Hi
I am trying to utilize ISE APIs to manage users…
So I can create new users with no problems.
I started having issues when I needed to assign an internal user to an identity group. My script works only if the user is already a member of at least one group, but fails if the user had no previously assigned group(s). I figured that this behaviour is due to the following: if a user is created without specifying identitygroup, then updating the identitygroup attribute (using PUT: https://isenode:9060/ers/config/internaluser/{userid}) fails as it doesn’t exist.
The only way around this I found is the following: read user {userid} (using GET: https://isenode:9060/ers/config/internaluser/{userid}), modify the response to add <identitygroups>{GroupID}</identitygroups> and feed it to POST: https://isenode:9060/ers/config/internaluser.
This effectively overwrites/recreates the same user (at least this is how it looks) with the same ID and password.
I am concerned whether the above has any implications?
I have a similar situation when I try to remove the group(s) from the user.
When the user is a member of multiple groups, it would allow me to use PUT to remove some of the group(s), but not every group and not in any order. I have noticed that in the GUI you have an option to remove only the last group (and they are sorted in alphabetical order). Does that sound right?
And finally, if the user is a member of only 1 identity group, what is the best way to remove it via API?
Since we cannot use PUT https://isenode:9060/ers/config/internaluser/{userid} with <identityGroups /> (as it fails validation), the only way I see to achieve that is to overwrite the user with POST: https://isenode:9060/ers/config/internaluser, leaving out the identityGroups attribute (same methodology as I was using to assign the 1st group).
I would really appreciate any thoughts on this.
Thanks.