Does anyone have a report on overlapping entitlements in Access Profiles

I need to find all Access Profiles that have entitlements and what those entitlements are so we can remediate them appropriately as some have been incorrectly added during our onboarding phase, which is now leading to some complexities when revoking access in reviews.

I was wondering/hoping if someone has managed to solve this one before I start pulling down the raw data via API and doing a comparer in a script.

Hi @Tellius,
Use the query below in the UI search to get all access profiles.
query: *
Download the file including entitlement details as shown below; you will then be able to see the entitlement names which are part of access profiles and verify.


@2135797 - Thanks mate. I was hoping for something I could hand over to a non-tech savvy analyst.

All good, I will script something up to get all the information. It doesn’t seem that there is a native way in the UI to get the data.

Hi Tyson. Did you successfully create a script for this? If so, would you mind sharing your code for others to use? This solution could really benefit the community.

Hi Colin,

Sure can do! The comparer script is in PowerShell because that is what we have widely accessible on corporate desktops. However, the process is basically:

Go to IDN Search
Select “Access Profile” in the filter
Search: *
Download the result to CSV named as: AP_entitlements.csv
Execute the following script:

## Input the raw Access Profile data from CSV (change path and filename as required)
$APRawData = Import-Csv -Path "C:\Temp\IDN\AP_entitlements.csv"

## Group the Access Profile rows by Entitlement ID, then Name, then Source
$GroupsOfAPbyEnt = $APRawData | Group-Object -Property "Entitlement ID","Entitlement Name","Source Name"

## Keep only the entitlements that appear in 2 or more Access Profile rows
$GroupsOfAPWithOverlappingEnt = $GroupsOfAPbyEnt | Where-Object { $_.Count -ge 2 }

## Build an array for the report data
$allData = @()

## Loop through all the overlapping entitlements and put the data in a useful format for reporting
foreach ($GroupOfAP in $GroupsOfAPWithOverlappingEnt) {
    ## Values holds the grouping keys in order, so IDs or names containing commas stay intact
    $obj = New-Object PSObject -Property @{
        EntitlementID     = $GroupOfAP.Values[0]
        EntitlementName   = $GroupOfAP.Values[1]
        SourceName        = $GroupOfAP.Values[2]
        AccessProfileName = $GroupOfAP.Group.Name -join "|"
    }
    $allData += $obj
}

## Output the data in a CSV with the Entitlement Name, its source, and the Access Profiles it belongs to (change path and filename as required)
$allData | Select-Object EntitlementName,SourceName,AccessProfileName | Sort-Object SourceName,EntitlementName | Export-Csv -NoTypeInformation -Force -Path "C:\Temp\IDN\AP_Analysis_new.csv"

The downside is it needs someone savvy enough to execute the script, but otherwise it works for our particular needs.

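A complementary view for remediation, added here as an example and not part of the script posted in this thread: instead of listing each entitlement with its Access Profiles, it lists each pair of Access Profiles with the entitlements they share. It assumes the same CSV column names the script above reads; the sample rows are constructed and the function name `Get-AccessProfileOverlap` is hypothetical.

```powershell
# Constructed sample rows; the column names are the ones the script in this thread reads.
$sample = @'
Name,Entitlement ID,Entitlement Name,Source Name
AP-Finance-Base,"CN=Fin-RW,OU=Groups,DC=example,DC=com",Fin-RW,Active Directory
AP-Finance-Admin,"CN=Fin-RW,OU=Groups,DC=example,DC=com",Fin-RW,Active Directory
AP-Finance-Admin,"CN=Fin-Admin,OU=Groups,DC=example,DC=com",Fin-Admin,Active Directory
AP-Finance-Base,ent-001,Ledger Viewer,ERP
AP-Audit,ent-001,Ledger Viewer,ERP
AP-Audit,ent-002,Audit Reader,ERP
'@ | ConvertFrom-Csv

# Hypothetical helper: one output row per pair of Access Profiles that share entitlements.
function Get-AccessProfileOverlap {
    param([Parameter(Mandatory)][object[]]$Rows)

    $pairs = @{}
    # Group on source + entitlement ID so equal IDs on different sources are not merged.
    foreach ($g in ($Rows | Group-Object -Property 'Source Name','Entitlement ID')) {
        # Distinct profile names: a duplicate row inside one profile is not an overlap.
        $aps = @($g.Group.Name | Sort-Object -Unique)
        if ($aps.Count -lt 2) { continue }
        # .Values holds the grouping keys unjoined, so IDs with commas (DNs) stay intact.
        $label = '{0} [{1}: {2}]' -f $g.Group[0].'Entitlement Name', $g.Values[0], $g.Values[1]
        for ($i = 0; $i -lt $aps.Count - 1; $i++) {
            for ($j = $i + 1; $j -lt $aps.Count; $j++) {
                $key = $aps[$i] + "`n" + $aps[$j]
                if (-not $pairs.ContainsKey($key)) {
                    $pairs[$key] = [pscustomobject]@{
                        AccessProfileA = $aps[$i]
                        AccessProfileB = $aps[$j]
                        Shared         = [System.Collections.Generic.List[string]]::new()
                    }
                }
                $pairs[$key].Shared.Add($label)
            }
        }
    }
    $pairs.Values | ForEach-Object {
        [pscustomobject]@{
            AccessProfileA     = $_.AccessProfileA
            AccessProfileB     = $_.AccessProfileB
            SharedCount        = $_.Shared.Count
            SharedEntitlements = $_.Shared -join '; '
        }
    } | Sort-Object -Property @{ Expression = 'SharedCount'; Descending = $true }, AccessProfileA
}

Get-AccessProfileOverlap -Rows $sample | Format-Table -AutoSize -Wrap
```

To run it on real data, pass the output of `Import-Csv` on the downloaded file as `-Rows` and pipe the result to `Export-Csv` for the analyst.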