Clean up the old Entitlement type entries from IdentityIQ

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

In SailPoint IdentityIQ, certain entitlements were initially created as Entitlement type and later recreated correctly as Group type. However, the original Entitlement type values are still appearing in certifications and causing confusion.

How can you identify and remove or clean up the old Entitlement type entries from IdentityIQ so they no longer appear in certifications? What steps or methods would you follow?

Thanks, Raju

Hi @santhirajumunganda ,

You can create a filter like `Filter.and(Filter.eq("application.name", "application_Name"), Filter.eq("attribute", "Entitlement"))`

This could create a filter of all the entitlements of your application with the attribute name "Entitlement". You can add this filter to QueryOptions and iterate over them to delete all the entitlements which are not required.

You can use the logic below:


```java
import java.util.Iterator;
import sailpoint.object.Application;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.object.Filter;
import sailpoint.api.Terminator;

// Deletes entitlements for a given application
String appName = "Application Name";
System.out.println("Deleting entitlements for application " + appName);
Application app = context.getObjectByName(Application.class, appName);
QueryOptions qo = new QueryOptions();
// Match every ManagedAttribute of this application whose attribute name is "Entitlement"
qo.add(new Filter[] { Filter.and(Filter.eq("application", app), Filter.eq("attribute", "Entitlement")) });
Terminator t = new Terminator(context);
Iterator itEnt = context.search(ManagedAttribute.class, qo);
if (itEnt != null) {
   while (itEnt.hasNext()) {
      ManagedAttribute ent = (ManagedAttribute) itEnt.next();
      System.out.println("Deleting ManagedEntitlement " + ent.getValue());
      try {
         t.deleteObject(ent);
      } catch (Exception e) {
         // Don't stop on error, but record which entry failed
         System.out.println("Failed to delete " + ent.getValue() + ": " + e.getMessage());
      }
   }
} else {
   System.out.println("No entitlements found");
}
```

1 Like

Hi @santhirajumunganda,
If you are looking to delete the entitlements of a type from IIQ to avoid them appearing in further certifications, you can try one of these approaches:

  1. Delete from Debug:
    This method is generally safer. Go to ManagedAttribute in the Object Browser, where you can sort the Type column and look for entries with entitlement. If there are only a limited number of entries, you can manually delete them one by one.

  2. Delete from the database using `DELETE FROM identityiq.spt_managed_attribute WHERE type = 'entitlement';`
    Make sure to proceed with this approach only if there are no other dependencies.

Hello @dheerajk27, I tested your rule and it is successfully deleting the entitlements from the attribute. However, I would like to restrict it to delete only those with the type 'Entitlement'. Could you please assist with that? You can check the screenshot below.
image

1 Like

Hi @manogna99, thank you for your response. While both approaches seem good, I'm specifically looking for a rule or task that can remove only entitlements of this particular type. I'd appreciate it if you could let me know how this can be achieved.

1 Like

Hi @santhirajumunganda, can you try this rule? It actually worked for me.

```xml
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" name="Delete_Entitlements_By_Type">
  <Source>

    import sailpoint.object.ManagedAttribute;
    import java.util.List;

    int count = 0;
    // Get list of all ManagedAttribute objects (every application, loaded into memory)
    List attrs = context.getObjects(ManagedAttribute.class);

    for (int i = 0; i &lt; attrs.size(); i++) {
        ManagedAttribute ma = (ManagedAttribute) attrs.get(i);

        // Only remove objects whose type is "Entitlement"; other types are left in place
        if (ma.getType() != null &amp;&amp; ma.getType().equalsIgnoreCase("Entitlement")) {
            context.removeObject(ma);
            System.out.println("Deleted: " + ma.getDisplayName());
            count++;
        }
    }

    context.commitTransaction();

    return "Deleted " + count + " entitlement(s)";

  </Source>
</Rule>
```

1 Like
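
The two rules in this thread filter either by application and attribute name or by type alone. The following added example (not code from any poster in this thread) combines both conditions and adds a dry-run pass so the matched entries can be reviewed before anything is removed. The application name and the `dryRun` switch are placeholders, and the rule is assumed to run with the usual `context` variable.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.Terminator;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Assumptions (not from the thread): placeholder application name and a dry-run switch.
String appName = "Application Name";
boolean dryRun = true;   // set to false only after reviewing the dry-run output

// Scope by application AND object type, so the recreated Group-type entries are untouched.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", appName));
qo.addFilter(Filter.ignoreCase(Filter.eq("type", "Entitlement")));

// Collect ids first with a projection query, so nothing is deleted while the cursor is open.
List ids = new ArrayList();
Iterator rows = context.search(ManagedAttribute.class, qo, "id");
while (rows.hasNext()) {
    Object[] row = (Object[]) rows.next();
    ids.add((String) row[0]);
}
Util.flushIterator(rows);

Terminator terminator = new Terminator(context);
int deleted = 0;
int failed = 0;
for (int i = 0; i < ids.size(); i++) {
    ManagedAttribute ma = (ManagedAttribute) context.getObjectById(ManagedAttribute.class, (String) ids.get(i));
    if (ma == null) continue;   // already removed by another process
    String label = ma.getAttribute() + "=" + ma.getValue() + " (type " + ma.getType() + ")";
    if (dryRun) {
        System.out.println("Would delete: " + label);
        continue;
    }
    try {
        terminator.deleteObject(ma);
        deleted++;
    } catch (Exception e) {
        failed++;   // keep going, but record which entry failed
        System.out.println("Failed to delete " + label + ": " + e.getMessage());
    }
    if ((i + 1) % 100 == 0) context.decache();   // keep the Hibernate session small
}
return dryRun ? "Dry run, matched " + ids.size() : "Deleted " + deleted + ", failed " + failed;
```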

Hey @manogna99, the code is working for all applications. Here are the results:

2 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.