Skip to main content

SaaS Configuration

This is a guide about using the SailPoint SaaS Configuration APIs to import configurations into and export configurations from the SailPoint SaaS system. Use these APIs to get configurations in bulk in support of environmental promotion, go-live, or tenant-to-tenant configuration management processes and pipelines.

For more details around how to manage configurations, refer to SailPoint SaaS Change Management and Deployment Best Practices.

Audience​

This document is intended for technically proficient administrators, implementers, integrators or even developers. No coding experience is necessary, but being able to understand JSON data structures and make REST API web-service calls is necessary to fully understand this guide.

Supported Objects​

ObjectObject TypeExportImportBackupDeploy
Access ProfilesACCESS_PROFILEβœ…βŒβœ…βœ…
Access Request ConfigurationACCESS_REQUEST_CONFIGβœ…βŒβœ…βœ…
Attribute Sync Source ConfigurationATTR_SYNC_SOURCE_CONFIGβœ…βŒβœ…βœ…
Authentication ConfigurationAUTH_ORGβœ…βŒβœ…βœ…
Campaign FiltersCAMPAIGN_FILTERβœ…βŒβœ…βœ…
Form DefinitionsFORM_DEFINITIONβœ…βŒβœ…βœ…
Governance GroupsGOVERNANCE_GROUPβœ…βŒβœ…βœ…
Identity Object ConfigurationIDENTITY_OBJECT_CONFIGβœ…βœ…βœ…βœ…
Identity ProfilesIDENTITY_PROFILEβœ…βœ…βœ…βœ…
Lifecycle StatesLIFECYCLE_STATEβœ…βŒβœ…βœ…
Notification TemplatesNOTIFICATION_TEMPLATEβœ…βŒβœ…βœ…
Password PoliciesPASSWORD_POLICYβœ…βŒβœ…βœ…
Password Sync GroupsPASSWORD_SYNC_GROUPβœ…βŒβœ…βœ…
Public Identities ConfigurationPUBLIC_IDENTITIES_CONFIGβœ…βŒβœ…βœ…
RolesROLEβœ…βŒβœ…βœ…
RulesRULEβœ…βœ…βœ…βœ…
SegmentsSEGMENT❌❌❌❌
Separation of Duties PoliciesSOD_POLICYβœ…βŒβœ…βœ…
Service Desk IntegrationsSERVICE_DESK_INTEGRATIONβœ…βŒβœ…βœ…
SourcesSOURCEβœ…βœ…βœ…βœ…
TagsTAG❌❌❌❌
TransformsTRANSFORMβœ…βœ…βœ…βœ…
Event Trigger SubscriptionsTRIGGER_SUBSCRIPTIONβœ…βœ…βœ…βœ…
WorkflowsWORKFLOWβœ…βŒβœ…βœ…
tip

The available supported objects are also available via REST API! See List Configuration Objects in the API Reference section of this document.

Rule Import and Export - Rules can be exported from one tenant and imported into another. Cloud rules have already been reviewed and installed in other tenants, and connector rules do not require a rule review. During the import and export process, rules cannot be changed in the migration process because these are validated by the usage of jwsHeader and jwsSignature in the object.

Exporting Configurations​

Prerequisites​

  • You must have tenant administrator credentials (ORG_ADMIN).
  • You must have an understanding of which objects you want to export.

Process​

img

  1. Start Export - Start the export process by configuring a JSON payload for the export options. This payload will be sent to POST /beta/sp-config/export.
  2. Response with Export Status - An export status will be given in response. This contains a jobId and a status to be used to subsequently monitor the process. Initially, this may have a status of NOT_STARTED.
  3. Get Export Status - Using the jobId from the previous status, call GET /beta/sp-config/export/{id} where the {id} is the jobId.
  4. Response with Export Status - An export status will be given in response. This contains a jobId and a status to be used to subsequently monitor the process. After a period of time, the process status should move to either COMPLETE or FAILED. Depending on the amount of objects being exported, this could take awhile. It may be ncessary to iterate over steps 3 and 4 until the status reflects a completion. If it takes too long, the export process may expire.
  5. Get Export Results - Once the status is COMPLETE, download the export results by calling GET /beta/sp-config/export/{id}/download where the {id} is the jobId.
  6. Response with Export Results - In response, the export process will produce a set of JSON objects you can download as an export result set. These will reflect the objects that were selected in the export options earlier.

Importing Configurations​

Prerequisites​

  • Need to have credentials as a tenant administrator (ORG_ADMIN)
  • Prepare any objects to be imported into the system, as well as import options.

Process​

img

  1. Start Import - Start the import process by configuring a JSON payload for the import options. This will then be sent to POST /beta/sp-config/import.
  2. Response with Import Status - An import status will be given in response. This contains a jobId and a status to be used to subsequently monitor the process. Initially this might have a status of NOT_STARTED.
  3. Get Import Status - Using the jobId from the previous status, call GET /beta/sp-config/import/{id} where the {id} is the jobId.
  4. Response with Import Status - An import status will be given in response. This contains a jobId and a status to be used to subsequently monitor the process. After a period of time, the process status will move to either COMPLETE or FAILED. Depending on the amount of objects being imported, this could take awhile. It may be necessary to iterate over steps 3 and 4 until the status reflects a completion. If it takes too long, the import process may expire.
  5. Get Import Results - Once the status is COMPLETE, download the import results by calling GET /beta/sp-config/import/{id}/download where the {id} is the jobId.
  6. Response with Import Results - In response, the import process should produce listing of object that successfully imported, as well as any errors, warnings, or information about the import process. This result set will reflect the objects that were selected to be imported earlier.

API Reference Guide​

DescriptionREST API Endpoint
List Config ObjectsGET /beta/sp-config/config-objects
Export ObjectsPOST /beta/sp-config/export
Export StatusGET /beta/sp-config/export/{id}
Export ResultsGET /beta/sp-config/export/{id}/download
Import ObjectsPOST /beta/sp-config/import
Import StatusGET /beta/sp-config/import/{id}
Import ResultsGET /beta/sp-config/import/{id}/download

List Configuration Objects​

Description

This endpoint gets the list of object configurations known to the tenant export/import service. Object configurations containing "importUrl" and "exportUrl" are available for export/import.

GET /beta/sp-config/config-objects
Authorization: Bearer {token}

Export Objects​

Description

This endpoint exports selected objects from the tenant to a JSON configuration file.

POST /beta/sp-config/export
Authorization: Bearer {token}
Content-Type: application/json

{
  "description": "Export from Neil's SailPoint tenant",
  "excludeTypes": [
    "TRIGGER_SUBSCRIPTION"
  ],
  "includeTypes": [
    "SOURCE",
    "RULE",
    "TRANSFORM"
  ],
  "objectOptions": {
    "SOURCE": {
      "includedIds": [
      ],
      "includedNames": [
        "Active Directory"
      ]
    },
    "RULE": {
      "includedIds": [
      ],
      "includedNames": [
        "JDBCProvisioning Rule Adapter"
      ]
    },
    "TRANSFORM": {
      "includedIds": [
      ],
      "includedNames": [
          "Calculate Display Name",
        "Default Email",
        "Determine Email",
        "Account Status to Lifecycle State"
      ]
    }
  }
}
note

You can only use the includedIds and includedNames filters when you're exporting objects that also support import functionality.

Export Status​

Description

This endpoint gets the status of the export job identified by its id parameter.

This request requires one of the following security scopes:

  • sp:config:read - sp:config:manage
GET /beta/sp-config/export/{id}
Authorization: Bearer {token}

Export Results​

Description

This endpoint gets the export job's resulting export file by using the requested id and downloads it to a file.

This request requires one of the following security scopes:

  • sp:config:read - sp:config:manage
GET /beta/sp-config/export/{id}/download
Authorization: Bearer {token}

Import Objects​

Description

This endpoint imports objects from a JSON configuration file into a tenant. By default, every import job first exports all existing objects supported by sp-config as a backup before attempting the import. The import job provides a backup so the configuration's import status is available for inspection or restore if needed. You can skip the backup by setting excludeBackup to true in the import options. If a backup occurs, the ImportResult provides the backup's ID as the exportJobId.

This request requires the following security scope:

  • sp:config:manage
POST /beta/sp-config/import
Authorization: Bearer {token}
Content-Type: multipart/form-data

data: (File) data.json
tip

Import also has a β€œpreview” option you can use to see what an import will look like without actually having to import and change your tenant. Any errors discovered during reference or resource resolution will be provided. To use this, simply set query option preview to true.

Example: POST /beta/sp-config/import?preview=true

Import Status​

Description

This endpoint gets the status of the import job identified by its id parameter.

This request requires the following security scope:

  • sp:config:manage
GET /beta/sp-config/import/{id}
Authorization: Bearer {token}

Import Results​

Description

This endpoint gets the import job's resulting import file by using the requested id and downloads the file. The downloaded file will contain the import job's results, including any associated error, warning or informational messages.

This request requires the following security scope:

  • sp:config:manage
GET /beta/sp-config/import/{id}/download
Authorization: Bearer {token}