# Identity Attribute Changed Event Trigger

The platform has introduced an event trigger within the Identity Aggregation and Refresh Flow.

When any identity attribute changes, this trigger:

  • Notifies an administrator or system to take the appropriate provisioning actions as part of the Mover workflow.
  • Notifies a system to trigger another action (e.g. trigger a certification campaign when an identity's manager has changed).

This event trigger provides a flexible way to extend Joiner-Mover-Leaver processes. It enables more proactive governance and ensures users can quickly obtain needed access when they enter your organization.


# Getting Started

# Prerequisites

  • An OAuth Client configured with Authority as ORG_ADMIN.
  • An Authoritative Source. To quickly test this service, use a Flat File Source.
  • An Identity Profile using the Authoritative Source with Identity Profiles mapped.


# Event Context

  • Identity Attribute Changed events occur when any attributes that are aggregated from an authoritative source differ from the current attributes for an identity during an identity refresh. See Configuring Correlation for more information about attributes that are updated for an Identity Profile.
  • The Identity Attribute Changed event contains any attributes of the identity as configured for the Identity Profile. For more information, see Mapping Identity Profiles.
  • The event contains the current value (the identity attribute before the identity refresh) and the new value (the identity attribute aggregated from the authoritative source as part of the identity refresh process).
  • The event can contain 1 or more identity attribute changes.

Use the following command to view the Identity Attributes Changed Trigger details:

```bash
curl --request GET --url 'https://{tenant}.api.identitynow.com/beta/triggers' --header 'authorization: Bearer {access_token}'
```

# Trigger type

This event trigger is of type FIRE_AND_FORGET. When you subscribe to this event trigger with your HTTP endpoint, a response is not expected to be returned.

# Input Schema

The input schema defines what your subscription will receive. Here is an example input provided by the trigger:

```json
{
    "identity": {
        "id": "ee769173319b41d19ccec6cea52f237b",
        "name": "john.doe",
        "type": "IDENTITY"
    },
    "changes": [
        {
            "attribute": "department",
            "oldValue": "sales",
            "newValue": "marketing"
        },
        {
            "attribute": "manager",
            "oldValue": {
                "id": "ee769173319b41d19ccec6c235423237b",
                "name": "nice.guy",
                "type": "IDENTITY"
            },
            "newValue": {
                "id": "ee769173319b41d19ccec6c235423236c",
                "name": "mean.guy",
                "type": "IDENTITY"
            }
        },
        {
            "attribute": "email",
            "oldValue": "john.doe@hotmail.com",
            "newValue": "john.doe@gmail.com"
        }
    ]
}
```

  • identity - A reference to the identity that changed. This can be used for SailPoint REST API callbacks for attributes that didn't change, or further related information.
  • changes - A list of identity attribute changes.
    • attribute - The technical name of the attribute which is changing.
    • oldValue - The value of the attribute before it was changed.
    • newValue - The value of the attribute after it was changed.
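
A receiver for this payload has to handle `oldValue`/`newValue` arriving either as a plain value or as an identity reference object, and should reject anything that does not match the schema before acting on it. The following Python code is an added example, not SailPoint code: `ROUTES`, `flatten`, `parse_event` and `plan_actions` are hypothetical names, the routing policy is an assumed one based on the use cases named at the top of this page, and accepting a null value for an attribute that was previously unset is an assumption.

```python
import json

# Assumed routing policy (not defined by the platform): which attribute
# changes raise which follow-up action in a Mover workflow.
ROUTES = {"manager": "start_certification", "department": "review_mover_access"}

def flatten(value):
    """Reduce a change value to a comparable scalar (reference objects -> id)."""
    if isinstance(value, dict):
        # Identity references carry id/name/type, as in the manager change.
        if not isinstance(value.get("id"), str):
            raise ValueError("reference object without a string id")
        return value["id"]
    # Assumption: null is accepted for an attribute that had no value.
    if value is None or isinstance(value, (str, int, float, bool)):
        return value
    raise ValueError("unsupported value type")

def parse_event(raw):
    """Validate an Identity Attribute Changed payload; return (identity_id, changes)."""
    event = json.loads(raw)  # malformed JSON raises a ValueError subclass
    identity = event.get("identity") if isinstance(event, dict) else None
    if not isinstance(identity, dict) or not isinstance(identity.get("id"), str):
        raise ValueError("missing identity reference")
    changes = event.get("changes")
    if not isinstance(changes, list) or not changes:
        raise ValueError("event must carry 1 or more changes")
    parsed = []
    for c in changes:
        if not isinstance(c, dict) or not isinstance(c.get("attribute"), str):
            raise ValueError("malformed change entry")
        parsed.append((c["attribute"], flatten(c.get("oldValue")), flatten(c.get("newValue"))))
    return identity["id"], parsed

def plan_actions(raw):
    """Return (action, identity_id, attribute, old, new) for routed, real changes."""
    identity_id, changes = parse_event(raw)
    return [(ROUTES[a], identity_id, a, old, new)
            for a, old, new in changes if a in ROUTES and old != new]

# Constructed sample: the input example from this page, compacted.
SAMPLE = b'''{"identity": {"id": "ee769173319b41d19ccec6cea52f237b", "name": "john.doe", "type": "IDENTITY"},
 "changes": [{"attribute": "department", "oldValue": "sales", "newValue": "marketing"},
  {"attribute": "manager",
   "oldValue": {"id": "ee769173319b41d19ccec6c235423237b", "name": "nice.guy", "type": "IDENTITY"},
   "newValue": {"id": "ee769173319b41d19ccec6c235423236c", "name": "mean.guy", "type": "IDENTITY"}},
  {"attribute": "email", "oldValue": "john.doe@hotmail.com", "newValue": "john.doe@gmail.com"}]}'''

if __name__ == "__main__":
    for action in plan_actions(SAMPLE):
        print(action)
```

Because the trigger is FIRE_AND_FORGET, a rejected payload is not reported back to the platform, so the receiver should log validation failures on its own side.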

# Subscribe to the Identity Attribute Changed Event Trigger

To subscribe to the Identity Attribute Changed Event Trigger, make a POST call to /beta/trigger-subscriptions with the following headers and body:

Headers:

  • Authorization: Bearer <access_token>

Body:

```json
{
   "triggerId":"idn:identity-attributes-changed",
   "type":"HTTP",
   "httpConfig":{
      "url":"https://urlOfTheExternalService.com"
   }
}
```

# Testing Tools

  • webhook.site - This tool creates a temporary HTTP endpoint for you to verify that you are able to successfully subscribe to the Event Trigger. You can receive the event after an access request has been submitted. Copy the "unique URL" from webhook.site and use it in the url field of the POST body to /beta/trigger-subscriptions.
  • localhost.run - This tool creates an endpoint for an HTTP server running on your local machine.