By Sharmila Pethe and Nikhil Kale
In Cloud Identity, Administrators or Application Owners can ensure that the right people in their organisation have access to the right applications by assigning Application Entitlements. For instance, any enterprise user who needs to access the Salesforce platform should be able to SSO to it. An entitlement can be assigned to an individual user or to a group of users.
Using Cloud Identity APIs, an administrator can manage the user entitlements for an application.
Pre-requisites:
- Application is configured on the Cloud Identity host
- API Client is created with access to Manage Application Entitlements
Application entitlement can be managed using the Application Access APIs provided in Cloud Identity.
To get details of the APIs, refer to the API documentation at:
https://<Cloud_Identity_Host>/developer/explorer
For example: https://my-cloud-identity.ice.ibmcloud.com/developer/explorer (if your host name is my-cloud-identity.ice.ibmcloud.com)
Application Access APIs: https://<Cloud_Identity_Host>/developer/explorer/#!/Application_Access
To work with an application and its users in Cloud Identity (CI), we need the Application ID and the User ID.
API to get user details and User ID
GET /v2.0/User
This User ID is used in the subsequent requests that update the entitlement.
API to get Application details and Application ID
GET /v1.0/applications
This Application ID is used in the requests that update the entitlement.
API to get current application entitlements
GET /v1.0/owner/applications/{applicationId}/entitlements
The response lists each entitlement together with its assignee (User or Group). The entitlement ID of an assignee is required when deleting that particular entitlement.
API to update application entitlements
POST /v1.0/owner/applications/{applicationId}/entitlements
The JSON payload of this POST call contains additions or deletions, depending on the update to be performed. To add a new entitlement, provide the User or Group ID; to delete an existing one, provide its entitlement ID.
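The steps above amount to a reconcile loop: read the current entitlements, compare them with the list of assignees who are approved for the application, and turn the difference into additions (by subject ID) and deletions (by entitlement ID). The following is an added example of that planning step, not IBM's code or the Postman collection; the field names in the sample response and payload (id, subjectId, subjectType, additions, deletions) are assumptions, so check the actual shapes in the API explorer before posting.

```python
import json

# Constructed sample of a GET /v1.0/owner/applications/{applicationId}/entitlements
# response. Field names are assumed for illustration, not taken from the API docs.
SAMPLE_ENTITLEMENTS = {
    "entitlements": [
        {"id": "ent-001", "subjectId": "user-alice", "subjectType": "user"},
        {"id": "ent-002", "subjectId": "group-sales", "subjectType": "group"},
        {"id": "ent-003", "subjectId": "user-contractor", "subjectType": "user"},
    ]
}


def entitlement_id_for(current, subject_id):
    """Return the entitlement ID that belongs to an assignee, or None.
    Deleting an entitlement requires this ID, not the user/group ID."""
    for ent in current["entitlements"]:
        if ent["subjectId"] == subject_id:
            return ent["id"]
    return None


def plan_update(current, approved):
    """Compute what must change so the application's entitlements match
    `approved` (dict of subjectId -> subjectType). Returns (additions, deletions):
    additions carry the User/Group ID, deletions carry the entitlement ID."""
    by_subject = {e["subjectId"]: e for e in current["entitlements"]}
    additions = [{"subjectId": s, "subjectType": t}
                 for s, t in approved.items() if s not in by_subject]
    # Anything currently entitled but not on the approved list is revoked,
    # which keeps access at least privilege as people and groups change.
    deletions = [e["id"] for s, e in by_subject.items() if s not in approved]
    return additions, deletions


def build_payload(additions, deletions):
    """Assemble the body for the POST entitlements call (assumed key names)."""
    payload = {}
    if additions:
        payload["additions"] = additions
    if deletions:
        payload["deletions"] = deletions
    return payload


if __name__ == "__main__":
    approved = {"user-alice": "user", "group-sales": "group", "user-bob": "user"}
    adds, dels = plan_update(SAMPLE_ENTITLEMENTS, approved)
    # Review the plan before sending it; a dry run is the cheapest change control.
    print(json.dumps(build_payload(adds, dels), indent=2))
```

Run the plan against the real GET response, review it, and only then send the payload to the POST endpoint with the API client's credentials.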
The following Postman collection contains these requests, with some scripting to perform these activities.
Filename: Cloud_Identity_Application_Entitlement_API_postman_collection.json
https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/tasks/t_application_entitlement.html
https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/api_request_examples.html