darrenjrobinson / powershell_module_identitynow

SailPoint IdentityNow PowerShell Module
https://blog.darrenjrobinson.com/sailpoint-identitynow/
MIT License

Search Entitlements gives weird results #12

Closed rantingdemon closed 4 years ago

rantingdemon commented 4 years ago

Hi,

I think I may have found a bug. Search-IdentityNowEntitlements seems to give strange results.

If I run:

Search-IdentityNowEntitlements -query "source.name:'<obfuscated name of AD source>'" | convertto-json

then I get

{
  "_type": "entitlement",
  "attribute": "daUserType",
  "description": null,
  "displayName": "STAFF",
  "id": "2c9180846db6fc03016dca02a4c74317",
  "identityCount": 22278,
  "modified": "2019-10-14T11:23:53Z",
  "name": "STAFF",
  "org": "company-stg",
  "pod": "stg01-eucentral1",
  "privileged": false,
  "source": {
    "id": "2c9180846cdedb5e016cf14a253d3977",
    "name": "<obfuscated name of HR authoritative source>"
  },
  "synced": "2020-02-24T04:32:55.51Z",
  "tags": null,
  "type": "entitlement",
  "value": "STAFF"
}

I can repro this in other scenarios too. The Entitlements do not seem to correspond to the Source specified in the search query. Is this just me? Am I being stupid? :)

rantingdemon commented 4 years ago

I have this code, which is supposed to write all entitlements into a folder named after the source.

But the results have been very weird: I get entitlements in the Source folder that do not relate to the Source.

Note, this assumes there is a git repo - the script uses this to get the root folder to operate on.

#NB: Change your $orgName variable to the tenant you are working with.  This must be the same as your current branch.
$orgName = "company-stg"
try{
    Set-IdentityNowOrg -orgName $orgName
    Get-IdentityNowOrgConfig
}
catch{
    write-host "Unable to set IDN organisation" -ForegroundColor Red
    throw $_
}
write-host "Set IDN Tenant to $orgName" -ForegroundColor Green
#get the repo root folder, and quit if it cannot get it.
$repoRootFolderLinuxVersion = git rev-parse --show-toplevel
if(!$repoRootFolderLinuxVersion){
    write-host "Could not get the repo root folder.  Are you in the correct current working folder, for the repo?" -ForegroundColor Red
    exit 1   # 'break' outside a loop does not reliably stop a script; exit with a non-zero code instead
}
#changing / to \, for Windows...
$repoRootfolder = ""
for($i = 0; $i -lt $repoRootFolderLinuxVersion.Length;$i++){   # -lt, not -le: -le reads one index past the end of the string
    if($repoRootFolderLinuxVersion[$i] -eq "/"){$curChar = "\"}
    else {$curChar = $repoRootFolderLinuxVersion[$i]}
    $repoRootfolder = $repoRootFolder + $curChar
}

#remove all Entitlement files first
try{
    Write-Host "Removing all current entitlements..." -ForegroundColor Green
    $entitlementsFolder = $repoRootfolder + "\entitlements\"
    # Only remove the folder if it exists; -ErrorAction Stop turns Remove-Item's non-terminating
    # errors into terminating ones so the catch block below actually runs on failure.
    if(Test-Path $entitlementsFolder){
        remove-item $entitlementsFolder -Recurse -ErrorAction Stop
    }
}
catch{
    Write-Host "Could not clean up Entitlements.  Exiting...."
    throw $_   # was 'catch $_', which is not valid PowerShell inside a catch block
}

$identityNowSources = Get-IdentityNowSource
ForEach ($source in $identityNowSources){
    $Sourcefolder  = Get-item ($repoRootfolder + "\entitlements\" + $source.name  ) -ErrorAction SilentlyContinue
    if(!($Sourcefolder)){
        $Sourcefolder = (New-Item -path ($repoRootFolder + "\entitlements\" + $source.Name) -ItemType "Directory")
    }
    $query = ("source.name: '" + $source.name + "'")
    write-host ("Executing Entitlements query: " + $query)
    $entitlements  = Search-IdentityNowEntitlements -query $query
    foreach($ent in $entitlements){
        $ent | convertto-json | out-file -FilePath ($Sourcefolder.FullName + "\" + $ent.displayName + ".json")
    }
}

darrenjrobinson commented 4 years ago

Try using the externalId of the Source rather than the name.

Example:

$identityNowSources = Get-IdentityNowSource
ForEach ($source in $identityNowSources){
    $query = ("source.id:$($source.externalId)")
    $entitlements  = Search-IdentityNowEntitlements -query $query -Verbose
    "Source: $($source.name) Entitlements: $($entitlements.count)" 
}
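The following is an added example, not code from the module or from either participant in this thread. It combines the export loop from the earlier script with the maintainer's suggestion to query by externalId, and adds the check a reviewer would want before trusting an exported entitlement set: after the query it verifies that each returned entitlement's source.id really matches the source being exported, reports any that do not, and only then writes the file. It assumes Set-IdentityNowOrg has already been run, that an entitlement's source.id equals the source object's externalId (which is what the maintainer's query relies on), and uses $exportRoot as a placeholder output path. The Join-Path and file-name sanitising are ordinary PowerShell, not module APIs.

```powershell
# Added example: export entitlements per source, querying by externalId and
# validating that every result belongs to the requested source before writing it.
# Assumes Set-IdentityNowOrg has already been called for the tenant.

# Placeholder output location; change to the folder you want to export into.
$exportRoot = Join-Path (Get-Location) "entitlements"

# Replace characters that are invalid in file names so a displayName can
# neither break the write nor land outside the per-source folder.
function ConvertTo-SafeFileName {
    param([string]$name)
    foreach ($c in [IO.Path]::GetInvalidFileNameChars()) {
        $name = $name.Replace($c, '_')
    }
    if ([string]::IsNullOrWhiteSpace($name)) { $name = "unnamed" }
    return $name
}

$summary = @()
$sources = Get-IdentityNowSource
foreach ($source in $sources) {
    $sourceFolder = Join-Path $exportRoot (ConvertTo-SafeFileName $source.name)
    if (-not (Test-Path $sourceFolder)) {
        New-Item -Path $sourceFolder -ItemType Directory | Out-Null
    }

    # Query by id, not by name: a name query is what returned entitlements from
    # another source in this issue.
    $query = "source.id:$($source.externalId)"
    $entitlements = @(Search-IdentityNowEntitlements -query $query | Where-Object { $_ })

    # Second check: keep only results whose source.id matches, and report the rest.
    # Assumption: entitlement.source.id equals the source's externalId.
    $matched = @($entitlements | Where-Object { $_.source.id -eq $source.externalId })
    $strays  = $entitlements.Count - $matched.Count
    if ($strays -gt 0) {
        Write-Warning "$($source.name): $strays entitlement(s) returned for '$query' belong to a different source and were skipped"
    }

    foreach ($ent in $matched) {
        # Include the entitlement id so two entitlements sharing a displayName
        # do not overwrite each other.
        $fileName = "{0}_{1}.json" -f (ConvertTo-SafeFileName $ent.displayName), $ent.id
        $ent | ConvertTo-Json -Depth 10 |
            Out-File -FilePath (Join-Path $sourceFolder $fileName) -Encoding utf8
    }

    $summary += [pscustomobject]@{
        Source     = $source.name
        ExternalId = $source.externalId
        Returned   = $entitlements.Count
        Written    = $matched.Count
        Skipped    = $strays
    }
}

# One row per source: Returned should equal Written; any Skipped count means the
# query filter did not hold and the export for that source deserves a closer look.
$summary | Format-Table -AutoSize
```

The post-filter is deliberately redundant with the query. When the exported files feed an access review or a diff between tenants, a silently mis-attributed entitlement is worse than a missing one, so the script refuses to write anything it cannot tie back to the source folder it is writing into, and the summary table makes a mismatch visible instead of leaving it buried in a folder of JSON files.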
rantingdemon commented 4 years ago

Thanks Darren. That did the job.

rantingdemon commented 4 years ago

I added a pull request for this module, by adding a line to show how to use the External ID too.