IBM Security Verify


Managing Application Entitlements using Cloud Identity APIs

By Sharmila Pethe posted Thu October 17, 2019 04:04 PM

  

By Sharmila Pethe and Nikhil Kale

In Cloud Identity, administrators or application owners can ensure that the right people in their organisation have access to the right applications by assigning Application Entitlements. For instance, any enterprise user who needs to access the Salesforce platform should be able to SSO to it. An entitlement can be assigned to an individual user or to a group of users.
 

 

 

Using Cloud Identity APIs, an administrator can manage the user entitlements for an application. 

 

Pre-requisites: 

  1. Application is configured on the Cloud Identity host 
  2. API Client is created with access to Manage Application Entitlements 

 

Application entitlements can be managed using the Application Access APIs provided in Cloud Identity. 

 

To get details of the APIs, refer to the API documentation at: 

https://<Cloud_Identity_Host>/developer/explorer 

For example: https://my-cloud-identity.ice.ibmcloud.com/developer/explorer (if your host name is my-cloud-identity.ice.ibmcloud.com) 

 

Application Access APIs: https://<Cloud_Identity_Host>/developer/explorer/#!/Application_Access  

 

To work with applications and users in Cloud Identity (CI), we need the Application ID and the User ID. 

 

API to get user details and User ID 

get /v2.0/User 

This User ID is used in the subsequent requests for updating the entitlement. 

 

API to get Application details and Application ID 

get /v1.0/applications 

This Application ID is used in the request for updating the entitlement. 

 

API to get current application entitlements 

get /v1.0/owner/applications/{applicationId}/entitlements 

The response lists the entitlements, each with its assignee (User or Group). The entitlement ID for an assignee is required when deleting a particular entitlement. 

 

API to update application entitlements 

post /v1.0/owner/applications/{applicationId}/entitlements 

The JSON payload in this POST call contains additions or deletions, depending on the update to be performed. When adding a new entitlement, the User or Group ID needs to be provided. When deleting one, the entitlement ID has to be given. 
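The following Python sketch is an added example, not part of the original post or the Postman collection. It reconciles an application's current entitlements against a desired assignee list and builds the update request, so that stale access is removed by entitlement ID and missing access is added by User or Group ID. The JSON field names, the Bearer token header and the sample IDs are assumptions; confirm the exact schema in your tenant's API explorer.

```python
import json
import urllib.request

# Constructed sample shaped like a GET .../entitlements response.
# Field names ("entitlements", "id", "assignee", "subjectType", "subjectId")
# are assumptions, not taken from the original post.
SAMPLE_CURRENT = {
    "entitlements": [
        {"id": "ent-001", "assignee": {"subjectType": "user", "subjectId": "U100"}},
        {"id": "ent-002", "assignee": {"subjectType": "user", "subjectId": "U200"}},
        {"id": "ent-003", "assignee": {"subjectType": "group", "subjectId": "G900"}},
    ]
}


def plan_entitlement_update(current, desired):
    """Diff current entitlements against desired (subjectType, subjectId) pairs.

    Additions carry the User or Group ID; deletions carry the entitlement ID.
    """
    desired = set(desired)
    held = {}
    for ent in current.get("entitlements", []):
        assignee = ent["assignee"]
        held[(assignee["subjectType"], assignee["subjectId"])] = ent["id"]
    additions = [{"subjectType": t, "subjectId": s}
                 for t, s in sorted(desired - set(held))]
    deletions = [{"id": held[key]} for key in sorted(set(held) - desired)]
    return {"additions": additions, "deletions": deletions}


def build_update_request(host, application_id, token, plan):
    """Build (without sending) the POST to the entitlements endpoint."""
    url = f"https://{host}/v1.0/owner/applications/{application_id}/entitlements"
    return urllib.request.Request(
        url,
        data=json.dumps(plan).encode(),
        method="POST",
        # Assumption: the API client's access token is sent as a Bearer token.
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    wanted = [("user", "U100"), ("user", "U300")]
    print(json.dumps(plan_entitlement_update(SAMPLE_CURRENT, wanted), indent=2))
```

Review the printed plan before sending it with `urllib.request.urlopen`, since every entry under deletions revokes an existing assignee's access to the application.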

 

The following Postman collection has these requests with some scripting to perform these activities. 

Filename: Cloud_Identity_Application_Entitlement_API_postman_collection.json

 

https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/tasks/t_application_entitlement.html 

 

https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/api_request_examples.html 
