
Netskope Global Technical Success (GTS)

Endpoint in REST API V2 for User and Group Management

 

Netskope Cloud Version - 126

 

Objective

Utilize REST API V2 SCIM endpoints to manually create SCIM users and groups.

 

Context

Manually created users are not automatically designated as SCIM users. Consequently, they receive the default steering configuration profile ("Default tenant config") and the default client configuration profile ("Default tenant config"). This automatic assignment occurs because profile application for steering and client configurations necessitates group membership.

As a workaround, we can use REST API V2 to create the users and groups. Users created this way become SCIM users, which means they can be added to groups and can therefore receive custom steering and configuration profiles.

 

⚠️ Important

  • Any change needed on users created via REST API V2 (e.g. deleting a user or group, adding a user to or removing a user from a group) has to be performed only via REST API V2.
  • We do not suggest handling many users in this way.
  • User enrollment will be performed through email invite once a new SCIM User is created.

 

Prerequisite

You can use any application capable of sending HTTP requests. This article will demonstrate using Postman (https://www.postman.com/), a tool where you can directly input the request URL (see below).

 


ℹ️ Important to know

HTTP METHODS

  • GET: Retrieves data from the server without modifying it. 
  • POST: Sends data to the server to create a new resource or trigger an action.
  • PATCH: Partially updates an existing resource on the server. 

HTTP RESPONSE CODES

  • 1xx (Informational): Indicates that the request was received and is being processed (e.g., 100 Continue).
  • 2xx (Success): Indicates that the request was successfully processed (e.g., 200 OK).
  • 3xx (Redirection): Indicates that further action is needed to complete the request (e.g., 301 Moved Permanently).
  • 4xx (Client Error): Indicates an error with the request sent by the client (e.g., 404 Not Found).
  • 5xx (Server Error): Indicates that the server encountered an error while processing the request (e.g., 500 Internal Server Error).

Swagger REST API V2 tool

Each Netskope tenant provides a direct link to its Swagger tool (API DOCUMENTATION). Tenant administrators can access this tool via "Settings > Tools > REST API V2". The Swagger tool allows administrators to review the syntax and test REST API v2 calls for their specific tenant.

 


 

 

Before we begin

A REST API V2 token with SCIM endpoints needs to be created.

Step #1 - Ensure that REST API V2 is enabled.

Path: Netskope Tenant UI >>> Tools >>> REST API V2

  • If not enabled, click the pen icon under “REST API STATUS” and set it to “Enabled”


 

Step #2 - Create a SCIM token

Path: Netskope Tenant UI >>> Tools >>> REST API V2

  • Click on “New Token”, add a token name, search for the below endpoints and grant the token read and write privileges on them


  • Click on “Save” and make sure you save the REST API V2 token by clicking “COPY TOKEN” as shown below


ℹ️ Variables

  • <TENANT-HOSTNAME>: The Netskope tenant’s hostname, e.g. mytenant.eu.goskope.com
  • <API-TOKEN>: The REST API V2 token created above.

*The variables in each request are highlighted as above.

 

Creating a new SCIM User

When creating a new SCIM User, we will need to send a POST against /api/v2/scim/Users as shown below

 

curl --location --request POST 'https://<TENANT-HOSTNAME>/api/v2/scim/Users' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Netskope-Api-Token: <API-TOKEN>' \
--data-raw '{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "<UPN>",
  "name": {
    "familyName": "<FAMILY-NAME>",
    "givenName": "<GIVEN-NAME>"
  },
  "active": true,
  "emails": [
    {
      "value": "<EMAIL>",
      "primary": true
    }
  ],
  "externalId": "User-Ext_id",
  "meta": {
    "resourceType": "User"
  }
}'

 

After executing the above, we expect to receive an HTTP return code: 201 (OK).
In addition to the return code “201 (OK)”, the response body will contain the new user’s ID. Please refer to the below example:


Retrieve the new User’s information

To pull the information of the user we just created, you can send the following:

curl --location --request GET 'https://<TENANT-HOSTNAME>/api/v2/scim/Users/<USER-ID>' \
--header 'accept: application/scim+json;charset=utf-8' \
--header 'Netskope-Api-Token: <API-TOKEN>' \
--header 'Content-Type: application/scim+json;charset=utf-8'

 

On the other hand, you can pull the first 1000 Users by sending:

curl --location --request GET 'https://<TENANT-HOSTNAME>/api/v2/scim/Users' \
--header 'accept: application/scim+json;charset=utf-8' \
--header 'Netskope-Api-Token: <API-TOKEN>' \
--header 'Content-Type: application/scim+json;charset=utf-8'

 

Creating a new group

To create an empty new group, we will need to send a POST against /api/v2/scim/Groups as shown below

curl --location --request POST 'https://<TENANT-HOSTNAME>/api/v2/scim/Groups' \
--header 'accept: application/scim+json;charset=utf-8' \
--header 'Netskope-Api-Token: <API-TOKEN>' \
--header 'Content-Type: application/scim+json;charset=utf-8' \
--data '{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "displayName": "<GROUP-NAME>",
  "members": [
    {
      "value": ""
    }
  ],
  "externalId": "Group-Ext_id",
  "meta": {
    "resourceType": "Group"
  }
}'

 

We could also add Users while creating the group with the following:

curl --location --request POST 'https://<TENANT-HOSTNAME>/api/v2/scim/Groups' \
--header 'accept: application/scim+json;charset=utf-8' \
--header 'Netskope-Api-Token: <API-TOKEN>' \
--header 'Content-Type: application/scim+json;charset=utf-8' \
--data '{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "displayName": "<GROUP-NAME>",
  "members": [
    { "value": "<USER-ID-1>" },
    { "value": "<USER-ID-2>" },
    { "value": "<USER-ID-3>" }
  ],
  "externalId": "Group-Ext_id",
  "meta": {
    "resourceType": "Group"
  }
}'

 

Upon successful execution, expect an HTTP status code of 201 (OK). The response body will then contain the ID of the newly created group.

 

Retrieve the new Group’s information

To pull the information of the Group we just created, you can send the following:

curl --location --request GET 'https://<TENANT-HOSTNAME>/api/v2/scim/Groups/<GROUP-ID>' \
--header 'accept: application/scim+json;charset=utf-8' \
--header 'Netskope-Api-Token: <API-TOKEN>' \
--header 'Content-Type: application/scim+json;charset=utf-8'

 

On the other hand, you can pull the first 1000 Groups by sending:

curl --location --request GET 'https://<TENANT-HOSTNAME>/api/v2/scim/Groups/' \
--header 'accept: application/scim+json;charset=utf-8' \
--header 'Netskope-Api-Token: <API-TOKEN>' \
--header 'Content-Type: application/scim+json;charset=utf-8'

 

Add a User into a Group

To add a User into a group, we will need to send a PATCH against /api/v2/scim/Groups as shown below

curl --location --request PATCH 'https://<TENANT-HOSTNAME>/api/v2/scim/Groups/<GROUP-ID>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Netskope-Api-Token: <API-TOKEN>' \
--data '{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "value": "<USER-ID>"
        }
      ]
    }
  ]
}'

 

ℹ️ The above REST API request uses the add operation. As shown below in the screenshot taken from Swagger, the available operations are: Add, Remove, Replace

 

Upon successful execution, the expected HTTP response is a 204 (OK) status code with an empty response body, as illustrated in the example below.


We can also check on the tenant by searching for the members of the group we previously created.

Path: Netskope Tenant UI >>> Security Cloud Platform >>> Netskope Client >>> Groups

  • Click on group’s setting, then “View Details” or send invitation (when you’re ready to deploy)

 


  • The interface will show you the group’s members


 

A new Steering or Client configuration profile can now be created and assigned to the newly created group.
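
Added example (not from the original article or from Netskope): the create-user and add-to-group requests above chained in Python, checking for the 201 and 204 codes the article expects and building the members list as one object per user ID. The function names, the fake_send stand-in and all sample values are assumptions made for illustration.

```python
import json
import urllib.request

def user_payload(upn, given, family, email, external_id):
    """SCIM core User body with the same fields as the article's curl request."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": upn,
        "name": {"familyName": family, "givenName": given},
        "active": True,
        "emails": [{"value": email, "primary": True}],
        "externalId": external_id,
        "meta": {"resourceType": "User"},
    }

def add_members_patch(user_ids):
    """PatchOp 'add' body: one {"value": id} object per member."""
    members = [{"value": uid} for uid in user_ids]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "add", "path": "members", "value": members}]}

def http_send(method, url, body, token):
    """Real transport: returns (status, parsed JSON body or None)."""
    headers = {"Netskope-Api-Token": token, "Accept": "application/json",
               "Content-Type": "application/json"}
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method=method)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def fake_send(method, url, body, token):
    """Constructed stand-in for the tenant so the flow can be dry-run offline."""
    return (201, {"id": "constructed-user-id"}) if method == "POST" else (204, None)

def provision(host, token, user, group_id, send=http_send):
    """Create the user (expect 201 and an id), then add it to the group (expect 204)."""
    status, created = send("POST", f"https://{host}/api/v2/scim/Users", user, token)
    if status != 201 or not created or "id" not in created:
        raise RuntimeError(f"user creation failed: HTTP {status}")
    url = f"https://{host}/api/v2/scim/Groups/{group_id}"
    status, _ = send("PATCH", url, add_members_patch([created["id"]]), token)
    if status != 204:
        raise RuntimeError(f"group update failed: HTTP {status}")
    return created["id"]

if __name__ == "__main__":
    # Real tenant: drop fake_send and load the token from the environment, not argv.
    user = user_payload("jane@example.com", "Jane", "Doe", "jane@example.com", "jane-ext-1")
    print(provision("mytenant.eu.goskope.com", "not-a-real-token", user, "constructed-group-id", fake_send))
```

Because the token has read and write access to the SCIM endpoints, keep it out of shell history and process listings when moving from the dry run to a real tenant.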


 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.