Access Profile and Entitlement APIs Can't Handle Plus Symbol

We have entitlements and access profiles that include the plus symbol (+), these are being aggregated without any issues, but when using the v3 Access Profiles or Entitlements API to list we are not able to filter on the exact name of these resources. Example query:

https://[TENANT_URL]/v3/access-profiles?filters=name%20eq%20%22Test%20Entitlement%20With+%22

Ideally there’d be a way to filter to these resources with some kind of encoding, but I haven’t been able to find any that works for me.

When reaching out to support on this I was pointed to this article discussing errors when aggregating entitlements:

This isn’t the issue that we’re facing, but does seem to point to an underlying issue if there have been problems in the past when handling entitlements with special characters.

2 Likes

Hello James,

just come across the Search Query document recently. I believe in your case, it’s related to handle special characters: Building a Search Query - SailPoint Identity Services

not 100% sure if the elastic query is the same query can be used in the API query parameter. but maybe you can give it a try? Or otherwise, I believe at least you can use it with Search Post API search-post | SailPoint Developer Community to achieve sam goal.

so in your case, the search query might be

name.exact:/.*+.*/
1 Like

There is an open engineering ticket to investigate this issue (SAASTRIAGE-2891).

1 Like

Hi Yu,

Thanks for that information, I had tried using wildcards and regexes but hadn’t tried with the slashes they talk about there. Unfortunately it still didn’t make a difference for the filter function, I think it must just be a search feature.

We would use the search API but unfortunately the access profile owner information doesn’t come back from the search queries, and we need that for the integration we’re using. I’ve tried adding in owner as a field in search:

 "fields": [
            "name",
            "description",
            "displayName",
            "owner"
        ],

But that doesn’t work, have also tried owner.email or owner.id, but not been able to get anything back on this. The only alternative I can think of would be to use search to get the entitlement and access profile IDs, and then use the direct APIs to get the data, but that’s doubling the number of API calls we have to do so not ideal, the work we’re doing is to try and reduce the time needed for some of our automation, so this would go against the overall goal.

1 Like

Thanks for the update Colin, good to know this is being looked at! When was the ticket opened? Do you have any idea on some kind of ETA for this kind of thing? (is this something that might be open for months or more like days or weeks?)

It was opened 2 days ago. ETA is hard to gauge on these items until a priority is assigned to the ticket.

2 Likes

Hi Colin. Seeing if there is an update to this case as yet (SAASTRIAGE-2891)

Engineering has opted to document this limitation in the API spec for the time being. The issue is in the underlying service that handles these filters, and this service is due to be upgraded at the end of the year. This may fix the issue, but for the time being engineering is not going to prioritize this.

Hello,

We have the same issue there, we need to add entitlements to Access Profile and we cannot do it through the UI because of this plus symbol in the entitlement.

Is there any ETA for this resolution ?

Hi James

We also had issues for a Source Name that had a plus symbol.

We ended up using the word “plus” instead of the symbol.

Yeah that makes sense if it’s the source that has the problem, unfortunately for us it’s entitlements, so much harder to get them all changed in the different systems.

@colin_mckibben you mentioned that the underlying service for the filters was upgraded at the end of last year, it doesn’t look like this has resolved the issue. What’s the status of the ticket now?