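## Exports the roles and access profiles of one IdentityNow org to CSV.
##
## Usage:   <this script>.ps1 <orgname>
## Output:  $HomeDir\<orgname>\Roles.csv and $HomeDir\<orgname>\AccessProfiles.csv
##          (the <orgname> folder is created when missing; existing files are replaced)
## Config:  $HomeDir\config.json containing "clientId" and "clientSecret".
##          Change $HomeDir below to the directory that holds that file. The secret is
##          stored in clear text, so restrict the file's ACL to the account running this.
##
## All API helpers below read $org from the script scope to build the tenant host name.

$org = $args[0]
$HomeDir = "C:\exportdata"
$configFile = "$($HomeDir)\config.json"

# $org is used both as a host-name label in every request URL and as a folder name
# under $HomeDir, so accept only a plain tenant name (no dots, slashes or separators).
if ([string]::IsNullOrEmpty($org) -or $org -notmatch '^[A-Za-z0-9-]+$') {
    Write-Error "Usage: $($MyInvocation.MyCommand.Name) <orgname>   (letters, digits and '-' only)"
    exit 2
}

$outDir = "$($HomeDir)\$($org)"
if (-not (Test-Path -LiteralPath $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}
# Both files are written with -Append further down, so clear any previous run first.
foreach ($csvName in @("Roles.csv", "AccessProfiles.csv")) {
    $csvPath = "$($outDir)\$($csvName)"
    if (Test-Path -LiteralPath $csvPath) {
        Remove-Item -LiteralPath $csvPath
    }
}

# Get Token
try {
    # Windows PowerShell defaults to older protocols; force TLS 1.2 for the API calls.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $config = Get-Content -LiteralPath $configFile -Raw | ConvertFrom-Json
    $clientId = $config.clientId
    $clientSecret = $config.clientSecret
    $oAuthURI = "https://$($org).api.identitynow.com/oauth/token"
    # Send the client credentials in the form body instead of the query string so the
    # secret does not end up in proxy/server access logs or transcript output.
    $tokenBody = @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $clientSecret
    }
    $token = Invoke-RestMethod -Method Post -Uri $oAuthURI -Body $tokenBody
    $bearerToken = $token.access_token
} catch {
    # Without a token every later call fails with 401 and the export would be empty,
    # so stop here instead of continuing silently.
    Write-Error "Could not obtain an access token for '$($org)': $($_.Exception.Message)"
    exit 1
}
if ([string]::IsNullOrEmpty($bearerToken)) {
    Write-Error "Token response for '$($org)' did not contain an access_token"
    exit 1
}

#######################################
# Fetches every page of a /cc/api/*/list endpoint.
# Arguments: $uri           - list URL, with or without an existing query string
#            $bearerToken   - OAuth access token
#            $itemsProperty - property of the response holding the page's items,
#                             or $null when the response body itself is the array
# Returns:   array of all items across pages (nothing when no items were returned)
#######################################
function getPagedList($uri, $bearerToken, $itemsProperty) {
    $limit = 250
    $start = 0
    $results = @()
    # Append start/limit after any query parameters the caller already supplied.
    $sep = if ($uri.Contains("?")) { "&" } else { "?" }
    do {
        $pageUri = "$($uri)$($sep)start=$($start)&limit=$($limit)"
        $apiRes = Invoke-RestMethod -Method Get -Uri $pageUri -Headers @{ Authorization = "Bearer $($bearerToken)" } -ContentType "application/json"
        $len = 0
        if ($apiRes) {
            $items = if ($itemsProperty) { $apiRes.$itemsProperty } else { $apiRes }
            if ($null -ne $items) {
                # @() keeps a single-item page from being unrolled into a scalar,
                # whose .Length would be $null and end the paging loop early.
                $items = @($items)
                $len = $items.Count
                $results += $items
            }
        }
        $start += $limit
    } until ($len -lt $limit)
    return $results
}

# Access profiles: page items are under .items.
# NB: this host has no ".api." label while the source list below has one; both are
# kept exactly as the original script used them.
function getAP($bearerToken) {
    return getPagedList "https://$($org).identitynow.com/cc/api/accessProfile/list" $bearerToken "items"
}

# Sources: the response body itself is the array.
function getSources($bearerToken) {
    return getPagedList "https://$($org).api.identitynow.com/cc/api/source/list" $bearerToken $null
}

# Roles: page items are under .items.
function getRoles($bearerToken) {
    return getPagedList "https://$($org).identitynow.com/cc/api/role/list" $bearerToken "items"
}

#######################################
# Loads the entitlements of every source into $entHash (id -> displayName).
# Arguments: $bearerToken, $sources (array from getSources), $entHash (hashtable, mutated)
#######################################
function getAllEntitlements($bearerToken, $sources, $entHash) {
    foreach ($source in @($sources)) {
        $id = $source.externalId
        Write-Verbose "Loading entitlements for source '$($source.name)' (externalId $($id))"
        getEntitlements $bearerToken $id $entHash
    }
}

#######################################
# Adds the entitlements of one source to $entHash; the first name seen for an id wins.
# Arguments: $bearerToken, $sourceExternalID (source.externalId), $entHash (mutated)
#######################################
function getEntitlements($bearerToken, $sourceExternalID, $entHash) {
    $uri = "https://$($org).identitynow.com/cc/api/entitlement/list?CISApplicationId=$([uri]::EscapeDataString([string]$sourceExternalID))"
    foreach ($ent in @(getPagedList $uri $bearerToken "items")) {
        $id = $ent.id
        # ContainsKey rather than a null-name probe: a duplicate id with an empty name
        # would otherwise make Hashtable.Add throw.
        if ($null -ne $id -and -not $entHash.ContainsKey($id)) {
            $entHash.Add($id, $ent.displayName)
        }
    }
}

# Returns the id of the first source whose name equals $srcname, nothing when absent.
function getSourceIdForName($sources, $srcname) {
    foreach ($source in @($sources)) {
        if ($source.name -eq $srcname) {
            return $source.id
        }
    }
}

# Returns the name of the first access profile whose id equals $srcID, nothing when absent.
function getNameForID($accessProfiles, $srcID) {
    foreach ($ap in @($accessProfiles)) {
        if ($ap.id -eq $srcID) {
            return $ap.name
        }
    }
}

#######################################
# Fetches one role and returns its selector.complexRoleCriterion (may be $null).
# Arguments: $roleID      - role id
#            $bearerToken - defaults to the script-level token so existing
#                           single-argument callers keep working
#######################################
function getRoleRule($roleID, $bearerToken = $script:bearerToken) {
    $url = "https://$($org).identitynow.com/cc/api/role/get/?id=$([uri]::EscapeDataString([string]$roleID))"
    $role = Invoke-RestMethod -Method Get -Uri $url -Headers @{ Authorization = "Bearer $($bearerToken)" }
    return $role.selector.complexRoleCriterion
}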
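# Main flow: load everything once, then write one CSV per object type.
$entHash = @{}
$accessProfiles = @(getAP $bearerToken)
$roles = @(getRoles $bearerToken)
$sources = @(getSources $bearerToken)
getAllEntitlements $bearerToken $sources $entHash

# One hashtable lookup per id instead of a scan over every access profile for each role.
# First occurrence wins, matching the previous first-match lookup.
$apNameById = @{}
foreach ($ap in $accessProfiles) {
    if ($null -ne $ap.id -and -not $apNameById.ContainsKey($ap.id)) {
        $apNameById[$ap.id] = $ap.name
    }
}

$rolesCsv = "$($HomeDir)\$($org)\Roles.csv"
$accessProfilesCsv = "$($HomeDir)\$($org)\AccessProfiles.csv"

# Roles -> Roles.csv
$roleRows = New-Object System.Collections.Generic.List[object]
foreach ($role in $roles) {
    $apNames = @()
    # foreach over $null iterates zero times, so a role without access profiles is fine.
    foreach ($apId in $role.accessProfileIds) {
        if ($apNameById.ContainsKey($apId)) {
            $apNames += $apNameById[$apId]
        } else {
            # Say so instead of silently emitting an empty name in an audit export.
            Write-Warning "Role '$($role.name)': access profile id '$($apId)' not found in the access profile list"
        }
    }
    $aliaslist = getRoleRule $role.id
    $ruleJson = $aliaslist | ConvertTo-Json -Compress -Depth 100
    $roleRows.Add([PSCustomObject]@{
        "name"            = $role.name
        "description"     = $role.description
        "disabled"        = $role.disabled
        "displayName"     = $role.displayName
        "requestable"     = $role.requestable
        "Access Profiles" = ($apNames -join ";")
        "Rule"            = $ruleJson
    })
}
if ($roleRows.Count -gt 0) {
    # Explicit UTF8: Windows PowerShell's Export-Csv default is ASCII and would turn
    # non-ASCII display names into '?'.
    $roleRows | Export-Csv -NoTypeInformation -Encoding UTF8 -LiteralPath $rolesCsv
}

# Access profiles -> AccessProfiles.csv
$apRows = New-Object System.Collections.Generic.List[object]
foreach ($ap in $accessProfiles) {
    $entNames = @()
    foreach ($entId in $ap.entitlements) {
        if ($null -ne $entId -and $entHash.ContainsKey($entId)) {
            $entNames += $entHash[$entId]
        } else {
            Write-Warning "Access profile '$($ap.name)': entitlement id '$($entId)' not found in any source"
        }
    }
    $appNames = $entNames -join ";"
    Write-Verbose "Access profile '$($ap.name)': $($appNames)"
    $apRows.Add([PSCustomObject]@{
        "name"        = $ap.name
        "description" = $ap.description
        "disabled"    = $ap.disabled
        "sourceName"  = $ap.sourceName
        "appNames"    = $appNames
    })
}
if ($apRows.Count -gt 0) {
    $apRows | Export-Csv -NoTypeInformation -Encoding UTF8 -LiteralPath $accessProfilesCsv
}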