Bulk update entitlement owner in SailPoint ISC

Hi Team,

Can someone provide us the current working PowerShell script to update the entitlement owner for a specific source in bulk using a CSV? (We are planning to input Entitlementname,ownermail in the CSV.)

Can you not just upload the CSV for the source with the corrected owners? I am not sure why you would need a PS script for this, unless you were wanting to change the ownership on the target system. If that is the case, it is probably best to do it there instead of through SailPoint and then run an entitlement aggregation.

Hi @Badebaji ,

Here is the PowerShell code you're looking for:

    function Get-Entitlements {
        param (
            [string]$Tenant = "YOUR_TENANT",
            [string]$AccessToken = "YOUR_TOKEN",
            [int]$Limit = 250
        )

        $headers = @{
            "Authorization" = "Bearer $AccessToken"
            "Content-Type"  = "application/json"
        }

        $offset = 0
        $allEntitlements = @()
        $hasMore = $true

        # Page through the results until an empty page comes back
        while ($hasMore) {
            $url = "https://$Tenant/v3/entitlements?limit=$Limit&offset=$offset"

            try {
                $response = Invoke-RestMethod -Uri $url -Headers $headers -Method Get

                # This loop reads the results from an "items" property on the response
                if ($response.items.Count -gt 0) {
                    $allEntitlements += $response.items
                    $offset += $Limit
                } else {
                    $hasMore = $false
                }
            }
            catch {
                Write-Error "Failed to retrieve entitlements: $_"
                break
            }
        }

        return $allEntitlements
    }

    function Update-EntitlementOwner {
        param (
            [string]$Tenant = "YOUR_TENANT",
            [string]$AccessToken = "YOUR_TOKEN",
            [string]$OwnerId,  # The identity ID of the new owner
            [array]$Entitlements
        )

        $headers = @{
            "Authorization" = "Bearer $AccessToken"
            "Content-Type"  = "application/json"
        }

        $endpoint = "https://$Tenant/v3/entitlements/bulk"

        # Process in batches of 50
        for ($i = 0; $i -lt $Entitlements.Count; $i += 50) {
            $batch = $Entitlements[$i..([math]::Min($i + 49, $Entitlements.Count - 1))]

            # @(...) keeps the payload an array even when the batch holds one entitlement
            $updatePayload = @($batch | ForEach-Object {
                @{
                    id = $_.id
                    owner = @{
                        id = $OwnerId
                        type = "IDENTITY"
                    }
                }
            })

            try {
                # -InputObject serializes the array as a JSON array instead of unrolling it
                $jsonBody = ConvertTo-Json -InputObject $updatePayload -Depth 5
                $response = Invoke-RestMethod -Uri $endpoint -Headers $headers -Method Patch -Body $jsonBody
                Write-Host "Updated batch of $($batch.Count) entitlements."
            }
            catch {
                Write-Error "Failed to update batch: $_"
            }
        }
    }

    # Example usage:
    $tenant = "tenant.identitynow.com"
    $token = "YOUR_TOKEN"
    $newOwnerId = "IDENTITY_ID_OF_NEW_OWNER"

    $allEnts = Get-Entitlements -Tenant $tenant -AccessToken $token
    Update-EntitlementOwner -Tenant $tenant -AccessToken $token -OwnerId $newOwnerId -Entitlements $allEnts


Let me know if you need anything else

Thanks in advance

Avinash Mulpuru

Also, I suggest taking a look at the solution provided by a peer using the UI.

Hi Avinash,
Thanks for sharing the script.
How can we filter for a specific source?

Update the above with the filter.

Also, maybe you can pull all the entitlements from that source to a CSV, read them one by one, and add one more filter to the URL as:

    $url = "https://$Tenant/v3/entitlements?filters=source.id eq `"sourceid`" and name eq `"$($entitlement)`""

This will double-check and change only entitlements in the source you're looking at.

Let me know if you need anything extra.
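A dry-run planner for the CSV approach discussed in this thread, added here as an example and not code from any of the posters: it validates each row and builds the per-entitlement lookup URL with the filter from the reply above, URL-encoded, without calling the API. The function name, the `EntitlementName`/`OwnerEmail` column names, the sample rows and the source ID placeholder are assumptions; resolving each owner email to an identity ID and applying the change are left out.

```powershell
# Added example: plans CSV-driven owner changes without making any API call.
# Assumed: CSV columns EntitlementName,OwnerEmail; URL shape as posted in this thread.
function New-OwnerUpdatePlan {
    param (
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_-]+$')][string]$SourceId,
        [Parameter(Mandatory)][object[]]$Rows
    )
    $seen = @{}   # entitlement name -> owner already assigned (keys are case-insensitive)
    foreach ($row in $Rows) {
        $name  = "$($row.EntitlementName)".Trim()
        $email = "$($row.OwnerEmail)".Trim()
        $problem = $null
        if (-not $name) { $problem = 'missing entitlement name' }
        # A quote or backslash would change the meaning of the filter string: do not send it
        elseif ($name -match '["\\]') { $problem = 'name contains a quote or backslash; handle manually' }
        elseif ($email -notmatch '^[^@\s"]+@[^@\s"]+\.[^@\s"]+$') { $problem = 'owner email is not well formed' }
        elseif ($seen.ContainsKey($name)) { $problem = "conflicts with earlier row assigning $($seen[$name])" }
        else { $seen[$name] = $email }

        $url = $null
        if (-not $problem) {
            # Scope every lookup to the one source so same-named entitlements elsewhere are untouched
            $filter = "source.id eq `"$SourceId`" and name eq `"$name`""
            $url = "https://$Tenant/v3/entitlements?filters=" + [uri]::EscapeDataString($filter)
        }
        [pscustomobject]@{
            EntitlementName = $name
            OwnerEmail      = $email
            LookupUrl       = $url
            Problem         = $problem
        }
    }
}

# Constructed sample input (not real data)
$csv = @'
EntitlementName,OwnerEmail
Finance-Approvers,alice@example.com
"HR ""Admins""",bob@example.com
Finance-Approvers,carol@example.com
VPN-Users,not-an-email
'@ | ConvertFrom-Csv

$plan = New-OwnerUpdatePlan -Tenant 'tenant.identitynow.com' -SourceId 'SOURCE_ID_PLACEHOLDER' -Rows $csv
$plan | Format-Table EntitlementName, OwnerEmail, Problem -AutoSize
$plan | Where-Object { -not $_.Problem } | Select-Object -ExpandProperty LookupUrl
```

With the sample rows, only the first `Finance-Approvers` row yields a lookup URL; the other three are reported with a reason, so the plan can be reviewed and kept as a record before any ownership change is applied.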

Hi Avinash,

Thanks for the update

Do we need to install any modules prior to running this script?

No, you don't need to install any.