Plugin custom REST API - Filter data visibility based on requester's scope
Symptoms

The out-of-the-box (OOTB) SCIM API does not restrict data visibility based on who the requester is. This plugin uses the requester's scope to restrict which data is visible.


Solution

A plugin was created that provides a custom REST API with scoping support.

The functionality/flow is as follows:

  1. A REST end point is created for reading user data (http://localhost:8080/identityiq/plugin/rest/RESTSCIMExtension/users).
  2. A capability/SPRight (UserListResourceExtendedSCIMExecutor) is created for authorizing access to this end point.
  3. A scope (EmailDomainMatch) is created that returns only the users whose email domain matches the requester's domain.
  4. OAuth API authentication is enabled for this custom end point.

The above scope/SPRight can be extended further to address your own use cases.
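The following resource class is an added example of steps 1 to 3 above; it is not the plugin's own source, which ships in the attached zip. It assumes the SailPoint IdentityIQ plugin REST API as documented for plugin development (BasePluginResource, @RequiredRight, getLoggedInUser(), getContext()) and the SPRight name from the flow above. The package name, the class name UserListResource and the domain-matching helper are assumptions of this example. The security-relevant point is that the scope is derived server-side from the authenticated requester's own email address, never from a request parameter, so a caller cannot widen the scope by changing the request.

```java
package example.restscimextension; // assumed package name for this example

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.rest.plugin.BasePluginResource;
import sailpoint.rest.plugin.RequiredRight;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

/**
 * Custom REST end point: GET /plugin/rest/RESTSCIMExtension/users
 * Access requires the SPRight UserListResourceExtendedSCIMExecutor (step 2);
 * the result is scoped to the requester's email domain (step 3).
 */
@Path("RESTSCIMExtension")
@Produces(MediaType.APPLICATION_JSON)
public class UserListResource extends BasePluginResource {

    @Override
    public String getPluginName() {
        return "RESTSCIMExtension";
    }

    @GET
    @Path("users")
    @RequiredRight(value = "UserListResourceExtendedSCIMExecutor")
    public List<Map<String, Object>> listUsers() throws GeneralException {
        // The requester is the authenticated identity resolved by IdentityIQ,
        // so the scope cannot be influenced by anything the client sends.
        Identity requester = getLoggedInUser();
        String domain = emailDomain(requester == null ? null : requester.getEmail());

        List<Map<String, Object>> users = new ArrayList<>();
        if (domain == null) {
            // Fail closed: a requester without a usable email domain sees nothing.
            return users;
        }

        SailPointContext ctx = getContext();
        QueryOptions qo = new QueryOptions();
        // EmailDomainMatch scope: only identities whose email ends in "@<requester domain>".
        // Case-insensitive, because email domains are case-insensitive.
        qo.addFilter(Filter.ignoreCase(Filter.like("email", "@" + domain, Filter.MatchMode.END)));

        Iterator<Identity> it = ctx.search(Identity.class, qo);
        try {
            while (it.hasNext()) {
                Identity id = it.next();
                // Return only the attributes the end point is meant to expose.
                Map<String, Object> row = new HashMap<>();
                row.put("name", id.getName());
                row.put("displayName", id.getDisplayName());
                row.put("email", id.getEmail());
                users.add(row);
            }
        } finally {
            Util.flushIterator(it); // release the cursor even on an exception
        }
        return users;
    }

    /** Returns the lower-cased domain part of an email address, or null if none. */
    static String emailDomain(String email) {
        if (email == null) {
            return null;
        }
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) {
            return null;
        }
        return email.substring(at + 1).trim().toLowerCase();
    }
}
```

A requester without the SPRight is rejected by the @RequiredRight check before the method body runs; a requester with the SPRight still only sees identities in their own domain. If you later replace the email-domain rule with a different scope, keep the same shape: derive the scope from the authenticated identity and apply it as a query filter, rather than filtering a full result set in memory.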

Enable OAuth 2 clients for authentication as explained in the community forum post below, or refer to the attached APIAuthenticationSetup.docx.

https://community.sailpoint.com/t5/IdentityIQ-Wiki/OAuth-2-0-Client-Credentials-as-a-Token-Based-Pro...

Refer to the attached OAuthClientSOP.java.txt for invoking this custom REST end point using OAuth authentication. Note: users are restricted from executing the other SCIM APIs, as shown below, unless they have the SCIMExecutor capability:

  import org.apache.http.client.methods.HttpGet; // Apache HttpClient, as used by the attached client

  // Scenario: 401 without the SCIMExecutor capability
  //HttpGet httpGet = new HttpGet("http://localhost:8080/identityiq/scim/v2/Applications/c0a8568d76851514817685f79c3e000b");

  // Scenario: the capability required by the custom REST end point is UserListResourceExtendedSCIMExecutor
  HttpGet httpGet = new HttpGet("http://localhost:8080/identityiq/plugin/rest/RESTSCIMExtension/users");
Comments

Thanks for posting this. When I try to load it on my 8.2, it says "Unable to locate manifest file in RESTSCIMExtension.zip".

I have looked at the release notes and the version numbers seem fine.

<Plugin certificationLevel="None" displayName="RESTSCIMExtension" minSystemVersion="7.3" name="RESTSCIMExtension" version="2.2">
<Attributes>
<Map>
<entry key="minUpgradableVersion" value="1.0" />

Any help is greatly appreciated.

Pasha

Nevermind. I was using the wrong .zip file

Hello,

Do we have a SCIM API or REST API to fetch access request IDs for an identity in IdentityIQ SailPoint?

Thanks

Amit Tiwari

A quick note for the author of this plugin, when you have the RequiredRight annotation for your REST endpoint (@RequiredRight(value = "UserListResourceExtendedSCIMExecutor")), that will automatically cross check the requesting identity against that SPRight.  If you want to use a custom authorizer for the endpoint, then you should be annotating it with @Deferred, not @RequiredRight.

@Amittiwari197678 Do we have a SCIM API or REST API to fetch access request IDs for an identity in IdentityIQ SailPoint? --> Were you able to achieve this?

Version history: Revision 2 of 2, last update May 22, 2023 07:05 PM