Hi, I need to import Technical Roles in JSON format in my IGA 24.3. Where can I find some JSON examples to understand the syntax/format?
Thanks in advance.
I think there may be two approaches here. You can export a technical role (create one, then select it in the Technical Roles page and use the actions button to download the definition), then look at the content and try to recreate that syntax and import your roles using that format.
That will look like this:
```json
{
  "type": "ROLE_POLICY",
  "export-version": "4.2.0 ",
  "export-date": "09-1-2025 08:43:03",
  "roles": [{
    "name": "Mining Candidates",
    "description": "Technical role candidate mined on Jun 25, 2024<br\/><\/br>Authorizations: 2<br\/>Users: 129",
    "riskMode": "MAN",
    "uniqueId": "0bc0891399dd417fa5387db9761f5f57",
    "permissions": [
      {
        "application": "eDir",
        "applicationId": "55a607831ef44c378b4a9c3fe401cad0",
        "name": "finance",
        "description": "One liner",
        "criteria": {
          "operator": "AND",
          "childCriteria": [{
            "attributeKey": "digestId",
            "operator": "MATCHES",
            "value": "eb5d31d4-6206-3b4c-ae82-a6c26ecfdf0f"
          }]
        }
      },
      {
        "application": "eDir",
        "applicationId": "55a607831ef44c378b4a9c3fe401cad0",
        "name": "Billionaires",
        "description": "Description",
        "criteria": {
          "operator": "AND",
          "childCriteria": [{
            "attributeKey": "digestId",
            "operator": "MATCHES",
            "value": "7f5035e3-f7fd-3716-a07a-203e18bd7466"
          }]
        }
      }
    ]
  }],
  "applications": [{
    "uniqueId": "55a607831ef44c378b4a9c3fe401cad0",
    "name": "eDir"
  }]
}
```
Separately, if you are planning on importing more than just once, you may want to look at the API for roles management and think about using a script to make subsequent calls to that API. The payload will likely be a bit different than the import format, but it could be a quicker process if you repeatedly need to import a lot of tech roles. You'd want to look at {API}/policy/roles inside the /apidoc context. Looking at the browser dev tools while you perform an import will give some insight into the correct payload for an import. * Note that API work isn't supported, other than by friendly community members here.
--Jim
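As an added example (not part of the original posts and not OpenText code), here is one way a scheduled job could generate a file in the shape of the export above from its own role list, refusing duplicate role names and permissions that point at an undeclared application. The input layout, the name-derived `uniqueId`, and the UUID check on `digestId` are assumptions; only the output field names and sample ids come from the export shown.

```python
import json
import re
import uuid

# Assumption: digestId values are UUID-shaped, as in the export shown in the thread.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def build_role_policy(roles, applications, export_date, export_version="4.2.0 "):
    """Return a dict shaped like the ROLE_POLICY export shown in the thread."""
    app_names = {a["uniqueId"]: a["name"] for a in applications}
    seen, out_roles = set(), []
    for role in roles:
        name = role["name"].strip()
        if not name or name in seen:
            raise ValueError(f"missing or duplicate role name: {name!r}")
        seen.add(name)
        perms = []
        for p in role["permissions"]:
            # Every permission must reference an application declared in the file.
            if p["applicationId"] not in app_names:
                raise ValueError(f"{name!r}: unknown applicationId {p['applicationId']!r}")
            if not UUID_RE.match(p["digestId"]):
                raise ValueError(f"{name!r}: malformed digestId {p['digestId']!r}")
            perms.append({
                "application": app_names[p["applicationId"]],
                "applicationId": p["applicationId"],
                "name": p["name"],
                "description": p.get("description", ""),
                "criteria": {"operator": "AND", "childCriteria": [
                    {"attributeKey": "digestId", "operator": "MATCHES",
                     "value": p["digestId"]}]},
            })
        out_roles.append({
            "name": name,
            "description": role.get("description", ""),
            "riskMode": role.get("riskMode", "MAN"),
            # Assumption: a stable 32-hex id derived from the name is accepted on import.
            "uniqueId": uuid.uuid5(uuid.NAMESPACE_URL, "tr:" + name).hex,
            "permissions": perms,
        })
    return {"type": "ROLE_POLICY", "export-version": export_version,
            "export-date": export_date, "roles": out_roles,
            "applications": applications}

# Constructed sample input; the ids reuse the values from the export above.
SAMPLE_APPS = [{"uniqueId": "55a607831ef44c378b4a9c3fe401cad0", "name": "eDir"}]
SAMPLE_ROLES = [{"name": "Finance Readers", "description": "Constructed example role",
                 "permissions": [{"applicationId": "55a607831ef44c378b4a9c3fe401cad0",
                                  "name": "finance", "description": "One liner",
                                  "digestId": "eb5d31d4-6206-3b4c-ae82-a6c26ecfdf0f"}]}]

if __name__ == "__main__":
    print(json.dumps(build_role_policy(SAMPLE_ROLES, SAMPLE_APPS, "09-1-2025 08:43:03"), indent=2))
```

Compare the generated file against a real export from your own instance before importing, since the fields the importer requires are not documented in this thread.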
Hi Jim, thanks for your feedback. I'm doing the same thing exporting a technical role from the IGA (24.3) console but the format is only in db and not in json. I will use your json example to understand the format and the data.
Hi Jim, do you have the same JSON example for importing technical roles with permissions and assigned users? Now I can import a massive number of technical roles via JSON but I need to assign these roles to users. Thanks in advance.
Oh, that's interesting. Normally you would assign a technical role to a set of users (and then it will fulfill and grant them the access in the downstream system) OR it runs in a detective mode, where after collecting data from an app collector, it will identify if a user has all the rights of a tech role. I've not attempted to, or thought about assigning via API before. What are you trying to accomplish? If you are trying to assign roles, you might be able to wrap the tech role in a business role, then use attributes of the user to assign it. But it sounds like you have a list you are starting from. Maybe you need to collect those assignments?
--Jim
Hello,
Assigning a Technical Role from the TR catalog will not cause Authorization requests to be created. The user will simply be assigned to the TR. For the Authorizations to be created the TR must be requested from Access Request or Authorized by a Business Role.
Sincerely,
Steven Williams
Principal Enterprise Architect
OpenText Cybersecurity
Thanks for the correction!
We have circa 100 TRs already present in an LDAP source with permissions and users for each TR. We need to import this "picture" into IGA via a scheduled process that generates a JSON with all this info: TR name, TR description (info very important for the review process), TR users assigned and permissions. At this moment I am missing how to reference users in the JSON file.
I don't think you can import membership as part of the role object. You might try to watch the network tab in developer tools while you assign a user, to see what the REST call looks like, and possibly automate making similar calls, however, I'll suggest a different strategy here.
Since you have this data in an LDAP source, what do you think about just using an application permission and account collector against your LDAP source? You could pull in role objects as permissions with a type of "role" and pull in any other permissions they contain as parent/child permissions. Similarly, if you collect in accounts, you should be able to get the role members in as well. If you can get that set up, then the review should be really straightforward to set up.
Do you have to use the JSON format, or could you use LDAP here? If your goal is to get them reviewed, I'd probably switch to treating them like perms and collect them in as an application.
--Jim
Thanks Jim for your help. I resolved it by importing roles via JSON and user memberships via CSV. Last question: is there a way to delete all TRs via the GUI in "one shot", without opening the edit option for each role?
Alas, I don't think there is a quick way to select all (or many) and delete.
It should be a single REST call, if you have the ID of the TR, so you *could* hit the API repeatedly with the offending TR IDs, but you'd likely want to script that or be careful with a Postman instance.
--Jim