IDN + Transforms + VS Code + Snippets = Lightning Speed #IDN101

Hiya Folks

Happy New Year!!!  

I have written a few posts before on how to write nested transforms and about a few new transform types that are available. But writing a transform, especially a complex one, still looks like a tedious task. It is as powerful as it is confusing sometimes. I still don’t have a full grip on the capabilities, or on the possibilities I can achieve without needing rules.

I love VS Code, especially its features and plugins. I use it extensively and also advocate the same to all my colleagues and clients for working with JSON and CSV files for IDN (and Java coding, obviously).

A few years ago one of my good mates, Thomas Bui, showed me an interesting way to avoid having to remember the syntax of each transform while writing it. So credit to him.

Here I have built a package and will hopefully show you how to deploy it in VS Code and, using the Snippet feature, quickly write transforms with fewer errors.

It’s pretty simple. View the video I made in VS Code (works on Windows / Mac). Please click on the gif to enlarge it; the embedded one is not rendering properly for some reason.

You will see how quickly I wrote a firstValid transform, replaced a few lines with (nested) accountAttribute transforms and created a “Get New Dept” transform in a couple of seconds.

The steps are as below:

  1. Open “Configure User Snippets” in VS Code Preferences
  2. Click on “New Global Snippets File”
  3. Call it, say, “transforms”
  4. In the file that opens, replace the entire content with the code snippet below
  5. Save and close the file
  6. Now start typing the name of the transform (e.g. firstValid) and it will show up
  7. Press Enter and it will insert the code

That’s it
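As an added illustration of the technique (not the author's snippet package), the script below builds a VS Code global snippets file with two IDN transform snippets and checks that each one still expands to valid JSON; the transform bodies use the IDN firstValid and accountAttribute format, and the source/attribute defaults are made-up placeholders.

```python
import json
import re
# Added example (not the author's snippet package): build a VS Code global snippets
# file for IDN transforms and check that each snippet expands to valid JSON.
# ${n:default} and $n are VS Code tab stops; the rest is the IDN transform JSON.
SNIPPETS = {
    "IDN firstValid transform": {
        "scope": "json",
        "prefix": "firstValid",
        "description": "First non-null value from a list of transforms",
        "body": [
            '{',
            '  "type": "firstValid",',
            '  "attributes": { "values": [ $1, "${2:default}" ] }',
            '}',
        ],
    },
    "IDN accountAttribute transform": {
        "scope": "json",
        "prefix": "accountAttribute",
        "description": "Read an attribute from an account on a source",
        "body": [
            '{',
            '  "type": "accountAttribute",',
            '  "attributes": { "sourceName": "${1:Workday}", "attributeName": "${2:DEPARTMENT}" }',
            '}',
        ],
    },
}
TAB_STOP = re.compile(r"\$\{(\d+):([^}]*)\}|\$(\d+)")

def render_body(body_lines):
    """Expand tab stops as the editor would: ${n:default} -> default, bare $n -> null."""
    text = "\n".join(body_lines)
    return TAB_STOP.sub(lambda m: m.group(2) if m.group(1) else "null", text)

def invalid_snippets(snippets=SNIPPETS):
    """Names of snippets whose expanded body is not valid JSON: a typo here would
    be copied into every transform written with the snippet."""
    bad = []
    for name, snip in snippets.items():
        try:
            json.loads(render_body(snip["body"]))
        except json.JSONDecodeError:
            bad.append(name)
    return bad

def write_snippets_file(path, snippets=SNIPPETS):
    # This is the file VS Code opens from "Configure User Snippets"
    with open(path, "w", encoding="utf-8") as f:
        json.dump(snippets, f, indent=2)
```

Run invalid_snippets() before write_snippets_file("transforms.code-snippets") whenever you add a shortcut, so a broken snippet never reaches the editor.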

Hopefully this was helpful and makes it easier for you to write transforms for IDN. Feel free to expand the snippet by adding your own shortcuts for complex transforms or code you use often, and feel free to share them below or in the article.

Cheers!!!


How to upload Connector Rules into IDN via API

So I did a post a couple of days ago about how we are now allowed to upload some rule types via API.

Here is a quick guide on how to do so. In this example I will take a very basic BuildMap rule.

Previously we would submit a rule like the one above to the ES team to upload. Now you just need to take the code and upload it yourself.

Now the real trick: you need to escape the actual Java code, otherwise you will not be able to upload it and Postman will show errors. The source code travels as a JSON string value in the request body, so every double quote, backslash and line break in the Java has to be escaped.

So head to https://www.freeformatter.com/java-dotnet-escape.html and paste the code part from above. There are other such websites, or there may be an easier local method in your editor.

You will get output like this:

The rest is then easy, as per the API links.

You should get a 201 Created and see similar output:

That is it. You should be able to see and use this rule on your source now.

Please remember to follow the IDN Rule Guide on what is allowed and what is not.

And if you want, you can reverse the process: get existing rules via API, unescape them via the URL above and get back the neat-looking Java code.
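The escape and unescape steps above, as an added example that is not from the post: the rule text is a constructed stand-in and the payload field names are an assumption, not the documented API schema.

```python
import json

# Added example (not from the post): escape a connector rule's Java source for use
# inside a JSON string, build the upload body, and reverse the escaping. The rule
# text is a constructed stand-in and the payload field names are an assumption.
JAVA_SOURCE = r'''import java.util.HashMap;
import java.util.Map;

Map map = new HashMap();
map.put("displayName", "Built by \"BuildMap\" rule");
return map;
'''

def escape_java(source):
    r"""JSON-string escaping: " -> \", \ -> \\, newline -> \n, tab -> \t.
    json.dumps does exactly this (plus \uXXXX for control/non-ASCII chars);
    the surrounding quotes are stripped to leave the bare escaped text."""
    return json.dumps(source)[1:-1]

def unescape_java(escaped):
    """Reverse step for a 'script' value fetched back via the API."""
    return json.loads('"' + escaped + '"')

def build_rule_payload(name, rule_type, source):
    r"""Build the body with the RAW source: the serialiser escapes it once.
    Pasting already-escaped text in here would double-escape it (\\n in the rule)."""
    body = {"name": name, "type": rule_type,
            "sourceCode": {"version": "1.0", "script": source}}
    return json.dumps(body, indent=2)

def script_from_payload(payload_json):
    """Pull the source back out of an upload body (or a GET response)."""
    return json.loads(payload_json)["sourceCode"]["script"]
```

Check that unescape_java(escape_java(src)) returns the original text before uploading; if it does not, the escaping step has mangled the rule.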

Find Multiple Accounts for Sources Redux – Excel Hack

So after doing the last post on how to find multiple accounts from a single source via API, I was asked by a few people, and one of my clients, whether there is an easier way to do this.

I thought of my trusted Excel to find an easier way. Here are the steps:

  • Generate the Identities Report via the Admin -> Identities -> Identity List UI and download the CSV

  • Open the CSV in Excel and look at the “Source Accounts” column (Column P when I generated it). You will see data like this. In this example I have a duplicate ServiceNow account for this user. He also has 1 x Workday, 1 x IDN cube and 1 x Okta account.
  • Then in another column (Column S in my instance) I created a new header called “ServiceNow [source]” and applied the following formula:

Where:

  • P2 = The column containing the “Source Accounts” value
  • $S$1 = Column Header “ServiceNow [source]”
  • LOWER() = Used to lowercase both strings, as SUBSTITUTE is case sensitive

This gives me the count of how many times “ServiceNow [source]” repeats in that line of text.

Done.

You can filter to find the rows you are interested in; this gives you all the users who have multiple accounts for a single source. You can expand this to other sources, as I did above, and create multiple columns.
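The same count done in code, as an added example that is not from the post: count_source mirrors the spreadsheet column, and identities_with_duplicates generalises it to every source in one pass instead of one column per source. CSV_TEXT is a constructed stand-in for the identities report; the real column layout may differ.

```python
import csv
import io
import re
from collections import Counter

# Added example (not from the post): the same count the spreadsheet column does,
# plus a generalisation that counts every source in one pass. CSV_TEXT is a
# constructed stand-in for the identities report; the real column layout may differ.
CSV_TEXT = """Name,Source Accounts
John Smith,"ServiceNow [source], ServiceNow [source], Workday [source], IdentityNow [source], Okta [source]"
Jane Doe,"Workday [source], Okta [source]"
Bob Lee,"Active Directory [source], Active Directory [source], Google Suite [source]"
"""
SOURCE_TAG = re.compile(r"([A-Za-z0-9 ]+?) \[source\]")

def count_source(cell, source_name):
    """Case-insensitive count of 'Source [source]' in the cell (the Excel formula)."""
    return cell.lower().count(f"{source_name} [source]".lower())

def count_all_sources(cell):
    """Count every '<name> [source]' tag in the cell, keyed by source name."""
    return Counter(m.strip() for m in SOURCE_TAG.findall(cell))

def identities_with_duplicates(csv_text, column="Source Accounts"):
    """Identity name -> {source: count} for every source seen more than once."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        dupes = {s: n for s, n in count_all_sources(row[column]).items() if n > 1}
        if dupes:
            out[row["Name"]] = dupes
    return out
```

Point identities_with_duplicates at the downloaded CSV text and you get the filtered rows directly, without adding a column per source.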


Find Multiple Accounts from Sources #IDN101

Currently there is no easy way in the default search UI to find all identities who have more than one account from a single source. There are other ways, like doing an account link search or going via the accounts CSV, etc.

But there is a way to find them (not pretty, but still helpful) via the search aggregation API. I found this somewhat easier if the result set is small. If it’s a large set, you can always parse it to your liking. I am no coder 🙂

Here is the call:

The result will be something like this:

Here you can see multiple accounts for a user from Azure AD.

Similarly, another user has duplicate accounts in Google Suite and Active Directory.

You can’t filter to get particular sources only, but at least this gives you all users with more than one account from any source.

Hope this helps!!! 

How to Integrate ServiceNow ServiceDesk with IdentityNow

There has been a surge recently in integrating SNOW (ServiceNow) with IDN (IdentityNow) to generate tickets during provisioning or certification events. Many use cases come to mind: for example, on an identity joiner event you might want to create an SD ticket to give a laptop and phone to an employee, or to grant / remove access to an application which is not directly integrated with IDN. Below I will show you how to get the integration up and running in less than 30 min.

Notes

  • This integration is changing fast and the guide is correct as of 30th April 2021
  • This integration is an additional license cost on top of IDN. Please talk to your CSM about it.
  • This assumes you already have a SNOW tenant in your company
  • The guide doesn’t go in depth into advanced scenarios requiring Velocity or rules.

Prerequisite

  • SailPoint for Service Desk installed on the SNOW tenant
  • SNOW Governance connector installed on IDN and users correlated between IDN and the SNOW connector
  • Configure at least one virtual appliance cluster.
  • Configure at least one source to generate manual tasks for provisioning.
  • Be familiar with Apache Velocity scripting.
  • Know the authentication option (Basic or OAuth2) to use for IdentityNow to authenticate into ServiceNow. For token generation and OAuth Client setup on the ServiceNow instance, see Create an endpoint for clients to access the instance.
  • Have the permission requirements for a service account in place: a Service Desk Administrator must be assigned the x_sap_sdim.admin role.

Gather Information

  • Create a source which is going to be used for provisioning and has entitlements a user can request. In this example, a flat file source with 3 entitlements.

  • Create an Access Profile and Requestable Role for this source

  • To set an integration source owner, select an org admin user and get their identity ID via the API call {{api-url}}/v3/search (in my tenant: 2c91808673a16fb20173b8523ecd0021)
  • Get the Cluster ID of your VA via the API call {{api-url}}/beta/managed-clusters (here: 2c918088737cf45e0173b8fb6727040d)
  • Get the id of the provisioning source (say, the flat file) created above via {{api-url}}/beta/sources/ (here: 2c91808578daf04e0178dcb83b1a0173)
  • Get the id of the SNOW governance source, which correlates users between SNOW and IDN, via {{api-url}}/beta/sources/ (here: 2c91808478daf0580178dcff779001b4)
  • Get the SNOW Application sys_id from SNOW (here, masked: 8053xxxedbffb300exxxxxxxdbxxxxcx123)


Integration

Use the following API to create the integration: https://developer.sailpoint.com/apis/beta/#operation/createServiceDeskIntegration

Please populate the payload (attached separately) and replace the parameters with the values gathered above:

Parameter                Value
<ownerId>                2c91808673a16fb20173b8523ecd0021
<clusterId>              2c918088737cf45e0173b8fb6727040d
<Provision_Source_ID>    2c91808578daf04e0178dcb83b1a0173
<SNOW_Sys_ID>            8053xxxedbffb300exxxxxxxdbxxxxcx123
<SNOW_URL>               https://XXXX.service-now.com/
<requesterSource>        2c91808478daf0580178dcff779001b4
<username>               SNOW user
<password>               User Password
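As an added example (not the post's attached payload), the script below fills the <placeholders> from the parameter table into a payload template and refuses to proceed if a value is missing or malformed. TEMPLATE is a constructed stand-in whose keys are an assumption (take the real ones from the createServiceDeskIntegration API reference); the IDs are the ones from the table, while the sys_id, URL and credentials are made-up placeholders.

```python
import json
import re
# Added example (not the post's attached payload): fill the <placeholders> from the
# parameter table into a payload template and refuse to proceed if a value is
# missing or malformed. TEMPLATE is a constructed stand-in whose keys are an
# assumption; take the real ones from the createServiceDeskIntegration API reference.
TEMPLATE = """{
  "ownerRef": { "type": "IDENTITY", "id": "<ownerId>" },
  "clusterRef": { "type": "CLUSTER", "id": "<clusterId>" },
  "managedSources": [ "<Provision_Source_ID>" ],
  "attributes": { "url": "<SNOW_URL>", "sys_id": "<SNOW_Sys_ID>",
                  "requesterSource": "<requesterSource>",
                  "username": "<username>", "password": "<password>" }
}"""
VALUES = {  # IDs from the table above; the rest are constructed placeholders
    "ownerId": "2c91808673a16fb20173b8523ecd0021",
    "clusterId": "2c918088737cf45e0173b8fb6727040d",
    "Provision_Source_ID": "2c91808578daf04e0178dcb83b1a0173",
    "requesterSource": "2c91808478daf0580178dcff779001b4",
    "SNOW_Sys_ID": "SYS_ID_FROM_YOUR_SNOW_TENANT",
    "SNOW_URL": "https://example.service-now.com/",
    "username": "svc_idn_sdim",
    "password": 'p"ss\\word',  # a quote and a backslash must survive intact
}
IDN_ID = re.compile(r"^[0-9a-f]{32}$")
PLACEHOLDER = re.compile(r"<([A-Za-z_]+)>")

def check_values(values):
    """List of problems: IDN ids are 32 hex chars (as in the table), the SNOW URL
    must be https, and the service account needs a non-empty password."""
    problems = []
    for key in ("ownerId", "clusterId", "Provision_Source_ID", "requesterSource"):
        if not IDN_ID.match(values.get(key, "")):
            problems.append(f"{key}: expected a 32-character hex IDN id")
    if not values.get("SNOW_URL", "").startswith("https://"):
        problems.append("SNOW_URL: must be an https URL")
    if not values.get("password"):
        problems.append("password: empty")
    return problems

def fill_template(template, values):
    """Substitute every <placeholder>, JSON-escaping the value so a quote or
    backslash in a password cannot break the body; raise if one is unfilled."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise KeyError(f"no value for placeholder(s): {missing}")
    filled = PLACEHOLDER.sub(lambda m: json.dumps(values[m.group(1)])[1:-1], template)
    json.loads(filled)  # fails loudly if the template itself is not valid JSON
    return filled
```

Run check_values first and only call fill_template when it returns an empty list; the filled body is what goes into the create call.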


Integration Testing

  • For the provisioning source, create some entitlements and create an Access Profile and a requestable role.
  • Request access for a SNOW-correlated user on that source

  • In Account Activity a pending request will show with the REQ ticket number

  • In SNOW “Service Catalog -> Requests” the ticket number shows up

  • Click on the RITM and you will see the description of the request

  • Once the ticket is closed, the Access Request in IDN will close after the interval checks. This frequency can be configured as well (see the Configuring a Schedule for Status Checks section in the SDIM Integration API Reference Guide)

That should be it. You should be able to create provisioning tickets for the source now.

Hope that helped!!!