search

darrenjrobinson / powershell_module_identitynow

SailPoint IdentityNow PowerShell Module
https://blog.darrenjrobinson.com/sailpoint-identitynow/
MIT License
47 stars 15 forks source link

Issue writing access profiles via API #55

Open jiggle-1 opened 2 years ago

jiggle-1 commented 2 years ago

Hello -

Thanks again for the continued support of this modules. Its very helpful!

One issue I continue to experience is with writing access profiles via the API. We spoke about this in the past and we hoped it was related to an authentication issue. Since then, I have been able to validate that it happens to others in our group.

The creds are valid:

image

But I receive this error:

image

The profile also appear to be formatted correctly:

image

I have it stripped the script to setting as much as I can manually:

`# Get Owner for Access Profile $owner = Search-IdentityNowUserProfile -query 'ownerid'

Get Source for Access Profile

$sources = Get-IdentityNowSource

$oktaSource = $sources | Select-Object | Where-Object {$_.name -like 'Okta'}

$OktasourceID = "sourceid"

Entitlements

$entitlements = Search-IdentityNowEntitlements -query "source.name:Okta*" $e = $entitlement | Select-Object name, id | Where-Object {$_.name -like 'something'}

Access Profile Details

$accessProfile = @{} $accessProfile.add("name", "something-ENGINEERING") $accessProfile.add("description", "Can view all resources and create custom queries.") $accessProfile.add("sourceId", $oktaSourceid) $accessProfile.add("ownerId", $owner.id)

Access Profile Entitlements

$accessProfile.add("entitlements", "externalid")

Access Profile Type

$accessProfile.add("approvalSchemes", "manager") $accessProfile.add("requestCommentsRequired", $false) $accessProfile.add("deniedCommentsRequired", $false)

New-IdentityNowAccessProfile -profile ($accessProfile | convertto-json)

}`

Can you guys think of anything else I can check?

Thanks again!

darrenjrobinson commented 2 years ago

I've just gone through and created a new Access Profile based off how I've always done it and it was successful. Looking at the error and your screenshots I'm thinking the '#' in the name attribute could be causing the issue. Try with a name that doesn't have a '#' in it.

image image image image

jiggle-1 commented 2 years ago

Hey Darren -

Thank you for taking the time to look at this. I think the # was from a comment that I didn't mean to copy over. You can imagine how many things I've tried.

If I use the example to create one profile via the API with mostly static values, it gives me a similar error. I was able to get the bulk-create to work from in Dec 2020, but when I circled back to use it again in Q121, it wouldn't work.

I would still think this is some kind of auth issue but every other command that I've tested runs fine.

I believe someone commented on your old site relating to this. Of course that was many cycles ago and I cant find the page any longer. You responded by suggesting they tag an encoding or something to that effect at the end of the invoke command. Does this remind you of that

Thank you again!