist or would NERM remove it?

I hope I have explained myself.
Greetings!

Hi Gilberto, perhaps the IdentityNow Management Connector can help with assigning those User Levels. Then treat the User Levels as entitlements, provisioning based on the aggregated NERM accounts’ attributes.

2 Likes

There are no roles for profiles in NERM. I think you are talking about roles for users, “User Roles”.

If you have SSO configured with IDN, then the best way is to assign a group in IDN to users, create a corresponding role in NERM, and map the group from IDN to the NERM role, similar to what you have for ORG_ADMIN.

If you have SSO, then roles assigned via API will be overridden when the user logs in to NERM.
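The behaviour described in the two answers above, modelled as an added example (this is not NERM’s code; the group names, the role mapping and the login/API functions are constructed for the illustration): a role granted directly through the API survives only until the next SSO login, whereas a role mapped to an IdP group string is re-derived on every login.

```python
"""Model of the thread's point: NERM user roles are re-evaluated from the
IdP group strings at SSO login, so a direct API grant is transient.
Constructed illustration, not NERM's implementation."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed mapping from IDN/ISC group string to NERM user role. ORG_ADMIN
# mirrors the built-in mapping mentioned in the thread; APPROVERS_GROUP is
# the custom mapping the question asks about.
GROUP_TO_ROLE = {
    "ORG_ADMIN": "Administrator",
    "APPROVERS_GROUP": "Approvers",
}


@dataclass
class NermUser:
    login: str
    roles: set[str] = field(default_factory=set)
    audit: list[str] = field(default_factory=list)


def assign_role_via_api(user: NermUser, role: str) -> None:
    """Direct role grant, e.g. from a workflow or an API call."""
    user.roles.add(role)
    user.audit.append(f"api: +{role}")


def roles_from_groups(groups) -> set[str]:
    """Translate IdP group strings into NERM roles; unknown groups grant nothing."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def sso_login(user: NermUser, idp_groups) -> set[str]:
    """At SSO login the role set is replaced by what the IdP groups map to."""
    before = set(user.roles)
    user.roles = roles_from_groups(idp_groups)
    for lost in sorted(before - user.roles):
        user.audit.append(f"sso: -{lost} (not backed by an IdP group)")
    for gained in sorted(user.roles - before):
        user.audit.append(f"sso: +{gained}")
    return user.roles


def demo():
    """Compare the two strategies discussed in the thread."""
    # Strategy 1: grant the role by API without a matching IdP group.
    alice = NermUser("alice")
    assign_role_via_api(alice, "Approvers")
    after_login_1 = sso_login(alice, ["ORG_ADMIN"])       # Approvers is dropped
    # Strategy 2: map the role to an IdP group the user is a member of.
    bob = NermUser("bob")
    after_login_2 = sso_login(bob, ["APPROVERS_GROUP"])   # Approvers is derived
    return after_login_1, after_login_2


if __name__ == "__main__":
    api_only, group_mapped = demo()
    print("API-assigned only, after login:", api_only)
    print("Group-mapped, after login:", group_mapped)
```

The audit list makes the loss visible: an operator reviewing the user sees the API grant followed by its removal at the next login, which is why the group-mapping approach is the one to rely on.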

Hi, @bishopryant

One question: do you know if this type of connector allows creating new user levels?
I mean, what if none of the existing ones help us because we want one called “APPROVERS”; is that possible?

Correct, thanks for the observation. I have corrected the title of the topic.

But what if I want a group of users to be approvers? The group that assigns them that role is the group “APPROVERS”. How can I make them have that group, or directly the role, if I can’t customize the groups in IDN and if the role will be overwritten?

The ISC User Levels are fixed, but may be made somewhat dynamic using the Sub-Admin User Level, where the user has the same permissions for search and reports as Source Admins. However, they can perform the following actions only on the sources associated with the governance groups they are members of.

You may be able to associate sub-admin user levels to entitlements and grant access to certain sources based on the NERM account’s attributes, like their department or status.

2 Likes

Thanks for the reply. I will review the articles.

1 Like

@sunnyajmera @bishopryant @GilbertoOledo14

I have been trying to achieve the same use case for NERM but this doesn’t seem to work for some reason when assigning ISC user levels to identities via ISC roles.

In my case as well, the users will log in to NERM with ISC as the IdP, and NERM only checks the user’s identity level as group strings to evaluate user roles on the NERM side for system users.

Documented my observation here:
Topic link: ISC User level assigned via Roles

Please feel free to check the post and let me know of any way forward on this.

Thanks,
Arshad.

1 Like

That’s a correct observation. I will have to reach out to SailPoint for this. @ZackTarantino-Woolson Is this a limitation of the product? Can you confirm?

This SaaS connector can be used to manage the users in NERM - NERM Users Connector. It treats the NERM roles as entitlements which can be assigned to users.

1 Like

Sure, Thanks for that Sunny. Please do let us know if you have any response from SailPoint on my observations in the post link mentioned above.

Hi, @DerekHackbardt
Thanks, I think this solves my problem.
I will try it and hope to bookmark your reply as a solution.

Hi!
I have tested the connector; however, I can’t get it to work. Currently, when I test the connection or when I try to add accounts, I get the following error:

[ConnectorError] error receiving response from connector: stream client connection is broken (connector process may have crashed)

In the CLI I see the following, what could be the error?

[2024-04-26T14:01:17.500-06:00] INFO | invokeCommand ▶ Command execution started : std:account:list, for connector version 1.
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ node:internal/modules/cjs/loader:1080
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ throw err;
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ ^
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ Error: Cannot find module '/app/connector'
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ Require stack:
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ - /usr/bin/index.js
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at Module._resolveFilename (node:internal/modules/cjs/loader:1077:15)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at Module._load (node:internal/modules/cjs/loader:922:27)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at Module.require (node:internal/modules/cjs/loader:1143:19)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at Hook._require.i.require (/usr/bin/index.js:35:2011540)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at require (node:internal/modules/cjs/helpers:121:18)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at 99318 (/usr/bin/index.js:40:165350)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at nccwpck_require (/usr/bin/index.js:59:331218)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at 6144 (/usr/bin/index.js:40:157768)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at nccwpck_require (/usr/bin/index.js:59:331218)
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ at /usr/bin/index.js:59:331546 {
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ code: 'MODULE_NOT_FOUND',
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ requireStack: [ '/usr/bin/index.js' ]
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ }
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶
[2024-04-26T14:01:18.173-06:00] INFO | connectorMessage ▶ Node.js v18.17.1
[2024-04-26T14:01:20.216-06:00] INFO | commandOutcome ▶ Command failed with [ConnectorError] error receiving response from connector: stream client connection is broken (connector process may have crashed): std:account:list, for connector version 1. output_count=0 keep_alive_count=0 state_count=0. Elapsed time 2691ms

@GilbertoOledo14 I have not seen this error before. Have you tried testing the connection with an instance of the connector running locally? There is a SaaS Connectivity Postman collection that can help with this. Your payload would be something like the following:

{
  "type": "std:test-connection",
  "input": {},
  "config": {
    "bearerToken": "<the_bearer_token>",
    "baseUrl": "https://<tenant_name>.seczetta.com/api"
  }
}
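A small script for sending a command envelope like the one above to a locally running connector, added here as an example (it is not the page’s code, SailPoint’s Postman collection, or the connector’s own code). Assumptions, labelled in the code: the local dev runner accepts the command JSON as an HTTP POST on http://localhost:3000 (adjust `DEFAULT_LOCAL_URL` to match your runner); the tenant name and bearer token are read from the environment variables `NERM_TENANT` and `NERM_BEARER_TOKEN` so the token is never pasted into a script or printed; `transport` is injectable so the logic can be exercised offline with a constructed response.

```python
"""Send a SaaS Connectivity command (e.g. std:test-connection) to a local
connector process and summarise the outcome. Added example; the local URL,
env-var names and response handling are assumptions, not documented APIs."""
import json
import os
import urllib.error
import urllib.request

DEFAULT_LOCAL_URL = "http://localhost:3000"  # assumed address of the local runner


def build_command(command_type, tenant, token, input_data=None):
    """Assemble the {type, input, config} envelope shown in the thread."""
    return {
        "type": command_type,
        "input": input_data or {},
        "config": {
            "bearerToken": token,
            "baseUrl": f"https://{tenant}.seczetta.com/api",
        },
    }


def redact(payload):
    """Deep copy of the payload that is safe to log: the token is masked."""
    safe = json.loads(json.dumps(payload))
    safe["config"]["bearerToken"] = "***"
    return safe


def http_transport(url, body):
    """Default transport: POST the JSON body, return (status, response_text)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def run_command(payload, url=DEFAULT_LOCAL_URL, transport=http_transport):
    """Send the command and classify the result for the operator."""
    status, text = transport(url, json.dumps(payload).encode())
    if status != 200:
        return {"ok": False, "reason": f"HTTP {status}", "detail": text[:300]}
    try:
        data = json.loads(text)
    except ValueError:
        # A crashed connector (as in the MODULE_NOT_FOUND trace above) tends to
        # surface in the runner's own log rather than as a JSON reply.
        return {"ok": False, "reason": "non-JSON response", "detail": text[:300]}
    return {"ok": True, "reason": "connector replied", "detail": data}


if __name__ == "__main__":
    cmd = build_command(
        "std:test-connection",
        os.environ.get("NERM_TENANT", "<tenant_name>"),
        os.environ.get("NERM_BEARER_TOKEN", "<the_bearer_token>"),
    )
    print("sending:", json.dumps(redact(cmd), indent=2))
    print(run_command(cmd))
```

If the local run fails the same way as the CLI log above, the problem is in the packaged connector rather than in the tenant configuration, which narrows the search before involving SailPoint support.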