Updated Documentation for new cmdlets is here.
Updated 27 Oct 2022 for v1.1.6. New cmdlets, updated cmdlets for API changes, documentation updates and bugfixes. Full details here.
Updated 22 June 2021 for v1.1.4. Four new cmdlets and updates to numerous other cmdlets for API and authentication changes. Full details here.
Updated 11 August 2020 for v1.1.2. New cmdlets, updates to deprecate v2 auth, documentation and example updates. Full details here.
Updated 17 June 2020 for v1.1.0 with all cmdlets updated, new cmdlets, documentation and an example PowerShell Jupyter Notebook. Full details here.
Updated 25 March 2020 for v1.0.7 with additional cmdlets, cmdlet updates, a bugfix and PowerShell v7 validation. Full details here.
Updated 9 Jan 2020 for v1.0.6 with additional cmdlets, PowerShell Core compatibility and the removal of a dependency on the PSCX Module. Full details here.
Updated 26 Nov 2019 for v1.0.5 with additional cmdlets to;
- Store multiple Org Credentials and switch between them (courtesy of Sean McGovern)
- Get IdentityNow Activities (via Search)
- Get IdentityNow Identities (via Search)
- Update IdentityNow Source
- Generate IdentityNow Source Configuration HTML Report
- Generate IdentityNow Identity Profile Configuration HTML Report
- Create and Delete IdentityNow Sources (courtesy of Sean McGovern)
- Test Identity Source Connection (courtesy of Sean McGovern)
- New IdentityNow Source Account Schema Attribute (courtesy of Sean McGovern)
- Get and Update IdentityNow Attributes
- Get the IdentityNow Attribute List
- Reset an IdentityNow Source
Updated 5 Nov 2019 for v1.0.4 with additional cmdlets to;
- Search Audit Events (v2 API)
- Search Events (BETA Search API)
- Get-IdentityNowSourceAccounts now has -attributes switch to retrieve account attributes
Updated 22 Oct 2019 for v1.0.3 with additional cmdlets to;
- Create / Get / Remove v2 API Clients (Legacy)
- Create / Get / Remove v3 oAuth API Clients
Updated 17 Oct 2019 for v1.0.2 with additional cmdlets to;
- Create / Get / Update / Remove IdentityNow Transforms
- Get IdentityNow Rules
- Get / Update Email Templates
- Get IdentityNow Profiles
- Get / Update IdentityNow Profiles Order
I’ve just published v1 of my SailPoint IdentityNow PowerShell Module. Don’t want to wait or read anymore? You can install it from the PowerShell Gallery
install-module -name SailPointIdentityNow -RequiredVersion 1.1.4
Features
- Easy command-line use, after setting default configuration options and securely saving them to the current user’s profile.
- Get an IdentityNow Organisation and Get / Update an Organisation Configuration
- Search IdentityNow Users
- Search IdentityNow Users Profiles
- Search IdentityNow Entitlements
- Search IdentityNow Identities
- Create / Get / Update / Remove IdentityNow Access Profiles
- Create / Get / Start IdentityNow Certification Campaigns
- Get IdentityNow Certification Campaign Reports (output to file or return as PSObject)
- Create / Get / Update / Remove IdentityNow Governance Groups
- Create / Get / Update / Remove IdentityNow Roles
- Get / Update / Test / Create / Remove IdentityNow Sources
- Create IdentityNow Source Account Schema Attributes
- Generate IdentityNow Sources Configuration Report
- Generate IdentityNow Identity Profiles Configuration Report
- Get Accounts from an IdentityNow Source
- Create / Update / Remove IdentityNow Source Account (Flat File / Delimited Sources)
- Get / Complete IdentityNow Tasks
- Get IdentityNow Virtual Appliance Clusters (and clients (VA’s))
- Get / Update IdentityNow Applications
- Create / Get / Update / Remove IdentityNow Transforms
- Get IdentityNow Rules
- Get / Update Email Templates
- Get IdentityNow Profiles
- Get / Update IdentityNow Profiles Order
- Get / Update Identity Attributes
- Create / Get / Remove v2 API Clients (Legacy)
- Create / Get / Remove v3 oAuth API Clients
- Search Audit Events (v2)
- Search Events (Beta) – Elasticsearch
- List / Get Account Activities
- Reset an IdentityNow Source
- ... and if they don’t fit, use Invoke-IdentityNowRequest to make any other API call (examples for Get Source Schema, Get IdentityNow Identity Profiles, Get IdentityNow Identity Attributes)
Here is a quick overview of each of the cmdlets from the SailPoint IdentityNow PowerShell Module. As alluded to above they allow you to retrieve, update, create and remove IdentityNow elements.
Setting up the IdentityNow PowerShell Module Credentials and Organisation Configuration
The following cmdlets (Set-IdentityNowOrg, Set-IdentityNowCredential, Save-IdentityNowConfiguration) securely store the credentials required to operate the cmdlets in your PowerShell Profile. They will autoload each time you import the IdentityNow PowerShell module. If you are only integrating with one environment you only need to do this once per host you are using the module on.
NOTE: This module requires a v3 API ClientID and Secret that can now be generated via the IdentityNow Admin Portal and a v2 API ClientID and Secret generated via API. See this post for details on how to generate them.
Update the following example with your credentials and API keys. The credentials shown below aren’t real, but random chars in the indicative format.
$orgName = "customername-sb"
Set-IdentityNowOrg -orgName $orgName
# IdentityNow Admin User
$adminUSR = "identityNow_admin_User"
$adminPWD = 'idnAdminUserPassword'
$adminCreds = [pscredential]::new($adminUSR, ($adminPWD | ConvertTo-SecureString -AsPlainText -Force))
# Customer IdentityNow Org v3 API Creds generated in IdentityNow Portal
$clientIDv3 = "badbeef6-5f24-4448-ac0b-abcdefG"
$clientSecretv3 = "770a71abcdef5301848d00000d8760fe0d9f632383775b315aa1234567890"
$v3Creds = [pscredential]::new($clientIDv3, ($clientSecretv3 | ConvertTo-SecureString -AsPlainText -Force))
# Customer IdentityNow v2 API Client ID & Secret generated via API
$clientID = 'zo7ABCDaTHjA0Rwv'
# Your API Client Secret
$clientSecret = '3Zm9Qod4sWhihABCdefgCX9DIfmwAZiP'
$v2Creds = [pscredential]::new($clientID, ($clientSecret | ConvertTo-SecureString -AsPlainText -Force))
Set-IdentityNowCredential -AdminCredential $adminCreds -v2APIKey $v2Creds -v3APIKey $v3Creds
Save-IdentityNowConfiguration
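The same setup without any secret written into the script file, as an added example that is not part of the original post or the module. The helper name Get-IdnCredential and the IDN_* environment variable names are hypothetical; the Set-IdentityNowOrg, Set-IdentityNowCredential and Save-IdentityNowConfiguration calls are the ones shown above.

```powershell
# Added example (not from the module): build the three PSCredential objects
# from a masked prompt, or from environment variables injected by a pipeline
# or secret store, so no secret is saved in the script or in shell history.
# The environment variable names below are hypothetical.

function Get-IdnCredential {
    [CmdletBinding()]
    [OutputType([pscredential])]
    param(
        [Parameter(Mandatory)][string]$Label,          # text shown when prompting
        [Parameter(Mandatory)][string]$IdVariable,     # env var holding user name / client ID
        [Parameter(Mandatory)][string]$SecretVariable  # env var holding password / client secret
    )

    $id     = [Environment]::GetEnvironmentVariable($IdVariable)
    $secret = [Environment]::GetEnvironmentVariable($SecretVariable)

    if ($id -and $secret) {
        # Unattended path: both values were supplied by the environment.
        $secure = ConvertTo-SecureString -String $secret -AsPlainText -Force
        # Remove the plaintext copy from this process so that child
        # processes started later do not inherit it.
        Remove-Item -Path "Env:$SecretVariable" -ErrorAction SilentlyContinue
        $secret = $null
        return [pscredential]::new($id, $secure)
    }

    # Interactive path: the secret is typed into a masked prompt and is
    # held as a SecureString from the start.
    $cred = Get-Credential -Message "Enter the $Label"
    if (-not $cred -or $cred.Password.Length -eq 0) {
        throw "No $Label was supplied."
    }
    return $cred
}

Set-IdentityNowOrg -orgName 'customername-sb'

$adminCreds = Get-IdnCredential -Label 'IdentityNow admin user name and password' `
    -IdVariable 'IDN_ADMIN_USER' -SecretVariable 'IDN_ADMIN_PASSWORD'
$v3Creds = Get-IdnCredential -Label 'v3 API client ID and secret' `
    -IdVariable 'IDN_V3_CLIENT_ID' -SecretVariable 'IDN_V3_CLIENT_SECRET'
$v2Creds = Get-IdnCredential -Label 'v2 API client ID and secret' `
    -IdVariable 'IDN_V2_CLIENT_ID' -SecretVariable 'IDN_V2_CLIENT_SECRET'

Set-IdentityNowCredential -AdminCredential $adminCreds -v2APIKey $v2Creds -v3APIKey $v3Creds
Save-IdentityNowConfiguration
```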
Get an IdentityNow Organisation and Get / Update an Organisation Configuration
Display the configured IdentityNow Organisation as set by “Set-IdentityNowOrg”
API endpoints for currently configured organisation – Example
Get-IdentityNowOrg
Name                      Value
----                      -----
Organisation Name         customer-sb
Organisation URI          https://customer-sb.identitynow.com
v1 Base API URI           https://customer-sb.identitynow.com/api
v2 Base API URI           https://customer-sb.api.identitynow.com/v2
v3 / Private Base API URI https://customer-sb.api.identitynow.com/cc/api
Update an IdentityNow Organisation Setting – Example
[Reference post]
$orgConfig = Get-IdentityNowOrgConfig
$approvalConfig = $orgConfig.approvalConfig
# global reminders and escalation policies for access request approvals
$daysBetweenReminders = 3
$daysTillEscalation = 5
$maxReminders = 10
# SailPoint user name of the identity
$fallbackApprover = "darren.robinson"
# Set Config options to update
$approvalConfig.daysBetweenReminders = $daysBetweenReminders
$approvalConfig.daysTillEscalation = $daysTillEscalation
$approvalConfig.maxReminders = $maxReminders
$approvalConfig.fallbackApprover = $fallbackApprover
$approvalConfigBody = @{"approvalConfig" = $approvalConfig }
Update-IdentityNowOrgConfig -update ($approvalConfigBody | convertto-json)
Search IdentityNow Users
Search for IdentityNow Users – Examples
[Reference post]
Search-IdentityNowUsers -query darrenjrobinson
Search-IdentityNowUsers -query "@accounts(accountId:darren.robinson)"
Search-IdentityNowUsers -query "@source(id:2c91808469110d6a016954d4dad138a3)"
Search-IdentityNowUsers -query "@access(source.name:*Active Directory*) AND attributes.company:Kloud"
Search IdentityNow Users Profiles
Search for a user’s IdentityNow Profile from the IdentityNow Identity List – Example
[Reference post – See Profile Owner Section]
Search-IdentityNowUserProfile -query "darrenjrobinson"
Search IdentityNow Entitlements
Search for Entitlements associated with IdentityNow Sources – Example
[Reference post]
Search-IdentityNowEntitlements -query "File_Share_Sydney"
Create / Get / Update / Remove IdentityNow Access Profiles
Get all IdentityNow Access Profiles – Example
[Reference post]
Get-IdentityNowAccessProfile
Get a specific IdentityNow Access Profile – Example
Get-IdentityNowAccessProfile -profileID 2c91808369a606f00169c756f0a00017
Create an IdentityNow Access Profile – Example 1
New-IdentityNowAccessProfile -profile '{"entitlements": ["2c91808668dcf3970168dd722e7a020d","2c91808468dcf4610168dd78d2e8531e"],"description": "FS-SYDNEY-AUS-ENGINEERING","requestCommentsRequired": true,"sourceId": "39082","approvalSchemes": "manager","ownerId": "1397606","name": "Sydney Engineering","deniedCommentsRequired": true}'
Create an IdentityNow Access Profile – Example 2
# Get Owner for Access Profile
$owner = Search-IdentityNowUserProfile -query "darren.robinson"
# Get Source for Access Profile
$sources = Get-IdentityNowSource
$adSource = $sources | Select-Object | Where-Object {$_.name -like '*Active Directory*'}
# Entitlements
$entitlement = Search-IdentityNowEntitlements -query "FS-SYDNEY-AUS-ENGINEERING"
$e = $entitlement | Select-Object | Where-Object {$_.source.name -eq 'Active Directory'}
# Access Profile Details
$accessProfile = @{}
$accessProfile.add("name", "Sydney Engineering")
$accessProfile.add("description", "FS-SYDNEY-AUS-ENGINEERING")
$accessProfile.add("sourceId", $adSource.id)
$accessProfile.add("ownerId", $owner.id)
# Access Profile Entitlements
$entitlements = @()
ForEach($i in $e) {$entitlements += $i.id}
$entitlementsToAdd = @{"entitlements" = $entitlements}
$accessProfile.add("entitlements", $entitlementsToAdd.entitlements)
# Access Profile Type
$accessProfile.add("approvalSchemes", "manager")
$accessProfile.add("requestCommentsRequired", $true)
$accessProfile.add("deniedCommentsRequired", $true)
New-IdentityNowAccessProfile -profile ($accessProfile | convertto-json)
Update an IdentityNow Access Profile – Example 1
Update-IdentityNowAccessProfile -profileID 2c91808466a64e330112a96902ff1f69 -update '{"deniedCommentsRequired": true,"requestCommentsRequired": true}'
Update an IdentityNow Access Profile – Example 2
$ap = Get-IdentityNowAccessProfile
$accessProfile = $ap | Select-Object | Where-Object {$_.description -like '*Darren*'}
$updateAccessProfile = @{}
$updateAccessProfile.Add("requestCommentsRequired", $true)
$updateAccessProfile.Add("deniedCommentsRequired", $true)
Update-IdentityNowAccessProfile -profileID $accessProfile.id -update ($updateAccessProfile | convertto-JSON)
Remove an IdentityNow Access Profile – Example 1
Remove-IdentityNowAccessProfile -profileID 2c91808369a606f00169c756f0a00017
Remove an IdentityNow Access Profile – Example 2
$ExistingAPs = Get-IdentityNowAccessProfile
$myAP = $ExistingAPs | Select-Object | Where-Object {$_.name -like "*My Access Profile*"}
Remove-IdentityNowAccessProfile -profileID $myAP.id
Create / Get / Start IdentityNow Certification Campaigns
Get all (active and completed) IdentityNow Certification Campaigns – Example
[Reference post]
Get-IdentityNowCertCampaign -completed $false
Get a specific IdentityNow Certification Campaign – Example
Get-IdentityNowCertCampaign -campaignID 2c9180856708ae38016709f4812345c3
Create an IdentityNow Certification Campaign – Example
[Reference post]
$query = "@apps.name:'Special Application'"
$campaignFilter = Search-IdentityNowUsers -query $query
$entitlements = $null
$e = $campaignFilter.access | where-object { $_.type -eq "ENTITLEMENT" } | Select-Object id
$entitlements = $e | Select-Object -Property id -Unique
$roles = $null
$r = $campaignFilter.access | where-object { $_.type -eq "ROLES" } | Select-Object id
$roles = $r | Select-Object -Property id -Unique
$accessProfiles = $null
$a = $campaignFilter.access | where-object { $_.type -eq "ACCESS_PROFILE" } | Select-Object id
$accessProfiles = $a | Select-Object -Property id -Unique
$inclusionList = @()
$InclusionTemplate = [pscustomobject][ordered]@{
    id   = $null
    type = $null
}
# ROLES
foreach ($role in $roles) {
    $incRole = $InclusionTemplate.PsObject.Copy()
    $incRole.id = $role.id
    $incRole.type = "ROLE"
    $inclusionList += $incRole
}
# ENTITLEMENTS
foreach ($entitlement in $entitlements) {
    $incEntitlement = $InclusionTemplate.PsObject.Copy()
    $incEntitlement.id = $entitlement.id
    $incEntitlement.type = "ENTITLEMENT"
    $inclusionList += $incEntitlement
}
# ACCESS PROFILES
foreach ($accessProfile in $accessProfiles) {
    $incAccessProfile = $InclusionTemplate.PsObject.Copy()
    $incAccessProfile.id = $accessProfile.id
    $incAccessProfile.type = "ACCESS_PROFILE"
    $inclusionList += $incAccessProfile
}
$e = $inclusionList | select-object -Property type | Where-Object { $_.type -eq "ENTITLEMENT" }
$a = $inclusionList | select-object -Property type | Where-Object { $_.type -eq "ACCESS_PROFILE" }
$r = $inclusionList | select-object -Property type | Where-Object { $_.type -eq "ROLE" }
write-host -ForegroundColor Blue "Campaign scope covers $($r.type.count) Role(s), $($e.type.count) Entitlement(s) and $($a.type.count) Access Profile(s)."
# Create Campaign
$campaignOptions = @{ }
$campaignOptions.Add("type", "Identity")
$campaignOptions.Add("timeZone", "GMT+1000")
$campaignOptions.Add("name", "Oct 2019 Special App Campaign")
$campaignOptions.Add("allowAutoRevoke", $false)
$campaignOptions.Add("deadline", "2019-11-1")
$campaignOptions.Add("description", "Special App Oct 2019")
$campaignOptions.Add("disableEmail", $true)
$campaignOptions.Add("identityIdList", @())
$campaignOptions.Add("identityQueryString", $query )
$campaignOptions.Add("accessInclusionList", $inclusionList)
$campaignBody = $campaignOptions | ConvertTo-Json
New-IdentityNowCertCampaign -start $true -campaign $campaignBody
Get IdentityNow Certification Campaign Reports
Get all certification campaign reports from the last year and output them to a local folder – Example
[Reference post]
Get-IdentityNowCertCampaignReport -period "365" -outputPath "C:\Reports"
Get certification campaign reports for a specific campaign and return as PSObject – Example
Get-IdentityNowCertCampaign -campaignID '2c918085694a507f01694b9fcce6002f'
Create / Get / Update / Remove IdentityNow Governance Groups
Get IdentityNow Governance Groups – Example
[Reference post]
Get-IdentityNowGovernanceGroup
Get a specific IdentityNow Governance Group – Example
Get-IdentityNowGovernanceGroup -groupID 4fc249bd-46ff-405a-93b9-21372f97c352
Update an IdentityNow Governance Group to remove one member and add two members – Example
# Get Group
$govGroups = Get-IdentityNowGovernanceGroup
$myGroup = $govGroups | Select-Object | Where-Object { $_.description -like "*My IDN Governance Group*" }
# Add
$user1 = Search-IdentityNowUsers -query "@accounts(accountId:darren.robinson)"
$user2 = Search-IdentityNowUsers -query "@accounts(accountId:rick.sanchez)"
$user3 = Search-IdentityNowUsers -query "@accounts(accountId:morty.smith)"
$add = @()
$remove = @()
$add += $user3.id
$add += $user2.id
$remove += $user1.id
$update = (@{
    add    = $add
    remove = $remove
})
Update-IdentityNowGovernanceGroup -groupID $myGroup.id -update ($update | convertto-json)
Create an IdentityNow Governance Group and assign an owner – Example
$GovGroupOwner = Search-IdentityNowUsers -query "@accounts(accountId:darren.robinson)"
$body = @{"name" = "New IDN Module Gov Group";
    "displayName" = "New Module Gov Group";
    "description" = "New Module Gov Group";
    "owner" = @{"displayName" = $GovGroupOwner.displayName;
        "emailAddress" = $GovGroupOwner.email;
        "id" = $GovGroupOwner.id;
        "name" = $GovGroupOwner.name
    }
}
New-IdentityNowGovernanceGroup -group ($body | convertto-json)
Delete an IdentityNow Governance Group – Example
Remove-IdentityNowGovernanceGroup -groupID 4fc249bd-46ff-405a-93b9-21372f97c352
Create / Get / Update / Remove IdentityNow Roles
Get IdentityNow Roles – Example
[Reference post]
Get-IdentityNowRole
Get a specific IdentityNow Role – Example
Get-IdentityNowRole -roleID 2c918084691653af01695182a78b05ec
Update an IdentityNow Role – Example
[Reference post]
$body = @{
    "id" = "2c9180886cd58059016d1a4757d709a4"
    "name" = "Role - Special Admins";
    "displayName" = "Special Admins";
    "description" = "Special Admins Role";
    "disabled" = $false;
    "owner" = "darrenjrobinson"
}
Update-IdentityNowRole -update ($body | convertto-json)
Create an IdentityNow Role – Example
$body = @{
    "name" = "Role - Special Administrators";
    "displayName" = "Special Administrators";
    "description" = "Special Administrators Role";
    "disabled" = $true;
    "owner" = "darrenjrobinson"
}
New-IdentityNowRole -role ($body | convertto-json)
Delete an IdentityNow Role – Example
Remove-IdentityNowRole -roleID 2c9180886cd58059016d1a5a23f609a8
Get IdentityNow Sources
Get all IdentityNow Sources – Example
[Reference post]
Get-IdentityNowSource
Get a specific IdentityNow Source – Example
Get-IdentityNowSource -sourceID 12345
Get Accounts from an IdentityNow Source
Get accounts from an IdentityNow Source – Example
[Reference post]
Get-IdentityNowSourceAccounts -sourceID 40113
Create / Update / Remove IdentityNow Source Account (Flat File / Delimited Sources)
Create an account on an indirect IdentityNow Source – Example
[Reference post]
$account = @{"id" = 'darrenjrobinson';
    "name" = 'darrenjrobinson';
    "givenName" = 'Darren';
    "familyName" = 'Robinson';
    "displayName" = 'Darren Robinson';
    "email" = 'darren.robinson@customer.com.au'
}
New-IdentityNowUserSourceAccount -source 36702 -account ($account | convertto-json)
Update an account on an indirect IdentityNow Source – Example
[Reference post]
$update = @{
    "country" = "Australia"
    "department" = "Identity Architects"
    "organization" = "Kloud"
}
Update-IdentityNowUserSourceAccount -account 2c91808469110d6a016954d4dad138a3 -update ($update | ConvertTo-Json)
Delete an IdentityNow account from an indirect IdentityNow Source – Example (assumes user only has a single account on an indirect source)
[Reference post]
$user = Search-IdentityNowUsers -query "@accounts(accountId:darrenjrobinson)"
$userIndirectAccounts = $user.accounts | select-object | where-object { ($_.source.type.contains("DelimitedFile")) }
$account = $userIndirectAccounts.id
Remove-IdentityNowUserSourceAccount -account $account
Get / Complete IdentityNow Tasks
Get IdentityNow Tasks – Example
[Reference post]
Get-IdentityNowTask
Get a specific IdentityNow Task – Example
Get-IdentityNowTask -taskID 2c918084691120d0016926a6a94251d6
Mark an IdentityNow Task as complete – Example
Complete-IdentityNowTask -taskID 2c918084691120d0016926a6a94251d6
Get IdentityNow Virtual Appliances & Clusters
Get IdentityNow Virtual Appliance Clusters – Example
[Reference post]
Get-IdentityNowVACluster
Get IdentityNow Virtual Appliances from a cluster – Example
$clusters = Get-IdentityNowVACluster
foreach($va in $clusters){
    # clients holds the Virtual Appliances that belong to the cluster
    "Cluster: $($va.description) VA ID: $($va.clients.id) VA Description: $($va.clients.description)"
}
Get / Update IdentityNow Applications
Get IdentityNow Customer Created and Managed Applications – Example
[Reference post]
Get-IdentityNowApplication
Get IdentityNow Customer default configured SailPoint Applications – Example
Get-IdentityNowApplication -org $true
Get a specific IdentityNow Application – Example
Get-IdentityNowApplication -appID 32128
Update an IdentityNow Application – Example
$appBody = @{
    "launchpadEnabled" = $false
    "provisionRequestEnabled" = $false
    "appCenterEnabled" = $false
}
Update-IdentityNowApplication -appID 24188 -update ($appBody | ConvertTo-Json)
Initiate Aggregation of an IdentityNow Source
Aggregate an IdentityNow Source – Example
[Reference post]
Invoke-IdentityNowAggregateSource -sourceID 12345
Aggregate an IdentityNow Source without optimization – Example
[Reference post]
Invoke-IdentityNowAggregateSource -sourceID 12345 -disableOptimization $true
Create / Get / Update / Remove IdentityNow Transforms
Get IdentityNow Transforms – Example
Get-IdentityNowTransform
Get an IdentityNow Transform – Example
Get-IdentityNowTransform -ID ToUpper
Update an IdentityNow Transform – Example
$attributes = @{value = '$firstName.$lastname@$company.com.au'}
$transform = @{type = "static"; attributes = $attributes}
Update-IdentityNowTransform -transform ($transform | convertto-json) -ID "Firstname.LastName"
Create an IdentityNow Transform – Example
$attributes = @{value = '$firstName.$lastname'}
$transform = @{type = "static"; id = "FirstName.LastName"; attributes = $attributes}
New-IdentityNowTransform -transform ($transform | convertto-json)
Delete an IdentityNow Transform – Example
Remove-IdentityNowTransform -ID "Firstname.LastName"
Get IdentityNow Rules
Get IdentityNow Rules – Example
Get-IdentityNowRule
Get an IdentityNow Rule – Example
Get-IdentityNowRule -ID 2c9170826219ab41014275b47fc40b0a
Get / Update Email Templates
Get Email Templates – Example
Get-IdentityNowEmailTemplate
Get an Email Template – Example
Get-IdentityNowEmailTemplate -ID 2c91601362431b32016275b4241b08f0
Update Email Template – Example
$templateChanges = @{}
$templateChanges.add("id","2c91601362431b32016275b4241b08f0")
$templateChanges.add("subject",'Access Request requires completion of Work Item ID : $workItemName')
Update-IdentityNowEmailTemplate -template ($templateChanges | ConvertTo-Json)
Get IdentityNow Profiles
Get IdentityNow Identity Profiles – Example
Get-IdentityNowProfile
Get an IdentityNow Profile – Example
Get-IdentityNowProfile -ID 1033
Get / Update IdentityNow Profiles Order
Get IdentityNow Profiles Order – Example
Get-IdentityNowProfileOrder
ProfileName             Priority ID
-----------             -------- --
IdentityNow Admins      10       1066
Cloud Identities        30       1285
Guest Identities        40       1286
Special Identities      60       1372
Non Employee Identities 70       1380
Employee Identities     80       1387
Update IdentityNow Profile Order – Example
Update-IdentityNowProfileOrder -id 1285 -priority 20
Create / Get / Remove API Management Clients (Legacy v2)
Get all v2 API Clients (listed as Legacy in the IdentityNow portal under API Management ) – Example
Get-IdentityNowAPIClient
Get a single v2 API Client – Example
Get-IdentityNowAPIClient -ID 123
Create a v2 API Client – Example
New-IdentityNowAPIClient
Remove a v2 API Client – Example
Remove-IdentityNowAPIClient -ID 123
Create / Get / Remove oAuth API Clients
Get oAuth API (v3) Clients – Example
Get-IdentityNowOAuthAPIClient
Get an oAuth API (v3) Client – Example
Get-IdentityNowOAuthAPIClient -ID '8432e57d-5f8f-dead-beef-a7bf123456a1'
Create an oAuth API Client (v3) – Example
New-IdentityNowOAuthAPIClient -description 'oAuth Client' -grantTypes 'AUTHORIZATION_CODE,CLIENT_CREDENTIALS,REFRESH_TOKEN,PASSWORD' -redirectUris 'https://localhost,https://myapp.com.au'
Remove an oAuth API Client (v3) – Example
Remove-IdentityNowOAuthAPIClient -ID '9e23deaf-48aa-dead-beef-ab6821a12ab2'
Search Audit Events (v2)
Search IdentityNow Audit Events using the v2 API Search options (except Filter) as per the v2/Audit documentation. For Filter (JSON) Audit Event queries use the Search-IdentityNowEvents cmdlet.
- actn (Exact match of the “action” property. Eg: -actn USER_STEP_UP_AUTH)
- application (Case insensitive name of the source you’re querying for. Eg: -application "Corporate AD")
- type (The audit category. Valid values are “AUTH”, “SSO”, “PROVISIONING”, “PASSWORD_CHANGE” or “SOURCE”. Eg: -type AUTH)
- user (Case insensitive exact match of the UID of an identity contained in either “source” or “target” properties in the logs where source indicates the person who took the action and target indicates the person who was affected by the action. Eg: -user darren.robinson)
- days (Only return results whose timestamp is within this previous number of days; defaults to 7. Eg: -days 3)
- searchLimit (Maximum number of items to return, used for paging; defaults to 200. Maximum value of 2500. Eg: -searchlimit 50)
- since (Returns only results from days since the entered date, or date and time combination, in ISO-8601 format. Eg: -since '2019-09-30T12:30:50.450Z')
Search-IdentityNowAuditEvents – Examples
Search-IdentityNowAuditEvents
Search-IdentityNowAuditEvents -action USER_STEP_UP_AUTH
Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z'
Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z' -searchLimit 10
Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z' -searchLimit 2501
Search-IdentityNowAuditEvents -days 1
Search-IdentityNowAuditEvents -days 1 -searchLimit 5000
Search-IdentityNowAuditEvents -days 1 -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -type AUTH
Search-IdentityNowAuditEvents -type AUTH -days 1
Search-IdentityNowAuditEvents -type AUTH -days 1 -searchLimit 5000
Search-IdentityNowAuditEvents -type AUTH -days 1 -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin'
Search-IdentityNowAuditEvents -user 'customer_admin' -searchLimit 10
Search-IdentityNowAuditEvents -user 'customer_admin' -since '2019-10-30T12:30:50.450Z'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -searchLimit 2510
Search-IdentityNowAuditEvents -user 'customer_admin' -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin' -type 'AUTH'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -type 'AUTH'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -type 'AUTH' -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -type 'AUTH' -action 'AUTHENTICATION-103' -searchLimit 50
Search-IdentityNowAuditEvents -user 'customer_admin' -since '2019-10-30T12:30:50.450Z' -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -user 'customer_admin' -since '2019-10-30T12:30:50.450Z' -type 'AUTH' -action 'AUTHENTICATION-103'
Search-IdentityNowAuditEvents -application 'Workday (Dev)'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -days 2
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -action 'SOURCE_ACCOUNT_AGGREGATION'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -action 'SOURCE_ACCOUNT_AGGREGATION' -days 2
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -type 'PROVISIONING'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z' -action 'SOURCE_ACCOUNT_AGGREGATION'
Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z' -action 'SOURCE_ACCOUNT_AGGREGATION' -type 'PROVISIONING'
Search Events (Beta) – Elasticsearch
Search IdentityNow Events using the new IdentityNow Search (Elasticsearch). Results default to 2500. If you want more or less, use the -searchLimit option.
Search Events – Example
$query = @{query = 'technicalName:USER_AUTHENTICATION_STEP_UP_SETUP_*'; type = 'USER_MANAGEMENT'}
$queryFilter = @{query = $query}
Search-IdentityNowEvents -filter ($queryFilter | convertto-json)
Search Events (Search Limit) – Example
$query = @{query = 'technicalName:USER_AUTHENTICATION_*'; type = 'USER_MANAGEMENT'}
$queryFilter = @{query = $query}
Search-IdentityNowEvents -filter ($queryFilter | convertto-json) -searchLimit 5500
And the ultimate flexible cmdlet Invoke-IdentityNowRequest
The cmdlet that lets you do your thing, with a little help. This cmdlet has options for v2 and v3 authentication and will provide the web request headers (with and without content-type = application/json set). You supply the URI for the request, the method (POST, GET, DELETE, PATCH) and the request will be sent, and the results sent back.
Request Methods are;
- Get
- Put
- Patch
- Delete
- Post
Header options are;
- HeadersV2 – Headersv2 Digest Auth with no Content-Type set
- HeadersV3 – Headersv3 is JWT oAuth with no Content-Type set
- Headersv2_JSON – Headersv2_JSON is Digest Auth with Content-Type set for application/json
- Headersv3_JSON – Headersv3_JSON is JWT oAuth with Content-Type set for application/json
Example 1 – Get the Schema of a Source
[Reference post]
$orgName = "customer-sb"
$sourceID = "12345"
Invoke-IdentityNowRequest -Method Get -Uri "https://$($orgName).api.identitynow.com/cc/api/source/getAccountSchema/$($sourceID)" -headers HeadersV3
Example 2 – List Identity Profiles
[Reference post]
$orgName = "customer-sb"
Invoke-IdentityNowRequest -Method Get -Uri "https://$($orgName).identitynow.com/api/profile/list" -headers Headersv2_JSON
Example 3 – Get IdentityNow Identity Attributes
[Reference post]
$orgName = "customer-sb"
Invoke-IdentityNowRequest -Method Get -Uri "https://$($orgName).api.identitynow.com/cc/api/identityAttribute/list" -headers HeadersV3
Enjoy.