Update: Oct 2019. Access Profiles can be easily managed using the SailPoint IdentityNow PowerShell Module.
Managing SailPoint IdentityNow Access Profiles is easy enough to do using the SailPoint IdentityNow Portal. But what if you have the requirement to update, report on, or create numerous Access Profiles? That’s where the SailPoint IdentityNow API comes into play. The Access Profiles API is documented here but doesn’t go into a lot of detail. In this post I’ll detail interfacing with it using PowerShell primarily to create and update Access Profiles.
You will need to Authenticate to the IdentityNow API. Both v2 and v3 authentication methods work. I detail the v2 method here and the v3 method here. Personally I’m using the v3 method. Just make sure you change your Headers for the requests to whatever method you use and the naming of your variables.
For reference, my v3token variable is $v3Token, so my Authentication Header is then @{Authorization = "$($v3Token.token_type) $($v3Token.access_token)"}
The Access Profiles API URI is
https://$($yourOrgName).api.identitynow.com/v2/access-profiles
If you know the ID of the Access Profile, you can return just that Access Profile via its ID (where $accessProfileID is the ID that looks like 2c91808466a64e330112a96902ff1f69):
https://$($yourOrgName).api.identitynow.com/v2/access-profiles/$($accessProfileID)
The following script will return Access Profiles from your SailPoint IdentityNow Tenant. Update;
To update an Access Profile the API URI is;
https://$($orgName).api.identitynow.com/v2/access-profiles/$($accessProfileID)
The following will update an existing Access Profile to make Request Comments Required and Denied Comments Required equal False.
Update;
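The retrieve and update calls described above can be wrapped as in the following added example (not the original post's script, and not SailPoint's own code). It uses the URIs and Authorization header shown in this post; the function names, the PATCH verb, the JSON body and the property names requestCommentsRequired / deniedCommentsRequired are assumptions to verify against your tenant.

```powershell
# Added example. Assumes $orgName and $v3Token are already set as described in the post.
# Assumptions: the update uses PATCH with a JSON body, and the two settings are exposed
# as requestCommentsRequired / deniedCommentsRequired. Confirm both against your tenant.

function Get-INAccessProfile {
    param(
        [Parameter(Mandatory)][string]$OrgName,
        [Parameter(Mandatory)]$Token,
        [string]$AccessProfileID
    )
    $uri = "https://$($OrgName).api.identitynow.com/v2/access-profiles"
    if ($AccessProfileID) {
        # IDs look like 2c91808466a64e330112a96902ff1f69; reject anything else
        # so a malformed value from a CSV cannot alter the request path.
        if ($AccessProfileID -notmatch '^[0-9a-f]{32}$') {
            throw "Unexpected Access Profile ID format: $AccessProfileID"
        }
        $uri = "$uri/$AccessProfileID"
    }
    $headers = @{Authorization = "$($Token.token_type) $($Token.access_token)"}
    Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
}

function Set-INAccessProfileComments {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OrgName,
        [Parameter(Mandatory)]$Token,
        [Parameter(Mandatory)][string]$AccessProfileID,
        [bool]$Required = $false
    )
    # Read the current object first so the pre-change state can be logged.
    $before = Get-INAccessProfile -OrgName $OrgName -Token $Token -AccessProfileID $AccessProfileID
    Write-Verbose ("Before: " + ($before | ConvertTo-Json -Depth 5 -Compress))

    $uri = "https://$($OrgName).api.identitynow.com/v2/access-profiles/$AccessProfileID"
    $headers = @{Authorization = "$($Token.token_type) $($Token.access_token)"}
    $body = @{
        requestCommentsRequired = $Required   # assumed property name
        deniedCommentsRequired  = $Required   # assumed property name
    } | ConvertTo-Json

    # -WhatIf skips the write and only reports what would be changed.
    if ($PSCmdlet.ShouldProcess($AccessProfileID, "Set comment requirements to $Required")) {
        Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -Body $body -ContentType 'application/json'
    }
}

# Dry run: Set-INAccessProfileComments -OrgName $orgName -Token $v3Token -AccessProfileID $accessProfileID -WhatIf -Verbose
```

Running with -WhatIf -Verbose before a bulk change records each profile's current state and shows which IDs would be modified without sending the update.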
In order to create an Access Profile, there are a number of configuration items that you will need to provide. The key items are;
Here is an example Search Request JSON Object required for the Search User call. Update it for a unique attribute for an Identity to query and return.
Update for your criteria, e.g. if you copy the JSON below;
Finally, now that we have the prerequisite information to create an Access Profile we can create it. Modify for your environment based off information retrieved from the processes above. Namely;
For Approvers you can provide the order for approval. For the approval by the Access Profile Owner and then the Manager use the following when creating the Access Profile in Line 19 above.
Other options are:
Whilst the creation of an Access Profile via API does require some configuration, if you have multiple to create and you know the criteria it is possible to automate the task. I hope this helps others.