Discrepancy in Entitlements: Transitioning from Old IAM System to IdentityNow

Hello everyone,

We are transitioning from an old IAM system to IdentityNow and encountering the following issue:

We have aggregated accounts and entitlements from AD and SAP Solution Manager. New roles have also been assigned through IdentityNow.

However, we have a discrepancy in entitlements. I would like to conduct an analysis to identify which entitlements have been assigned through IdentityNow roles and which entitlements are still coming from the old system without being associated with any role.

Are there ways to accomplish this?

Hi @HallChri
One way I can think of to do this is by using V3 REST API to get a list of all the roles, and parse the output to get a list of all distinct access profile IDs. Then, for each ID, make a REST API call to get the access profile, and fetch the list of entitlements from the response.

This might need a custom script, perhaps in PowerShell, or an automation using Postman's Collection Runner (which could be a low-code/no-code alternative, but I haven't explored it myself).

These APIs could help:

You can extract access profiles using a search query with the filter set to Identity and the output set to Access Profiles.

You can extract the roles of a user, find the access profiles from those roles, extract all access profiles of the user, and subtract the access profiles that come from roles. You get the access profiles that are not provisioned through IDN.

Extract entitlements from the left-over access profiles using the API call.

How Sushant described this is how I would approach it. Write a custom script to fetch all the entitlements assigned to APs and Roles using the approach Sushant provided, and then find the difference between the list of entitlements from IDN with the list of entitlements from the old IAM system to figure out which entitlements from the old IAM system are not assigned to an IDN access profile or role.
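The procedure the replies sketch (list roles, collect their access profiles, resolve each access profile to entitlements, then compare with what an identity actually holds) as an added worked example. This is not code from the original thread or from SailPoint; it assumes the V3 endpoints GET /v3/roles (paged with limit/offset), GET /v3/access-profiles/{id} and POST /v3/search over the identities index, whose documents carry an `access` list of ROLE, ACCESS_PROFILE and ENTITLEMENT items. The tenant responses are replaced by a constructed in-memory stand-in so it runs offline; `bearer_api` shows how the same functions would be pointed at a real tenant.

```python
"""Reconcile an identity's aggregated entitlements against what its IdentityNow
roles grant (added example; endpoint shapes and all sample data are assumptions)."""
import json
import urllib.request
from typing import Any, Callable

PAGE_SIZE = 250  # assumption: V3 list endpoints return at most 250 items per page
Api = Callable[[str, str, Any], Any]  # (method, path, json_body) -> parsed JSON


def bearer_api(base_url: str, token: str) -> Api:
    """Real caller for a tenant, e.g. https://{tenant}.api.identitynow.com (not used offline)."""
    def call(method: str, path: str, body: Any = None) -> Any:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            base_url + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call


def list_roles(api: Api) -> list[dict]:
    """Page through every role; a page shorter than PAGE_SIZE is the last one."""
    roles, offset = [], 0
    while True:
        page = api("GET", f"/v3/roles?limit={PAGE_SIZE}&offset={offset}", None)
        roles.extend(page)
        if len(page) < PAGE_SIZE:
            return roles
        offset += PAGE_SIZE


def role_entitlement_map(api: Api) -> dict[str, set[str]]:
    """role id -> entitlement ids reachable through the role's access profiles.
    Each access profile is fetched once even when several roles reference it."""
    roles = list_roles(api)
    ap_ids = {ap["id"] for r in roles for ap in r.get("accessProfiles", [])}
    ap_ents: dict[str, set[str]] = {}
    for ap_id in sorted(ap_ids):  # sorted: deterministic order, easier to resume
        ap = api("GET", f"/v3/access-profiles/{ap_id}", None)
        ap_ents[ap_id] = {e["id"] for e in ap.get("entitlements", [])}
    return {r["id"]: set().union(*(ap_ents[ap["id"]] for ap in r.get("accessProfiles", [])))
            for r in roles}


def identity_access(api: Api, identity_name: str) -> dict:
    """Fetch one identity document (id, name, access) from the search index."""
    body = {"indices": ["identities"],
            "query": {"query": f'name:"{identity_name}"'},
            "queryResultFilter": {"includes": ["id", "name", "access"]}}
    hits = api("POST", "/v3/search?limit=1", body)
    if not hits:
        raise LookupError(f"identity not found: {identity_name}")
    return hits[0]


def reconcile(api: Api, identity_name: str, role_ents: dict[str, set[str]]) -> dict[str, list[str]]:
    """Split the identity's entitlements into role-explained, unexplained (legacy/direct)
    and role-expected-but-missing (a provisioning gap worth a second look)."""
    access = identity_access(api, identity_name)["access"]
    held = {a["id"] for a in access if a["type"] == "ENTITLEMENT"}
    role_ids = {a["id"] for a in access if a["type"] == "ROLE"}
    explained = set().union(*(role_ents.get(r, set()) for r in role_ids))
    return {"granted_by_idn_role": sorted(held & explained),
            "not_from_any_idn_role": sorted(held - explained),
            "role_expects_but_missing": sorted(explained - held)}


# ---- constructed stand-in for the tenant (sample data, not real identifiers) ----
_ROLES = [{"id": "R1", "name": "Finance Analyst", "accessProfiles": [{"id": "AP1"}, {"id": "AP2"}]},
          {"id": "R2", "name": "SAP Basis", "accessProfiles": [{"id": "AP2"}, {"id": "AP3"}]}]
_APS = {"AP1": {"entitlements": [{"id": "ENT-AD-FIN"}, {"id": "ENT-AD-VPN"}]},
        "AP2": {"entitlements": [{"id": "ENT-SAP-SOLMAN-RO"}]},
        "AP3": {"entitlements": [{"id": "ENT-SAP-SOLMAN-ADMIN"}]}}
_IDENTITIES = {"a.lovelace": {"id": "I1", "name": "a.lovelace", "access": [
    {"id": "R1", "type": "ROLE"},
    {"id": "ENT-AD-FIN", "type": "ENTITLEMENT"},
    {"id": "ENT-SAP-SOLMAN-RO", "type": "ENTITLEMENT"},
    {"id": "ENT-AD-LEGACY-PRINTERS", "type": "ENTITLEMENT"},   # only the old IAM system knows this
    {"id": "ENT-SAP-SOLMAN-ADMIN", "type": "ENTITLEMENT"}]}}   # held, but no IDN role grants it


def fake_api(method: str, path: str, body: Any) -> Any:
    """Answers the three calls the functions above make, using the constructed data."""
    if method == "GET" and path.startswith("/v3/roles"):
        return _ROLES if "offset=0" in path else []
    if method == "GET" and path.startswith("/v3/access-profiles/"):
        return _APS[path.rsplit("/", 1)[1]]
    if method == "POST" and path.startswith("/v3/search"):
        return [doc for name, doc in _IDENTITIES.items() if f'name:"{name}"' == body["query"]["query"]]
    raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    mapping = role_entitlement_map(fake_api)
    print(json.dumps(reconcile(fake_api, "a.lovelace", mapping), indent=2))
```

To run against a tenant, build `api = bearer_api("https://{tenant}.api.identitynow.com", token)` with a token obtained from the OAuth client-credentials flow and pass it where `fake_api` is used; `role_entitlement_map` is computed once per run and reused for every identity, so the number of API calls is the number of roles pages plus one per distinct access profile plus one search per identity.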
