API Search with term filters: Can't use it correctly

Hello dev team,
It seems I am not able to either fully understand how filter terms work (API Search call) or it works as expected, just not how I expected.

Here is my query:

{
  "indices": ["identities"],
  "query": {
    "query": "@access(source.name:\"Active Directory\" AND name:(\"Employees\")) AND !(attributes.city:\"Singapore\")"
  },
  "queryResultFilter": {
    "includes": [
      "id",
      "accounts.source.id",
      "accounts.source.name",
      "accounts.accountId",
      "attributes.displayName",
      "attributes.workPhone",
      "access.name",
      "access.type",
      "access.source.id",
      "access.id"
    ]
  }
}

The thing is, everything looks good (I only need the fields that I have in the include), but from “access” I just need entitlements (type = ENTITLEMENT), no roles or access profiles.

I have tried to add:

"filters": {
     "access.type": {
       "type": "TERM",
       "terms": [
         "ENTITLEMENT"
       ],
       "exclude": true
     }}

But it doesn't really make any difference at all.

Did I get the filter feature just wrong?

I don’t totally understand how the filter works, but if I omit the exclude option, then it definitely removes identities from the result. Are you trying to exclude access items that are entitlements from the result set, or are you trying to exclude identities that have entitlements? If you are trying to exclude access items that are entitlements, I don’t think it will work since the index is on identities and not access items. You will have to post process the data in a different tool to remove access items that are entitlements.

Oh I see, I am trying to exclude every access item that is not an entitlement (I just need entitlements, not roles or AP), but all the other fields and the identities matching the query should be there.

In a way, identities matching query should still be there, but I want to limit/filter the type of access that will show up in the result. I hope that makes sense

Not that this directly applies to the question at hand, but am I the only one who wants the option to limit access profiles/entitlements that are granted via role membership from search? We have a lot of “birthright” roles (like distros for your location/building) that people see an existing person has, and think they need to request it, not knowing it will be automatically granted.

You can kinda do this in your BI software by excluding APs that are included in roles, but it doesn’t mean that person didn’t request it directly.

Anyway, sorry for hijacking

Sounds like a good #feedback:feature-requests topic :slight_smile:

Yea, I don’t think Elasticsearch works that way (which is what search is built on). You’ll definitely need to do some post processing. If you have the time, you can check out my video on API reporting using TypeScript. I kind of go into this topic of filtering API results.

1 Like
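
The post-processing suggested in the replies above, as an added example that is not part of the original thread or of any poster's code. It assumes the search call returns an array of identity documents, each with a nested `access` array; the sample documents are constructed, the `ROLE` and `ACCESS_PROFILE` type values are assumed, and the function names `keepAccessTypes` and `toEntitlementRows` are hypothetical.

```javascript
// Constructed sample of what the search call returns for the query above:
// one document per identity, each carrying every access item it holds.
const sampleHits = [
  {
    id: "id-001",
    attributes: { displayName: "Alice Example", workPhone: "555-0100" },
    accounts: [{ accountId: "alice", source: { id: "src-ad", name: "Active Directory" } }],
    access: [
      { id: "ent-1", name: "Employees", type: "ENTITLEMENT", source: { id: "src-ad" } },
      { id: "role-1", name: "Birthright", type: "ROLE" }, // assumed type value
      { id: "ap-1", name: "AD Base Access", type: "ACCESS_PROFILE", source: { id: "src-ad" } },
    ],
  },
  {
    id: "id-002",
    attributes: { displayName: "Bob Example" },
    accounts: [],
    access: [{ id: "role-1", name: "Birthright", type: "ROLE" }],
  },
  { id: "id-003", attributes: { displayName: "Carol Example" } }, // no access array at all
];

// Keep every identity, but narrow its access list to the wanted types.
// Identities with no matching access stay in the result with an empty list.
// The input documents are not mutated.
function keepAccessTypes(hits, types = ["ENTITLEMENT"]) {
  const wanted = new Set(types);
  return hits.map((hit) => ({
    ...hit,
    access: Array.isArray(hit.access)
      ? hit.access.filter((item) => item && wanted.has(item.type))
      : [],
  }));
}

// Flatten to one row per (identity, entitlement) for a report or CSV export.
function toEntitlementRows(hits) {
  return keepAccessTypes(hits).flatMap((hit) =>
    hit.access.map((item) => ({
      identityId: hit.id,
      displayName: hit.attributes?.displayName ?? "",
      entitlementId: item.id,
      entitlementName: item.name,
      sourceId: item.source?.id ?? "",
    }))
  );
}

console.log(JSON.stringify(toEntitlementRows(sampleHits), null, 2));
```
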

Awesome, thank you Colin. I will see how I can do it, I am currently using this search call to overcome the limit of 2mb (workflow), as “get identities” could fill that up.
