Supported Operations
This section describes the operations that the Web Services Connector supports. For certain operations, the Body must be updated with operation-specific configuration parameters. For more information, refer to Operation-Specific Configuration Parameters.
Perform a test to confirm the connection to SailPoint.
The Web Services Connector supports aggregation using one of the following two mechanisms:
- Parent-Child Configuration
- Multiple Independent Endpoints
For more information on multiple independent endpoints, refer to Multiple Independent Endpoints.
Configuration for Multiple Endpoints
Perform the following to obtain the properties of account/group/Get Object from multiple endpoints:
- The basic attribute is obtained from the first endpoint and is then used for aggregating the data from the rest of the endpoints.
  For example, during the aggregation of Jive some attributes are obtained from the first endpoint (Mapped Schema Attribute) using the following URL:
  https://myDomain.jive.com/api/core/v3/people
- Account Aggregation - 1
  - As displayed in the following screenshot under Operations, enter the name of the operation as "Account Aggregation -1", select Account Aggregation from the Operation Type drop-down list. Select Add New Operation.
    For more information on adding a new operation, refer to Connector Operation Configuration.
  - Enter the Context URL and select the method from the HTTP Method drop-down list.
  - Mapped schema attributes.
- Account Aggregation - 2
  - To aggregate an additional attribute from another endpoint, use the id attribute from the previous response. Add these attributes in Schema Attribute of Response Attribute Mapping and response as follows: Response –
    The following context URL contains id which aggregates all the groups connected to that account:
    https://myDomain.jive.com/api/core/v3/people/$response.id$/securityGroups
In the above example, Account Aggregation -1 is the Parent Endpoint and Account Aggregation -2 is its Child Endpoint.
As a result, "Account Aggregation -1" is listed as the Parent Endpoint Name in its child endpoints as shown below:
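The parent-child chaining described above, modelled in Python as an added example (this is not SailPoint connector code, and it does not claim to reproduce the connector's internals). It resolves the `$response.id$` placeholder in the child Context URL from each parent record; the sample records, the function names and the percent-encoding of the substituted value are assumptions of this sketch.

```python
import re
from urllib.parse import quote

# Placeholder syntax as it appears on the page: $response.<attribute>$
PLACEHOLDER = re.compile(r"\$response\.(\w+)\$")

CHILD_URL = "https://myDomain.jive.com/api/core/v3/people/$response.id$/securityGroups"

# Constructed sample of parent-endpoint records (assumed shape, not real Jive output).
PARENT_RESPONSE = [
    {"id": "2001", "displayName": "Ada Example"},
    {"id": "2002", "displayName": "Bob Example"},
    {"id": "../admin?x=1", "displayName": "Malformed id"},
    {"displayName": "No id returned"},
]


def resolve_child_url(template, parent_record):
    """Fill every $response.<attr>$ in the child URL from one parent record.

    Returns None when a referenced attribute is missing or empty, so the
    caller skips the child call instead of requesting an empty path segment.
    """
    missing = []

    def substitute(match):
        value = parent_record.get(match.group(1))
        if value is None or value == "":
            missing.append(match.group(1))
            return ""
        # safe="" also encodes "/", "?" and "#": the value stays one path segment.
        return quote(str(value), safe="")

    url = PLACEHOLDER.sub(substitute, template)
    return None if missing else url


def plan_child_requests(template, parent_records):
    """Return (resolved_urls, skipped_records) for one parent-child run."""
    resolved, skipped = [], []
    for record in parent_records:
        url = resolve_child_url(template, record)
        if url is None:
            skipped.append(record)
        else:
            resolved.append(url)
    return resolved, skipped


if __name__ == "__main__":
    urls, skipped = plan_child_requests(CHILD_URL, PARENT_RESPONSE)
    print("\n".join(urls))
    print("skipped:", skipped)
```

When reviewing a real parent-child configuration, confirm with a test aggregation how identifier values that contain URL-reserved characters reach the managed system.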
The Web Services Connector supports delta aggregation. This feature aggregates only accounts that have changed since the last execution.
Delta Aggregation Configuration Example
Web Services first creates an account on the managed system and then adds entitlements one by one. If GetObject is configured, the connector will invoke the GetObject endpoint with the respective identity attribute. The identity attribute can be aggregated through the provisioning plan or the response returned by the managed system.
If the GetObject operation is present, Web Services invokes GetObject operation using identity attribute, or it directly updates the resource object in provisioning plan (provisioning result).
Note
If the managed system supports a single/separate endpoint for creating an account and adding an entitlement, use the createAccountWithEntReq attribute.
The following is an example for updating the Body in a Create Account operation in Dropbox. For aggregating attributes through the Provisioning Plan, the Body must be updated in the following manner. This aggregates the attribute details through the Provisioning Form and updates the endpoint.
- (For JSON) In the following Body,
  - $plan represents the Provisioning Plan that is passed to the provision method.
  - $plan.member_surname – The connector checks for member_surname in the attribute request and updates the body after it is found.
- (For XML) To create account for XML payload:
  To Get Object for XML payload
Create Account Scenarios
Entitlements | GetObject | Description of the Scenario |
---|---|---|
No | No | |
No | Yes | |
Yes | No | |
Yes | Yes | |
Yes | No | |
Yes | Yes | |
Set the getObject endpoint for the enable/disable operation using the POST method. The complete object receives an update, not a single attribute. So, the first endpoint getObject operation aggregates the whole account. Later, the endpoint updates the payload with all the required attributes using the response of the first endpoint.
Perform the following steps to configure Get Object for the Enable operation with the PUT method:
- Configure the first endpoint to getObject - Enable.
- Configure the first endpoint response as shown in the following figure:
  This endpoint retrieves the getObject for the account to be provisioned.
- Configure the second endpoint Body for Enable as shown in the following figure:
Note
You may need to update a few attributes for performing the enable/disable operation. Similar steps are to be performed for the Disable operation.
The following is an example of the Body entry for Add Entitlement:
As in the above example, the Body entry must be updated for Remove Entitlement.
The following is an example of the Body entry for Update Account:
The following is an example of the Body entry for Delete Account:
The following is an example of the Body entry for Change Password:
You can create, modify, and delete group objects on the managed system. Create new provisioning operations by adding the schema to the application XML file. The available options are derived from the group objects schema. To enable provisioning, you must add featuresString="PROVISIONING" to the schema in the application XML. For example:
<Schema displayAttribute="name" featuresString="PROVISIONING" identityAttribute="sys_id" instanceAttribute="" nativeObjectType="group" objectType="group">
Once the new operations are added to the application XML, you can configure them on the Connector Operations page.
For example, the source UI shows the following as available Operations:
- Create-<schema name>
  For example:
  Create-group or Create-role
- Update-<schema name>
  For example:
  Update-group or Update-role
- Delete-<schema name>
  For example:
  Delete-group or Delete-role