sailpoint package

Submodules

sailpoint.api module

class sailpoint.api.IDNApi(secret=None, client_id=None, tenant=None)

Bases: object

get_api_config()

r(endpoint, method='GET', params=[], payload=None, headers={}, files=None, api='v3')

r - Request something from the API

• Will only return top 250 max

• You can pass offset and limit manually as part of the endpoint string to overcome this

sailpoint.api.set_disableOrderingCheck(api, source_id)

sets disableOrderingCheck attribute on a connector

see: https://support.sailpoint.com/csm?id=kb_article_view&sys_kb_id=30af1be4972c6d14d7557f1ef053afd8

sailpoint.idnscripts module

class sailpoint.idnscripts.SODChecker(idn, report_only=True)

Bases: object

Checks SOD violations and resolves violations by removing violating access items

fix_violation(sod_policy, violator)

get_violators(sod_policy)

Gets the violators of a spcified sod_policy

Parameters:

sod_policy (dict - the SOD policy to find violations for)

process()

process_sod(sod)

Processes the SOD to remove violations

Processes a SOD and find violators and remove their violating access

Parameters:

• sod (The SOD to process)

• Results

• --------------------

• None (returns)

remove_access(violator, access, reason)

Removes access from an SOD violator.

This function removes the specified access from a violator based on the provided reason. If the system is in ‘report only’ mode, it will log a warning and not perform the action.

Parameters:

• violator (dict) – A dictionary containing the violator’s information, including their ID.

• access (dict) – A dictionary containing the access information that needs to be removed, including the type and ID of the access.

• reason (str) – A string specifying the reason for removing the access.

Returns:

True if the access was successfully removed, False otherwise.

Return type:

bool

sailpoint.idnscripts.cancel_old_approvals(idn, days_threshold=90, cancel_reason=None, report_only=True)

Cancels old approvals

Cancels approvals older than days_threshold

Parameters:

• idn (idn object) – The IDN connection object

• days_threshold (int) – Approvals open for longer than days approvals will be cancelled

• cancel_reason (string) – The reason for canceling the request

• report_only (bool) – If true, the return value will show only what would be done and no action on the approvals is actually preformed

sailpoint.report module

class sailpoint.report.IDNReport(api, idn)

Bases: object

Standard reports from IDN

get_ai_recommendations(id)

Get access recommendations for an identity

Parameters:

id (string) – The ID of the user you want to get recommendations for

get_disabled_ap_owners()

get_disabled_gg_members()

get_user_by_id_cache(user_id)

Gets a user by their ID, but also caches results so next time the lookup doesn’t have to go to the API

gg_membership()

Outputs a list of Governance groups, members and the associations one per line

sailpoint.util module

class sailpoint.util.IDN(secret=None, client_id=None, tenant=None)

Bases: object

add_gg_members(ggid, members)

Add Governance Group members

Parameters:

• ggid (string) – The ID of the governance group that you want to get the members of

• members (list) – List of members to add, list of guids

Return type:

result json

create_ap(name, description, source_name, owner_login=None, owner_email=None, enabled=True, entitlements=[], comments_required=False, denial_comments_required=False, requestable=True)

Creates an Access Profile

Parameters:

• name (string) – The name of the Access Profile

• description (string) – The description for the Access Profile

• owner_login (string) – The Owner of the Access Profile specified by their loginID (sAMAccountName)

• owner_email (string) – The Owner of the Access Profile specified by their email if owner_login is specified, this will be given preference

• source_name (string) – The source of the Access Profile specified by its name

• enabled (boolean) – If the Access Profile is enabled or not. Default True

• entitlements (list of entitlement dicts (id, name, type)) – The list of entitlements that are included in this Access Profile

• comments_required (boolean) – Whether the requester of the containing object must provide comments justifying the request. Default False

• denial_comments_required (boolean) – Whether an approver must provide comments when denying the request. Default False

• requestable (boolean) – Whether the AP should be requestable. Default True

Returns:

return

Return type:

json - output from the api call

create_app(name, description)

Creates an Application

This creates an Application.

Parameters:

• name (string) – The name of the application.

• description (string) – The description for the application.

Results

app: dict

The application with its status

create_gg(name, description, owner_id=None, owner_login=None)

Creates a Governance Group

Parameters:

• name (string) – The name of the Governance Group

• description (string) – The description for the Governance Group

• owner_id (string (optional)) – The ID of the Owner of the Governance Group (guid)

• owner_login (string (optional)) – The Owner of the Governance Group specified by their loginID (sAMAccountName)

Return type:

True

del_gg(ggid)

Delete Governance Group

Parameters:

ggid (string) – The ID of the governance group that you want to delete

Return type:

return status code

del_gg_members(ggid, members)

Delete Governance Group members

Parameters:

• ggid (string) – The ID of the governance group

• members (list) – List of members to delete, list of guids

Return type:

result json

delete_app(app_id=None, app_name=None)

Deletes an Application

This deletes an Application.

Parameters:

• specified (Either app_id or app_name must be specified. If app_name is)

• name (there must be only a single app that has that)

• this (otherwise)

• exception. (will raise an)

• app_id (string) – The appID of the application. NOTE: This uses the old cc API but this is NOT the short app app ID. (eg. 24016) You must list the app and then get the appId parameter from the app.

• app_name (string) – The name of the application.

Results

app: dict

The application with its status

delete_gg(ggid)

Delete a Governance Group

Parameters:

ggid (string (required)) – The ID of the governance group to delete

Return type:

True if Deleted

get_account(source_name=None, account_name=None)

Gets accounts for a specific source

Parameters:

• source_name (string) – The name of the source

• account_name (string) – The Name of the account

Returns:

accounts – The accounts

Return type:

generator of dicts

get_account_attribute_value(source_name, account_id, attr_name)

Gets the value of a specified account attribute from a source

Returns a value if found

Parameters:

• source_name (string) – The name of the SOURCE where the account can be found.

• account_id (string) – The unique ‘account id’ value on the SOURCE schema

• attr_name (string) – The attribute name on the SOURCE which holds the value

Returns:

string

Return type:

Attribute value

get_all_apps(access_profiles)

Gets all Applications via the access profiles.

Provides applications indexed by Application guid and includes which Access Profiles are attached.

get_all_aps()

Gets all Access Profiles indexed by guid

get_all_entitlements()

Gets all entitlements indexed by guid

get_ap(ap_id=None, ap_name=None)

Gets the Access Profile

Dont confuse ap (access profile) with app (Application)

Either ap_id or ap_name must be specified. If ap_name is specified there must be only a single ap that has that name, otherwise this will raise an exception.

Parameters:

• ap_id (string) – The ap ID that you want to fetch. You can use the ID as found from the list_aps method.

• ap_name (string) – The name of the ap that you want to fetch. This search is case sensitive.

• Results

• --------------------

• ap (dict) – The access profile and its attributes

get_api_obj(api_obj=None, idn_id=None, idn_name=None)

Get something from the API

Basically any API object that supports both getting by ID or by list with a filter.

For example:

• access-profiles

• workgroups (governance groups)

• sod-policies

Parameters:

• api_obj (string) – The API object type you are getting

• idn_id (string (optional)) – The ID of the thing you are wanting to get

• idn_name (string (optional)) – The exact name of the thing you want to get

Returns:

results

Return type:

list - a list of matching things

get_app(app_id=None, app_name=None)

Gets the App

Dont confuse ap (access profile) with app (Application)

Either app_id or app_name must be specified. If app_name is specified there must be only a single app that has that name, otherwise this will raise an exception.

Parameters:

• app_id (string) – The app ID that you want to fetch. You can use the ID as found from the list_apps method.

• app_name (string) – The name of the app that you want to fetch. This search is case sensitive.

• Results

• --------------------

• app (dict) – The application and its attributes

get_app_access_profiles(app_id)

Gets the access profiles for an app.

This comes from the cc api app_id is the cc id

Parameters:

app_id (string) – The app ID that you want to fetch the access profiles for. You can use the ID as found from the list_apps method.

Results

access_profiles: list of dicts

The access profiles that are part of the application requested.

get_app_owner(app_name)

Gets the Identity of the application owner

Uses the search API to get the application owner. If you change the application owner, this can take some time to synchronize before it will appear here. The application owner can also be obtained by calling get_app, however this only gives you the short (cc) ID of the owner and not the full identity.

Parameters:

• app_name (string) – The name of the app that you want to fetch.

• Results

• --------------------

• owner_Identity (dict) – The Identity of the owner

get_approvals(approver_id=None, recipient_id=None)

Gets approvals waiting for a user

Parameters:

• approver_id (string) –

  The ID of the approver

  ORG_ADMIN users can call this with any identity ID value. ORG_ADMIN users can also fetch all the approvals in the org, when

  owner-id is not used.

  Non-ORG_ADMIN users can only specify me or pass their own

  identity ID value.

• recipient_id (string) – The ID of the recipient

Return type:

List of approvals pending

get_aps_for_source(source_id=None, source_name=None)

Get access profiles for a specific source - generator

Parameters:

• source_id (string) – The ID of the source

• source_name (string) – The Name of the source

• specified (Either the name or the ID must be)

Returns:

access_profiles – The access profiles

Return type:

generator of dicts

get_attribute_map(identity_profile_name=None)

Gets the attribute map

get_cc_id_for_id(idn_id)

Gets the ‘cc’ user ID for the ID that is passed in

This is used, for example, when specifying an App Owner on an app. The API call for updating the app parameters is a CC API call, which requires you to use the ‘cc’ user ID.

Parameters:

idn_id (dict) – The ID of the user you want to look up

Returns:

cc_id

Return type:

string - the users CC id if found

get_entitlement(attr_name, attr_value, source_name)

Gets a single entitlement from a source

Returns 1 record if found

Parameters:

• attr_name (string) – The entitlement ATTRIBUTE name i.e “memberOf” in the case of Active Directory

• attr_value (string) – The entitlement NAME as defined in the entitlement schema. ie “Domain Users”

• source_name (string) – The entitlement SOURCE as defined in the entitlement schema.

Returns:

List of dict with the entitlement information

Return type:

entitlement_info

get_entitlement_by_id(entitlement_id)

Gets an entitlement by its ID

Parameters:

entitlement (string) – The ID that you want

Returns:

entitlement – The entitlement

Return type:

dict

get_entitlements_for_source(source_id, search_item='name', search_name=None)

Gets entitlements for source - generator

Parameters:

• source_id (string) – The source ID that you want the entitlements for.

• search_name (string (optional)) – The entitlement you want to search for. In this case the ‘name’ represents the Entitlement Name as defined in the source schema.

• search_item (string (optional default is 'name')) – Either ‘name’ or ‘id’ so you can search on the name or on the ID of the entitlement. In this case the ‘id’ represents the Entitlement ID as defined in the source schema.

Returns:

yields entitlements – The entitlements

Return type:

generator of dicts

get_gg(ggid=None, search_name=None, members=False, connections=False)

Get Governance Groups - Generator

Parameters:

• ggid (string (optional)) – The ID of the governance group that you want to get

• search_name (string (optional)) – The exact name of the governance group that you want to get

• members (boolean (default: False)) – If you want to include the members of the governance group

• connections (boolean (default: False)) – If you want to include the connections of the governance group

Returns:

governance_groups

Return type:

list - a list of matching governance groups

get_gg_connections(ggid)

Get Governance Group connections

Parameters:

ggid (string) – The ID of the governance group that you want to get the connections for

Returns:

connections - NOTE

Return type:

only returns first 50 offset not used

get_gg_members(ggid)

Get Governance Group members

Parameters:

ggid (string) – The ID of the governance group that you want to get the members of

Returns:

members

Return type:

dict

get_id_by_alias(alias)

Gets an Identity for the alias requested

This will throw an error if results of matching IDs is not exactly 1

Parameters:

alias (string) – The alias of the identity you want to retrieve

Returns:

id – The Identity

Return type:

IdentityNow ID object

get_id_by_login(login, include_nested=False)

Gets an Identity for the login specified

Parameters:

• login (string) – The login for the identity you want to retrieve

• include_nested (boolean) – Will include nested objects

Returns:

ids – The Identity

Return type:

list

get_item_description(item_id, refresh=False)

Gets a description for the specified item_id

Parameters:

• item_id – (string) the item ID you want to get the description for

• refresh – (bool) Whether to refresh the description even if we have it cached already. default: False

Data is cached for the life of the idn object

get_org()

Gets the org information

Return type:

org

get_provisioning_policies(source_id=None, source_name=None)

List source provisioning policies

Parameters:

• source_id (string) – The ID of the source

• source_name (string) – The Name of the source

• specified (Either the name or the ID must be)

Returns:

policies – The policies

Return type:

dict

get_sourceid_for_name(name, id_type='id')

Gets the source ID based on name of the source

Parameters:

• name (string) – The name of the source

• id_type (string) – The key of the specific ID you want to return. Type of ID to get, could be “id” or “cloudExternalId”

• Results

• --------------------

• id (string) – The ID

get_user_by_email(email, include_nested=False)

Gets the user by their email

Search is case insensitive

Parameters:

• name (string) – The email to search

• include_nested (boolean) – Will include nested objects

• Results

• --------------------

• identities (list of identities which match)

get_user_by_id(user_id, include_nested=False)

Gets the user by their ID

Parameters:

• user_id (string) – The users ID.

• include_nested (boolean) – Will include nested objects

• Results

• --------------------

• identity (The Identity that matched)

get_user_by_name(name, include_nested=False)

Gets the user by their name

You can also include wildcards such as: Dave* Search is case insensitive

Parameters:

• name (string) – The name to search

• include_nested (boolean) – Will include nested objects

• Results

• --------------------

• identities (list of identities)

list_accounts_for_source(source_id=None, source_name=None, include_type='all')

Lists accounts for a specific source

Parameters:

• source_id (string) – The ID of the source

• source_name (string) –

  The Name of the source

  Either the name or the ID must be specified

• include_type (string) –

  Options are :

  all **Default uncorrelated correlated

Returns:

accounts – The accounts

Return type:

generator of dicts

list_apps()

List all apps from IDN for the org (aka. Tennant)

list_identity_attributes()

List all identity attributes

list_identity_attributes_source()

List all identity attributes from profile source

list_identity_profiles()

List identity profiles

list_source_attributes(source_id=None, source_name=None, usage_type='CREATE')

List source attributes from source sync config

Parameters:

• source_id (string) – The ID of the source

• source_name (string) – The Name of the source

• usage_type (string) –

  Possible values: [CREATE, UPDATE, ENABLE, DISABLE, DELETE, ASSIGN, UNASSIGN, CREATE_GROUP, UPDATE_GROUP, DELETE_GROUP, REGISTER, CREATE_IDENTITY, UPDATE_IDENTITY, EDIT_GROUP, UNLOCK, CHANGE_PASSWORD]

  The type of provisioning policy usage. In IdentityNow, a source can support various provisioning operations.

• specified (Either the name or the ID must be)

Returns:

attributes – The attributes

Return type:

dict

list_source_sync_config(source_id=None, source_name=None, usage_type='CREATE')

List source sync config

Parameters:

• source_id (string) – The ID of the source

• source_name (string) – The Name of the source

Returns:

sync_config – The sync_config

Return type:

dict

list_sources()

List all sources

main_search(thing, query='*')

Generic search for things

Parameters:

• things (string)

• query (string (default: *)) –

  The query string you want to use

  Could be accessprofiles, identities, entitlements etc.

reidx(data, idx_key='name')

remove_account_from_id(account_id)

Removes an account from an Identity

Parameters:

account_id (string) – The if of the account

Returns:

• Dict

• ’pendingCisTasks’ (False - Means it worked)

• ’pendingCisTasks’ (True - Means it failed because there are pending)

• tasks being processed

run_acct_aggregation(source_name, optimized=True)

Runs an account aggregation for a source

Parameters:

• source_name (string) – The name of the source to run the aggregation for.

• optimized (boolean) – If True this will be an optimized aggregation, if False it will do a non-optimized aggregation.

• Results

• --------------------

• dict (The result of the API call)

search(payload, sort='id')

Runs a generic search - generator

You must provide the full payload.

Can be used to search for anything that the search accepts

Tip: Use developer tools in your browser on the search screen to figure out the payload.

For example:

payload = {

“query”: {“query”: “email:”davep@fitchratings.com””}, “indices”: [“identities”]

}

Parameters:

• payload (dict) – The full search payload

• sort (string) – The key to sort on. Default is ‘id’

• Results

• --------------------

• dict (yields)

update_ap(ap_id, parameter, value)

Updates an Access Profile

This updates an access profile.

Parameters:

• ap_id (string) – The ap ID that you want to update.

• parameter (string) – The parameter that you want to update.

• value (string) – The value you want to set.

• Results

• --------------------

• ap (dict) – The aplication and its attributes

update_app(app_id, parameter, value)

Updates an Application

This updates an Application.

Parameters:

• app_id (string) – The app ID that you want to fetch. You can use the ID as found from the list_apps method.

• parameter (string) – The parameter that you want to update. To update the name use alias instead.

• value (string) – The value you want to set.

• Results

• --------------------

• app (dict) – The application and its attributes

update_approval(approval_id, new_owner=None, action='reject', reason='The approval has been reassigned')

Reassigns an approval to a different user

Parameters:

• approval_id (string) – The ID of the approval to reassign as retrieved from access-request_approvals

• action (string) –

  One of the following:

  approve - Approve an access request approval. Only the owner

  of the approval and admin users are allowed to perform this action.

  reject - Rejects an access request approval. Only the owner

  of the approval and admin users are allowed to perform this action.

  forward - Reassigns (Forwards) an access request approval to

  a new owner. Only the owner of the approval and ORG_ADMIN users are allowed to perform this action.

new_owner: string

The ID of the person who the approval will be reassigned to. Only used if action is “forward”.

Results

ret: 202 is success anything else you better check

update_entitlement(entitlement_id, attr='description', val='')

Used to update the entitlement.

Use case is to update the description.

If you set this to blank it will get updated based on the source description at the time the next entitlement aggregation is run

Parameters:

• entitlement_id (string) – The entitlement that you want to update specified by its ID

• attr (string (DEFAULT: description)) – The attribute you want to update.

• val (string (DEFAULT: EMPTY)) – The value that you want to save

Returns:

entitlement – The entitlement as it is after it has been updated

Return type:

dict

update_gg(gg_id, parameter, value)

Updates an governance group

This updates a governance group.

Parameters:

• gg_id (string) – The governance group ID that you want to update.

• parameter (string) – The parameter that you want to update.

• value (string) – The value you want to set.

• Results

• --------------------

• gg (dict) – The governance group and its attributes

update_idn_obj(idn_type, idn_id, op, path, value)

Update an IDN Object

Basically any API object that supports patching an update with a path.

For example:

• access-profiles

• workgroups (governance groups)

• entitlements

• roles

• sources

Parameters:

• idn_type (string) –

  The API object type you are setting:

  • access-profiles

  • workgroups (governance groups)

  • entitlements

  • roles

  • sources

• idn_id (string (optional)) – The ID of the thing you are wanting to update

• op (string (optional)) – replace - as per API docs

• path (string (optional)) – example: /owner - must include preceding forward slash

• value (string, list, dict - as per API docs) –

  example:

  owner = {‘type’: ‘IDENTITY’, ‘id’: transfer_user}

Return type:

json results

Module contents