Access Profiles Assigned to User on specific Source

Hello Experts,

I am trying to generate a report that contains all access profiles assigned to a user on a specific source. Is there any way to achieve this via a search query, or do we need to leverage PowerShell scripts? Please provide your insights on this.

# Get the user ID
$userResponse = Invoke-RestMethod -Uri "$tenantUrl/v3/search?query=username:$username" -Method Get -Headers @{ Authorization = "Bearer $accessToken" }
$userId = $userResponse[0].id

# Get the access profiles for the user
$accessProfilesResponse = Invoke-RestMethod -Uri "$tenantUrl/v3/access-profiles?userId=$userId" -Method Get -Headers @{ Authorization = "Bearer $accessToken" }

# Output the access profiles
$accessProfilesResponse

While I was trying the above API calls, it was pulling ownership of access profiles but not the access of the user.

Thanks,
Mahesh

You could try a search, something like

@access(source.name:"sourceName")

Then check the Access Profiles column, and when you download the report you can select "Include Access Details".

Let me know how that works

@vkashat Thanks Vincent, I tried this search query earlier, but we are trying to get the associated access profiles along with the Access Profile ID; this ID will be used as an input file for the access request we submit via PowerShell script.

You don't need to do two API calls to get the Access Profiles associated to a user. When you use the search endpoint and search for a specific identity, all of its access is listed in the response in the access[] array. From there, you can filter the data of type: ACCESS_PROFILE.
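To show how the filtering Kapil describes can be done against the identity document that POST /v3/search returns, here is an added example (not code from the thread or from SailPoint). It assumes the document shape described in this thread (an access[] array whose entries carry type, id, name and source.name) and uses a constructed sample document so it runs offline; the tenant call is in a separate function so the filter can be tested without a token.

```powershell
# Added example: pull the ACCESS_PROFILE entries (and their IDs) for one identity
# out of a v3 search identity document, optionally restricted to a single source.
# Field names (access[].type, .id, .name, .source.name) are taken from the thread's
# description of the search response; the sample document below is constructed.

function Get-AssignedAccessProfiles {
    param(
        [Parameter(Mandatory)] $IdentityDocument,  # one element of the array returned by POST /v3/search
        [string] $SourceName                        # optional: keep only access profiles on this source
    )

    # The access[] array mixes ENTITLEMENT, ACCESS_PROFILE and ROLE items; keep only access profiles.
    $items = @($IdentityDocument.access) | Where-Object { $_.type -eq 'ACCESS_PROFILE' }

    if ($SourceName) {
        $items = $items | Where-Object { $_.source.name -eq $SourceName }
    }

    # Flatten to the columns a downstream access-request script needs (the ID is what the
    # thread asks for); Export-Csv works directly on these objects.
    foreach ($ap in $items) {
        [pscustomobject]@{
            identity          = $IdentityDocument.name
            accessProfileId   = $ap.id
            accessProfileName = $ap.name
            source            = $ap.source.name
        }
    }
}

function Invoke-IdentitySearch {
    # Live lookup against a tenant; $TenantUrl, $AccessToken and $Username are supplied by the caller.
    param(
        [Parameter(Mandatory)] [string] $TenantUrl,
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $Username
    )
    $body = @{
        indices = @('identities')
        query   = @{ query = "attributes.username:$Username" }
    } | ConvertTo-Json -Depth 5

    Invoke-RestMethod -Uri "$TenantUrl/v3/search" -Method Post -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body
}

# Constructed sample: one identity document as it would appear in the search result array.
# The IDs are placeholders, not values from any tenant.
$sampleDocument = @'
{
  "id": "IDENTITY-ID-PLACEHOLDER",
  "name": "jdoe",
  "access": [
    { "type": "ENTITLEMENT",    "id": "ENT-PLACEHOLDER-1", "name": "CN=Domain Users", "source": { "name": "Active Directory" } },
    { "type": "ACCESS_PROFILE", "id": "AP-PLACEHOLDER-1",  "name": "AD Basic User",   "source": { "name": "Active Directory" } },
    { "type": "ACCESS_PROFILE", "id": "AP-PLACEHOLDER-2",  "name": "SAP Finance",     "source": { "name": "SAP" } },
    { "type": "ROLE",           "id": "ROLE-PLACEHOLDER-1","name": "Employee" }
  ]
}
'@ | ConvertFrom-Json

# Offline run: only the Active Directory access profile (AP-PLACEHOLDER-1) is returned.
Get-AssignedAccessProfiles -IdentityDocument $sampleDocument -SourceName 'Active Directory' | Format-Table -AutoSize
```

For a real tenant, replace the sample with `(Invoke-IdentitySearch -TenantUrl $tenantUrl -AccessToken $accessToken -Username $username)[0]` and pipe the result to `Export-Csv -NoTypeInformation` to get the ID file for the access-request script. Note that POST /v3/search returns a plain array of identity documents, so the first match is element 0, not a hits.hits wrapper.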

@kdfreeman Hi Kapil,

I modified my script, but it is still pulling wrong data.

# Assumed to be set earlier in the script: $tenantUrl, $clientId, $clientSecret, $username, $includeCSV, $csvFilePath

# Get the access token
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Uri "$tenantUrl/oauth/token" -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body
$accessToken = $response.access_token

# Get the user details including access profiles
$searchBody = @{
    indices = @("identities")
    query = @{
        query = "attributes.username:$username"
    }
}

$userResponse = Invoke-RestMethod -Uri "$tenantUrl/v3/search" -Method Post -ContentType "application/json" -Headers @{ Authorization = "Bearer $accessToken" } -Body ($searchBody | ConvertTo-Json -Depth 5)

# Debugging output
Write-Output "User Response: $($userResponse | ConvertTo-Json -Depth 10)"

# POST /v3/search returns a plain JSON array of identity documents (there is no hits.hits wrapper),
# so the first match is $userResponse[0]; its access[] array holds entitlements, access profiles and roles.
$accessProfiles = @($userResponse[0].access | Where-Object { $_.type -eq "ACCESS_PROFILE" })

# Debugging output
Write-Output "Access Profiles: $($accessProfiles | ConvertTo-Json -Depth 10)"

# Convert the access profiles to a DataTable
$dataTable = New-Object System.Data.DataTable
if ($accessProfiles.Count -gt 0) {
    $accessProfiles[0].psobject.Properties.Name | ForEach-Object { [void]$dataTable.Columns.Add($_) }
    $accessProfiles | ForEach-Object {
        $item = $_   # keep the access profile in scope; $_ is rebound to the property name in the inner loop
        $row = $dataTable.NewRow()
        $item.psobject.Properties.Name | ForEach-Object { $row[$_] = [string]$item.($_) }
        $dataTable.Rows.Add($row)
    }
} else {
    Write-Output "No access profiles found for the user."
}

# Generate the CSV version of the report
if ($includeCSV -eq $true) {
    $dataTable | Export-Csv -Path $csvFilePath -NoTypeInformation
    Write-Output "Access profiles have been saved to $csvFilePath"
}

What exactly are you looking for? From your initial question, you asked to generate a report that contains all assigned access profiles. From that search query, you will get all the user info including all the access they have. You can use a filter in your code to filter the "ACCESS_PROFILE" entries you are looking for.

I need to get the IDs of the Access Profiles.

The search response has all the details of the Access Profile. If you look into the access array and the respective Access Profile, each specific Access Profile has all the information such as id, name, source, description, displayName, owner.

Hi Mahesh,
You can use the following API to retrieve all access profiles assigned to a user:
API Endpoint - https://sailpoint.api.identitynow.com/v2024/historical-identities/:id/access-items

Parameters:

  • id → Identity ID
  • type (Query Parameter) → Set to accessProfile

Once you receive the response, you can further filter the access profiles by source.

Ref link - list-identity-access-items | SailPoint Developer Community

Let me know if that works!

Thank You,
Ganesh


Thanks Ganesh, it worked.
