Steve Spencer's Blog

Blogging on Azure Stuff

Automating Azure AD Entitlement Management with Graph API

This post builds on two previous posts: one that introduced Entitlement Management and one that introduced the Beta version of Graph API. Here I will show what Entitlement Management exposes through Graph API so that you can automate it.

The Entitlement Management part of Graph API is currently in Beta, so you will need to call the beta endpoint and use the beta SDK (the Microsoft.Graph.Beta NuGet package) to access it. The snippets below use the C# SDK.

Let’s assume that you have already setup your access packages and want to make your own portal to allow users to select the packages they want.

You’ll want to list the packages that are available first to allow the user to pick the package they require. This can be done using the Access Packages endpoint

using Microsoft.Graph;   // the beta SDK package (Microsoft.Graph.Beta) uses this same namespace

// authProvider is the IAuthenticationProvider that obtains a token for the signed-in user
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

// GET /identityGovernance/entitlementManagement/accessPackages
var accessPackages = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages
     .Request()
     .GetAsync();

This returns the access packages the caller is allowed to see. Two things control that. First, the permission is granted to your application, not to the user: the app needs the delegated permission EntitlementManagement.Read.All or EntitlementManagement.ReadWrite.All, consented for the signed-in user. Second, Entitlement Management applies its own roles on top of the Graph permission: a plain list of access packages is an administrator's view (Global administrator, Identity Governance administrator, catalog owner, access package manager), so for a portal aimed at end users you should ask Graph only for the packages the signed-in user is allowed to request rather than showing this list as-is.
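The snippet above fetches the administrator's view, and only the first page of it. As an added example (not code from the original post), the method below asks Graph for just the packages the signed-in user may request, using the accessPackage filterByCurrentUser function with on='allowedRequestor', and follows the @odata.nextLink paging so a large catalog is not silently truncated. It assumes the Microsoft.Graph.Beta SDK (v4-style request builders) and an already-authenticated GraphServiceClient; the IsHidden check and the helper name are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Graph;   // Microsoft.Graph.Beta package, same namespace

// Added example (not from the original post): list only the access packages
// the signed-in user is allowed to request, following every page of results.
public static class AccessPackageCatalogue
{
    public static async Task<List<AccessPackage>> ListRequestablePackagesAsync(GraphServiceClient graphClient)
    {
        var results = new List<AccessPackage>();

        // GET /identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='allowedRequestor')
        // The filter is evaluated server-side against each package's policies, so the
        // portal never has to re-implement (and get wrong) who is allowed to ask for what.
        var page = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages
            .FilterByCurrentUser(AccessPackageFilterByCurrentUserOptions.AllowedRequestor)
            .Request()
            .GetAsync();

        // Graph returns collections in pages; keep going until there is no next link.
        while (page != null)
        {
            foreach (var package in page)
            {
                // Hidden packages are meant to be reached by direct link only,
                // so do not advertise them in a general listing (assumed policy choice).
                if (package.IsHidden == true)
                {
                    continue;
                }
                results.Add(package);
            }

            page = page.NextPageRequest == null
                ? null
                : await page.NextPageRequest.GetAsync();
        }

        return results;
    }
}
```

Calling ListRequestablePackagesAsync(graphClient) from the portal's page handler gives you the Id, DisplayName and Description of each package to render; the user then picks one and you move on to creating a request for it.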

Graph API will also allow a user to request access to a package, and an admin to add or remove an assignment. All of these go through the same endpoint: you create an accessPackageAssignmentRequest and set its requestType. The snippet below, taken from the documentation's examples, is an administrator removing an existing assignment (AdminRemove), which is why it carries the Id of the assignment. A user asking for a package for themselves sends UserAdd instead, supplying the AccessPackageId and AssignmentPolicyId rather than an assignment Id.

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

// POST /identityGovernance/entitlementManagement/accessPackageAssignmentRequests
var accessPackageAssignmentRequest = new AccessPackageAssignmentRequestObject
{
     RequestType = "AdminRemove",                  // an admin removing someone's assignment
     AccessPackageAssignment = new AccessPackageAssignment
     {
         Id = "a6bb6942-3ae1-4259-9908-0133aaee9377",               // the existing assignment to remove
         TargetId = "46184453-e63b-4f20-86c2-c557ed5d5df9",         // the user who holds it
         AssignmentPolicyId = "2264bf65-76ba-417b-a27d-54d291f0cbc8" // the policy it was granted under
     }
};

await graphClient.IdentityGovernance.EntitlementManagement.AccessPackageAssignmentRequests
     .Request()
     .AddAsync(accessPackageAssignmentRequest);

The code above was adapted from the examples in the Graph documentation, which cover more scenarios.

The following request types can be used:

  • UserAdd
  • UserRemove
  • AdminAdd
  • AdminRemove
  • SystemRemove

So the same request type covers adding and removing assignments by either the user or an admin. The User* types act on the signed-in user's own assignments only, and Graph evaluates them against the package's policy (who may request, approval, expiry). The Admin* types bypass the self-service policy checks and therefore require the caller to hold an entitlement management role such as catalog owner or access package manager in addition to EntitlementManagement.ReadWrite.All. SystemRemove is the value you will see on requests the service itself generates, for example when an assignment expires, not one you submit.

You can view the assignments for a user by using the Access Package assignment endpoint:

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

// GET /identityGovernance/entitlementManagement/accessPackageAssignments/filterByCurrentUser(on='target')
// 'target' means assignments where the signed-in user is the recipient
var filterByCurrentUser = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackageAssignments
     .FilterByCurrentUser(AccessPackageAssignmentFilterByCurrentUserOptions.Target)
     .Request()
     .GetAsync();

These endpoints should be enough to get you started with automating Entitlement Management, but there are more features that can be automated if you need them (catalogs, policies, approvals and connected organizations, for example). All the resources currently available are listed in the Entitlement Management API documentation.